Product review: Windows Server 2008 is the host with the most, and the perfect guest
Microsoft's slimmer and stronger server OS, bolstered by virtualization, networking, and security advances, is an upgrade that IT can't refuse, a 200-pound gorilla that eats commercial Linux
A standing complaint about Windows Server is its resource footprint. Those in IT take it as rote that putting any substantial services on the air with Windows Server 2003 requires lots of memory, lots of CPU, and lots of disk. I think it's safe to say that the typical x86 rack server's characteristics reflect the requirements of Windows Server. Microsoft's big OS has always been designed under the presumption that it will have a full physical server to itself.
In Windows Server 2008, Microsoft delivers a 64-bit server OS with a smaller minimum resource footprint than Windows Vista. It varies by edition; Windows Server 2008 Datacenter doesn't focus so much on shedding the pounds, but it, too, picks up the speed benefits from the slimmer Server Core, which was created to be a practically weightless virtualized guest OS. IT shops are likely to use Windows Server 2008 the same way they use Windows Server 2003 now, except that they can now run lots of independent virtual Windows Servers that scale in features and footprint across a broad range of options.
Windows Server 2008 remains a component of the Windows Server System, so Microsoft has not instituted a free lunch program. Functions like e-mail and collaboration, database, and robust edge services are add-ons that most deployments will require. But these can be placed at the host level, with virtualized guests distributing applications and services that utilize Windows Server components. In other words, one license of Exchange Server or SQL Server will stretch further than ever before.
How low it can go
I spent most of my time testing Windows Server 2008 Enterprise on an eight-core, two-socket AMD Barcelona reference server. When you align the features of the Barcelona architecture with Windows Server 2008's capabilities, you come away with the impression that AMD designed its CPU with Windows Server 2008 in mind. Having talked with Barcelona's architects, I'll bend nondisclosure just enough to say that to call Barcelona a Windows Server 2008 hardware architecture is not far-fetched.
Windows Server 2008 is built for virtualization. All SKUs up to Datacenter are tooled for what you might call "buffet" scalability. You can choose, with finer granularity than is possible under Windows Server 2003, the server features you want to run, where you want to run them, and what portion of total resources is dedicated to them. For example, Internet Information Services (IIS) 7.0 has split Web application services functionality into some 40 independently loadable plug-ins. It is similar in concept to Apache's modular approach, but IIS's approach is safer, more transparent, and much easier to manage. This is a nice fit for server roles, a feature introduced in Windows Server 2003 that provides simple on/off switches and wizards that bring up and shut down groups of services according to need. Windows Server 2008 continues Windows Server's tradition of server roles, but adds finer-grained, modular control over individual features. You can still do a blunderbuss deployment in which a Windows Server host or guest role is "all," but it is well worth IT managers' and administrators' time to learn to match server roles, and modular services within those roles, to user and application requirements. Do that, and you'll have servers that will make physical-to-virtual transitions and virtual machine relocation uncommonly easy.
One road you won't need to take to slenderize Windows Server 2008 is to run it as a 32-bit (x86) OS instead of 64-bit (x64). You've heard hype that the overhead of going to 64 bit, especially for virtual guests, is substantial enough to blow x64 off unless you know you need access to a 64-bit virtual address space (as if that knowledge were easy to come by). Dismiss this as noise. The 32-bit server OS is the HD DVD of IT, even for virtual guests. It's time to step into the future.
To put a fine point on the virtues of Windows Server 2008's trimmer physique, consider that I ran the x64 Windows Server 2008 Standard on an Apple MacBook Pro, running as a 64-bit virtual guest under VMware Fusion software virtualization for OS X. Of the MacBook Pro's 2GB of RAM, I reserved 512MB for Windows Server 2008. I made just one allowance for Windows Server 2008: I installed it on an off-board 18GB FireWire-powered hard drive. To be honest, that was for me. I wanted a blinky light that showed me how hard Windows Server 2008 was hitting the drive.
What-ux?
Seen from one perspective, Microsoft wants to reach out to and play nice with Linux. Subsystem for Unix Applications (SUA) is bundled with Windows Server 2008 Standard, Enterprise, and Datacenter, and all Windows Server 2008 SKUs can compile and run many open source and commercial x86/x64 operating systems, OS X being a notable exception. Microsoft's decision, albeit one made under legal duress, to publish its proprietary APIs and protocols should make Linux developers and users of freeware Linux distributions ecstatic.
Seen another way, Microsoft has executed Windows Server 2008 in a way that makes commercial Linux far less appealing. In those places where Linux might be seen as a good fit for its performance and small footprint, any Windows Server 2008 SKU, including the painlessly priced Windows Server 2008 Web and the Windows Server Core license that rides along with all Windows Server 2008 SKUs, all but slams the door shut on Linux in a Windows shop; Linux is just an impossible sell in Windows shops. That's not because Microsoft has exerted some evil monopolistic power over the enterprise OS market, but because Microsoft made the IT-friendly technical, licensing, and packaging decisions that leave very few gaps, if any, to fill.
Many children at your service
The Hyper-V hypervisor (currently beta, due Q3) and virtual machine management tools baked into Windows Server 2008 Standard will go a long way toward taking Microsoft server virtualization beyond a poor man's alternative to VMware. Windows Server 2008 casts off a cumbersome, high-overhead, heavyweight virtual machine manager model in favor of a wafer-thin, host-optimized hypervisor. This does not take away the substantial value that VMware, Virtual Iron, Citrix/XenSource, and other serious virtualization players add to large-scale enterprise operations that might have thousands of virtual instances running at once. But Microsoft's virtualization has three unique advantages: It costs nothing, its administration is integrated into Microsoft's other server management tools, and Windows Server 2008 is the only host OS it needs to support. In that last case, Windows shops derive a serious performance and scalability kick from the fact that Microsoft's virtualization is proprietary.
Relaxed licensing is a huge win for shops that deploy Windows Server 2008. Buy a big, fat, fast x64 server, and you can use one Windows Server license to host as many virtual guest instances as you like on that one server. Each physical server requires its own license, and Microsoft seat licenses still apply across the board, but I can see an eight-socket Opteron server easily pulling the workload of a half rack of very busy two-socket rack servers, or a full rack of similar servers with typical utilization.
Of course, Microsoft virtualization works on Intel Xeon as well, albeit with lower single-server consolidation capacity. (Lest anyone think I'm harping, I'll write about the enormous advantages that Opteron brings to Windows Server 2008 virtualization elsewhere.) Hyper-V leverages AMD and Intel hardware-accelerated virtualization to reduce the overhead of software virtualization to a minimum. I say "reduce" to cover edge cases, but for most uses, Hyper-V makes the overhead of trapping privileged instructions and swapping guest OS instance contexts in software disappear. Plus, Hyper-V is very flexible in its resource allocation, permitting guest instances the privilege of "owning" a peripheral. When you can afford this, the layers devoted to arbitrating access to a single device by multiple virtual guests are bypassed. I/O bandwidth for each virtual machine can approach native performance. This feature favors servers with lots of expansion slots. For existing servers, you can buy a PCI-Express bus extension chassis to create a bank of, say, LAN adapters to give each virtual instance its own card.
Devoting devices to guests takes away the I/O bottleneck, but it also aids availability through redundancy. A dead LAN card or host bus adapter, or a downed route, won't be felt by users or applications as long as you've put in place the network and peripheral redundancy you'd build into any enterprise plan. However, you may opt to skip some of that homework because all but catastrophic contingencies short of a whole server going up in smoke are adequately covered by Hyper-V. Continuity and load distribution architecture and management are addressed by Hyper-V's snapshot, guest instance migration, and direct access to virtual disk images for offline virtual machines.
A whole new level of manageability is enabled by what I consider to be an essential add-on to Windows Server 2008. Microsoft's System Center Virtual Machine Manager adds intelligent monitoring, provisioning, and placement of virtual machine images and workloads across your network. System Center Virtual Machine Manager is fantastic once you make the effort to wrap your mind around its concepts and the shortcomings in its user interface. I lived in System Center Virtual Machine Manager's Workgroup Edition during my testing, a $499 package that runs up to five physical servers, and I can't imagine being without it. The full System Center suite, which is scaled and licensed for enterprise use, includes Virtual Machine Manager.
Big services for small clients
Windows Server 2008 covers another flavor of virtualization in the form of Terminal Services. Terminal Services is a mainstay of Windows Server, and the big news in this release is its HTTPS tunnel, the Terminal Services Gateway. Edge security often blocks inbound access to the TCP ports that Terminal Services needs. The Terminal Services Gateway allows remote clients normally blocked by firewalls to reach Terminal Services without the hassle of a VPN, but with full security and auditing.
Terminal Services Gateway will undoubtedly get played by competitors as an exploitable backdoor, but it's a much smarter way to control user access (internal as well as external) to network services. Terminal Services Gateway requires the application of Remote Access Policies (RAP) that define and enforce the characteristics of clients permitted access to Terminal Services, and remote services in general. A client that doesn't meet RAP's health tests and policies, such as a notebook that's plugged into your network by an internal hacker, can't get in through Terminal Services or any other means. Period.
Seriously? Absolutely. BitLocker local disk encryption can be defined as an enforced remote access policy. Users like encryption for privacy, but IT will love BitLocker. It uses a client system's Trusted Platform Module (TPM) to create a file access authentication path that users cannot bypass, even if they boot from a nonencrypted drive or overwrite the boot blocks on the local drive. If policies allow users to work with local copies of sensitive files, the TPM can ensure that files are unreadable away from the network, and they can't be copied to removable media.
More to the point, if you have a lapse in security that allows a user inside the firewall to suck in a database of customer information, when they get their client home they won't be able to read the files they've stolen. All access to Windows Server 2008 is revocable at the user, client computer, or group level. To absolutely, positively terminate employees' or contractors' network access, and access to locally stored files, the administrator need only create and distribute a new certificate. This is one of many simple ways to change the locks in Windows Server 2008.
This, too, will raise the hackles of those who don't like the idea of systems that users can't control, but they should know that BitLocker and RAP do not preclude the use of other operating systems, and they can be undone by someone with administrative privileges (another reason to extend these sparingly). Used properly, RAP, TPM, and BitLocker can obviate the necessity for client-side security agents and hardware such as USB crypto keys.
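The TPM mechanism behind the BitLocker behavior described above is sealing: the disk key is wrapped so that the chip releases it only when the platform's boot measurements (its PCR values) equal the ones recorded when the key was sealed, which is how BitLocker protects its volume master key. The following is an added example written for this review, not TPM firmware or BitLocker's own code. It models a PCR extend, a measured boot, and a seal/unseal pair using SHA-256 and HMAC from Python's standard library. The boot-stage names, the "storage root key" constant, and the hash-based keystream that stands in for a real cipher are all constructed for the illustration.

```python
"""Model of TPM-style sealing: a key unwraps only when boot measurements match.

Added example for this review, not the TPM specification or BitLocker's code.
Boot stage names, the SRK constant and the keystream cipher are constructed.
"""
import hashlib
import hmac
import os

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR = SHA-256(PCR || SHA-256(measurement)). Order matters, no undo."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(stages) -> bytes:
    """Fold every boot stage into one register, starting from an all-zero PCR."""
    pcr = bytes(32)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode hash expansion; a stand-in for the cipher a real TPM would use."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def seal(secret: bytes, srk: bytes, expected_pcr: bytes) -> bytes:
    """Wrap secret so it unwraps only on this chip (srk) with this boot state (PCR)."""
    wrap_key = hmac.new(srk, b"seal|" + expected_pcr, hashlib.sha256).digest()
    nonce = os.urandom(16)                      # fresh per seal, so keystreams never repeat
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(wrap_key, nonce, len(secret))))
    tag = hmac.new(wrap_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(blob: bytes, srk: bytes, current_pcr: bytes):
    """Return the secret, or None if the chip or the measured boot state differs."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    wrap_key = hmac.new(srk, b"seal|" + current_pcr, hashlib.sha256).digest()
    expected = hmac.new(wrap_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong PCR or wrong chip -> wrong key
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(wrap_key, nonce, len(ct))))

# Constructed boot chain and chip key; real PCR contents are hashes of firmware and loaders.
TRUSTED_BOOT = [b"firmware-v1", b"bootmgr", b"winload", b"bitlocker-volume-header"]
SRK = hashlib.sha256(b"constructed storage root key, never leaves the chip").digest()

def scenario() -> dict:
    """Seal a disk key on the trusted boot path, then try to recover it four ways."""
    disk_key = os.urandom(32)                   # stands in for the key that encrypts the volume
    blob = seal(disk_key, SRK, measured_boot(TRUSTED_BOOT))
    other_chip = hashlib.sha256(b"a different machine's SRK").digest()
    patched = [b"firmware-v1", b"bootmgr-patched", b"winload", b"bitlocker-volume-header"]
    return {
        "normal_boot": unseal(blob, SRK, measured_boot(TRUSTED_BOOT)) == disk_key,
        "boot_from_other_drive": unseal(blob, SRK, measured_boot([b"firmware-v1", b"usb-loader"])) is None,
        "overwritten_boot_block": unseal(blob, SRK, measured_boot(patched)) is None,
        "disk_moved_to_other_machine": unseal(blob, other_chip, measured_boot(TRUSTED_BOOT)) is None,
    }
```

Booting from another drive or patching the boot manager changes the measurement chain, so the same blob refuses to unseal, which is the property the review describes; because the wrap key also depends on the chip's own root key, moving the disk to another machine fails the same way. Sealing protects the key at rest: once a trusted boot has released it, what a logged-in user may do with decrypted files is a matter of policy, which is where the RAP enforcement described above comes in.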
Windows Server 2008 enhances network security in other ways as well. Tunneling is implemented in several Windows network services, and can be extended to any application through socket sharing. Several applications, even applications that use different protocols, can listen on a single TCP socket. Traffic analysis routes packets to the appropriate application, and port sharing doesn't interfere with load balancing.
The potential for OS-level tunneling becomes evident when many guest OS instances are run on a single physical host. The Windows Server 2008 host acts as a gateway and load balancer. Tunneling may allow guests to share one TCP port such that one heavily monitored HTTPS socket might be the only direct access a virtual host has to the outside world. I haven't tested this to see if it's a feature in the current release, but I see this as tunneling's greatest potential use.