What we pay for when buying Windows Server 2008. Part 2: Server Core and RODC.
As many know, MS recently released a new server operating system, Windows Server 2008. In Russia the launch was on March 18th (that is in Moscow; in St. Petersburg it was the 19th), in the States on February 27th. A new product means new features, but I would like to know in advance what we are being offered, so as not to buy a pig in a poke. What is new in WS 2008, and what are its advantages over WS 2003? Which innovations will the user appreciate, and which will be of use to the administrator? Finally, is it worth buying a new system if everything works fine on the old one and, if so, how do you convince management to pay the bill? If I knew the answers to all these questions, I would have been living in Sochi long ago. However, I have some thoughts on the subject.
Point 2: Server Core (SC) and Read Only Domain Controller (RODC).

WS2008 has a new installation option for the system: Server Core. At MS it is called nothing less than “a very interesting thing.” I have a slightly different opinion, but I will try to describe everything impartially.
What is Server Core?

SC is a WS2008 installation option with limited functionality. The graphical shell is missing, and only the following server roles are available:

- AD (including RODC, which I will mention below)
- DHCP Server
- DNS Server
- File Services
- Print Services
- Web Server (IIS)

Not so few; for administrative purposes it is enough. Let me remind you that the standard installation of WS2008 has 16 basic roles, which is far more. Management is carried out from the command line, with scripts, or from a remote MMC console.
The concept of Server Core.

I don’t know about you, but personally I didn’t understand how to use a server with reduced functionality. According to MS, the formula for using it looks like this: SC + RODC + BitLocker = server for the branch.
Let us imagine a typical situation: a company opens a branch, or just a remote site, with several workplaces (the number, or even its order of magnitude, does not matter). You are asked to set up the local network. The miracle of the Internet and a pair of Cisco magic balls have created a single network of head and branch offices. However, you do not need the gift of foresight to understand that no Internet link, not even the most reliable one, lasts forever: sooner or later the branch will drop off your network map. No connection to the head office means no AD, no control, no DNS. A terrible picture flashes before your eyes; you exhale and decide: we will send a domain controller to the branch office. Something simpler and cheaper (whether the server will be more reliable than the link is another question). It will keep basic services running if the connection fails. Maybe the same server will also act as a router or file server. I have deliberately exaggerated the situation; however, I suspect that it is quite common in Russia. It is clear that with an intermittent or very slow link between offices, you almost always need to send a DC to the branch to maintain the domain structure. If, I emphasize, there is a need for one.

Having got rid of one problem, you have immediately created a lot of others. First, you have almost no time for maintenance: God is high above, and the server is far away. Second, you do not have physical access to the server. Third, the probability of theft is far from zero, and I think everyone understands what the theft of a domain controller can lead to. And that is not counting the anecdotal cases. This would be the place to insert a pretty video showing exactly how MS proposes to protect our poor branches. Unfortunately, in the absence of materials of an openly promotional nature, I will describe it myself.
Oddly enough, the key words here are not Server Core but Read Only Domain Controller (RODC). This is a new role that appeared in WS2008. RO controllers contain the same objects and records as regular controllers, except for account passwords. They are not intended to be modified, and regular controllers do not replicate data from the RODC. In addition, in WS2008 a user may have local administrative rights on a domain controller, which was not the case in WS2003. You can give the branch administrator full rights to maintain the server while prohibiting him from making any changes to the domain. Once again I will mention the fact that account passwords are not stored on the RODC: authentication takes place with the participation of the head office DC (writable).

Here I am somewhat surprised by the situation with the use of the cache. It is clear that when the connection is broken, the writable DC cannot provide a password at the request of the RODC; therefore, passwords must be cached, either for such a case or to minimize the traffic sent over the WAN. You must agree that it is illogical to refuse to store account settings and then cache them. Not to mention the transfer of passwords across the global network.

SC is positioned in this scheme as the carrier of the RODC. Server Core, according to the developers, once configured will not require administrator intervention in the future. In addition, the hardware requirements for the minimal installation are significantly lower than those of the standard installation. Also, the number of required updates is minimized: 60% less compared to non-SC server updates. Finally, a minimal installation means a minimum of errors and oversights.

BitLocker, as always, encrypts data. The presence of this component in the magic formula SC + RODC + BitLocker raises no questions.
Findings.

Perhaps this part should be called "personal objections." I have already written about the unclear (or merely misunderstood?) role of the RODC. I also have complaints about SC itself.

First, the very term “minimal installation” leaves you feeling that you are being laughed at as soon as you read the hardware requirements: 1GHz CPU + 512MB RAM + 3GB on the disk. And this despite the fact that there is no graphical shell. When I recall a DHCP router under Linux that fits on a floppy disk, I have tears in my eyes. On the other hand, a typical WS installation took about 15 GB of hard disk space after adding the Terminal Services role. After these numbers, 3 GB (1 GB for installation + 2 GB of free space) no longer seems like a serious requirement. In addition, MS's excuse is that the minimum requirements are set by the WS installer, and the server will also run on weaker hardware.

The next item is management. Here it is not the shell-less interface that scares me at all, but its heterogeneity. It would be fine if all administration came down to CMD. But no, some operations can be performed only by scripts, for example the configuration of automatic updates. Another example is controller deployment: dcpromo will only work with an answer file, which you are advised to create on a writable DC, where there is a full-fledged graphical interface. Make up your mind: are we giving up the graphical shell or not? Yes, of course, I understand that scripts should be seen as a continuation of the command line and not as something opposed to it. I also understand that you can create an answer file for dcpromo without using a graphical shell. But there is still a feeling of some kind of inconsistency. Again, the qualification requirements for the branch administrator go up.

Next, the server roles. Not only are there few of them, but their functionality is trimmed. For example, there is no .NET, so you will not be able to use it in Web Server. Also, PowerShell will not be available to you. The developers say that .NET has dependencies that cannot be satisfied in Server Core. However, a core edition of .NET may be released in the future.

SC installation. Only a clean installation is available: you cannot upgrade to SC from any version of WS (including WS2008). The reverse is also true: you cannot switch from a Server Core installation to a standard one. Now note: having installed SC, your company has spent as much money as a standard installation would cost. In this situation I have only one question: why was it impossible to release a separate edition of WS2008 (at a reduced price) and call it Windows Server 2008: Server Core Edition?
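An added example, not part of the original article and not Microsoft's own sample: an answer file of the kind dcpromo needs on Server Core, written by hand in a text editor. The domain, site, account and group names are assumed placeholders; the PasswordReplicationAllowed/PasswordReplicationDenied entries set which passwords the RODC is permitted to cache, and DelegatedAdmin names the branch administrator.

```ini
; Constructed sample answer file for promoting a Server Core machine to an RODC.
; Domain, site, account and group names below are placeholders (assumptions).
; Run on the Server Core console:  dcpromo /unattend:C:\rodc-answer.txt
[DCInstall]
; Add a read-only replica to an existing domain
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch-01
InstallDNS=Yes
ConfirmGc=Yes

; Credentials used for the promotion; "*" makes dcpromo prompt for the password
UserDomain=corp.example.com
UserName=promo-admin
Password=*

; Branch administrator: local admin rights on this RODC, no rights in the domain
DelegatedAdmin="CORP\branch01-admin"

; Password Replication Policy: whose passwords this RODC may cache.
; Repeat a key to list several principals; a deny entry overrides an allow entry.
PasswordReplicationAllowed="CORP\Branch01-Users"
PasswordReplicationAllowed="CORP\Branch01-Computers"
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="CORP\Denied RODC Password Replication Group"

; Directory Services Restore Mode password (placeholder, replace before use)
SafeModeAdminPassword=<DSRM-password-placeholder>

DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
RebootOnCompletion=Yes
```

Keeping the allowed list down to branch-only groups limits the passwords cached on a stolen branch server to principals the policy allows, which tells you in advance which accounts to reset.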
PS_1. This note was not written to campaign for or against WS2008 in general or SC in particular. The goal is to describe the new features and how they work. The author's personal attitude is present; there is no getting away from it. Please take the controversial points as IMHO.

PS_2. I beg you not to turn the discussion of innovations into a comparison of Windows and Linux.

PS_3. If you find this article interesting, write which new feature you would like to read about in the future. Next in line are NAP, changes in the installation of drivers and programs, and what is new in the security scheme.