This post is not about SharePoint or Windows 2008 as standalone products. It is about the SharePoint areas where you can expect improvements when running on Windows 2008, and why Windows Server 2008 is a better platform for SharePoint implementations. This is not a general overview of Windows 2008 or Windows 2008 R2. It’s a review of Windows 2008 from a particular vantage point – SharePoint.
The core infrastructure technologies built into the Windows Server 2008 OS that make it the platform of choice are the Web platform, virtualization and the rewritten TCP/IP stack.
These infrastructure-level features strengthen SharePoint's position as a Web application platform that delivers efficiently and effectively, with significant improvements in administration, development and operations.
Features like Network Access Protection (NAP), Active Directory Federation Services (AD FS), federated rights management and Read-Only Domain Controller (RODC) are a big step towards SharePoint in perimeter networks and a ready platform for inter-enterprise implementations. Core infrastructure features like Server Core, PowerShell, and the enhanced networking and clustering technologies provide a better platform for large workloads and high-SLA implementations.
Virtualization plays an important role in today’s implementations. Whether in development or in production, scaling up or scaling out, you see it everywhere. VMware is the undisputed leader, but with Windows 2008 Hyper-V Microsoft is now closing the gap.
Because of the limited projection of the CPU into the guest OS (a guest saw only one core of a multi-core CPU), the lack of 64-bit guest OS support and the memory allocation limits, Virtual Server 2003 or 2005 R2 only provided entry-point solutions. Other virtualization products like VMware are a lot more mature and in use at large datacenters. The community will be watching how the new Hyper-V plays out.
The hypervisor is a thin layer of software that works with hardware-assisted virtualization technology (Intel VT or AMD-V), uses a new type of hardware device driver (synthetic drivers) and can access the disk subsystem directly.
· 64-bit support: 64-bit hardware with a 64-bit host can support 64-bit guests.
· Multiprocessor guest support: multiple CPUs can be allocated to a single guest machine to support virtualization of multithreaded applications.
· New device virtualization architecture: a new virtualized I/O architecture. The new synthetic devices provide higher performance and lower overhead than the earlier emulated device drivers.
· Large memory: larger virtual machine memory support.
· Virtual LAN: you can have VLANs within your virtualized environment.
Windows System Resource Manager
A new tool, Windows System Resource Manager (WSRM), allows you to control how CPU and memory resources are allocated to applications, services and processes on the server. Managing resources this way improves system performance by reducing the chance that one service or process starves the others by taking CPU or memory resources away.
Think about its possible uses in managing resource-intensive activities such as running STSADM or the Timer Service, or a backup job running during production hours.
Read-Only Domain Controller
It may not be very obvious for intranet-only implementations, but a read-only DC is a big deal for internet-facing sites, whether publishing, collaboration or a combination. It significantly improves enterprise security by reducing the attack surface and, in case of a compromise (breach), limiting the exposure.
Regardless of the implementation (intranet, extranet or internet), it improves the efficiency and effectiveness of the server farm deployment and the efficiency of WAN communication from the server farm VLAN.
An RODC hosts read-only partitions of the Active Directory Domain Services database. An RODC deployed close to or alongside the SharePoint WFEs results in a faster and more reliable authentication process.
To deploy an RODC, you must have at least one writable domain controller running Windows Server 2008, and the functional level of your domain and forest must be Windows Server 2003 or higher.
Without understating its benefits in an intranet implementation, where an RODC is more secure and more efficient, this functionality can help in internet or extranet SharePoint deployments as well:
· Read-only Active Directory Domain Services database (more secure)
· Unidirectional replication (eliminates threats that can be introduced by a compromised DC placed in the perimeter network)
· Credential caching (faster response for subsequent requests)
· Credential subset (not a full replica: only the credentials that are actually used are retained/cached locally)
· Read-Only DNS (more secure than writable DNS)
Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.
Local applications that request read access to the directory obtain it. LDAP applications that request write access receive an LDAP referral response redirecting them to a writable domain controller.
No changes are written directly to the RODC. Therefore writable replication partner DCs do not have to pull changes from the RODC.
By default, an RODC does not store user or computer credentials except its own account and Kerberos tickets.
You must explicitly allow any other credential caching on an RODC. The Password Replication Policy determines if credentials can be replicated and cached. Leaving credential caching disabled will limit risk exposure, but it also results in all authentication requests being forwarded to a writable domain controller. An administrator can modify the default Password Replication Policy to allow users’ credentials to be cached at the RODC.
By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of credentials by a compromise of the RODC is also limited.
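The Password Replication Policy described above, as an added example that is not part of the original post: it allows caching only for the group that signs in through the WFEs and then lists which credentials the RODC already holds, which is the reset list if the perimeter host is ever compromised. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2, or 2008 with the AD Management Gateway Service); the server and group names are constructed placeholders.

```powershell
# Added example, not from the original post: configure and audit the Password Replication
# Policy (PRP) of an RODC placed alongside the SharePoint WFEs. Assumes the ActiveDirectory
# PowerShell module (Windows Server 2008 R2, or 2008 with the AD Management Gateway Service)
# and rights to edit the PRP. Server and group names are constructed placeholders.

Import-Module ActiveDirectory
$Rodc       = 'DMZ-RODC01'                  # constructed: the RODC next to the WFEs
$AllowGroup = 'SharePoint Extranet Users'   # constructed: accounts that sign in via the WFEs

# 1. Caching is off by default; allow it only for the group that actually authenticates
#    through this RODC. Privileged accounts stay in the built-in
#    'Denied RODC Password Replication Group', and a deny entry wins over any allow entry.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGroup

# 2. Show the resulting policy.
'Allowed:'; Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object -ExpandProperty Name
'Denied:';  Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object -ExpandProperty Name

# 3. Audit what the RODC already holds. These are the credentials exposed if the perimeter
#    host is compromised, and therefore the passwords to reset in that case.
function Get-RodcExposure([string]$Server, [string]$ExpectedGroup) {
    $allowed  = Get-ADGroupMember -Identity $ExpectedGroup -Recursive |
                    Select-Object -ExpandProperty SamAccountName
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Server -RevealedAccounts
    foreach ($acct in $revealed) {
        New-Object PSObject -Property @{
            Account        = $acct.SamAccountName
            # False means the account is cached without being in the expected group. The RODC's
            # own computer account and its krbtgt_* account are always cached and are expected here.
            InAllowedGroup = ($allowed -contains $acct.SamAccountName)
        }
    }
}
Get-RodcExposure $Rodc $AllowGroup | Sort-Object InAllowedGroup | Format-Table -AutoSize
```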
Server Core
An interesting new feature in Windows Server 2008 is the option to install the core OS without any GUI. For a WFE you can install the Web Server role on it and manage the server via the CLI, PowerShell or remote tools. It can improve security and reduce management overhead. This type of installation is called the Server Core installation option.
You can install the core Web Server role for a higher-security environment like internet-facing sites. However, before you try it in production, make yourself very familiar with working without the shell (GUI).
I am excited about the new TCP/IP stack, not because of IPv6 but because I am seeing several new auto-tuning features that can help under heavy utilization.
The TCP receive window is the size of the in-memory buffer on the receiving host that stores the incoming data stream of a TCP connection. Receive Window Auto-Tuning determines the optimal receive window size per connection dynamically, by analyzing the bandwidth-delay product, latency and the application retrieval rate.
If all applications are optimized to receive TCP data, the overall utilization of the network can increase substantially. I am expecting to see the gains within a SharePoint farm and SQL Server running on Windows 2008.
Whereas Receive Window Auto-Tuning optimizes the receiver side, Compound TCP optimizes sender-side throughput.
Compound TCP aggressively increases the amount of data sent at a time, while ensuring its behavior does not negatively impact other TCP connections.
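As an added example, not from the original post: the bandwidth-delay arithmetic that explains why a fixed receive window limits throughput and why per-connection auto-tuning matters, followed by the netsh commands that show and set the auto-tuning level and the Compound TCP provider on Windows Server 2008. It assumes an elevated prompt; the link figures are constructed.

```powershell
# Added example, not from the original post: bandwidth-delay product behind Receive Window
# Auto-Tuning, then the netsh commands for the receiver-side (autotuninglevel) and
# sender-side (congestionprovider) settings. Assumes an elevated prompt; link figures are constructed.

function Get-WindowNeeded([double]$BitsPerSecond, [double]$RttMs) {
    # Bandwidth-delay product: bytes that must be in flight to keep the link full.
    [math]::Ceiling($BitsPerSecond / 8 * ($RttMs / 1000))
}
function Get-ThroughputLimit([double]$WindowBytes, [double]$RttMs) {
    # A receiver that never advertises more than a fixed window caps the sender at window/RTT.
    $WindowBytes * 8 / ($RttMs / 1000)     # bits per second
}

# What a fixed 64 KB window (the pre-auto-tuning default) does on two constructed links.
$links = @(
    @{ Name = 'WFE to SQL, 1 Gbps, 2 ms RTT';         Bps = 1e9;   Rtt = 2  },
    @{ Name = 'Branch over WAN, 100 Mbps, 60 ms RTT'; Bps = 100e6; Rtt = 60 }
)
foreach ($link in $links) {
    $needed = Get-WindowNeeded $link.Bps $link.Rtt
    $cap    = Get-ThroughputLimit 65535 $link.Rtt
    '{0}: window needed {1:N0} bytes; a 64 KB window caps throughput at {2:N1} Mbit/s' -f $link.Name, $needed, ($cap / 1e6)
}

# Current receiver-side (autotuninglevel) and sender-side (congestionprovider) settings.
netsh interface tcp show global

# Windows Server 2008 defaults are autotuninglevel=normal and congestionprovider=ctcp;
# re-apply them explicitly if they have been changed on this host.
netsh interface tcp set global autotuninglevel=normal
netsh interface tcp set global congestionprovider=ctcp
```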
You might be familiar with a separate downloadable product called ADAM (Active Directory Application Mode), a standalone LDAP identity store which later became part of Windows 2003 R2. AD FS is a continuation of the same story, and it keeps getting better.
AD FS is a server role that can be used to create an identity access solution across multiple operating platforms and across the internet.
AD FS, as an identity access solution, provides browser-based clients with single-logon access to protected internet-facing applications, even when the user credentials and the applications themselves are located in different organizations.
AD FS makes it unnecessary to have an account in the application's network: it provides trust relationships that you use to authenticate the user against the trusted account-bearing organization and project that identity to the application, which determines access rights on its resources.
In a federated environment, each organization continues to manage its own credentials and/or resources and trusts the other. An analogy is a Windows Active Directory trust between two domains (one-way or two-way), or Microsoft Live ID/Passport as an internet-based credential/authentication provider.
You can deploy Federation Servers (Windows 2008 servers with the AD FS role) in multiple organizations as an infrastructure service to support many different business-to-business (B2B) transactions. AD FS may not be of significant interest in a mid-size intranet deployment of SharePoint. However, it can significantly improve your design in large, disconnected organizations under a parent company, in organizations with decentralized IT, or when linking with customers or partners.
Federated B2B partnerships identify business partners as one of the following types of organization:
· Resource Organization. Organizations that provide resources accessible over the Internet can deploy AD FS Federation Servers and AD FS-enabled Web servers that manage access to protected resources for trusted partners.
· Account Organization. Organizations that own user accounts can deploy AD FS Federation Servers to authenticate users locally and create security tokens that are later used by Federation Servers in the resource organization to make authorization decisions.
The process of authenticating to one network while accessing resources in another network — without repeated logons — is known as single sign-on (SSO). AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications over the life of a single browser session.
Active Directory Federation Services in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Services 2007 and Active Directory Rights Management Services.
Integration With Office SharePoint Services 2007
Office SharePoint® Services 2007 takes full advantage of the SSO capabilities integrated into the Windows Server 2008 version of AD FS, which includes membership and role providers to support it. You can configure Office SharePoint Services 2007 as a claims-aware application in Active Directory Federation Services, and you can administer any Office SharePoint Services 2007 site using membership and role-based access control.
The membership and role providers that are included in this version of Active Directory Federation Services are for consumption only by Office SharePoint Services 2007.
Integration With Active Directory Rights Management Server (AD RMS)
AD RMS and AD FS integration allows a Resource Organization to assert digital rights on resources in Account Organizations, even without requiring the Resource Organization to deploy AD RMS services.
IIS version 7.0 is a major enhancement, and all existing ASP, ASP.NET 1.1 and ASP.NET 2.0 applications are expected to run on IIS 7.0 without any code changes (using the compatible ISAPI support).
You will be pleased to see that IIS provides better troubleshooting support for developers and administrators: a better window into internal diagnostic information, with detailed diagnostic events surfaced to troubleshoot errant behavior.
IIS now stores IIS configuration settings in web.config files, which makes them much easier to maintain across a farm. IIS 7 configuration is based on the existing .NET Framework configuration store, which enables IIS configuration settings to be stored alongside ASP.NET configuration in Web.config files.
The configuration settings for a web application can be copied from one computer to another as the application moves from one environment to another. An interesting change for a server farm: you can potentially use a file server share or DFS to store the web application configurations and have all servers retrieve configuration settings and content from a common location. I am not just ‘thinking’ of the IIS root or bin, I am thinking of the 12 hive!!
IIS 7.0 stores global configuration in the \system32\inetsrv directory in a file called ApplicationHost.config. In this file there are two major configuration section groups:
· system.applicationHost
· system.webServer
The system.applicationHost section group contains configuration for site, application, virtual directory and application pools. The system.webServer section group contains configuration for all other settings, including global Web defaults.
URL-specific configuration can also be stored in ApplicationHost.config using <location> tags. IIS 7.0 can also read and write URL-specific configuration in Web.config files within the code or content directories of the Web sites and applications on the server, alongside ASP.NET configuration.
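The ApplicationHost.config layout described above, walked through in an added example that is not from the original post: a small PowerShell function reads the two section groups and the <location> overrides from a constructed, cut-down copy of the file. It assumes PowerShell 2.0 or later; on a real server the file is %SystemRoot%\System32\inetsrv\config\applicationHost.config.

```powershell
# Added example, not from the original post: read an IIS 7.0 ApplicationHost.config and
# report the two section groups the post describes plus any <location> overrides.
# Assumes PowerShell 2.0 or later. The real file lives at
# %SystemRoot%\System32\inetsrv\config\applicationHost.config; the XML below is a
# constructed, cut-down sample so the function runs without IIS installed.

$SampleConfig = [xml]@'
<configuration>
  <system.applicationHost>
    <sites>
      <site name="SharePoint - 80" id="1">
        <application path="/" applicationPool="SharePoint - 80">
          <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\wss\VirtualDirectories\80" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
  <system.webServer>
    <security><authentication><anonymousAuthentication enabled="true" /></authentication></security>
  </system.webServer>
  <location path="SharePoint - 80" overrideMode="Deny">
    <system.webServer>
      <security><authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication></security>
    </system.webServer>
  </location>
</configuration>
'@

function Get-IisConfigSummary([xml]$Config) {
    $root = $Config.configuration
    # system.applicationHost: sites, applications, virtual directories and app pools.
    foreach ($site in $root.'system.applicationHost'.sites.site) {
        "Site '$($site.name)': pool '$($site.application.applicationPool)', path $($site.application.virtualDirectory.physicalPath)"
    }
    # system.webServer at the root: global Web defaults that apply to every site.
    $global = $root.'system.webServer'.security.authentication
    "Global anonymousAuthentication enabled: $($global.anonymousAuthentication.enabled)"
    # <location> tags: URL-specific settings held in ApplicationHost.config rather than in the
    # site's Web.config; overrideMode="Deny" also locks them against Web.config edits.
    foreach ($loc in $root.location) {
        $auth = $loc.'system.webServer'.security.authentication
        "Location '$($loc.path)' (overrideMode=$($loc.overrideMode)): anonymous=$($auth.anonymousAuthentication.enabled), windows=$($auth.windowsAuthentication.enabled)"
    }
}
Get-IisConfigSummary $SampleConfig
```

Pointing the function at `[xml](Get-Content "$env:SystemRoot\System32\inetsrv\config\applicationHost.config")` runs the same summary against a real server's configuration.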
Because Windows Server 2008 is a major release, you should expect to spend some time familiarizing yourself with the new configuration options.
The new IIS Manager UI supports remote administration over HTTP without requiring DCOM or other administrative ports to be opened on the firewall.
Another fundamental change is that both native and managed code are processed through a single request pipeline. The new worker process Web core also provides access to all notification events in the request pipeline, allowing existing ASP.NET features (such as forms-based authentication or URL authorization) to be used for all types of Web content.
In IIS 6, all functionality was built in a monolithic way, and there was no easy way to extend or replace any of it. In IIS 7.0 the core is divided into over 40 separate, replaceable feature modules.
The core also includes a new API for developing core server modules. Modules can replace ISAPI filters and extensions, although these filters and extensions are still supported in IIS 7.0.
Windows Server 2008 includes .NET Framework 2.0 regardless of which server roles are installed. The Application Server Core role adds .NET Framework 3.0 features to the baseline .NET Framework 2.0, including:
· Windows Communication Foundation (WCF)
· Windows Workflow Foundation (WF)
· Windows Presentation Foundation (WPF)
Obviously, for a SharePoint deployment you will need to include this role as well.
The transactional NTFS file system and the transactional registry have been enhanced to coordinate their work through transactions.
This provides support for full Atomic, Consistent, Isolated and Durable (ACID) semantics for transactions. For example, you can group a set of file and registry operations in a transaction so that either all of them succeed or none of them do.
If not already in the works, I can imagine SharePoint Timer Jobs and definitions, configuration synchronization between the WFEs, and maybe index copying being wrapped into transactions.
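The all-or-nothing semantics described above, as an added example that is not from the original post: a set of registry writes is committed or rolled back as one unit through PowerShell transactions, which sit on the Kernel Transaction Manager and the transactional registry. It assumes PowerShell 2.0 (Windows Server 2008 R2, or WMF 2.0 on 2008), where only the Registry provider is transaction-aware, so the file-system half of the scenario is not shown; the key path and values are constructed.

```powershell
# Added example, not from the original post: a group of registry writes committed or rolled
# back as one unit through PowerShell transactions (Kernel Transaction Manager / transactional
# registry). Assumes PowerShell 2.0 (Windows Server 2008 R2, or WMF 2.0 on 2008); in 2.0 only
# the Registry provider supports -UseTransaction, so files are not shown. Key path is constructed.

$Key = 'HKCU:\Software\FarmSyncDemo'   # constructed throwaway key

function Set-FarmSettingsAtomically([hashtable]$Settings, [switch]$SimulateFailure) {
    Start-Transaction
    try {
        if (-not (Test-Path $Key -UseTransaction)) {
            New-Item -Path $Key -UseTransaction | Out-Null
        }
        foreach ($name in $Settings.Keys) {
            New-ItemProperty -Path $Key -Name $name -Value $Settings[$name] `
                -PropertyType String -Force -UseTransaction | Out-Null
        }
        # A failure part-way through (e.g. a WFE that cannot be reached) must leave no
        # half-written configuration behind.
        if ($SimulateFailure) { throw 'later step failed' }
        Complete-Transaction      # commit: every write becomes visible at once
        return $true
    }
    catch {
        Undo-Transaction          # roll back: none of the writes survive
        Write-Warning "Rolled back: $_"
        return $false
    }
}

$settings = @{ ConfigVersion = 'demo-1'; IndexServer = 'IDX01' }   # constructed values
Set-FarmSettingsAtomically $settings -SimulateFailure | Out-Null
"Key exists after rollback: $(Test-Path $Key)"
Set-FarmSettingsAtomically $settings | Out-Null
"Key exists after commit:   $(Test-Path $Key)"
Remove-Item $Key -Recurse
```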
The new build of NLB (Network Load Balancing) includes support for the new Network Driver Interface Specification (NDIS) 6.0, Windows Management Instrumentation (WMI) enhancements, and improved functionality with Microsoft Internet Security and Acceleration (ISA) Server.
The NLB driver has been completely rewritten to use the new NDIS 6.0 lightweight filter model for enhanced driver performance and scalability. With the WMI enhancements, multiple dedicated IP addresses are supported.
Aamir Qureshi