Chapter 5: Managing Server Roles


Now that you’ve seen some of the tools you can use to manage Microsoft Windows Server 2008, let’s give them a test drive. Key to managing Windows Server 2008 is understanding the difference between roles, role services, and features. This chapter starts by explaining these differences and then looks at how you can add or remove roles from Windows Server 2008 using some of the tools discussed in the previous chapter.

Understanding Roles, Role Services, and Features

A server role (or simply role) is a specific function that your server performs on your network. Examples of roles you can deploy on Windows Server 2008 include File Server, Print Services, Terminal Services, and so on. Many of these roles will be familiar to administrators who work with Windows Server 2003 R2, but a few are new, such as Windows Deployment Services (WDS) and Network Policy and Access Services (NAP/NPS).

Most server roles are supported by one or more role services, which provide different kinds of functionality to that role. A good example here is the File Server role, which is supported by the following role services:

  • Distributed File System (DFS)

  • File Server Resource Manager (FSRM)

  • Services for Network File System (NFS)

  • Single Instance Store (SIS)

  • Windows Search Service

  • Windows Server 2003 File Services

These role services are optional for the File Server role and can be added to provide enhanced functionality for that role. For example, by adding the File Server Resource Manager role service, you gain access to a console (fsrm.msc) that lets you configure file and volume quotas, implement file screens, and generate reports. The File Server Resource Manager console was first included in Windows Server 2003 R2, and it has basically the same functionality in Windows Server 2008 as it did on the previous platform. We’ll look at how to install this tool later in this chapter.

Note also that some role services are supported by additional role services. For example, the Distributed File System role service is supported by these two other services:

  • DFS Namespace

  • DFS Replication

When you choose to install the Distributed File System, Windows Server 2008 automatically selects both of these other services for installation as well, though you can choose to deselect either one of these services if it is not needed on your server.

Finally, in addition to roles and role services, there are things called features that you can install on Windows Server 2008. Features are usually optional, although some roles might require that certain features be installed, in which case you’ll be prompted to install these features if they’re not already installed when you add the role. Optional features are usually Windows services or groups of services that provide additional functionality you might need on your server. Examples of features range from foundational components such as the .NET Framework 3.0 (which contains some sub-features also) to management essentials such as the Remote Server Administration Tools (which we talked about in Chapter 4, “Managing Windows Server 2008”) to legacy roles such as the WINS Server (yes it’s still around if you need it) to Failover Clustering (clustering is a feature, not a role; see Chapter 9, “Clustering Enhancements,” to find out why) and lots of other stuff.

In a moment, we’ll look at how to add (install) roles, role services, and features. But first let’s summarize what’s on the menu.

Available Roles and Role Services

First let’s look at a list of the different roles you can install on Windows Server 2008, along with brief descriptions of what these roles do and which optional role services are available for each role. We’ll list these server roles in alphabetical order together with the various role services available to (or needed by) each role.

Note that some role services might be required for a particular role, while other services are optional and should be added only if their functionality is required. The cool thing about Windows Server 2008 is that so little functionality is installed by default. This is intentional, as it increases the security of the platform. For example, if the DHCP Server role is not installed, the bits for the DHCP Server service are not present, which means the server can’t be compromised by malware attempting to access the server on UDP port 67 or attempting to compromise the DHCP Server service. For even greater protection, a Windows server core installation has even less functionality by default than a full installation of Windows Server 2008, and also has a more limited set of roles you can install. See Chapter 6, “Windows Server Core,” for more details.
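The following is an added example, not code from the book or from Microsoft: it audits a server's role inventory against an approved baseline, so that anything installed beyond what the server's job requires is flagged as extra attack surface. The listing layout is an assumption modelled on the output of ServerManagerCmd.exe -query; the sample inventory, its identifiers, and the baseline are constructed for illustration.

```python
import re

# Constructed sample inventory (not captured from a real server). The layout
# ("[X]" or "[ ]", display name, identifier in brackets, indentation for role
# services) is an assumption modelled on "ServerManagerCmd.exe -query" output.
SAMPLE_QUERY_OUTPUT = """\
----- Roles -----
[ ] Active Directory Certificate Services  [AD-Certificate]
    [ ] Certification Authority  [ADCS-Cert-Authority]
[X] DHCP Server  [DHCP]
[X] File Services  [File-Services]
    [X] Distributed File System  [FS-DFS]
        [X] DFS Namespace  [FS-DFS-Namespace]
        [ ] DFS Replication  [FS-DFS-Replication]
    [X] File Server Resource Manager  [FS-Resource-Manager]
[ ] Print Services  [Print-Services]
----- Features -----
[X] .NET Framework 3.0 Features  [NET-Framework]
[ ] WINS Server  [WINS-Server]
"""

# Hypothetical approved baseline for a server whose only job is DFS.
APPROVED_BASELINE = {
    "File-Services", "FS-DFS", "FS-DFS-Namespace", "FS-DFS-Replication",
}

# Exposure notes shown next to findings. Only the DHCP entry is taken from
# the chapter text; add others from your own port documentation.
EXPOSURE_NOTES = {"DHCP": "listens on UDP port 67"}

SECTION_RE = re.compile(r"^-+\s*(?P<section>[^-]+?)\s*-+$")
ENTRY_RE = re.compile(
    r"^(?P<indent>\s*)\[(?P<mark>[ Xx])\]\s+(?P<name>.+?)\s+\[(?P<id>[^\]\s]+)\]\s*$"
)


def parse_inventory(text, indent_width=4):
    """Return one dict per listed item with its ancestry and installed flag."""
    entries, section, stack = [], None, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        header = SECTION_RE.match(raw.strip())
        if header:
            section, stack = header.group("section"), []
            continue
        m = ENTRY_RE.match(raw)
        if m is None:
            # Fail closed: an unparsed line could hide an installed role.
            raise ValueError(f"line {line_no}: unrecognised line: {raw!r}")
        depth = len(m.group("indent").expandtabs(indent_width)) // indent_width
        del stack[depth:]              # drop siblings and deeper ancestors
        stack.append(m.group("name"))
        entries.append({
            "section": section,
            "id": m.group("id"),
            "path": " > ".join(stack),  # role > role service > subcomponent
            "installed": m.group("mark") in "Xx",
        })
    return entries


def audit(entries, baseline):
    """Compare installed items with the approved baseline."""
    installed = {e["id"]: e for e in entries if e["installed"]}
    listed = {e["id"] for e in entries}
    unexpected = [
        {
            "id": item_id,
            "section": installed[item_id]["section"],
            "path": installed[item_id]["path"],
            "exposure": EXPOSURE_NOTES.get(item_id),
        }
        for item_id in sorted(set(installed) - baseline)
    ]
    return {
        # Installed but not approved: candidates for removal.
        "unexpected": unexpected,
        # Approved and known to the server, but not installed.
        "missing": sorted((baseline & listed) - set(installed)),
        # Baseline entries the server does not list at all (typo or drift).
        "unknown_in_baseline": sorted(baseline - listed),
    }


if __name__ == "__main__":
    report = audit(parse_inventory(SAMPLE_QUERY_OUTPUT), APPROVED_BASELINE)
    for finding in report["unexpected"]:
        note = f" ({finding['exposure']})" if finding["exposure"] else ""
        print(f"UNEXPECTED [{finding['section']}] {finding['path']}{note}")
    for item_id in report["missing"]:
        print(f"MISSING    {item_id}")
    for item_id in report["unknown_in_baseline"]:
        print(f"UNKNOWN    {item_id}")
```

Run against the constructed sample, the audit reports the DHCP Server role, the File Server Resource Manager role service, and the .NET Framework 3.0 feature as unapproved, and DFS Replication as approved but absent.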

Anyway, let’s look now at each available role you can install, together with its role services.

Active Directory Certificate Services

Active Directory Certificate Services enables creation and management of digital certificates for users, computers, and organizations as part of a public key infrastructure. The following role services are available when you install this role:

  • Certification Authority Certification Authority (CA) issues and manages digital certificates for users, computers, and organizations. Multiple CAs can be linked to form a public key infrastructure.

  • Certification Authority Web Enrollment Web Enrollment allows you to request certificates, retrieve certificate revocation lists, and perform smart card certificate enrollment using a Web browser.

  • Online Certificate Status Protocol Online Certificate Status Protocol (OCSP) Support enables clients to determine certificate revocation status using OCSP as an alternative to using certificate revocation lists.

  • Microsoft Simple Certificate Enrollment Protocol Microsoft Simple Certificate Enrollment Protocol (MSCEP) Support allows routers and other network devices to obtain certificates.

For more information concerning the Active Directory Certificate Services role, see Chapter 7, “Active Directory Enhancements.”

Active Directory Domain Services

Active Directory Domain Services (AD DS) stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to give network users access to permitted resources anywhere on the network. The following role services are available when you install this role (note that the Identity Management for UNIX role service is not available for installation until after you have installed the Active Directory Domain Controller role service):

  • Active Directory Domain Controller Active Directory Domain Controller enables a server to store directory data and manage communication between users and domains, including user logon processes, authentication, and directory searches.

  • Identity Management for UNIX Identity Management for UNIX integrates computers running Windows into an existing UNIX environment and has the following subcomponents.

    • Server for Network Information Service Integrates Windows and NIS networks by exporting NIS domain maps to Active Directory entries, giving an Active Directory domain controller the ability to act as a master NIS server.

    • Password Synchronization Automatically changes a user password on the UNIX network when the user changes his or her Windows password, and vice versa. This allows users to maintain just one password for both networks.

    • Administration Tools Used for administering this feature.

For more information concerning the Active Directory Domain Services role, see Chapter 7.

Active Directory Federation Services

Active Directory Federation Services (AD FS) provides simplified, secured identity federation and Web single sign-on (SSO). The following role services are available when you install this role:

  • Federation Service Federation Service provides security tokens to client applications in response to requests for access to resources.

  • Federation Service Proxy Federation Service Proxy collects user credentials from browser clients and Web applications and forwards the credentials to the federation service on their behalf.

  • AD FS Web Agents AD FS Web Agents validate security tokens and allow authenticated access to Web resources from browser clients and Web applications. There are two types of agents you can install:

    • Claims-Aware Agent Enables authentication for applications that use claims directly for authentication.

    • Windows Token-Based Agent Enables authentication for applications that use traditional Windows security token-based authentication.

For more information concerning the Active Directory Federation Services role, see Chapter 7.

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) provides a store for application-specific data. For more information concerning this role, see Chapter 7.

Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS) helps protect information from unauthorized use. AD RMS includes a certification service that establishes the identity of users, a licensing service that provides authorized users with licenses for protected information, and a logging service to monitor and troubleshoot AD RMS. Note that the server must be joined to a domain before you can install this role on it. The following role services are available when you install this role:

  • Active Directory Rights Management Server Rights Management Server helps protect information from unauthorized use.

  • Identity Federation Support AD RMS can use an existing federated trust relationship between your organization and another organization to establish user identities and provide access to protected information created by either organization. For example, a trust established by Active Directory Federation Services can be used to establish user identities for AD RMS.

For more information concerning the Active Directory Rights Management Services role, see Chapter 7.

Application Server

Application Server supports running distributed applications, such as those built with the Windows Communication Foundation or COM+. The following role services are available when you install this role:

  • Application Server Core Application Server Core provides technologies for deploying and managing .NET Framework 3.0 applications.

  • Web Server (IIS) Support Web Server (IIS) Support enables Application Server to host internal or external Web sites and Web services that communicate over HTTP.

  • COM+ Network Access COM+ Network Access enables Application Server to host and allow remote invocation of applications built with COM+ or Enterprise Services components.

  • TCP Port Sharing TCP Port Sharing allows multiple net.tcp applications to share a single TCP port so that they can exist on the same physical computer in separate, isolated processes while sharing the network infrastructure required to send and receive traffic over a TCP port such as port 80.

  • Windows Process Activation Service Support Windows Process Activation Service Support enables Application Server to invoke applications remotely over the network using protocols such as HTTP, Message Queuing, TCP, and named pipes. Subcomponents of this role service include:

    • HTTP Activation Supports process activation via HTTP.

    • Message Queuing Activation Supports process activation via Message Queuing.

    • TCP Activation Supports process activation via TCP.

    • Named Pipes Activation Supports process activation via named pipes.

  • Distributed Transactions Distributed Transactions provides services that help ensure complete and successful transactions over multiple databases hosted on multiple computers on the network. Subcomponents of this role service include:

    • Incoming Remote Transactions Provides distributed transaction support for applications that enlist in remote transactions.

    • Outgoing Remote Transactions Provides distributed transaction support for propagating transactions that an application generates.

    • WS-Atomic Transactions Provides distributed transaction support for applications that use two-phase commit transactions with exchanges based upon the Simple Object Access Protocol (SOAP).

Note that installing this server role also requires that you install the Windows Process Activation Service (WPAS) and .NET Framework 3.0 features, together with some of their subcomponents.

For more information concerning the Application Server role, see Chapter 12, “Other Features and Enhancements.”

DHCP Server

Dynamic Host Configuration Protocol (DHCP) Server enables the central provisioning, configuration, and management of temporary IP addresses and related information for client computers. For more information concerning this role, see Chapter 12.

DNS Server

Domain Name System (DNS) Server translates domain and computer DNS names to IP addresses. DNS is easier to manage when it is installed on the same server as Active Directory Domain Services. If you select the Active Directory Domain Services role, you can install and configure DNS Server and Active Directory Domain Services to work together. For more information concerning this role, see Chapter 7.

Fax Server

Fax Server sends and receives faxes and allows you to manage fax resources such as jobs, settings, reports, and fax devices on this computer or on the network. For more information concerning this role, see Chapter 12.

File Services

File Services provides technologies for storage management, file replication, distributed namespace management, fast file searching, and streamlined client access to files. The following role services are available when you install this role:

  • Distributed File System Distributed File System (DFS) provides tools and services for DFS Namespace and DFS Replication. Subcomponents of this role service include:

    • DFS Namespace Aggregates the files from multiple file servers into a single, global namespace for users.

    • DFS Replication Enables configuration, management, monitoring, and replication of large quantities of data over the WAN in a scalable and highly efficient manner.

  • File Server Resource Manager File Server Resource Manager (FSRM) generates storage reports, configures quotas, and defines file-screening policies.

  • Services for Network File System Services for Network File System (NFS) permits UNIX clients to access files on a server running a Windows operating system.

  • Single Instance Store Single Instance Store (SIS) reduces the amount of storage required on your server by consolidating files that have the same content into one master copy.

  • Windows Search Service Windows Search Engine enables fast file searches on this server from Windows Search-compatible clients.

  • Windows Server 2003 File Services Provides file services for Windows Server 2003. Subcomponents of this role service include:

    • File Replication Service (FRS) Supports legacy distributed file environments. If you’re running your server in an environment with Windows 2003 replication and you want to use this server to support that, select this option. If you want to enable the latest replication technology, select DFS Replication instead.

    • Indexing Service Catalogs contents and properties of files on local and remote computers, and provides rapid access to files through a flexible query language.

For more information concerning the File Services role, see Chapter 12.

Network Policy and Access Services

Network Access Services provides support for routing LAN and WAN network traffic, creating and enforcing network access policies, and accessing network resources over VPN and dial-up connections. The following role services are available when you install this role:

  • Network Policy Server Network Policy Server (NPS) creates and enforces organization-wide network access policies for client health, connection request authentication, and network authorization. In addition, you can use NPS as a RADIUS proxy to forward connection requests to NPS or other RADIUS servers that you configure in remote RADIUS server groups.

  • Routing and Remote Access Services Routing and Remote Access Services (RRAS) provide remote users access to resources on your private network over virtual private network (VPN) or dial-up connections. Servers configured with Routing and Remote Access Services can provide LAN and WAN routing services to connect network segments within a small office or to connect two private networks over the Internet. Subcomponents of this role service include:

    • Remote Access Service Enables remote or mobile workers to access private office networks through VPN or dial-up connections.

    • Routing Provides support for NAT Routers, LAN Routers running RIP, and multicast-capable routers (IGMP Proxy).

  • Health Registration Authority Health Registration Authority validates client requests for health certificates used in Network Access Protection.

  • Host Credential Authorization Protocol Host Credential Authorization Protocol (HCAP) behaves as a connection point between Cisco Access Control Server and the Microsoft Network Policy Server, allowing the Microsoft Network Policy Server to validate the machine’s posture in a Cisco 802.1X environment.

For more information concerning the Network Access Services role, see Chapter 10, “Network Access Protection.”

Print Services

Print Services manages and provides access to network printers and printer drivers. The following role services are available when you install this role:

  • Print Server Print Server manages and provides access to network printers and printer drivers.

  • Internet Printing Internet Printing enables Web-based printer management and allows printing to shared printers via HTTP.

  • LPD Service Line Printer Daemon (LPD) Service provides print services for UNIX-based computers.

For more information concerning the Print Services role, see Chapter 12.

Terminal Services

Terminal Services provides technologies that enable access to a server running Windows-based programs or the full Windows desktop. Users can connect to a terminal server to run programs, save files, and use network resources on that server. The following role services are available when you install this role:

  • Terminal Server Terminal Server enables sharing of Windows-based programs or the full Windows desktop. Users can connect to a terminal server to run programs, save files, and use network resources on that server.

  • TS Licensing TS Licensing manages the Terminal Server client access licenses (TS CALs) that are required to connect to a terminal server. You use TS Licensing to install, issue, and monitor the availability of TS CALs.

  • TS Session Broker TS Session Broker supports reconnection to an existing session on a terminal server that is a member of a load-balanced TS farm.

  • TS Gateway TS Gateway provides access to Terminal Servers inside a corporate network from the outside via HTTP.

  • TS Web Access TS Web Access provides access to Terminal Servers via the Web.

For more information concerning the Terminal Services role, see Chapter 8, “Terminal Services Enhancements.”

UDDI Services

Universal Description, Discovery, and Integration (UDDI) Services organizes and catalogs Web services and other programmatic resources. A UDDI Services site consists of a UDDI Web Application connected to a UDDI Database. The following role services are available when you install this role:

  • UDDI Services Database UDDI Database provides a store for the UDDI Services catalog and configuration data.

  • UDDI Services Web Application UDDI Web Application provides a Web site where users and Web applications can search and discover Web services in the UDDI Services catalog.

Web Server (IIS)

Web Server provides a reliable, manageable, and scalable Web application infrastructure. Because this particular role has a whole lot of role services you can optionally enable, let’s start with the three main ones and then examine additional services that depend on these three services:

  • Web Server Internet Information Services provides support for HTML Web sites and, optionally, support for ASP.NET, classic ASP, and Web server extensions.

  • Management Tools Web Server Management Tools enable administration of Web servers and Web sites.

  • FTP Publishing Service File Transfer Protocol (FTP) Publishing Service provides support for hosting and managing FTP sites.

Now let’s take a closer look at each of these role services with their optional subcomponents.

Web Server Role Service

When you choose to install the Web Server role service, the following subcomponents are available for installation as well:

  • Common HTTP Features Common HTTP Features provides support for static Web server content such as HTML and image files. Subcomponents of this role service include:

    • Static Content Serves .htm, .html, and image files from a Web site.

    • Default Document Permits a specified default file to be loaded when users do not specify a file in a request URL.

    • Directory Browsing Allows clients to see the contents of a directory hosted on a Web site.

    • HTTP Errors Allows you to customize the error messages returned to clients.

    • HTTP Redirection Provides support to redirect client requests to a specific destination.

  • Application Development Web Application Support provides infrastructure for hosting applications developed using ASP.NET, classic ASP, CGI, and ISAPI extensions. Subcomponents of this role service include:

    • ASP.NET Hosts .NET Web applications built using ASP.NET.

    • .NET Extensibility Provides support for hosting .NET Framework managed module extensions.

    • Active Server Pages (ASP) Provides support for hosting traditional Web applications built using ASP.

    • Common Gateway Interface (CGI) Provides support for executing scripts such as Perl and Python.

    • Internet Server Application Programming Interface (ISAPI) Extensions Provides support for developing dynamic Web content using ISAPI extensions. An ISAPI extension runs when requested just like any other static HTML file or dynamic ASP file.

    • Internet Server Application Programming Interface (ISAPI) Filters Provides support for Web applications developed using ISAPI filters. ISAPI filters are files that can be used to modify and enhance the functionality provided by IIS.

    • Server Side Includes Serves .stm, .shtm, and .shtml files from a Web site.

  • Health and Diagnostics Health and Diagnostics enables you to monitor and manage server, site, and application health. Subcomponents of this role service include:

    • HTTP Logging Enables logging of Web site activity on this server.

    • Logging Tools Enables you to manage Web activity logs and automate common logging tasks.

    • Request Monitor Shows server, site, and application health.

    • Tracing Enables tracing for ASP.NET applications and failed requests.

    • Custom Logging Enables support for custom logging for Web servers, sites, and applications.

    • ODBC Logging Enables support for logging to an ODBC-compliant database.

  • Security Security Services provides support for securing servers, sites, applications, virtual directories, and files. Subcomponents of this role service include:

    • Basic Authentication Provides support for requiring a valid Windows user name and password to connect to resources.

    • Windows Authentication Provides support for authenticating clients using NTLM or Kerberos authentication.

    • Digest Authentication Provides support for authenticating clients by sending a password hash to a Windows domain controller.

    • Client Certificate Mapping Authentication Provides support for authenticating client certificates with Directory Service accounts.

    • IIS Client Certificate Mapping Authentication Provides support for mapping client certificates to a Windows user account.

    • URL Authorization Provides support for authorizing client access to the URLs that compose a Web application.

    • Request Filtering Provides support for configuring rules to block selected client requests.

    • IP and Domain Restrictions Provide support for allowing or denying content access based on IP address or domain name.

  • Performance Performance Services compress content before returning it to a client. Subcomponents of this role service include:

    • Static Content Compression Compresses static content before returning it to a client.

    • Dynamic Content Compression Compresses dynamic content before returning it to a client.

Management Tools

When you choose to install the Management Tools role service, the following subcomponents are available for installation as well:

  • IIS Management Console IIS Management Console enables local and remote administration of Web servers using a Web-based management console.

  • IIS Management Scripts and Tools IIS Management Scripts and Tools enables managing Web servers from the command line and automating common administrative tasks.

  • Management Service Management Service allows this Web server to be managed remotely from another computer using the Web Server Management Console.

  • IIS 6 Management Compatibility IIS 6 Management Compatibility allows you to use existing IIS 6 interfaces and scripts to manage this IIS 7 Web server. Subcomponents of this role service include:

    • IIS 6 Metabase Compatibility Translates IIS 6 metabase changes to the new IIS 7 configuration store.

    • IIS 6 WMI Compatibility Provides support for IIS 6 WMI scripting interfaces.

    • IIS 6 Scripting Tools Streamlines common administrative tasks for IIS 6 Web servers.

    • IIS 6 Management Console Provides support for administering remote IIS 6 Web servers from this computer.

FTP Publishing Service

When you choose to install the FTP Publishing Service role service, the following subcomponents are available for installation as well:

  • FTP Server File Transfer Protocol (FTP) Server provides support for hosting FTP sites and transferring files using FTP.

  • FTP Management Console File Transfer Protocol (FTP) Management Console enables administration of local and remote FTP servers.

Note that adding the Web Server (IIS) role requires that you also add the Windows Process Activation Service (WPAS) feature together with these three subcomponents of this feature:

  • Process Model

  • .NET Environment

  • Configuration APIs

For more information concerning this role, see Chapter 11, “Internet Information Services 7.0.”

Windows Deployment Services

Windows Deployment Services (WDS) provides a simplified, secure means of rapidly deploying Windows to computers via network-based installation, without the administrator visiting each computer directly or installing Windows from physical media.

  • Deployment Server Deployment Server provides the full functionality of WDS, which you can use to configure and remotely install Windows operating systems. With Windows Deployment Server, you can create and customize images and then use them to reimage computers. Deployment Server is dependent on the core parts of Transport Server.

  • Transport Server Transport Server provides a subset of the functionality of WDS services. It contains only the core networking parts, which you can use to transmit data using multicasting on a standalone server. You should use this role service if you want to transmit data using multicasting but do not want to implement all of WDS services.

For more information concerning the Windows Deployment Services role, see Chapter 12.

Windows SharePoint Services

Windows SharePoint Services helps organizations increase productivity by creating Web sites where users can collaborate on documents, tasks, and events and easily share contacts and other information. Note that installing this server role also requires that you install the Web Server role and some of its role services, and also the Windows Process Activation Service (WPAS) and .NET Framework 3.0 features together with some of their subcomponents.

Remember, of course, that this book is based on a prerelease version (Beta 3) of Windows Server 2008, so there might be changes to the aforementioned list of roles and role services in RTM.

Available Features

Now that we’ve summarized the various roles and role services you can install on Windows Server 2008, let’s examine the different features you can install. Once we’ve done this, we’ll look at how to add roles, role services, and features on a server.

.NET Framework 3.0

Microsoft .NET Framework 3.0 combines the power of the .NET Framework 2.0 APIs with new technologies for building applications that offer appealing user interfaces, protect your customers’ personal identity information, enable seamless and secure communication, and provide the ability to model a range of business processes. The following are subcomponents of this feature:

  • .NET Framework 3.0 Features Microsoft .NET Framework 3.0 combines the power of the .NET Framework 2.0 APIs with new technologies for building applications that offer appealing user interfaces, protect your customers’ personal identity information, enable seamless and secure communication, and provide the ability to model a range of business processes.

  • XPS Viewer An XML Paper Specification (XPS) document is electronic paper that provides a high-fidelity reading and printing experience. The XPS Viewer allows for the viewing, signing, and protecting of XPS documents.

  • Windows Communication Foundation Activation Components Windows Communication Foundation (WCF) Activation Components use Windows Process Activation Service (WPAS) Support to invoke applications remotely over the network. It does this by using protocols such as HTTP, Message Queuing, TCP, and named pipes. Consequently, applications can start and stop dynamically in response to incoming work items, resulting in application hosting that is more robust, manageable, and efficient. Subcomponents of this component include:

    • HTTP Activation Supports process activation via HTTP. Applications that use HTTP Activation can start and stop dynamically in response to work items that arrive over the network via HTTP.

    • Non-HTTP Activation Supports process activation via Message Queuing, TCP, and named pipes. Applications that use Non-HTTP Activation can start and stop dynamically in response to work items that arrive over the network via Message Queuing, TCP, and named pipes.

Before we continue our look at the various optional features we can install on Windows Server 2008, let’s pause a moment and dig deeper into the improvements of the feature we just mentioned, namely the .NET Framework 3.0. Let’s hear what an expert at Microsoft has to say concerning this:

From the Experts: .NET Framework 101

The .NET Framework is an application development and execution environment that includes programming languages and libraries designed to work together to create Windows client and Internet-based applications that are easier to build, manage, deploy, and integrate with other networked systems. The .NET Framework 3.0 is installed by default on Windows Vista. On Microsoft Windows Server 2008, you can install the .NET Framework 3.0 as a Windows feature using the Roles Management tools.

The .NET Framework is composed of several abstraction layers. At the bottom is the common language runtime (CLR). The CLR contains a set of components that implement language integration, garbage collection, security, and memory management. Programs written for the .NET Framework execute in a software environment that manages the program’s runtime requirements. The CLR provides the appearance of an application virtual machine so that programmers don’t have to consider the capabilities of the specific CPU that will execute the program. The CLR also provides other important services, such as security mechanisms, memory management, and exception handling.

At runtime, the output of application code compiled within the CLR is Microsoft Intermediate Language (MIL). MIL is a language-neutral byte code that operates within the managed environment of the CLR. For developers, the CLR provides lifetime management services and structured exception handling. An object’s lifetime within the .NET Framework is determined by the garbage collector (GC), which is responsible for checking every object to evaluate and determine its current status. The GC traverses the memory tree, and any objects that it encounters are marked as alive. During a second pass, any object not marked is destroyed and the associated resources are freed. Finally, to prevent memory fragmentation and increase application performance, the entire memory heap is compacted. This process automatically prevents memory leaks and ensures that developers don’t have to write code that deals with low-level system resources.

On top of the CLR is a layer of class libraries that contain the interface and classes that are used within the framework abstraction layers. This Base Class Library (BCL) is a set of interfaces that define things such as data types, data access, and I/O methods. The BCL is then inherited into the upper layers to provide services for Windows, Web Forms, and Web Services. For example, all the base controls that are used to design forms are inherited from classes that are defined within the BCL. At the core of the BCL are the XML enablement classes that are inherited and used within the entire framework and provide a variety of additional services that include data access. Layered on top of the data access and XML layers and inheriting all of their features is the visual presentation layer of Windows Forms and Web Forms.

Residing at the top level of the .NET Framework is the Common Language Specification (CLS), which provides the basic set of language features. The CLS is responsible for defining a subset of the common type system that provides a set of rules that define how language types are declared, managed, and used in the runtime environment. This ensures language interoperability by defining a set of feature requirements that are common in all languages. Because of this, any language that exposes CLS interfaces is guaranteed to be accessible from any other language that supports the CLS. This layer is responsible for guaranteeing that the Framework is language agnostic for any CLS-compliant language. For example, both Microsoft Visual Basic .NET and C# are CLS compliant and therefore interoperable.

.NET Framework 3.0 is an extension of the existing .NET Framework 2.0 CLR and runtime environment. Designed to leverage the extensibility of the .NET Framework 2.0, it contains several new features but no breaking changes to existing applications.

Windows CardSpace (CardSpace)

Windows CardSpace is a new feature of Microsoft Windows and the .NET Framework 3.0 that enables application users to safely manage and control the exchange of their personal information online. By design, Windows CardSpace puts the user at the center of controlling his online identities. Windows CardSpace simplifies the online experience by allowing users to identify themselves. Users do this by submitting cryptographically strong information tokens rather than having to remember and manually type their details into Web sites. This approach leverages what is known as an identity selector: when a user needs to authenticate to a Web site, CardSpace provides a special security-hardened UI with a set of information “cards” for the user to choose from.

CardSpace visually represents a user’s identity information as an information card. Each information card is controlled by the user and represents one or more claims about their identity. Claims are a set of named values that the issuer of the information card asserts is related to a particular individual. Windows CardSpace supports two types of information cards: personal cards and managed cards. Personal cards are created by the user, and managed cards are obtained from trusted third parties such as the user’s bank, employer, insurance company, hotel chain, and so on. To protect any type of personal information, all information cards are stored on the local computer in a secure encrypted store that is unique to the user login. Each file is encrypted twice to prevent malicious access. Managed cards provide an additional layer of protection, as no personal data is stored on the user’s machine; instead, it is stored by a trusted provider like your bank or credit card provider and is released only as an encrypted and signed token on demand.

Windows Presentation Foundation (WPF)

Windows Presentation Foundation (WPF) is the next-generation presentation subsystem for Windows. It provides developers and designers with a unified programming model for building rich Windows smart client user experiences that incorporate UI, media, and documents. WPF is designed to build applications for client-side application development and provide either a richer Windows Forms application or a Rich Internet Application (RIA) that is designed to run on the application client workstation.

Windows Workflow Foundation

Windows Workflow Foundation (WF) is a part of the .NET Framework 3.0 that enables developers to create workflow-enabled applications. Activities are the building blocks of workflow. They are a unit of work that needs to be executed. They can be created by either using code or composing them from other activities.

Microsoft Visual Studio contains a set of activities that mainly provide structure, such as parallel execution, if/else, and call Web service. Visual Studio also contains the Workflow Designer that allows for the graphical composition of workflows by placing activities within the workflow model. For developers, this feature of the designer can be rehosted within any Windows Forms or ASP.NET application. WF also contains a rules engine. This engine enables declarative, rule-based development for workflows and any .NET application to use.

Finally, there is the Workflow Runtime. This is a lightweight and extensible engine that executes the activities that make up a workflow. The runtime is hosted within any .NET process, enabling developers to bring workflow to anything from a Windows Forms application to an ASP.NET Web site or a Windows Service. WF provides a common UI and API for application developers and is used within Microsoft’s own products, such as SharePoint Portal Server 2007.

Windows Communication Foundation

Modern distributed systems are based on the principles of Service Oriented Architecture (SOA). This type of application architecture is based on loosely coupled and interoperable services. The global acceptance of Web Services has changed how these application components are defined and built. The widespread acceptance has been fueled by vendor agreements on standards and proven interoperability. This combination has helped set Web Services apart from other integration technologies. Windows Communication Foundation (WCF) is Microsoft’s unified framework for building reliable, secure, transacted, and interoperable distributed applications. WCF was completely designed with service orientation in mind. It is primarily implemented as a set of classes on top of the .NET Framework CLR.

SOA is an architectural pattern that has many styles. To support this, WCF provides a layered architecture. At the bottom layer, WCF exposes a channel architecture that provides asynchronous, untyped messages. Built on top of this are protocol facilities for secure, reliable, transacted data exchange and a broad choice of transport and encoding options. Although WCF introduces a new development environment for distributed applications, it is designed to interoperate with applications that are not WCF based. There are two important aspects to WCF interoperability: interoperability with other platforms, and interoperability with the Microsoft technologies that preceded WCF.

The typed programming model or service model exposed by WCF is designed to ease the development of distributed applications and provide developers with experience in using the ASP.NET Web service. .NET Remoting and Enterprise Services are a familiar development experience with WCF. The service model features a straightforward mapping of Web service concepts to the types of the .NET Framework CLR. This includes a flexible and extensible mapping of messages to the service implementation found in the .NET languages. WCF also provides serialization facilities that enable loose coupling and versioning, while at the same time providing integration and interoperability with existing .NET technologies such as MSMQ, COM+, and others. The result of this technology unification is greater flexibility and significantly reduced development complexity.

To allow more than just basic communication, WCF implements Web services technologies defined by the WS-* specifications. These specifications address several areas, including basic messaging, security, reliability, transactions, and working with a service’s metadata. Support for the WS-* protocols means that Web services can easily take advantage of interoperable security, reliability, and transaction support required by businesses today. Developers can now focus on business logic and leave the underlying plumbing to WCF. Windows Communication Foundation also provides opportunities for new messaging scenarios with support for additional transports such as TCP and named pipes and new channels such as the Peer Channel. More flexibility is also available with regard to hosting Web services. Windows Forms applications, ASP.NET applications, console applications, Windows services, and COM+ services can all easily host Web service endpoints on any protocol. WCF also has many options for digitally signing and encrypting messages, including support for Kerberos and X.509.

–Thom Robbins

Director of .NET Platform Product Management


BitLocker Drive Encryption

BitLocker Drive Encryption helps to protect data on lost, stolen, or inappropriately decommissioned computers by encrypting the entire volume and checking the integrity of early boot components. Data is decrypted only if those components are successfully verified and the encrypted drive is located in the original computer. Integrity checking requires a compatible trusted platform module.

BITS Server Extensions

Background Intelligent Transfer Service (BITS) Server Extensions allow a server to receive files uploaded by clients using BITS. BITS allows client computers to transfer files in the foreground or background asynchronously, preserve the responsiveness of other network applications, and resume file transfers after network failures and computer restarts.

Connection Manager Administration Kit

Connection Manager Administration Kit (CMAK) generates Connection Manager profiles using a wizard that guides you through the process of building service profiles that exactly meet your business needs.

Desktop Experience

Desktop Experience includes features of Windows Vista, such as Windows Media Player, desktop themes, and photo management. Desktop Experience does not enable any of the Windows Vista features; you must manually enable them.

Failover Clustering

Failover Clustering allows multiple servers to work together to provide high availability of services and applications. Failover Clustering is often used for file and print services, as well as database and mail applications.

Internet Printing Client

Internet Printing Client allows you to use HTTP to connect to and use printers that are on Web print servers. Internet printing enables connections between users and printers that are not on the same domain or network. Examples of uses include enabling a traveling employee at a remote office site or in a coffee shop equipped with Wi-Fi access to send documents to a printer located at her main office.

Internet Storage Naming Server

Internet Storage Naming Server (iSNS) processes registration requests, de-registration requests, and queries from iSCSI devices.

LPR Port Monitor

Line Printer Remote (LPR) Port Monitor allows users who have access to UNIX-based computers to print on devices attached to them.

Message Queuing

Message Queuing (MSMQ) provides guaranteed message delivery, efficient routing, security, and priority-based messaging between applications. Message Queuing also accommodates message delivery between applications that run on different operating systems, use dissimilar network infrastructures, are temporarily offline, or run at different times. The following subcomponents are available when you install this feature:

  • Message Queuing Services Message Queuing Services enable applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline. Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging between applications. Subcomponents of this component include:

    • MSMQ Server Provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It can be used to implement solutions for both asynchronous and synchronous messaging scenarios.

    • Directory Service Integration Enables publishing of queue properties to the directory, out-of-the-box authentication and encryption of messages using certificates registered in the directory, and routing of messages across Windows sites.

    • Message Queuing Triggers Enables the invocation of a COM component or an executable, depending on the filters that you define for the incoming messages in a given queue.

    • HTTP Support Enables the sending of messages over HTTP.

    • Multicasting Support Enables queuing and sending of multicast messages to a multicast IP address.

    • Routing Service Routes messages between different sites and within a site.

  • Windows 2000 Client Support Windows 2000 Client Support is required for Message Queuing clients on Windows 2000 computers in the domain.

  • Message Queuing DCOM Proxy Message Queuing DCOM Proxy enables the computer to act as a DCOM client of a remote MSMQ server.

Multipath I/O

Microsoft Multipath I/O (MPIO), along with the Microsoft Device Specific Module (DSM) or a third-party DSM, provides support for using multiple data paths to a storage device on Microsoft Windows.

Network Load Balancing

Network Load Balancing (NLB) distributes traffic across several servers, using the TCP/IP networking protocol. NLB is particularly useful for ensuring that stateless applications, such as a Web server running Internet Information Services (IIS), are scalable by adding additional servers as the load increases.

Peer Name Resolution Protocol

Peer Name Resolution Protocol (PNRP) allows applications to register on and resolve names from your computer so that other computers can communicate with these applications.

Remote Assistance

Remote Assistance enables you (or a support person) to offer assistance to users with computer issues or questions. Remote Assistance allows you to view and share control of the user’s desktop to troubleshoot and fix the issues. Users can also ask for help from friends or co-workers.

Remote Server Administration Tools

Remote Server Administration Tools (RSAT) enable role and feature management tools on a computer so that you can target them at another 2008 Server machine for remote administration. This feature will not set up the core binaries for the selected components but only their administration tools. Note that the following list of Remote Server Administration Tools is based on the Beta 3 milestone of Windows Server 2008 and that additional tools for managing roles and features may be provided in Release Candidate builds:

  • Role Administration Tools Role administration tools that are not installed by default in 2008 Server computers. The following role administration tools are available for installation:

    • Active Directory Certificate Services

    • Active Directory Domain Services

    • Active Directory Lightweight Directory Services

    • Active Directory Rights Management Services

    • DNS Server

    • Fax Server

    • File Services

    • Network Policy and Access Services

    • Print Services

    • Terminal Services

    • Web Server (IIS)

    • Windows Deployment Services

  • Feature Administration Tools Feature administration tools that are not installed by default in 2008 Server computers. The following feature administration tools are available for installation:

    • BitLocker Drive Encryption

    • BITS Server

    • Failover Clustering

    • Network Load Balancing

    • SMTP Server

    • Simple SAN Management

    • Windows System Resource Management (WSRM)

    • WINS Server

Removable Storage Manager

Removable Storage Manager (RSM) manages and catalogs removable media and operates automated removable media devices.

RPC Over HTTP Proxy

RPC Over HTTP Proxy is a proxy that is used by objects that receive remote procedure calls (RPC) over Hypertext Transfer Protocol (HTTP). This proxy allows clients to discover these objects even if the objects are moved between servers or if they exist in discrete areas of the network for security or other reasons.

Simple TCP/IP Services

Simple TCP/IP Services supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. Simple TCP/IP Services is provided for backward compatibility and should not be installed unless it is required.

SMTP Server

SMTP Server supports the transfer of e-mail messages between e-mail systems.

SNMP Services

Simple Network Management Protocol (SNMP) Services includes the SNMP Service and SNMP WMI Provider. The following subcomponents are available when you install this feature:

  • SNMP Service SNMP Service includes agents that monitor the activity in network devices and report to the network console workstation.

  • SNMP WMI Provider SNMP Windows Management Instrumentation (WMI) Provider enables WMI client scripts and applications to get access to SNMP information. Clients can use WMI C++ interfaces and scripting objects to communicate with network devices that use the SNMP protocol and can receive SNMP traps as WMI events.

Storage Manager for SANs

Storage Manager for Storage Area Networks (SANs) helps you create and manage logical unit numbers (LUNs) on Fibre Channel and iSCSI disk drive subsystems that support Virtual Disk Service (VDS) in your SAN.

Subsystem for UNIX-based Applications

Subsystem for UNIX-based Applications (SUA), along with a package of support utilities available for download from the Microsoft Web site, enables you to run UNIX-based programs, and compile and run custom UNIX-based applications in the Windows environment.

Telnet Client

Telnet Client uses the Telnet protocol to connect to a remote telnet server and run applications on that server.

Telnet Server

Telnet Server allows remote users, including those running UNIX-based operating systems, to perform command-line administration tasks and run programs by using a telnet client.

TFTP Client

Trivial File Transfer Protocol (TFTP) Client is used to read files from, or write files to, a remote TFTP server. TFTP is primarily used by embedded devices or systems that retrieve firmware, configuration information, or a system image during the boot process from a TFTP server.

Windows Internal Database

Windows Internal Database is a relational data store that can be used only by Windows roles and features, such as UDDI Services, Active Directory Rights Management Services, Windows SharePoint Services, Windows Server Update Services, and Windows System Resource Manager.

Windows Process Activation Service

Windows Process Activation Service generalizes the IIS process model, removing the dependency on HTTP. All the features of IIS that were previously available only to HTTP applications are now available to applications hosting Windows Communication Foundation (WCF) services, using non-HTTP protocols. IIS 7.0 also uses Windows Process Activation Service for message-based activation over HTTP. The following subcomponents are available when you install this feature:

  • Process Model The process model hosts Web and WCF services. Introduced with IIS 6.0, the process model is a new architecture that features rapid failure protection, health monitoring, and recycling. Windows Process Activation Service Process Model removes the dependency on HTTP.

  • .NET Environment .NET Environment supports managed code activation in the process model.

  • Configuration APIs Configuration APIs enable applications that are built using the .NET Framework to configure Windows Process Activation Service programmatically. This lets the application developer automatically configure Windows Process Activation Service settings when the application runs instead of requiring the administrator to manually configure these settings.

Windows Server Backup

Windows Server Backup allows you to back up and recover your operating system, applications, and data. You can schedule backups to run once a day or more often, and you can protect the entire server or specific volumes.

Windows System Resource Manager

Windows System Resource Manager (WSRM) is a Windows Server operating system administrative tool that can control how CPU and memory resources are allocated. Managing resource allocation improves system performance and reduces the risk that applications, services, or processes will interfere with each other to reduce server efficiency and system response.

WINS Server

Windows Internet Name Service (WINS) provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your network. WINS maps NetBIOS names to IP addresses and solves the problems arising from NetBIOS name resolution in routed environments.

Wireless Networking

Wireless Networking configures and starts the WLAN AutoConfig service, regardless of whether the computer has any wireless adapters. WLAN AutoConfig enumerates wireless adapters and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to a wireless network.

Again, please remember that this book is based on a prerelease version (Beta 3) of Windows Server 2008, so there might be changes to the preceding list of features in RTM. For example, in the build that this particular chapter is based on (IDS_2, also known as February 2007 Community Technology Preview), the Group Policy Management Console (GPMC) is not present and there are no RSAT tools present for managing certain roles such as File Server, Network Policy and Access Services, Windows Deployment Services, and so on.




Microsoft Windows Server Team - Introducing Windows Server 2008
Introducing Windows Server 2008
ISBN: 0735624216
EAN: 2147483647
Year: 2007
Pages: 138
