Don't upgrade to Windows Server 2008 R2 until you read this

The desire to have all the latest features may not require a complete server overhaul -- here's how to tell what you really need

I love the latest and greatest: Windows Server 2008 R2, Windows 7, Exchange 2010, SharePoint 2010, and the list goes on. My recommendation is to upgrade everything you have.

At least, it used to be. Now I'm not so sure. This week, I had the strangest real-world question posed my way by Jim Basa, senior network administrator for Lutheran Social Services of Minnesota. He has roughly 50 servers in multiple locations and is considering moving everything to Windows Server 2008 R2 to take advantage of the many benefits. He wanted to know if he should upgrade the Active Directory first and worry about domain controllers, or implement Windows Server 2008 R2 member servers first to take advantage of the new R2 features -- a reasonable question.

[ Read J. Peter Bruzzese's insight into Windows Server 2008 R2 in "Windows Server 2008 R2 polishes up an already sleek server OS," "Criticisms and kudos for the Active Directory Recycle Bin," and "Thumbs-up, thumbs-down: Windows Server 2008 R2 Active Directory." ]

My response caught me completely off-guard. LSS is the largest social service organization in Minnesota, with more than 2,200 employees. Considering its nonprofit status and the fact that this has been a tough economy, I couldn't help but wonder if upgrading every server was necessary or even worthwhile. So I asked Jim what features he was especially interested in using. Here are some of the features he liked, along with some of the ones I personally see as valuable:

  • AppLocker: This is a new feature in Windows 7 and Windows Server 2008 R2 that replaces Software Restriction Policies. This features provides the ability to control how (or if) users can access .exe files, scripts, .msi files, and DLLs. You essentially define rules that can be assigned to users or security groups that are based on an applications digital signature, including the publisher, product name, file name, and/or file version. And the good news is that AppLocker's Group Policy foundation requires no upgrade of domain controllers. Existing Windows Server 2003 and 2008 servers can host AppLocker policies.
  • BranchCache: Implemented in either a distributed cache or hosted cache format, this feature allows branch offices to reduce the amount of excessive WAN bandwidth usage by providing a copy of the data accessed locally. The first time a user in the branch office initially accesses intranet or file servers, that data is either cached on the user's machine (in a distributed cache solution) or on a server (which must be running Windows Server 2008 R2, although it can run just the Windows Server Core version). Once again, the good news is that BranchCache can run on an R2 Member Windows Server, so no need to upgrade your domain controllers for this feature either.
  • DirectAccess: This new Windows 7/Windows Server 2008 R2 feature allows users to connect to their corporate network from anywhere at any time (as long as they have an Internet connection) without connection to a VPN. Yet again, this is a feature that doesn't require R2 Active Directory Domain Services. You do need at least one domain controller running Windows Server 2008 or later.

And there are a host of others that you may be thinking about implementing, including Hyper-V R2, IIS 7.5, scalability, and management features. The majority of these features do not require you to upgrade your domain controllers.

You might be thinking, "What about new Active Directory features!? I want those features!" Well, then yes, that may require one or all domain controllers be Windows Server 2008 R2 versions.

  • Active Directory Administrative Center: Built on PowerShell, this is a new administrative console that you can use rather than the typical Active Directory Users, Computers, and so forth. While it will not install on computers running Windows Server 2003 or 2008 R1, it can be installed on Windows 7 and/or Windows Server 2008 R2. But the caveat is that you must have at least one Windows Server 2008 R2 domain controller in your domain.
  • Active Directory Module for PowerShell: This provides command-line scripting for a host of administrative, configuration, and diagnostic tasks. Initially, this worked only if you had an R2 domain controller, but now you can install the free Active Directory Management Gateway Service (ADMGS) from Microsoft. There are versions for Windows Server 2003 and Windows Server 2008, although you still need Windows Server 2008 R2 (or Windows 7) to access the service.
  • Active Directory Best Practices Analyzer: This new management tool collects information about your existing domain and provides areas where best practices can be implemented to improve your Active Directory environment. The caveat again is the requirement to have at least one R2 domain controller for this to work.
  • Active Directory Recycle Bin: This provides the ability to undelete an object that has accidentally been deleted. This tool has to be turned on to function, is not GUI-friendly, and requires all domain controllers be running Windows Server 2008 R2 with the forest functional level raised to R2. All that extra work and money for one little tool -- and oddly, you can use a free tool called Active DirectoryRecycleBin provided by Overall Solutions that works on R2 and earlier domains, so you don't need R2 domain controllers at all to have this restore functionality.

There are other features you may want to consider with Active Directory in R2, and they may or may not require R2 domain controllers. From what Microsoft says regarding features of domain or forest level in Windows Server 2008 R2, it looks like the following are the requirements:

  • Domain level: Includes all the features of the legacy levels (2000/2003/2008 features) with authentication mechanism assurance and automatic SPN management for services included.
  • Forest level: Includes all the features of the legacy levels (2000/2003/2008 features) with the Active Directory Recycle Bin feature.

So what did Jim decide? Will he still go forward with the complete upgrade of all servers (both domain controllers and Member Windows Servers)? Or will he put in place only the servers he needs to add new features? Obviously in tough times such as these, especially as a nonprofit, good financial decisions and spending funds wisely take precedence over simply having the latest and greatest. Jim knows that all too well.

The question is, What would you do?

This story, "Don't upgrade to Windows Server 2008 R2 until you read this," was originally published at Follow the latest developments in Windows and Windows Server at

Copyright © 2009 IDG Communications, Inc.

How to choose a low-code development platform