Ljubomir Ivaniš, CPU d.o.o.

Upload: arion

Post on 09-Jan-2016

DESCRIPTION

Microsoft Server Platform. Ljubomir Ivaniš, CPU d.o.o. Microsoft Certified IT Professional Virtualization Administrator 2008 R2; Microsoft Certified IT Professional Enterprise Administrator; Microsoft Certified Trainer. Virtualization, Terminal Services, Server Core, IPv6, NAP, Security. - PowerPoint PPT Presentation

TRANSCRIPT

  • Microsoft Server Platform
    Ljubomir Ivaniš, CPU d.o.o.
    Microsoft Certified IT Professional Virtualization Administrator 2008 R2
    Microsoft Certified IT Professional Enterprise Administrator
    Microsoft Certified Trainer

  • Virtualization
    Terminal Services
    Server Core
    IPv6
    NAP
    Security

  • Streamlined Administration

  • Updated Event Viewer

  • Terminal Services RemoteApp
    Terminal Services Gateway Server

    RemoteApp console used to make applications available. Also used to make programs available via TS Web Access.

    Programs look like they are running locally

    Only supported by Remote Desktop client 6.0, or newer

  • Windows SharePoint Services
    Administration model enhancements
    New and improved compliance features and capabilities
    New and improved operational tools and capabilities
    Improved support for network configuration
    Extensibility enhancements

  • Windows Firewall with Advanced Security

  • Windows Deployment Services
    Rapidly deploys Windows operating systems
    Updated and redesigned version of Remote Installation Services (RIS)
    Server components
    Client components
    Management components
    Windows Deployment Services provides several enhancements to RIS
    Diagram labels: Windows Client, Windows Server

  • BitLocker Drive Encryption

    Group Policy allows a central encryption policy and provides branch office protection. Provides data protection even when the system is in unauthorized hands or is booted into a different or hostile operating system.

  • Read-Only Domain Controller
    Diagram labels: Main Office, Branch Office
    Features:
      Read-only Active Directory database
      Only allowed user passwords are stored on the RODC
      Unidirectional replication
      Role separation
    Benefits:
      Increases security for remote domain controllers where physical security cannot be guaranteed

  • AD Rights Management Services
    AD RMS protects access to an organization's digital files
    AD RMS in Windows Server 2008 includes several new features:
      Improved installation and administration experience
      Self-enrollment of the AD RMS cluster
      Integration with AD Federation Services
      New AD RMS administrative roles

  • Active Directory Federation Services
    AD FS provides an identity access solution
    Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions
    AD FS provides a Web-based SSO solution
    AD FS interoperates with other security products that support the Web Services Architecture
    AD FS improved in Windows Server 2008
    Diagram labels: Web Server, Account Federation Server, Resource Federation Server, Federation Trust

  • Federated Rights Management
    Together, AD FS and AD RMS enable users from different domains to securely share documents based on federated identities
    AD RMS is fully claims-aware and can interpret AD FS claims
    Office SharePoint Server 2007 can be configured to accept federated identity claims
    Diagram labels: Account Federation Server, Resource Federation Server, Federation Trust

  • Microsoft's Virtualization Solutions
    Server Virtualization
    Application Virtualization
    Desktop Virtualization
    Presentation Virtualization

  • Virtualization is the isolation of one computing resource from the others:
    Traditional software stack: interface bound to process; storage assigned to specific locations; network assigned to specific locations; operating system assigned to specific hardware; applications installed to specific hardware and OS
    Component isolation with virtualization
    Virtualization results in more efficient resource utilization, and enables greater flexibility and simplified change management

  • Windows Server Virtualization Architecture
    Diagram labels: Parent Partition, Child Partitions, Kernel Mode, User Mode, OS, MS / XenSource / Novell, ISV/IHV/OEM

  • Terminal Services Gateway
    Diagram labels: Internet, DMZ, Corp LAN, External Firewall, Internal Firewall, HTTPS / 443, Terminal Services Gateway Server, Terminal Server, E-mail Server, Home, Hotel, Business Partner/Client Site

  • Thank you for your attention. Questions to: [email protected]

  • Virtualization Platform and Management

  • Title: Windows Server 2008 Overview
    Talking Points: Introduce yourself. This presentation will provide an overview of the exciting new features in Microsoft Windows Server 2008, and how they may be used both by developers and in organizations.

  • Title: Streamlined Administration
    Talking Points: With the ever-growing number of computers and workstations in a typical enterprise network, IT personnel spend a substantial amount of time installing, deploying, and maintaining variants of the Windows operating system on servers and workstations. It is crucial to the overall productivity of the business that a consistently high level of quality is maintained in these processes. Windows Server 2008 includes many new features and enhancements designed to reduce the cost and effort of deploying and managing all Windows servers within the corporate network.

    Easier Windows Server Setup and Faster Deployment: Installing operating systems has historically been a time-consuming process requiring the constant monitoring and hands-on interaction of IT administrators to ensure proper installation. Windows Server 2008 streamlines the setup process, freeing the administrator to perform other tasks. A redesigned installation interface guides administrators and users through the most common post-installation tasks, helping ensure that the server is configured correctly and securely. The improved installation process of Windows Server 2008 saves time setting up the operating system, freeing administrators to perform more valuable tasks. In addition to a streamlined setup, organizations can use Windows Deployment Services (WDS), a revised version of Remote Installation Services designed to be used with Windows Server 2008 and Windows Vista, that provides a simplified, secure means of rapidly deploying Windows operating systems to computers over networks without requiring that administrators visit each computer or install directly from CD or DVD media. This reduces the time and work involved in deploying operating systems on servers and workstations and the costs associated with deploying new computers.

    Microsoft has published Microsoft Deployment, the next version of Business Desktop Deployment (BDD) 2007. It is the recommended process and toolset to automate desktop and server deployment. Microsoft Deployment provides detailed guidance and job aids for every organizational role involved with large-scale deployment projects. It unifies the tools and processes required for desktop and server deployment into a common deployment console and collection of guidance. Microsoft Deployment's tools and end-to-end guidance reduce deployment time, standardize desktop and server images, limit service disruptions, reduce post-deployment help desk costs, and improve security and ongoing configuration management.

    Simplified Administration: The Server Manager Console in Windows Server 2008 makes the task of managing and securing servers easier. The interface of the Server Manager Console is a single window that contains all of the information necessary for managing a server's configuration and system information. It incorporates the functionality of several management tools, enabling administrators to go directly to consoles for managing specific roles, troubleshooting tools, or finding backup and disaster recovery options. Roles and features installed by using Server Manager are secure by default. Administrators don't need to run the Security Configuration Wizard following role installation or removal unless they want to change the default settings.

    Most common administration tasks in Windows Server 2008 can be performed with the assistance of wizards. Wizards in Server Manager streamline server deployment tasks in an enterprise by cutting deployment time. Most common configuration tasks, such as configuring or removing roles, defining multiple roles, and role services, can now be completed in a single session using Server Manager wizards. Dependency checks are performed as the user progresses through Server Manager wizards, ensuring that all of the prerequisite role services that a selected role needs are installed, and that none are removed that remaining roles or role services might still require.

    Server Manager consolidates a variety of management interfaces and tools into a unified management console, enabling administrators to complete common management tasks without having to navigate between multiple interfaces, tools, and dialog boxes, reducing the time it takes to perform administration tasks, reducing configuration errors, and reducing server management costs.

    Powerful Automation of IT Administration Tasks: Microsoft Windows PowerShell is a new command-line shell and scripting language that helps IT professionals achieve greater productivity and control system administration more easily. Windows PowerShell does not require that you migrate your existing scripts, and it is ideally suited for automation of new Windows Server 2008 features. Windows PowerShell has more than 130 standard command-line tools, a new admin-focused scripting language, and consistent syntax and utilities. It allows administrators to efficiently complete server administration tasks that are common across all Windows Server 2008 roles, such as services, processes, and storage. Windows PowerShell also allows administrators to manage specific Windows Server 2008 roles, such as IIS 7.0 and Terminal Server, as well as Microsoft Exchange Server 2007 and Microsoft Operations Manager 2007. Also, a number of partners have provided Windows PowerShell commands that improve network management and provide rich charting and gauge capabilities.

    Using configuration scripts, refinery administrators can simply run a script rather than trying to follow written instructions, reducing the time spent on installation, deployment, and maintenance as well as the potential for configuration errors. Windows PowerShell is easy to adopt, learn, and use, because it does not require a background in programming, and it works with your existing IT infrastructure, existing scripts, and existing command-line tools. With PowerShell, organizations can more easily automate administration tasks, reducing effort and saving costs.
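    A configuration script of the kind these notes describe, as an added example that is not part of the presentation: it records which services a Windows Server 2008 machine runs, how they start and under which account, saves that as a baseline with the standard PowerShell cmdlets, and on later runs reports any drift, which is how "run a script instead of following instructions" also catches configuration errors. The baseline path and the LocalSystem heuristic are assumptions made for this example.

```powershell
# Added example, not the presentation's own code. Records and compares service
# configuration on a Windows Server 2008 host. Requires PowerShell (an optional
# feature on Windows Server 2008) and local administrator rights for WMI access.
param(
    [string]$BaselinePath = "C:\Baselines\$($env:COMPUTERNAME)-services.xml",  # assumed location
    [switch]$Record   # write a new baseline instead of comparing against the saved one
)

function Get-ServiceConfig {
    # Win32_Service exposes the start mode and logon account, which Get-Service does not.
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, StartMode, StartName |
        Sort-Object Name
}

function Save-Baseline {
    param([string]$Path)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Export-Clixml keeps the property names, so Compare-Object can match on them later.
    Get-ServiceConfig | Export-Clixml -Path $Path
}

function Get-ServiceDrift {
    # Pure comparison with no WMI calls, so it also works on two saved baselines.
    param([object[]]$Baseline, [object[]]$Current)
    $diff = Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current `
                           -Property Name, StartMode, StartName
    foreach ($group in ($diff | Group-Object -Property Name)) {
        $before = $group.Group | Where-Object { $_.SideIndicator -eq '<=' }   # baseline side
        $after  = $group.Group | Where-Object { $_.SideIndicator -eq '=>' }   # current side
        if ($before -and $after) { $change = 'Changed' }
        elseif ($after)          { $change = 'Added' }
        else                     { $change = 'Removed' }

        # Heuristic (assumption of this example): a service that newly starts automatically
        # as LocalSystem is the change most worth confirming with whoever made it.
        $note = ''
        if ($after -and $after.StartName -eq 'LocalSystem' -and $after.StartMode -eq 'Auto') {
            $note = 'auto-start as LocalSystem: confirm this change was intended'
        }

        $result = New-Object PSObject
        $result | Add-Member NoteProperty Service  $group.Name
        $result | Add-Member NoteProperty Change   $change
        $result | Add-Member NoteProperty Baseline $(if ($before) { "$($before.StartMode) / $($before.StartName)" } else { '-' })
        $result | Add-Member NoteProperty Current  $(if ($after)  { "$($after.StartMode) / $($after.StartName)" }  else { '-' })
        $result | Add-Member NoteProperty Note     $note
        $result
    }
}

if ($Record) {
    Save-Baseline -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
} elseif (-not (Test-Path $BaselinePath)) {
    Write-Output "No baseline at $BaselinePath; run with -Record first."
} else {
    $drift = Get-ServiceDrift -Baseline (Import-Clixml -Path $BaselinePath) -Current (Get-ServiceConfig)
    if ($drift) { $drift | Format-Table Service, Change, Baseline, Current, Note -AutoSize }
    else        { Write-Output 'No service configuration drift from baseline.' }
}
```

    Run once with -Record right after a server is built and again on a schedule; the comparison ignores the transient State property on purpose, so a service merely stopped for maintenance does not show up as drift.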

    Enterprise Class Print Management: A substantial part of an organization's IT resources is usually devoted to configuring and maintaining network-attached printers that require constant maintenance and administration. The techniques for configuring one printer model usually do not translate to other models, so IT personnel must devote substantial time and effort to becoming familiar with many different printer configuration methods. In addition, on previous versions of Windows, printers had to be managed on a per-server basis; there was no centralized printer management tool. This resulted in high costs in time and resources for the organization. Windows Server 2008 addresses these issues with Print Management, an MMC snap-in that enables administrators to manage, monitor, and troubleshoot all of the printers within the enterprise network from a single interface, even those printers that are remotely connected to the network. When responding to remote printer issues, IT personnel do not have to rely on users at the remote site to check the printer and provide diagnostic information; the administrator can use Print Management's easy-to-use console interface to access this information directly. It can also send e-mail notifications and run maintenance scripts when a printer or print server needs attention. Print Management can also access the Web interfaces of printers that support them.

    Print Management can be used with Group Policy to automatically connect one or many desktop computers to network printers. IT administrators do not have to install and configure printers on each desktop computer, and this optimizes IT resources and saves the organization time and money. Print Management simplifies printer management duties, optimizing IT resources and reducing time and cost for the organization.

    Increased Infrastructure Reliability with Server Core: Infrastructure servers perform tasks critical to the day-to-day operation of Windows Server-based enterprise networks, such as supporting the Domain Name Service (DNS), Active Directory, and the Dynamic Host Configuration Protocol (DHCP) service. Enterprise networks depend on the stability and optimal performance of infrastructure servers. To meet these needs, Windows Server 2008 includes a new installation option called Server Core. Server Core installations contain only the functionality needed for the server's task in the enterprise network. Functionality that is not strictly required for the server task is not included. The Server Core installation option is available for the following roles:
      Hyper-V
      IIS 7.0
      Dynamic Host Configuration Protocol (DHCP) server
      Domain Name System (DNS) server
      File server
      Active Directory Domain Services (AD DS)
      Active Directory Lightweight Directory Services (AD LDS)
      Windows Media Services
      Print Server

    Because Server Core runs with a minimal set of installed functionality, less maintenance, fewer software updates, and fewer restarts are needed. Server security is enhanced, as running less code reduces the attack profile of the server. Server Core's minimal server implementations increase network security and performance, reducing an organization's maintenance and support costs and allowing organizations to run critical infrastructure servers in their most reliable configuration.

    Customer Evidence: Valero Energy Corporation, North America's largest refiner of oil and gas products, has started to deploy Windows Server 2008. One of the compelling reasons to deploy is scriptability. "On the refinery side, one of the big benefits of Windows Server 2008 is scriptability and ease of configuration," says Scott Mock, Lead I/S Specialist. Valero plans to use Windows PowerShell to create configuration scripts that automate basic server management tasks. By using the Server Core installation option, Valero is anticipating significantly reduced downtime for maintenance at the refineries. "Server Core goes a long way in reducing the amount of security updates we have to apply, by reducing the number of components that need updating on a regular basis," says I/S Project Manager Shawn Crow. (Valero Energy Corporation Case Study)

    Additional Information:http://www.microsoft.com/deployment http://www.microsoft.com/windowsserver2008/evaluation/overview.mspx***Title: Terminal Services RemoteAppTalking Points: Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp) provides the ability to run both local and remotely-hosted programs on a Windows desktop.Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp) provides the ability to run both local and remotely-hosted programs on a Windows desktop. These programs will be fully integrated with the local computer, having their own resizable windows and taskbar entries. The remote program is completely integrated with the user's desktop, and appears to the user as if it is running on the user's local computer. Users can run programs from a remote location side-by-side with their local programs. If the program uses a notification area icon, this icon appears in the client's notification area. Popup windows are redirected to the local desktop. Local drives and printers can be redirected to appear in the remote program. Many users might not be aware that the remote program is any different than a local program. The Terminal Server Configuration console is the central location from which administrators configure a terminal server to host remote programs.[BUILD1] RemoteApp Console: From the RemoteApp console, you can select which applications on the terminal server to make available as remote programs as well as deciding whether or not such programs should also be made available by means of Terminal Services Web Access.[BUILD2] Programs Look Like They Are Running Locally: This image demonstrates TS RemoteApp. Microsoft Office Outlook 2007 is running on a terminal server, and yet the launch-tray icon and the reminder tabs have migrated over to the client desktop as if it were running locally. Compare this to the Internet Explorer window, also open on the desktop, in which applications accessed using TS Web Access would operate. 
[BUILD3] Remote Desktop Client: Remote Programs are only supported by the Remote Desktop client 6.0, or later. This client is available for Windows XP SP2, Windows Server 2003 SP1, and WindowsVista, and is distributed free through Windows Update.Additional Information:Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)http://www.microsoft.com/windowsserver/longhorn/terminal-services/default.mspxwww.microsoft.com/technet/Add-301.ppt www.microsoft.com/technet/Add-400.ppt***Title: Windows SharePoint ServicesTalking Points: Windows SharePoint Services contain a variety of enhanced features.Microsoft Windows SharePoint Services 3.0 is a collaboration technology that helps organizations improve business processes and enhance team productivity. With a rich set of features and tools that give people browser-based access to workspaces and shared documents, Windows SharePoint Services helps people connect to and work with others across organizational and geographic boundaries. Windows SharePoint Services also provides a foundation platform for building Web-based business applications that are flexible and scale easily to meet the changing and growing needs of your business. In addition, robust administrative controls for managing storage and Web infrastructure give IT departments a cost-effective way to implement and manage a high-performance collaboration environment.Windows SharePoint Services 3.0 has many new features and enhancements that can help IT Professionals deploy and maintain Windows SharePoint Services solutions. 
Together, these new features and enhancements provide IT organizations with better control over information resources; individually these new features and enhancements provide functional benefits that help reduce administrative overhead.[BUILD1] Administration model enhancements - Windows SharePoint Services includes several enhancements to the administration model that help IT organizations implement management plans and perform administrative tasks more effectively and efficiently.Centralized configuration and management: Windows SharePoint Services now has a centralized configuration and management model, which includes a centralized configuration database and two new services that automatically propagate and synchronize the centrally-stored configuration settings across all of the servers in your server farm. The new configuration and management model allows you to centrally manage your server farm without having to manage farm settings on a server-by-server basis. For example, if you create a Web application on one of your Web servers, the Web application is automatically propagated to all of your Web servers. 
You no longer have to create and configure individual Web applications on each of your Web servers.Two-tier administration model: Windows SharePoint Services has an enhanced two-tier administration model that makes it easier for IT organizations to differentiate administrative roles and assign administrative responsibilities.Farm-based Central Administration user interface: The SharePoint Central Administration Web pages have been redesigned and reorganized, allowing easier implementation of administrative tasks and procedures.Delegation of administrative responsibilities and roles: Because the multi-tier administration model provides a clear delineation of administrative tasks, IT managers can better delegate administrative responsibilities to the appropriate users and administrators within an organization.[BUILD2] New and improved compliance features and capabilities - Windows SharePoint Services includes new and enhanced features that provide IT organizations with better control over information resources.Policy management: You can now configure policies for Web applications based on the domain or the server authentication zone. For example, you can create intranet and extranet authentication zones to restrict access to information based on how users access information. You can also use authentication zones to create access control lists (ACLs) that include a group of users from different authentication providers. Diagnostic logging: Diagnostic logging can now be configured for all actions on sites, content, and workflows.Item-level access control: Windows SharePoint Services provides item-level access control and security settings that allow site administrators and IT administrators to control which people or groups have access to sites, document libraries, lists, folders, documents, and list items. In addition, Windows SharePoint Services provides security trimming of UI elements. 
Security trimming controls which UI elements are visible or actionable based on a user's permissions, thereby reducing Web page clutter and making Web pages easier to navigate.Administrator access control: Windows SharePoint Services now prohibits IT administrators from viewing site content unless the IT administrator is granted site collection administrator privileges. In addition, an event is written to the Event Viewer Application log whenever an IT administrator changes site collection administrator privileges.[BUILD3] New and improved operational tools and capabilities: Windows SharePoint Services includes several new and improved tools and capabilities that help IT organizations implement operational plans and tasks.Backup and Recovery Support: Several new and improved features make it easier to perform backup and recovery tasks. A multi-stage recycle bin allows users to retrieve inadvertently deleted documents, reducing dependence on IT departments for document retrieval functions. The recycle bin also allows administrators to manage the lifecycle of deleted items in the recycle bin.The backup and restore functionality is also enhanced, providing support for Volume Shadow Copy Service (VSS), which allows better integration with non-Microsoft backup and recovery programs. In addition, the backup and restore functionality in Windows SharePoint Services allows IT staff to back up and restore the data that is stored in a SQL Server database, such as your configuration database, content and configuration data for Web applications, and search databases.Upgrade and migration support: The following features have been added to make upgrades faster and easier:Gradual upgrade support: By performing a gradual upgrade, you can incrementally upgrade data and functionality on a server that is running Microsoft Windows SharePoint Services version 2 and Windows SharePoint Services 3.0. 
This is particularly useful if you are upgrading a complex environment and you do not want to interrupt business processes. Migration support: Windows SharePoint Services provides support for migrating content. You can migrate content for an entire Web site or you can migrate content on a more specific basis, such as lists and documents. You can also migrate content incrementally. Reparenting. This allows you to dynamically rearrange a hierarchy of SharePoint sites, and is typically used during a migration. Previously, in Windows SharePoint Services version 2, to move a site, you needed to back up and then delete it from its current location, and then restore the site in the new location.Monitoring support: Improved instrumentation is provided through Microsoft Operations Manager (MOM) management packs. MOM packages support centralized monitoring and management of configurations ranging from single server and small server farms to very large server farms. Host header mode: Host header mode, a new feature in Windows SharePoint Services, allows you to create multiple domain-named sites in a single Web application. In Windows SharePoint Services version 2, when scalable hosting mode was enabled, you could extend only one IIS Web site. Now, with host header mode, you can have host header-based site collections on multiple Web applications, so you are no longer limited to extending just one IIS Web site.Server renaming: Windows SharePoint Services now has the Stsadm renameserver command that makes it easier to rename your Web servers and your database servers. When you run Stsadm renameserver, the configuration database for your farm is updated, so that any URLs or references to the old server name are now mapped to the new server name. Credential management: You can now manage service account credentials, such as the application pool identity for your application pools, through the SharePoint Central Administration site. 
[BUILD4] Improved support for network configuration: Windows SharePoint Services includes enhanced support for network configuration.Alternate access mapping: Alternate access mapping (AAM) provides a mechanism for mapping newly-added Web servers to your Web application. For example, if you install and configure Windows SharePoint Services on a single Web server, and a user browses to your server, the server will render the content that is in your Web application. However, if you add subsequent Web servers to your server farm, the newly-added servers will not have alternate access mappings configured to your Web application. Pluggable authentication: Windows SharePoint Services adds support for non-Windows-based identity systems by integrating with the pluggable Microsoft ASP.NET forms authentication system. ASP.NET authentication allows Windows SharePoint Services to work with identity management systems that implement the Membership Provider interface.[BUILD5] Extensibility enhancements: Windows SharePoint Services has several extensibility enhancements that make it easier to create custom applications that are well integrated with Windows SharePoint Services features, functionality, and user interface elements.Site definitions have been enhanced so that sites are no longer locked or bound to your original template choice. Administration tasks and functionality can be extended to custom applications.Enhancements to the Windows SharePoint Services Timer service make it easier to create and manage timer jobs that control custom services. Windows SharePoint Services hosts the Windows Workflow Foundation, which allows the creation of customized workflow solutions and the use of structured workflows on document library and list items. 
In conjunction with the Windows SharePoint Services application templates, the Windows Workflow Foundation allows you to create robust workflow-enabled business applications.Additional Information:Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)*Title: Windows Firewall with Advanced SecurityTalking Points: Windows Firewall with Advanced Security provides a number of security enhancements. Windows Server SP1 was the first release to contain a server firewall, and it only did port filtering. Many enhancements have been made to Windows Firewall with Advanced Security as described below.The Windows Firewall with Advanced Security in Windows Server 2008 is a host-based firewall that allows or blocks network traffic according to its configuration and the applications that are currently running, to provide a level of protection from malicious users and programs on a network. A feature of the advanced security functionality in Windows Server 2008 is ability to support firewall interception of both incoming and outgoing traffic by means of policy-based networking. For example, administrators can configure the new Windows Firewall with a set of exceptions to block all traffic sent to specific ports, such as the well-known ports used by viruses, or to specific addresses containing either sensitive or undesirable content. Combined firewall and IPsec management: In previous versions of Windows, the IPsec and Firewall configuration were performed in two places. IPsec and firewall configuration can now be done from one location which helps to prevent customers from accidentally setting up conflicts. The new Windows Firewall can be configured with an MMC snap-in, Windows Firewall with Advanced Security. 
With the new Windows Firewall with Advanced Security snap-in, network administrators can configure settings for Windows Firewall on remote computers, which is not currently possible for the current Windows Firewall without a remote desktop connection. [BUILD1]Firewall rules become more intelligent: The advanced security functionality in Windows Server 2008 allows administrators to configure firewall exceptions in a number of new ways. For example, exceptions can be configured for IP protocol number, by source and destination, for all or multiple ports, and so on. Policy-based network rules give administrators control to better protect their environment. [BUILD2]Policy-based networking: The policy-based networking feature, also called outbound filtering, is designed for enterprise management only. This feature can block either traffic sent in response to a request of the computersolicited trafficor unsolicited traffic that has been specified as allowedexcepted traffic. This is a crucial component of firewall functionality as it helps prevent the infection of computers by network-level viruses and worms that spread through unsolicited incoming traffic. Simplified protection policy: The new simplified protection policy makes it easier for administrators to manage the Windows firewall. 
For example, administrators can specify which users, groups, or application are allowed to use a specific port, or can turn off access to a specific port enterprise-wide in the case of a virus attack.Additional Information:Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)www.microsoft.com/technet/Add-301.ppt***Title: Windows Deployment ServicesTalking Points: Windows Deployment Services (WDS) is a suite of components that work together on WindowsServer 2008 to provide a simplified, secure means of rapidly deploying Windows operating systems to computers by using network-based installation, without the need for an administrator to work directly on each computer, or install Windows components from CD or DVD media. It contains a number of new or enhanced features that will save IT staff time.The Windows Deployment Services Process: Windows Deployment Services allow IT staff to rapidly deploy the Windows operating systems to computers by using network-based installation, without the need for an administrator to work directly on each computer, or install Windows components from CD or DVD media. WDS can also be used to quickly repurpose existing computers.[BUILD1] Windows Deployment Services: Windows Deployment Services, the updated and redesigned version of Remote Installation Services (RIS), is the feature name for a suite of components that work together on Windows Server 2008 to enable the deployment of Windows operating systems, particularly WindowsVista. These components are organized by the following three categories: server, client and management components.[BUILD2] Server components: These components include a Pre-Boot Execution Environment (PXE) server and Trivial File Transfer Protocol (TFTP) server for network booting a client to load and install an operating system. 
Also included is a shared folder and image repository that contains boot images, installation images, and the files you need specifically for network boot.

[BUILD3] Client components: These components include a graphical user interface that runs within the Windows Pre-Installation Environment (Windows PE) and communicates with the server components to select and install an operating system image.

[BUILD4] Management components: These components are a set of tools that you use to manage the server, operating system images, and client computer accounts.

[BUILD5] Enhancements to Windows Deployment Services: Windows Deployment Services includes the Windows Deployment Services MMC snap-in, which provides rich management of all Windows Deployment Services features. Windows Deployment Services also provides several enhancements to the RIS feature set. These enhancements support the deployment of the Windows Vista and Windows Server 2008 operating systems. With Windows Deployment Services, IT staff can:
- Use the Windows Deployment Services snap-in to create a "capture image" that can create a custom image from a computer that has been prepared with Sysprep.exe
- Use the Windows Deployment Services Capture Wizard to create and add an image prepared with Sysprep.exe
- Use the Windows Deployment Services snap-in to associate unattended installation files with Windows images
- Associate one or more language packs with an image, eliminating the need for unique images for each language your organization supports
- Use the Windows Deployment Services snap-in to create a "discover image" for use with computers that do not support PXE boot

Additional Information:
SVR322_Niehaus.ppt
Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)

**

Title: BitLocker Drive Encryption
Talking points: BitLocker Drive Encryption is an integral new security feature in Windows Server 2008 to protect servers at locations such as branch offices, and mobile computers
for roaming users.

Information loss can be very costly. As more businesses and services move online, data has become more vulnerable. At the same time, there is a growing need among consumers for this data to be protected. New rules and regulations at state and national levels, such as Sarbanes-Oxley and HIPAA, help drive the need for data protection. BitLocker provides enterprise solutions to protect sensitive data for a variety of applications to meet these standards.

Allows central encryption policy and provides Branch Office protection: The Group Policy feature of Windows Server 2008 allows administrators to set a corporate encryption policy. When combined with BitLocker encryption, this provides additional security for branch offices, sites with limited IT support, or sites at risk of security breaches.

[BUILD1] Group Policy allows central encryption policy and provides Branch Office protection: BitLocker is configurable through Group Policy. This means that with Windows Server 2008, administrators have the ability to implement an enterprise-wide BitLocker policy.

Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System: BitLocker provides offline data and operating system protection by ensuring that data stored on the computer is not revealed if the machine is tampered with while the installed operating system is offline. BitLocker Drive Encryption optionally uses a Trusted Platform Module, or TPM, to provide enhanced protection for data and to assure early boot component integrity. This helps protect data from theft or unauthorized viewing by encrypting the entire Windows volume.

How BitLocker Works: BitLocker prevents a thief who boots another operating system or runs a malicious software tool from breaking Windows file and system protections, or from viewing offline the files stored on the protected drive.
BitLocker Drive Encryption protects data while the system is offline because it encrypts the entire Windows volume, including both user data and system files, the hibernation file, the page file, and temporary files. This provides umbrella protection for third-party applications, because they receive the benefits of BitLocker automatically when they are installed on an encrypted volume.

[BUILD2] Using BitLocker with a TPM: The TPM is a chip available with newer motherboards. BitLocker is designed to work with TPM 1.2 or later models, which enhance data protection by bringing together two major sub-functions: full drive encryption, and the integrity checking of early boot components. Qualified systems will have a Trusted Computing Group (TCG) v1.2-compliant BIOS. The BIOS establishes a chain of trust for the pre-operating-system boot, and the system must include support for the TCG-specified Static Root of Trust for Measurement (SRTM). The TPM validates that early boot components are correct.

Ideally, BitLocker uses a Trusted Platform Module, or TPM, to protect user data and to ensure that a PC has not been tampered with while the system was offline. BitLocker Drive Encryption can use a USB flash drive for key storage if no TPM is available. BitLocker is designed to offer the most integrated end-user experience on systems that have a compatible TPM microchip and BIOS. BitLocker provides a wizard for setup and management, as well as extensibility and manageability through a Windows Management Instrumentation (WMI) interface with scripting support. BitLocker is tightly integrated into Windows, and provides a secure and easily manageable data protection solution for the enterprise. For example, BitLocker optionally leverages an enterprise's existing Active Directory Domain Services infrastructure to remotely escrow recovery keys.
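The key hierarchy behind these talking points (volume contents under the FVEK, the FVEK wrapped by the VMK, the VMK wrapped by each protector such as a TPM or an escrowed recovery password, and re-keying that never touches the bulk ciphertext) is easier to follow in a small constructed model. The Python below is an added example for this page, not Microsoft code and not BitLocker's real algorithms: an HMAC-SHA256 counter-mode construction stands in for AES, and the TPM is modelled as a key derived from the boot measurements, so a changed boot chain simply yields the wrong key.

```python
"""Constructed model (not Microsoft code) of BitLocker's key hierarchy: volume data is
encrypted under the FVEK, the FVEK is wrapped by the VMK, and the VMK is wrapped by each
key protector (here a TPM bound to boot measurements and a recovery password). Re-keying
replaces only the VMK and its wrappers; the bulk ciphertext is never touched.
HMAC-SHA256 in counter mode stands in for AES; it is a toy, not a cipher to reuse."""
import hashlib
import hmac
import os
from typing import Dict


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC with a random nonce; the MAC key is derived separately from the data key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(hashlib.sha256(b"mac|" + key).digest(), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(hashlib.sha256(b"mac|" + key).digest(), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def tpm_release(boot_measurements: bytes) -> bytes:
    """Models a TPM unsealing a secret bound to the measured early boot components (SRTM):
    different measurements yield a different, useless key, so a modified boot chain cannot
    unlock the volume. The derivation is a stand-in for real PCR-bound sealing."""
    return hashlib.sha256(b"tpm-sealed-secret|" + boot_measurements).digest()


def recovery_key(recovery_password: str, salt: bytes) -> bytes:
    """Key derived from the recovery password an administrator escrows in AD DS."""
    return hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), salt, 50_000)


class ProtectedVolume:
    def __init__(self, sectors: bytes):
        self.fvek = os.urandom(32)                       # Full Volume Encryption Key
        self.ciphertext = wrap(self.fvek, sectors)       # bulk data, encrypted exactly once
        self.vmk = os.urandom(32)                        # Volume Master Key
        self.wrapped_fvek = wrap(self.vmk, self.fvek)
        self.protectors: Dict[str, bytes] = {}           # name -> VMK wrapped under that protector

    def add_protector(self, name: str, protector_key: bytes) -> None:
        self.protectors[name] = wrap(protector_key, self.vmk)

    def unlock(self, name: str, protector_key: bytes) -> bytes:
        """Boot-time chain: protector -> VMK -> FVEK -> volume contents."""
        vmk = unwrap(protector_key, self.protectors[name])
        fvek = unwrap(vmk, self.wrapped_fvek)
        return unwrap(fvek, self.ciphertext)

    def rekey(self, surviving_protectors: Dict[str, bytes]) -> None:
        """A protector was lost or compromised: issue a new VMK and re-wrap the FVEK and
        the surviving protectors. The volume ciphertext is untouched."""
        self.vmk = os.urandom(32)
        self.wrapped_fvek = wrap(self.vmk, self.fvek)
        self.protectors = {n: wrap(k, self.vmk) for n, k in surviving_protectors.items()}


def demo() -> Dict[str, bool]:
    data = b"branch office payroll data (constructed sample)"
    vol = ProtectedVolume(data)
    trusted_boot = hashlib.sha256(b"bios|mbr|bootmgr (constructed measurements)").digest()
    vol.add_protector("tpm", tpm_release(trusted_boot))
    salt, password = os.urandom(8), "123456-654321-111111-222222"   # constructed recovery password
    vol.add_protector("recovery", recovery_key(password, salt))
    results = {"tpm_unlock": vol.unlock("tpm", tpm_release(trusted_boot)) == data,
               "recovery_unlock": vol.unlock("recovery", recovery_key(password, salt)) == data}
    altered_boot = hashlib.sha256(b"bios|mbr|other bootloader (constructed)").digest()
    try:
        vol.unlock("tpm", tpm_release(altered_boot))
        results["altered_boot_unlock"] = True
    except ValueError:
        results["altered_boot_unlock"] = False           # TPM will not release the right key
    before = vol.ciphertext
    vol.rekey({"tpm": tpm_release(trusted_boot)})        # recovery password retired, VMK rotated
    results["bulk_ciphertext_unchanged"] = vol.ciphertext == before
    results["tpm_unlock_after_rekey"] = vol.unlock("tpm", tpm_release(trusted_boot)) == data
    results["old_recovery_protector_gone"] = "recovery" not in vol.protectors
    return results
```

The point of `rekey` is the one the notes make: when a recovery password leaks, only the small wrapped keys are rewritten, and the encrypted volume is exactly the same bytes before and after.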
BitLocker also has a disaster recovery console integrated into the early boot components to provide for in-the-field data retrieval.

IT professionals can choose one of several authentication modes when they initially configure BitLocker. Each time a BitLocker-protected operating system volume boots, Windows boot code performs a sequence of steps based on the volume protections set. These steps can include code integrity checks and other authentication steps that must be verified before the protected volume is unlocked. Volume contents are encrypted with a Full Volume Encryption Key (FVEK), which in turn is encrypted with a Volume Master Key (VMK). Securing the VMK is an indirect way of protecting data on the disk volume: the addition of the volume master key allows the system to be re-keyed easily when keys upstream in the trust chain are lost or compromised. This saves the expense of decrypting and re-encrypting the entire disk volume.

BitLocker Recovery and Active Directory Integration: BitLocker also provides recovery and Active Directory integration. For example, an administrator can have BitLocker recovery passwords stored in Active Directory, and Group Policy can manage BitLocker settings for Windows Server 2008 and Windows Vista.

Additional Information:
Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)
www.microsoft.com/technet/Add-301.ppt; Add-305.ppt

***

Title: Read-Only Domain Controller (RODC)
Talking Points: The Read-Only Domain Controller (RODC) provides increased security for locations such as branch offices. A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. The RODC is primarily targeted toward branch offices or edge sites. By default, the RODC doesn't store any passwords.
That way, if the RODC is compromised, an administrator doesn't have to worry about someone gaining access to the entire network using the information stored on that server. This addresses the lack of security that can occur at branch offices, so the threat to Active Directory is drastically reduced.

[BUILD1] RODC Features: RODCs are in a read-only state, with unidirectional (read-only) replication for Active Directory and FRS\DFSR. Each RODC has its own KDC KrbTGT account; this is the account that issues tickets. This provides cryptographic isolation. RODCs use workstation accounts, so they have very limited rights to write to Active Directory, which minimizes unauthorized access. And since RODCs have workstation accounts, they have no EDC or Display Data Channel (DDC) group membership.

Because no changes are written directly to the RODC, and therefore none originate locally, writable domain controllers that are replication partners do not have to pull changes from the RODC. This reduces the workload of bridgehead servers in the hub site and the effort required to monitor replication.

RODC unidirectional replication applies to both AD DS and Distributed File System Replication. The RODC performs normal inbound replication for AD DS and Distributed File System Replication changes.

RODCs also use credential caching. Credential caching is the storage of user or computer credentials. Credentials consist of a small set of approximately 10 passwords that are associated with security principals.

With Role Separation you can delegate the local administrator role of an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain.
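The three properties just described (secrets cached only for the accounts policy allows, inbound-only replication, and a local administrator role that carries no domain rights) determine what a stolen branch server actually exposes. The following Python is a constructed model added for this page, not Microsoft code and not the real Password Replication Policy implementation; the account names, groups and the allow/deny evaluation (denial wins over allowance) are assumptions of the model.

```python
"""Constructed model (not Microsoft code) of how an RODC limits what a stolen branch
server exposes: a hub writable DC holds every secret; the RODC holds a read-only copy,
replicates inbound only, caches secrets only for accounts its policy allows (denial wins
over allowance), and has a separate local-administrator role that carries no domain rights."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set


def _secret(password: str) -> str:
    """Stand-in for the stored credential (constructed; not the real NT hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class WritableDC:
    secrets: Dict[str, str]         # account -> stored secret
    groups: Dict[str, Set[str]]     # group -> members

    def verify(self, account: str, password: str) -> bool:
        return self.secrets.get(account) == _secret(password)

    def groups_of(self, account: str) -> Set[str]:
        return {g for g, members in self.groups.items() if account in members}

    def reset(self, accounts: Set[str]) -> int:
        """Post-theft response: reset only the accounts the RODC had cached."""
        for a in accounts:
            self.secrets[a] = _secret(f"new-{a}")   # constructed replacement secret
        return len(accounts)


@dataclass
class RODC:
    hub: WritableDC
    allowed: Set[str]                # groups whose secrets may be cached on this RODC
    denied: Set[str]                 # groups never cached; denial takes precedence
    local_admins: Set[str]           # role separation: admin of this server only
    cache: Dict[str, str] = field(default_factory=dict)

    def cacheable(self, account: str) -> bool:
        member = self.hub.groups_of(account)
        return not (member & self.denied) and bool(member & self.allowed)

    def authenticate(self, account: str, password: str) -> str:
        if account in self.cache:                        # served locally, even if the WAN is down
            return "cached" if self.cache[account] == _secret(password) else "denied"
        if not self.hub.verify(account, password):       # forwarded to a writable DC
            return "denied"
        if self.cacheable(account):
            self.cache[account] = self.hub.secrets[account]   # one-way pull, never pushed back
        return "forwarded"

    def exposed_if_stolen(self) -> Set[str]:
        return set(self.cache)


def demo() -> Dict[str, object]:
    hub = WritableDC(
        secrets={a: _secret(p) for a, p in [("branch.alice", "a-pw"), ("admin.bob", "b-pw"),
                                            ("hq.carol", "c-pw"), ("branch.tech", "t-pw")]},
        groups={"BranchUsers": {"branch.alice", "branch.tech", "admin.bob"},
                "Domain Admins": {"admin.bob"}, "HQUsers": {"hq.carol"}},
    )
    rodc = RODC(hub, allowed={"BranchUsers"}, denied={"Domain Admins"}, local_admins={"branch.tech"})
    out: Dict[str, object] = {}
    out["alice_first"] = rodc.authenticate("branch.alice", "a-pw")    # forwarded, then cached
    out["alice_second"] = rodc.authenticate("branch.alice", "a-pw")   # now served from cache
    out["alice_wrong_pw"] = rodc.authenticate("branch.alice", "zzz")
    out["bob"] = rodc.authenticate("admin.bob", "b-pw")               # in BranchUsers, but denial wins
    out["carol"] = rodc.authenticate("hq.carol", "c-pw")              # not in any allowed group
    out["exposed"] = sorted(rodc.exposed_if_stolen())
    out["tech_is_local_admin"] = "branch.tech" in rodc.local_admins
    out["tech_is_domain_admin"] = "Domain Admins" in hub.groups_of("branch.tech")
    out["accounts_reset"] = hub.reset(rodc.exposed_if_stolen())
    out["bob_unaffected"] = hub.verify("admin.bob", "b-pw")
    return out
```

After a theft the incident response is bounded by `exposed_if_stolen()`: one branch account needs a reset, while the domain administrator who authenticated through the same RODC was never cached there.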
In this way, the branch user can be delegated the ability to effectively manage the RODC in the branch office without compromising the security of the rest of the domain.

[BUILD2] RODC Benefits: RODCs provide a way to deploy a domain controller more securely in a branch office location, an extranet, or an application-facing role. RODCs are designed to be placed in locations that require rapid, reliable, and robust authentication services but that might also have a security limitation that prevents deployment of a writable domain controller. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed.

[BUILD3] RODC Support: RODCs provide support for: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, and MOM.

We provide more detailed information on how RODC works and what is required to implement RODC in Windows Server 2008 in the next two slides.

Additional Information:
Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)
www.microsoft.com/technet/Add-301.ppt

Title: Active Directory Rights Management Services (ADRMS)
Talking Points: Windows Server 2008 Active Directory Rights Management Services protects access to an organization's digital files. It is a security technology that works with applications to help safeguard digital content, no matter where it goes, for people who need to protect sensitive Web content, documents, and e-mail messages. In Windows Server 2008, Active Directory Rights Management Services (ADRMS), a format- and application-agnostic technology, provides services to enable the creation of information-protection solutions. It will work with any AD RMS-enabled application to provide persistent usage policies for sensitive information. Content that can be protected by using AD RMS includes intranet Web sites, e-mail messages, and documents.
AD RMS includes a set of core functions that allow developers to add information protection to the functionality of existing applications. For Windows Server 2008, AD RMS includes several new features that were not available in Microsoft Windows Rights Management Services (RMS). These new features are designed to ease the administrative overhead of AD RMS and to extend its use outside of an organization.

ADRMS Protects Access to an Organization's Digital Files: Ensuring privacy and protection of digital files and information is a difficult, ongoing task. Traditional solutions in organizations protect initial access using a combination of perimeter-based security technologies to protect sensitive data: network access is protected by firewalls, servers hosting sensitive files can be restricted by Access Control Lists (ACLs), and confidential e-mail messages can be encrypted in transit to assure no tampering. However, this may still result in information leaks and unauthorized users gaining access to information. These forms of information protection, while immensely valuable, share a common limitation: after the intended (or unintended) recipient gains access to the information, he or she is free to use it in whatever manner they wish. For example, he or she can forward e-mail messages around the world in a single click, sometimes to unintended recipients, or save them to a mobile computer or USB drive. What if those portable devices get stolen? A user can burn a CD to work at home, but then carelessly store the CD, or perhaps lose it. While this can happen accidentally or on purpose, it happens too often, and the risks are high.

In Windows Server 2008, ADRMS can help protect information from unauthorized use. ADRMS is an information protection technology that works with ADRMS-enabled applications to help safeguard digital information from unauthorized use.
Content owners can define exactly how a recipient can use the information, such as who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage rights templates such as "Confidential - Read Only" that can be applied directly to information such as financial reports, product specifications, customer data, and e-mail messages.

[BUILD1] Active Directory Rights Management Services in Windows Server 2008: New features of AD RMS were designed to ease the administrative overhead of ADRMS and to extend its use outside of an organization. These new features include the following. ADRMS is included with Windows Server 2008, and is installed as a server role.

[BUILD2] Improved installation and administration experience: ADRMS administration is done through an MMC, as opposed to the Web site administration presented in the earlier versions.

[BUILD3] Self-enrollment of the ADRMS cluster: The ADRMS cluster can be enrolled without having to connect to the Microsoft Enrollment Service. Through the use of a server self-enrollment certificate, the enrollment process is done entirely on the local computer.

[BUILD4] Integration with AD Federation Services: Enterprises are increasingly feeling the need to collaborate outside their enterprise boundaries, and are looking at federation as a solution. Federation support with ADRMS will allow enterprises to leverage their established federated relationships to enable collaboration with external partners. For example, an organization that has deployed ADRMS can set up federation with an external entity by using ADFS, and can leverage this relationship to share rights-protected content across the two organizations without requiring a deployment of ADRMS in both places. This is covered in more detail in the next two slides.

[BUILD5] New ADRMS administrative roles: The ability to delegate ADRMS tasks to different administrators is needed in any enterprise environment and is included with this version of ADRMS.
Three administrative roles have been created: ADRMS Enterprise Administrators, ADRMS Template Administrators, and ADRMS Auditors.

Additional Information:
Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)
http://technet2.microsoft.com/WindowsServer/f/?en/Library/9b24bb70-47ed-46d0-a321-e693d16b1eb01033.mspx

**

Title: Active Directory Federation Services (ADFS)
Talking Points: Active Directory Federation Services (ADFS) is a feature of the Windows Server 2008 operating system that provides an identity access solution. You can use the AD FS server role to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. Using ADFS gives browser-based clients, both inside and outside the network, one-prompt access to protected, Internet-facing applications, even when user accounts and applications are located in different networks or organizations.

A typical scenario occurs when an application is in one network and a user account is in another network, and the user is required to enter secondary credentials when he or she attempts to access the application. With ADFS, however, secondary accounts are not necessary. Instead, trust relationships can be used to project a user's digital identity and access rights to trusted partners. In this federated environment, each organization continues to manage its own identities, but each organization can securely project and accept identities from other organizations.
[BUILD1] Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions: By deploying federation servers in multiple organizations, business-to-business (B2B) transactions can be facilitated between trusted partner organizations. Federated B2B partnerships identify each business partner as one of two organization types: a resource organization or an account organization. Organizations that own and manage resources that are accessible from the Internet can deploy ADFS federation servers and ADFS-enabled Web servers that manage access to the protected resources for trusted partners only. These trusted partners can include external third parties, or other departments or subsidiaries in the same organization.

In addition, organizations that own and manage user accounts can deploy ADFS federation servers that authenticate local users and create security tokens. Federation servers in the resource organization can use these security tokens to make authorization decisions.

[BUILD2] ADFS provides a Web-based SSO solution: The process of authenticating to one network while accessing resources in another network, without the burden of repeated logon actions, is known as single sign-on (SSO). ADFS provides a Web-based SSO solution that authenticates users to multiple Web applications over the life of a single browser session.

[BUILD3] ADFS interoperates with other security products that support the Web Services Architecture: ADFS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. ADFS employs the federation specification of WS-*, called the WS-Federation Passive Requestor Profile (WS-F PRP).
This specification makes it possible for environments that do not use the Microsoft Windows identity model to federate with Windows environments.

[BUILD4] AD FS improved in Windows Server 2008: For Windows Server 2008, ADFS includes new functionality that was not available in Windows Server 2003 R2. This new functionality is designed to ease administrative overhead and to further extend support for key applications:
- Improved installation: ADFS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.
- Improved application support: ADFS is more tightly integrated with Microsoft Office SharePoint Server 2007 and Active Directory Rights Management Services (ADRMS).
- A better administrative experience when you establish federated trusts: Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.
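The account-organization / resource-organization split described in this slide, and the claims-to-RMS-rights mapping that the Federated Rights Management slide further on builds on it, can be traced end to end in one constructed example. The Python below is added for this page and is not Microsoft code or the WS-Federation wire format: an HMAC over a base64url JSON body stands in for the signed token, the realms, users, groups and rights policy are made up, and `"Confidential - View/Print"` is an assumed template name. What it shows is that the resource side grants usage rights from validated claims alone, with no local account for the external user, and rejects tokens from an untrusted issuer, expired tokens, and tokens whose claims were altered after signing.

```python
"""Constructed model (not Microsoft code) of federated access: the account partner
authenticates its own user and issues a signed claims token; the resource partner
validates it against its federation trust and maps claims to RMS usage rights.
HMAC-SHA256 over a base64url JSON body stands in for the real signed token."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Set


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AccountPartner:
    """Account organization's federation server: looks the user up in its own
    directory (constructed data) and issues a token the partner can verify."""

    def __init__(self, realm: str, signing_key: bytes, directory: Dict[str, Dict]):
        self.realm, self.key, self.directory = realm, signing_key, directory

    def issue_token(self, user: str, audience: str, now: int) -> str:
        attrs = self.directory[user]
        claims = {"iss": self.realm, "aud": audience, "sub": user,
                  "groups": sorted(attrs["groups"]), "exp": now + 300}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ResourcePartner:
    """Resource organization's federation server: holds one verification key per
    trusted issuer and a policy mapping (issuer, group) claims to RMS rights."""

    def __init__(self, realm: str, trusts: Dict[str, bytes], rights_policy: Dict[str, Set[str]]):
        self.realm, self.trusts, self.rights_policy = realm, trusts, rights_policy

    def validate(self, token: str, now: int) -> Dict:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        key = self.trusts.get(claims.get("iss"))
        if key is None:
            raise ValueError("no federation trust with issuer")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            raise ValueError("bad signature")
        if claims["aud"] != self.realm:
            raise ValueError("token not addressed to this realm")
        if claims["exp"] <= now:
            raise ValueError("token expired")
        return claims

    def use_license(self, token: str, now: int) -> Set[str]:
        """Rights come from the validated claims, never from a local (shadow) account."""
        claims = self.validate(token, now)
        rights: Set[str] = set()
        for group in claims["groups"]:
            rights |= self.rights_policy.get(f"{claims['iss']}:{group}", set())
        return rights


def _outcome(check: Callable[[], object]) -> str:
    try:
        check()
        return "accepted"
    except ValueError as err:
        return str(err)


def demo() -> Dict[str, object]:
    now = 1_700_000_000   # fixed clock so the example is reproducible
    fabrikam = AccountPartner("fabrikam.example", b"fabrikam-signing-key (constructed)", {
        "dana": {"groups": {"PartnerEngineers"}},
        "eve": {"groups": {"Contractors"}},
    })
    contoso = ResourcePartner(
        "contoso.example",
        trusts={"fabrikam.example": b"fabrikam-signing-key (constructed)"},
        rights_policy={"fabrikam.example:PartnerEngineers": {"view", "print"}},  # "Confidential - View/Print"
    )
    good = fabrikam.issue_token("dana", "contoso.example", now)
    body, sig = good.split(".")
    altered = _b64(json.dumps({**json.loads(_unb64(body)), "groups": ["Everyone"]}).encode()) + "." + sig
    other = AccountPartner("other.example", b"other-key (constructed)", {"sam": {"groups": {"PartnerEngineers"}}})
    return {
        "dana_rights": sorted(contoso.use_license(good, now)),
        "eve_rights": sorted(contoso.use_license(fabrikam.issue_token("eve", "contoso.example", now), now)),
        "no_trust": _outcome(lambda: contoso.validate(other.issue_token("sam", "contoso.example", now), now)),
        "expired": _outcome(lambda: contoso.validate(good, now + 600)),
        "altered_claims": _outcome(lambda: contoso.validate(altered, now)),
    }
```

Note that `use_license` never consults a Contoso directory: Dana's rights exist only because Fabrikam is a trusted issuer and her `PartnerEngineers` claim is mapped in Contoso's policy, which is the "no shadow account" property the federated RMS slide describes.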

Additional Information:
Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)
http://technet2.microsoft.com/windowsserver2008/en/library/61f7f298-2cac-4cfb-977f-88fd4b781b4e1033.mspx

**

Title: Federated Rights Management
Talking Points: AD RMS and AD FS in Windows Server 2008 provide a new way to protect sensitive information that is both more comprehensive and easier to administer.

AD RMS and AD FS in Windows Server 2008 provide a new way to protect sensitive information: Windows Server 2008 enables a new way to protect sensitive information that is both more comprehensive and easier to administer. As in Windows Server 2003, Active Directory Federation Services (AD FS) enables one organization to set up a federated trust with another organization. Users sign on once, to their local domain, and gain access to a partner domain through identity and access federation. Because AD RMS has been integrated with AD FS in Windows Server 2008, a federated trust now allows AD RMS to grant appropriate RMS permissions to an external user without requiring them to sign in locally or have their own AD RMS server. Additionally, Microsoft Office SharePoint Server 2007 can also be configured to use federated trusts to apply RMS permissions without recourse to a local Active Directory profile.

[BUILD1] AD RMS is fully claims-aware and can interpret AD FS claims: In Windows Server 2008, AD FS and AD RMS work together to enable users from different domains to securely share documents based on federated identities, rather than local Active Directory profiles. AD RMS in Windows Server 2008 is fully claims-aware. It can interpret AD FS claims to authenticate users and control their access to content. When external users sign on to their local AD domains, they are provided with federation claims that contain their credentials and the access rights they should be granted.
When they access the external resource, the resource provider's AD FS server contacts the requester's AD FS server to check the validity of the requester's claims. If the claims are valid, the resource provider's AD FS server passes the claims on to the application, allowing the external user appropriate access to RMS-protected content. This creates a powerful new content-sharing scenario, federated document collaboration, that eliminates the need to maintain shadow accounts for external users and provides those users with single sign-on access to RMS-protected content. Once two entities have set up a federated trust, users can share and use protected content almost as if they were in the same domain. Administrators at the resource provider can control the fine points of who has what kind of access to what kinds of content without needing to manage identities for individual users.

[BUILD2] Office SharePoint Server 2007 can be configured to accept federated identity claims: Microsoft Office SharePoint Server 2007 can also be configured to use identity and access federation to apply RMS permissions without requiring a local Active Directory profile. In a SharePoint repository, RMS permissions are not applied directly to documents. Instead, SharePoint dynamically applies RMS protection to stored documents when they are requested by a user. In previous versions of SharePoint, this was achieved using Windows NT tokens tied to a user's AD profile. As with earlier iterations of RMS in general, this required administrators to maintain redundant AD profiles for external users if organizations wanted to share content across firewalls, presenting the same challenges to security, management and SSO enablement. Office SharePoint Server 2007, on the other hand, can be configured to accept federated identity claims to enable organizations to control user access to documents and how those documents are used.
It, too, applies RMS permissions to resources as they are consumed by the user, but based on the authenticated user's AD FS claims rather than on a separate identity stored in the AD records associated with the Office SharePoint Server 2007 host. Federated RMS permissions can be managed using the same tools as if the users were internal to the company hosting the content. This enables resource-side users to apply claims-based controls rather than relying on user-to-user or group-to-group mapping between organizations. No shadow account is needed on the resource AD FS server side.

Additional Information:
Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)
http://technet2.microsoft.com/WindowsServer/f/?en/Library/9b24bb70-47ed-46d0-a321-e693d16b1eb01033.mspx
http://technet2.microsoft.com/windowsserver2008/en/library/61f7f298-2cac-4cfb-977f-88fd4b781b4e1033.mspx
Federated Rights Management in Windows Server 2008.doc white paper

**

Title: Microsoft's Virtualization Solutions
Talking Points:

[BUILD 1] So, the Microsoft Server Virtualization is really an end-to-end platform. It's a suite of products that really come together and come up with this concept of a dynamic data center. So managing not just a server, but managing virtual machines, managing applications.

So, obviously from the server virtualization platform up in the top right, we have Virtual Server 2005 R2, which is currently released, and then also Windows Server 2008 and the hypervisor, or Windows Server Virtualization.

[BUILD 2] From the presentation virtualization, that would be where our Terminal Services and Terminal Services Gateway mode really comes into play.

That's the ability to actually publish applications, publish them to secure sites on a Terminal Services infrastructure. So, it's UI rendering on the client and nothing's actually getting loaded down to the client.

[BUILD 3] Then of course, desktop virtualization and Virtual PC, continuing as part of Enterprise and Ultimate: Virtual PC 2007, which is again the same kind of licensing structure as the Enterprise edition of Server, so you would have a before guess? in Virtual PC.

[BUILD 4] And then of course, the final one would be the application virtualization.

We acquired a company called Soft Grid and their product is called Softricity which really allows enterprises to actually publish applications in secure sandbox modes out to their employees.

So, based upon group policy, you can actually determine which applications would appear as icons on the desktop.

And, based on one of two delivery mechanisms, either streaming or full SMS dial up application delivery, the end user can then click on one of those applications in one of those virtual sandboxes.

So, today, we're going to really focus on the infrastructure piece.

So we're going to talk about the core Windows Server and in particular Windows Server 2008 and how that's really the central point.

To give you an idea of why this is important to us and to some of our customers, thinking about what's coming by the end of this year, we're talking about eight-way servers that would be in a 6U spot today.

6U rack size, thinking about 8 cores in each of those CPUs.

So, think about those 6U and 64-way with close to 2 terabytes of RAM.

And think about all the blade servers that are coming.

In a 1U slot, you have dual core and quad core coming, so you have 16 U processing in a 1 blade.

Microsoft is actually building a data centre in Eastern Washington that's the size of a Costco. For those of you who don't know, that's a pretty large warehouse here in the United States. That Costco would be full of servers, and we're thinking about what we're going to do to optimize that space.

Now virtualization is going to be a key part of that.

This is something that has to happen, and it's something that the industry needs and Microsoft needs, and this is why the virtualization in WS 2008 is so important to us.

*

Virtualization in an IT environment is essentially the isolation of one computing resource from the others. By separating the different layers in the logic stack, you enable greater flexibility and simplified change management: you no longer need to configure each element for them all to work together. In a traditional hardware/software stack, all of the elements are bound together, requiring specific configuration to allow the components to properly interact with each other. Creating new capability entails procuring and configuring the hardware, software and interfaces.

In a virtualized stack, each element is logically isolated and independent. Adding new capability can be as simple as replicating an OS and application instance on existing hardware that has excess capacity.

Perhaps the best way to understand virtualization in a practical application is to look at the most common use, machine virtualization. Machine virtualization is where an operating system and application are packaged together to form a virtual machine, which is then hosted on a physical server running a host operating system or hypervisor (a thin layer of software that provides the basic interface with the hardware).

The most important concept to understand is that this virtual machine (OS+App) operates independently of the OS on the physical server. In fact, multiple virtual machines can run on a single physical server, while providing the same isolation and security as if they were each on their own discrete hardware.

*

Title: Hypervisor Design Goals
Talking Points:

VSP = Virtualization Service Providers
VSC = Virtualization Service Clients

So, this is again the end-to-end look, with a little bit more detail.

[BUILD 1] So, we have again the AMD-V, Intel VT chip set, and then our hypervisor.

So, when you install Windows Server Virtualization after Windows Server 2008 ships, then we'll be able to have this hypervisor role, and the first thing we'll do is we'll instantiate the hypervisor on top of the hardware.

[BUILD 2] And then the next thing we'll do is it'll install the parent partition in a Windows Server Core mode. And that can be very key.

There are some strong security benefits and patching benefits that you need to talk to the customer about, but then after it instantiates the core, you can have tools like System Center Virtual Machine Manager access the parent and then actually start creating your child partitions.

[BUILD 3] So, that's kind of the way it works, and then the communications are happening down at this VM Bus level.

You can see here, at the end, through the announcement with Novell the then source enabled boxes will plug directly in through a hypercall adapter that is written directly into our VM bus.

So, the goal here is to really keep Windows Server Virtualization as the core platform play, and it'll give companies flexibility to actually plug in the different child partitions, and then also there's end source.

If something goes wrong, and they insert a Linux kernel here, an end source kernel or a VMware kernel, we have the chance of losing the platform.

We'll talk a little bit more about that inside the Competitors section.

**

Title: Terminal Services RemoteApp
Talking Points: Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp) provides the ability to run both local and remotely hosted programs on a Windows desktop. These programs are fully integrated with the local computer, having their own resizable windows and taskbar entries. The remote program is completely integrated with the user's desktop, and appears to the user as if it is running on the user's local computer. Users can run programs from a remote location side by side with their local programs. If the program uses a notification area icon, this icon appears in the client's notification area. Pop-up windows are redirected to the local desktop. Local drives and printers can be redirected to appear in the remote program. Many users might not be aware that the remote program is any different from a local program. The Terminal Server Configuration console is the central location from which administrators configure a terminal server to host remote programs.

[BUILD1] RemoteApp Console: From the RemoteApp console, you can select which applications on the terminal server to make available as remote programs, as well as decide whether such programs should also be made available by means of Terminal Services Web Access.

[BUILD2] Programs Look Like They Are Running Locally: This image demonstrates TS RemoteApp. Microsoft Office Outlook 2007 is running on a terminal server, and yet the launch-tray icon and the reminder tabs have migrated over to the client desktop as if it were running locally. Compare this to the Internet Explorer window, also open on the desktop, in which applications accessed using TS Web Access would operate.
[BUILD3] Remote Desktop Client: Remote programs are only supported by the Remote Desktop client 6.0 or later. This client is available for Windows XP SP2, Windows Server 2003 SP1, and Windows Vista, and is distributed free through Windows Update.

Additional Information:
Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)
http://www.microsoft.com/windowsserver/longhorn/terminal-services/default.mspx
www.microsoft.com/technet/Add-301.ppt
www.microsoft.com/technet/Add-400.ppt

***

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

*Microsoft Confidential*