High Availability and Recovery Changes
Windows Server 2008 R2
includes several features to further enhance high availability and
backup services. These include new features such as PowerShell support
for clustering and the ability to back up individual files and folders
with Windows Backup.
Failover Cluster PowerShell support
Failover
Clusters can now be set up and administered using PowerShell 2.0. This
not only includes the new cmdlets for Failover Clustering but also the
ability to remotely send commands to cluster services via PowerShell
2.0. With the added support for PowerShell, the cluster.exe command line
utility is being deemphasized and may not be available in future
releases of Windows.
Cluster shared volumes
Failover
Clustering supports the use of Cluster shared volumes (CSV). These are
volumes that can be accessed by multiple nodes of the cluster at the
same time. This brings new benefits to Hyper-V deployments by providing
Live Migration and a reduced number of LUNs required.
Since previous versions
of Windows could only have one host actively accessing the LUN, a
fail-over would cause all VMs stored on a LUN to fail-over. Prior to
Windows Server 2008 R2, Microsoft recommended that each VM in a Failover
Cluster be assigned its own LUN to ensure that a single VM could
fail-over. For many deployments, this resulted in a lot of LUNs being
assigned to each Hyper-V host. Windows Server 2008 R2 removes this
restriction by using CSV, which allows both hosts to access the volume
at the same time and enables a single VM on a LUN to fail over without
requiring other VMs on that same LUN to do the same.
Improved cluster validation
Windows Server 2008
introduced the Cluster Validation Wizard. By using this wizard,
administrators could easily verify and set up a cluster ensuring it was
in a supported configuration. If the cluster passed the validation
wizard, it was considered to be in a correct configuration. Windows
Server 2008 R2 adds additional tests to further ensure that a cluster
can be validated using the Cluster Validation Wizard.
Support for additional cluster aware services
The Remote Desktop Connection
Broker and DFSR can both be configured on a Failover Cluster to provide
high availability and redundancy to these services.
Ability to back up individual files and folders
Windows
Server 2008 R1 (RTM) backup did not have the ability to select
individual files and folders to be backed up. This was a feature offered
in previous versions of Windows such as Windows Server 2003. Windows
Server 2008 R1, however, only provided the ability to back up a full
volume. Windows Server 2008 R2 has brought back the feature to allow
administrators to selectively choose which files and folders to include
in a backup set.
Security Changes
Windows
Server 2008 R2 introduces new features to help ensure your network is
more secure and protected. These new features include additions to
existing services and entirely new applications and roles. In this
section, we will discuss some of the security enhancements offered by
the R2 release of Windows Server 2008.
DNSSEC support
Windows Server 2008 R2 provides support for the
standards-based DNSSEC. This technology is not proprietary to Microsoft
and is being adopted by many DNS solution providers. DNSSEC helps ensure
that DNS zones are more secure by offering public/private key signing
of zones to help prevent man-in-the-middle attacks.
AppLocker
AppLocker is a new feature
available in Windows Server 2008 R2 and Windows 7 to restrict which
applications and scripts users can install on the system. AppLocker
allows administrators to create rules based upon the file version, file
name, publisher, and other attributes of the application. Using
AppLocker, administrators can decrease the chances of malicious
applications being installed and executed on the systems they manage.
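
The rule creation described above can be tried without enforcing anything. The following is an added example, not part of the original text; the directories are placeholders, and it uses the AppLocker PowerShell module that ships with Windows Server 2008 R2 and Windows 7.

```powershell
# Added example: build candidate AppLocker rules from a trusted directory and
# dry-run them. Nothing here applies or enforces a policy.
Import-Module AppLocker

# Placeholder paths; adjust to the reference install and the location to test.
$trustedDir = 'C:\Program Files'
$testPath   = 'C:\Users\Public\*.exe'

# 1. Inventory the executables in the trusted directory and generate rules.
#    With "Publisher, Hash", signed files get publisher rules and unsigned
#    files fall back to file-hash rules.
$policy = Get-AppLockerFileInformation -Directory $trustedDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize

# 2. Ask what the candidate policy would decide for files outside that
#    directory. PolicyDecision is Allowed, Denied or DeniedByDefault.
Test-AppLockerPolicy -PolicyObject $policy -Path $testPath -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# 3. Review the policy that is currently effective on this machine before
#    merging anything new into it.
Get-AppLockerPolicy -Effective -Xml

# 4. Rules are only evaluated while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object Name, Status
```

Files reported as DeniedByDefault match no allow rule, so they show what would stop running once the rules are enforced.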
Changes to Network Access Protection
Windows Server
2008 R2 NAP now allows administrators to implement multiple System
Health Validators (SHVs). This allows different SHVs to be applied to
different network policies. For example, an administrator could
configure an SHV that requires computers to have all current Windows
updates and antivirus software installed. This SHV could then be
applied to computers connected to the corporate network. The
administrator could then configure a second SHV to require only
antivirus software be installed and apply it to a network policy for
computers connecting remotely such as via VPN.
Windows Server 2008 R2 also
includes the ability to create Network Policy Server (NPS) templates.
Administrators can now configure NPS settings and save them as a
template. The template can then be used to deploy NPS policies without
having to recreate all settings each time a new policy is needed.
Managed Service Accounts
It
is a well-known best practice that account passwords should be changed
on a regular basis. For years, administrators have struggled with
performing password changes on service accounts because changing a
password usually meant making configuration changes to the service
itself. For example, by changing a password on a service account for an
IIS Application Pool, the administrator would then need to log on to the
Web server, open IIS Manager, and change the password settings of each
application pool in which that password had been set. This not only
caused huge administrative overhead, but sometimes resulted in forgotten
app pools and Web applications experiencing service disruptions.
Windows Server 2008 R2 now provides
the ability to set up Managed Service Accounts. Managed service accounts
allow an administrator to change a service account password without
impacting services such as IIS application pools. If an administrator
changes the managed service account password, the IIS application pool
will automatically update its configuration with the new password.
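
Setting up a managed service account for the IIS case described above looks like this. This is an added example, not part of the original text; the account, computer, domain and application pool names are placeholders, and it assumes the ActiveDirectory and WebAdministration modules are installed.

```powershell
# Added example: create a managed service account (MSA) and use it for an
# IIS application pool. All names below are placeholders.
$msaName  = 'svc-web01'          # placeholder MSA name
$hostName = 'WEB01'              # placeholder: the one server that uses it
$poolName = 'ExamplePool'        # placeholder application pool
$domain   = 'EXAMPLE'            # placeholder NetBIOS domain name

# --- On a management machine, with rights to create accounts in AD ---
Import-Module ActiveDirectory
New-ADServiceAccount -Name $msaName -Enabled $true
# Bind the account to the computer that is allowed to use it.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# --- On the web server itself, as a local administrator ---
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity $msaName

# Point the application pool at the account. The user name ends in '$' and
# the password is left empty because no administrator types or stores it.
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    userName     = "$domain\$msaName`$"
    password     = ''
    identityType = 3             # 3 = SpecificUser
}

# Verify which computer the account is bound to and when its password was
# last set.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers, PasswordLastSet |
    Format-List Name, Enabled, HostComputers, PasswordLastSet

# A password change can be forced from the host; the application pool
# configuration above does not need to be edited afterwards.
Reset-ADServiceAccountPassword -Identity $msaName
```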
New security auditing features
Microsoft has further expanded auditing capabilities in Windows Server 2008 R2. These include:
Global object access auditing
Reason for access reporting
New audit categories can be enabled via GPO
Global object access auditing
In Windows Server
2008 R2, an administrator can globally audit object access to the file
system or registry. This allows you to monitor access and changes across
the whole system, no matter what auditing settings are configured at
the file and folder level.
Reason for access reporting
This
feature allows you to review why a particular account was allowed or
denied access to an object. For example, if a user was a member of a
group that gave them access to a particular file, Reason for Access
Reporting would indicate that this access was given because the user was
a member of the group.
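
The two auditing features above can be exercised together from an elevated PowerShell prompt. This is an added example, not part of the original text; the group name is a placeholder, and enabling the Handle Manipulation subcategory alongside File System is an assumption made here so that handle-request events (ID 4656) are recorded.

```powershell
# Added example: set a global file system audit rule, then read the reason
# for access from the resulting Security log events.
$auditedGroup = 'EXAMPLE\AuditedGroup'      # placeholder group, no spaces

# 1. Object-access events are only written when the subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# 2. Global object access auditing: one computer-wide SACL for all files,
#    independent of the auditing settings on individual files and folders.
#    FW = file generic write.
auditpol /resourceSACL /set /type:File /user:$auditedGroup /success /failure /access:FW

# 3. Confirm what is configured.
auditpol /resourceSACL /type:File /view

# 4. Reason for access reporting: event 4656 carries an AccessReason field
#    that names the ACE, ownership or privilege behind the decision.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            Time   = $evt.TimeCreated
            User   = $data['SubjectUserName']
            Object = $data['ObjectName']
            Reason = $data['AccessReason']
        }
    } |
    Format-List Time, User, Object, Reason

# To remove the global rule again:
# auditpol /resourceSACL /remove /type:File /user:$auditedGroup
```

A computer-wide write audit rule generates a high event volume on busy servers, so size the Security log and scope the audited group accordingly.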
PowerShell Changes
Windows
Server 2008 R2 includes the new PowerShell 2.0, providing new features,
including remote management capabilities. Administrators can now send
PowerShell commands to a server from a remote workstation or other
server. Additionally, Windows Server 2008 R2 includes an expanded set of
cmdlets to manage Windows Servers. In this section, we will take a look
at some of the new features of PowerShell 2.0 on Windows Server 2008
R2.
Integrated scripting environment and debugger
Windows
Server 2008 R2 includes the new integrated scripting environment (ISE)
and fully functional debugger. The ISE is a graphical interface that provides
script writers an easy way to create, edit, and validate PowerShell
scripts. Using the ISE, you can also run the new debugger to perform
common debug tasks such as the ability to step through code and add
breakpoints. If you write PowerShell scripts, you may want to
familiarize yourself with the new ISE and debugger environments.
Background jobs
PowerShell now allows you to run
commands in the background. This allows you to continue to work in the
shell while a command is running. For example, you could issue a
PowerShell command that could change a setting on 1000 AD accounts. Due
to the number of accounts being updated, the command may take several
minutes to complete. PowerShell will now allow you to continue issuing
other PowerShell commands while the process to update the AD accounts
completes.
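
The bulk account update described above, run as a background job. This is an added example, not part of the original text; the OU, the description text and the job name are placeholders, and it assumes the ActiveDirectory module is available.

```powershell
# Added example: update many AD accounts in a background job and collect a
# per-account result instead of losing failures in the background.
$searchBase = 'OU=Staff,DC=example,DC=com'      # placeholder OU

$job = Start-Job -Name 'BulkDescription' -ArgumentList $searchBase -ScriptBlock {
    param($SearchBase)
    Import-Module ActiveDirectory

    $updated = 0
    $failed  = @()
    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        try {
            Set-ADUser -Identity $user -Description 'Reviewed' -ErrorAction Stop
            $updated++
        }
        catch {
            # Keep the account name so failures can be retried or reviewed.
            $failed += $user.SamAccountName
        }
    }
    New-Object PSObject -Property @{ Updated = $updated; Failed = $failed }
}

# The prompt returns immediately; the job can be polled while other commands
# are run in the same shell.
Get-Job -Name 'BulkDescription'

# Later: wait for the job, fetch its output and check how it ended.
$result = $job | Wait-Job | Receive-Job
if ($job.State -ne 'Completed') {
    Write-Warning "Job ended in state $($job.State)"
}
$result | Format-List Updated, Failed
Remove-Job -Job $job
```

The job runs in a separate process under the credentials of the user who started it, so the changes appear in directory audit logs under that account.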
Transactions
PowerShell now allows you to
create transactions that can run a batch of scripts or commands as a
single process, giving you the ability to commit or rollback mass
changes. This is much like the behavior of SQL transactions.
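
Commit and rollback apply only to providers that support transactions and to commands run with -UseTransaction. In PowerShell 2.0 the built-in Registry provider is the one that does. This is an added example, not part of the original text; the registry key name is a placeholder.

```powershell
# Added example: roll back, then commit, a group of registry changes.
$key = 'HKCU:\Software\ExampleTransactionDemo'    # placeholder key

# List the providers that can take part in a transaction.
Get-PSProvider | Where-Object { $_.Capabilities -like '*Transactions*' }

# --- Roll back ---
Start-Transaction
New-Item -Path $key -UseTransaction | Out-Null
New-ItemProperty -Path $key -Name 'Mode' -Value 'Audit' -UseTransaction | Out-Null

# The same check outside and inside the transaction: pending changes are
# visible only to commands that join the transaction.
Test-Path -Path $key
Test-Path -Path $key -UseTransaction

# Discard every change made since Start-Transaction.
Undo-Transaction
Test-Path -Path $key

# --- Commit ---
Start-Transaction
New-Item -Path $key -UseTransaction | Out-Null
New-ItemProperty -Path $key -Name 'Mode' -Value 'Enforce' -UseTransaction | Out-Null
# A command without -UseTransaction runs immediately and is not undone by a
# later Undo-Transaction, so every change that belongs to the batch needs it.
Complete-Transaction
Get-ItemProperty -Path $key

# Clean up the demonstration key.
Remove-Item -Path $key -Recurse
```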
Cmdlets for server administration
Windows Server 2008 R2
includes a large number of cmdlets for administering Windows Servers. In
fact, an administrator can perform most administrative functions on a
Windows Server 2008 R2 server using PowerShell 2.0. Providers and
cmdlets have been written for most server roles, giving administrators
the ability to automate common tasks and rapidly make configuration
changes to hundreds or thousands of servers at once.
ServerManagerCmd and PowerShell
ServerManagerCmd
was introduced in Windows Server 2008 R1 (RTM) as a powerful command
line utility to perform many common administrative tasks. Most of the
ServerManagerCmd commands are now available in PowerShell 2.0 on Windows
Server 2008 R2. With this in mind, Microsoft is deemphasizing the use
of ServerManagerCmd and the utility may not be included in future
releases of the operating system.