What we pay for buying Windows Server 2008. Part 2: Server Core and RODC.
As many people know, Microsoft recently released a new server OS, Windows Server 2008. The launch was on February 27th in the States and on March 18th in Russia (that was Moscow; St. Petersburg followed on the 19th). A new product means new opportunities, but I would like to know in advance what we are being offered rather than buy a pig in a poke. What is new in WS 2008, and what are its advantages over WS 2003? Which innovations will users appreciate, and which will benefit the administrator? Finally, is it worth buying a new system if everything works fine on the old one, and if so, how do you convince management to pay the bill?
If I knew the answers to all these questions, I would have long since retired to Sochi. I do, however, have some thoughts on the topic.
Point 2: Server Core (SC) and Read Only Domain Controller (RODC).
WS2008 introduced a new installation option for the system: Server Core. Microsoft calls it nothing less than a "very interesting thing." My opinion differs somewhat, but I will try to describe everything impartially.
What is Server Core?
SC is an installation option for WS2008 with limited functionality. There is no graphical shell, and only the following server roles are available:
- Active Directory Domain Services (including the RODC, which I discuss below)
- DHCP Server
- DNS Server
- File Services
- Print Services
- Web Server (IIS)
Not that little; for administrative purposes it is enough. Let me remind you that the standard installation of WS2008 offers 16 basic roles, considerably more.
Management is done from the command line, through scripts, or from a remote MMC console.
Server core concept.
I don't know about you, but I personally did not understand at first what to do with a server of truncated functionality. According to MS, the formula for its use looks like this: SC + RODC + BitLocker = branch office server.
Imagine a typical situation: a company opens a branch, or just a remote site with several workstations (the number, and even its order of magnitude, does not matter). You are asked to get the local network working. The miracle of the Internet and a couple of Cisco boxes have joined head office and the branch into a single network. But you do not need the gift of prophecy to see that no, even the most reliable Internet link will not last forever: sooner or later the branch will drop off your network map. No link to head office means no AD, no management, no DNS. A terrible picture flashes before your eyes; you exhale and decide: we will send a domain controller to the branch. Something simpler and cheaper, although whether the server will prove more reliable than the link is another question. It will keep the basic services running if the connection is lost. Maybe the same server will double as a router or file server.
I deliberately exaggerated, but I suspect the situation is quite common in Russia. Clearly, with an intermittent or very slow link between offices you almost always need to put a DC in the branch to keep the domain structure working. If, I stress, there is a need for one at all.
Having got rid of one problem, you have immediately created many others. Firstly, you have almost no time for maintenance, and the server is a long way away. Secondly, you have no physical access to it. Thirdly, the likelihood of theft is far from zero, and I think everyone understands what the theft of a domain controller could lead to. And that is not counting the anecdotal cases.
This is where one would insert a nice video about exactly how MS proposes to protect our poor branches. Unfortunately, for lack of material that is not plainly advertising, I will describe it myself.
Oddly enough, the key words here are not Server Core but Read Only Domain Controller, RODC. This is a new role that appeared in WS2008. An RODC holds the same objects and attributes as a regular controller except for account passwords (more precisely, account secrets, plus anything the administrator adds to the RODC filtered attribute set). It is not meant to be modified, and writable controllers do not replicate anything from an RODC, so a compromised RODC cannot push changes back into the domain. In addition, in WS2008 a user can be given local administrator rights on an RODC without being a domain administrator (Administrator Role Separation), which was not possible on a WS2003 domain controller. You can give the branch administrator full rights to service the server while prohibiting him from making any changes to the domain. Once again: account passwords are not stored on the RODC by default, and authentication is forwarded to a writable DC at head office. Which accounts, if any, the RODC is allowed to cache is decided by its Password Replication Policy, which is set on the writable side.
Here I am somewhat puzzled by how the cache is used. Clearly, when the link is down, the writable DC cannot hand over a password at the RODC's request, so passwords have to be cached, whether for this case or to cut the traffic crossing the WAN. Agree, it is illogical to refuse to store account secrets and then cache them. Not to mention passing passwords over the wide area network.
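The practical answer to the caching question is to look at the Password Replication Policy and at what the RODC has actually cached. The following is an added example, not material from the article: the names (RODC host BR01-RODC, domain corp.example, group "Branch01 Users", user "J. Doe") are assumptions, and the commands are run from an elevated cmd.exe on a writable WS2008 DC, where repadmin and the ds* tools are available with the AD DS role.

```batch
@echo off
rem Added example (not from the original article): what a given RODC may cache,
rem what it has actually cached, and what to do if the box is stolen.
rem Assumed names: RODC host BR01-RODC, domain corp.example, branch group
rem "Branch01 Users", user "J. Doe". Run on a writable WS2008 DC.

rem Password Replication Policy: who may and who may not be cached on this RODC.
repadmin /prp view BR01-RODC allow
repadmin /prp view BR01-RODC deny

rem Accounts whose secrets are actually stored on the RODC right now.
rem This is the list that matters if the server goes missing.
repadmin /prp view BR01-RODC reveal

rem Accounts that have authenticated through this RODC. A branch user who shows
rem up here but not in the "reveal" list cannot log on while the WAN is down.
repadmin /prp view BR01-RODC auth2

rem Allow caching for the branch's own group only (DN is assumed), so exactly
rem those users survive a link outage and nobody else's secrets land on the box.
repadmin /prp add BR01-RODC allow "CN=Branch01 Users,OU=Groups,DC=corp,DC=example"

rem Theft response: capture the "reveal" list first, then reset every account on
rem it and force a password change. Shown for one assumed user; repeat per entry.
rem "-pwd *" makes dsmod prompt for the new password instead of taking it from
rem the command line, so it does not end up in the console history.
repadmin /prp view BR01-RODC reveal > %SystemRoot%\Temp\BR01-RODC-cached.txt
dsmod user "CN=J. Doe,OU=Branch01,DC=corp,DC=example" -pwd * -mustchpwd yes
```

The point of the "allow" line is that the RODC caches nothing it is not told to: a default policy denies Domain Admins, Enterprise Admins and other privileged groups, so a stolen branch server yields at most the secrets of the accounts you explicitly put in the allowed list.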
SC in this scheme is positioned as the host for the RODC. Server Core, according to the developers, once configured will not require administrator intervention later on. In addition, the hardware requirements of the minimal installation are significantly lower than those of a standard one. The number of required updates is also minimized: 60% fewer than for a non-SC server. Finally, a minimal installation means fewer components, and therefore fewer bugs and shortcomings and less to patch.
BitLocker, as always, encrypts the data. The presence of this component in the magic formula SC + RODC + BitLocker raises no questions: it is what stops the disk of a stolen branch server from being read offline.
Conclusions.
Perhaps this piece should be called "personal objections."
I have already written about the incomprehensible (or misunderstood?) role of the RODC. I also have complaints about SC itself.
Firstly, the term "minimal installation" itself makes you feel you are being laughed at as soon as you read the hardware requirements: 1 GHz CPU, 512 MB RAM and 3 GB of disk space. And that is with no graphical shell. When I recall a Linux router with DHCP that fits on a floppy disk, my eyes well up.
On the other hand, a typical WS installation took about 15 GB of disk space after the Terminal Services role was added. After those numbers, 3 GB (1 GB for the installation plus 2 GB free) no longer looks like a serious requirement. Besides, MS explains that the minimum requirements are those imposed by the WS installer; the server itself also works on worse hardware.
The next item is management. Here it is not the absence of a shell that scares me but its heterogeneity. Fine, suppose all administration came down to CMD. But no, some operations can only be done with scripts, for example configuring automatic updates (on Server Core that is done with scregedit.wsf, there is no control panel for it). Or another one, controller deployment: on Server Core dcpromo works only with an answer file, which you are invited to create on a writable DC, where there is a full graphical interface. So make up your mind: are we giving up the graphical shell or not?
Yes, of course, I understand that scripts should be seen as a continuation of the command line, not its opposite. I also understand that an answer file for dcpromo can be created without a graphical shell. Still, there is a feeling of some inconsistency. And again, the qualifications demanded of the branch administrator keep growing.
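For the record, here is what the script-only workflow described above looks like on a fresh Server Core box. This is an added example, not the article's own material: automatic updates and Remote Desktop via scregedit.wsf, the DNS role via ocsetup, a dcpromo answer file written from cmd.exe, and promotion with dcpromo. The domain name corp.example, the user jdoe, the file path and the RODC account pre-created and delegated to jdoe on a writable DC are all assumptions. Attaching to a pre-created account means the person at the branch never needs Domain Admins credentials, which is the part of the RODC design that actually lowers what the branch administrator must be trusted with; BitLocker is left for after the reboot.

```batch
@echo off
rem Added example (not from the original article): first-session configuration
rem of a Server Core 2008 host and unattended promotion to an RODC.
rem Assumptions (mine, not the article's): domain corp.example; an RODC account
rem for this host was pre-created on a writable DC and delegated to user jdoe;
rem the hostname is already set. Run from an elevated cmd.exe on the SC host.

rem 1. The settings the article notes are script-only on Server Core:
rem    automatic updates (mode 4 = download and install) and Remote Desktop.
cscript %SystemRoot%\System32\scregedit.wsf /AU 4
cscript %SystemRoot%\System32\scregedit.wsf /AR 0

rem 2. The DNS role, so the branch keeps name resolution when the WAN drops.
rem    oclist confirms the role is present afterwards.
start /w ocsetup DNS-Server-Core-Role
oclist | findstr /i "DNS-Server-Core-Role"

rem 3. The dcpromo answer file. "Password=*" makes dcpromo prompt for jdoe's
rem    password instead of reading it from the file; the DSRM password below is
rem    a placeholder and must be replaced. The file is deleted after use.
set ANSWER=%SystemRoot%\Temp\rodc.txt
(
  echo [DCInstall]
  echo ReplicaOrNewDomain=ReadOnlyReplica
  echo UseExistingAccount=Attach
  echo ReplicaDomainDNSName=corp.example
  echo InstallDNS=Yes
  echo ConfirmGc=Yes
  echo UserDomain=corp.example
  echo UserName=jdoe
  echo Password=*
  echo SafeModeAdminPassword=ChangeMe-DSRM-1
  echo RebootOnCompletion=No
) > "%ANSWER%"

rem 4. Promote. With UseExistingAccount=Attach the site, the delegated admin and
rem    the Password Replication Policy come from the pre-created account, so
rem    jdoe's own (non-Domain-Admin) credentials are enough.
dcpromo /unattend:"%ANSWER%"
del "%ANSWER%"
shutdown /r /t 0
```

RebootOnCompletion is set to No only so that the answer file can be removed before the restart; the explicit shutdown at the end does what dcpromo would otherwise do itself.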
Next, server roles. There are not only few of them, but their functionality is truncated. For example, there is no .NET Framework, so ASP.NET is out of the Web Server role. PowerShell is not available to you either, since it is built on .NET. The developers say .NET has dependencies that cannot be satisfied in Server Core, but a core edition of .NET may be published in the future.
SC installation. Only a clean installation is available: you cannot upgrade to SC from any version of WS (including full WS2008). The converse is also true: you cannot switch a Server Core installation to a standard one. Now pay attention: by installing SC, your company has spent as much money as a standard installation would cost. I have only one question: why could they not publish a separate, cheaper edition of WS2008 and call it Windows Server 2008: Server Core Edition?
Literature.
- Developer blog.
- Recording of a web conference about SC, with answers to frequently asked questions.
- WS2008 Technical Library.
- Step-by-step installation guide for SC.
- http://blogs.dirteam.com/blogs/sanderberkouwer/ , a guide to action.
- Briefly about RODC.
PS_1. This note was not written to agitate anyone for or against WS2008 in general or SC in particular. The goal is to describe the new functions and how they work. The author's personal attitude is present; there is no getting away from that. Take the controversial points as IMHO.
PS_2. I beg you not to turn the discussion of the innovations into a Windows vs. Linux comparison.
PS_3. If you found this note interesting, write which new feature you would like to read about next: NAP adoption, changes in how drivers and programs are installed, or what is new in the security scheme.