Microsoft has finally gotten its client and server teams into a cadence that encourages building strong connections between client and server. Once you learn the combined strength of Windows 7 and Windows Server 2008 R2, you may get off the fence about migrating.
Even though Microsoft shifted to a common core technology for both its client and server Windows software a decade ago, the two development teams were never quite in sync when it came to releases, and therefore, it was difficult to coordinate special features that tied the desktop OS to the server.
But with Windows 7 and Windows Server 2008 R2, Microsoft finally got the two on a very close release schedule. Both entered beta in late 2008 and were commercially available in October 2009. They share quite a few common technologies, including:
- Scaling to 256 cores
- Fewer hardware locks and improved parallelism
- Timer coalescing, which batches multiple timer-driven tasks so they run together rather than waking the processor for each one, letting the processor stay in a low-power mode for longer
- Windows Installer 5.0 supports installing and configuring Windows Services and provides developers with more control over setting permissions during software installation
- User-mode scheduling: the kernel usually handles all thread scheduling, but 64-bit Windows 7 and Windows Server 2008 R2 allow applications with heavy concurrent threading requirements, such as a database, to do their own scheduling.
That’s just scraping the surface. Let’s dive into some of the major features wherein Windows 7 takes advantage of the server OS, and ways in which Windows Server turns on new functionality in the client OS.
Knowing and Trust
Microsoft has put a lot of emphasis on securing both the client and server, which in turn results in Windows 7 clients trusting Windows Server 2008 R2 servers and vice versa. In developing these two operating systems in concert, Microsoft built in a lot of trusted and security-related technologies.
For example, DirectAccess technology permits much more secure connections than the old remote access option, virtual private networks (VPNs). Let’s face it: for most of us, our VPN experience at best has been a hassle, at worst spawning words unprintable here. DirectAccess provides remote users with the same access to the network they would have if they were in the office, and it initiates the connection automatically. No more firing up and fighting with the VPN client.
DirectAccess uses two-factor authentication, so that biometric reader on your laptop is finally useful. It creates two IP Security (IPsec) tunnels. The first uses the computer certificate only and gives the computer access to the DNS server and domain controller, so Group Policy can be downloaded and the user can be authenticated. The second uses both the computer certificate and a user certificate, and gives the user access to the internal resources and application servers for which they are authorized.
DirectAccess also allows an IT administrator to manage remote systems even when they aren’t connected to a VPN. You can apply new Group Policy or distribute software updates even if no user is logged on, because as soon as the computer connects, those changes are pushed down.
IT Expert Voice has delved into DirectAccess in greater depth, so consult that story for further examination of its benefits.
RemoteApp
Windows Server 2008 revised and renamed Windows Terminal Services as Remote Desktop Services, and added some new features. Windows 7 is the first client to include the feed support that these server-side features rely on.
RemoteApp lets Windows users enjoy remote applications with the same look and feel as local applications. With RemoteApp and Desktop Connections in Windows 7, applications can be installed in the Start menu, so an application being run off a server is started just like an application installed on the computer’s hard drive.
The Windows 7 client can subscribe to a RemoteApp program by using a URL, just as you run a desktop application through a link to an executable stored in a directory. Once the user subscribes to the feed, that connection is always there, just like an installed application. Users only have to log on once to create the connection; after that, Windows remembers their credentials. All of this requires a Windows 7 client.
Windows Server 2008 R2 and Windows 7 also come with the latest version of the Remote Desktop Protocol (RDP v7), which provides graphics rendering and multimedia enhancements for remote desktop users, so you don’t need to use a primitive, basic interface like with previous terminal services. Windows 7’s Aero glass effect is now supported, multi-monitor support is improved and overall performance is better.
AppLocker
Prior attempts to provide software control and restriction on a Windows desktop were rather lacking in options and flexibility and often easy to get around. AppLocker is a new feature in Windows 7 and Server 2008 R2 that replaces the old Software Restriction Policies with more flexibility and stronger rules.
AppLocker allows you to create rules to control which files can be run on the desktop and assign those rules to specific users or groups. You can allow applications by publisher, product name, file name or file version, or those carrying a digital signature. Conversely, you can deny applications based on the same criteria, or restrict programs based on the directory path. You can also create file hash rules for specific software whose execution you want to allow or deny.
AppLocker’s publisher rules are based upon an application’s digital signature. A publisher rule can carry forward through future upgrades because it’s possible to say “a certain version and up.” For example, you could create a rule that allows users to run all versions of Firefox 3.5 and higher; when version 4.0 comes out, the end user can download, install, and upgrade her browser because its version number is greater than 3.5.
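The “Firefox 3.5 and up” publisher rule above, as an added example (not code from the article or from Microsoft): it reads the signature fields from the installed binary, writes the rule in audit-only mode, and dry-runs it with Test-AppLockerPolicy before anything is enforced. The Firefox path is an assumption.

```powershell
# Added example: build and dry-run an AppLocker publisher rule allowing
# Firefox 3.5 and later for Everyone. Assumes Windows 7 / Server 2008 R2
# with the AppLocker module and a signed firefox.exe at the path below.
Import-Module AppLocker

$exe = 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'   # assumed path

# Read the signature fields AppLocker keys on rather than hand-typing the
# certificate subject; a typo there silently yields a rule that never matches.
$pub = (Get-AppLockerFileInformation -Path $exe).Publisher
if (-not $pub) { throw "$exe is not signed; a publisher rule cannot be built for it" }

# Lower bound pinned to 3.5 rather than the installed version; "*" as the
# upper bound is what lets future upgrades (4.0 and later) keep running.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Firefox 3.5 and later"
        Description="Publisher rule: version floor 3.5, no ceiling"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pub.PublisherName)"
            ProductName="$($pub.ProductName)" BinaryName="$($pub.BinaryName)">
          <BinaryVersionRange LowSection="3.5.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'firefox-applocker.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: what would this policy decide for the binary, for Everyone?
# Expect Allowed for 3.5 and up, Denied below it. Once an Exe collection is
# enforced, executables matched by no rule are blocked as well, so merge
# this with the default rules before moving from AuditOnly to Enabled.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $exe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply in audit mode; decisions are logged under Applications and Services
# Logs\Microsoft\Windows\AppLocker, where they can be reviewed before enforcing.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```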
For more on AppLocker, see I Know I Can Find It In Here Somewhere: Using Windows 7 Applocker.
BranchCache
BranchCache is more of a Windows Server 2008 R2 feature than a Windows 7 feature, but Windows 7 does benefit from it. With BranchCache, remote offices can locally cache files they access frequently, rather than repeatedly requesting them from the central servers at a cost in time and bandwidth. Windows 7 is the only client that supports caching on the client.
In addition to the caching, Windows Server 2008 R2 and Windows 7 support a read-only Distributed File System (DFS), again designed to minimize network traffic and congestion, by putting read-only files in a local network so they don’t have to be fetched from the central server.
While not related to BranchCache, Windows 7 has a new feature called “transparent caching,” sometimes referred to as “Offline Files & Folders.” Transparent caching stores network files on the local computer the first time you access them, so when you revisit a file, it’s on your computer rather than on the network. Like BranchCache, it can minimize network traffic for file retrieval. Windows 7 checks the local file against the one on the network to ensure you have the latest copy; if yours is older, the new one is retrieved. The cached copy is not used if the server is unavailable, and updates to the file are always written directly to the server.
More on BranchCache: See BranchCache Basics: Moving the Central Office Closer.
BitLocker
BitLocker drive encryption was introduced with Windows Vista, but it was limited to only encrypting the system partition. In Windows Server 2008 and Windows Vista SP1, BitLocker was enhanced to encrypt additional (non-system) partitions. With Server 2008 R2 and Windows 7, BitLocker can also encrypt removable drives, such as USB drives, which have been widely recognized as a security threat because they can hold sensitive data and be easily removed from the office.
The BitLocker To Go feature in Windows Server 2008 R2 and Windows 7 allows administrators to use Group Policy to force users to enable BitLocker on removable drives before they can write anything to the drives, making them (the drives, that is, not the administrators!) much more secure. The recovery key can be stored in the Active Directory.
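An added audit script for the BitLocker To Go controls described above (not from the article or Microsoft): it reads the Group Policy values the BitLocker template writes, lists removable drives with their protection status, and optionally escrows recovery passwords to Active Directory through the BitLocker WMI provider. Run it elevated on a domain-joined Windows 7 or Server 2008 R2 machine.

```powershell
# Added example: check the removable-drive BitLocker policy and per-drive state.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }

function Get-PolicyFlag($name) {
    if ($pol -and $pol.PSObject.Properties[$name]) { [int]$pol.$name } else { 0 }
}

# "Deny write access to removable drives not protected by BitLocker" and
# "Do not enable BitLocker until recovery information is stored to AD DS".
$denyWrite   = Get-PolicyFlag 'RDVDenyWriteAccess'
$adBackup    = Get-PolicyFlag 'RDVActiveDirectoryBackup'
$requireAdBk = Get-PolicyFlag 'RDVRequireActiveDirectoryBackup'
$escrowNow   = $false   # set $true to push recovery passwords to AD from here

"Removable drives read-only unless encrypted : $($denyWrite -eq 1)"
"Recovery info escrowed to AD                : $($adBackup -eq 1)"
"Encryption blocked until AD escrow succeeds : $($requireAdBk -eq 1)"
if ($denyWrite -ne 1) { Write-Warning 'Users can still write cleartext to USB drives.' }

# Join removable logical disks (DriveType 2) with the BitLocker WMI class.
# ProtectionStatus: 1 = protection on, 0 = off, 2 = unknown.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
             ForEach-Object { $_.DeviceID }
foreach ($letter in $removable) {
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$letter'"
    if (-not $vol) { "$letter : no encryptable volume object"; continue }
    $status = $vol.GetProtectionStatus().ProtectionStatus
    # Key protector type 3 = numerical (recovery) password, the one AD stores.
    $recoveryIds = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)
    "$letter : protection=$status recoveryPasswords=$($recoveryIds.Count)"
    if ($status -eq 1 -and $recoveryIds.Count -eq 0) {
        Write-Warning "$letter is encrypted but has no recovery password to escrow."
    }
    # Same call the policy triggers when BitLocker is turned on; 0 = success.
    if ($escrowNow -and $status -eq 1) {
        foreach ($id in $recoveryIds) {
            $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
            "$letter : AD backup of $id returned $rc"
        }
    }
}
```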
To learn more about BitLocker in action, watch the screencast, I Know I Can Find It In Here Somewhere: Using Windows 7 Bitlocker.
Playing Nice Together
These examples show how Microsoft is tying its client and server together for improved performance, something it probably couldn’t do ten years ago for two reasons: one, monopoly accusations, and two, its two development teams were out of sync. With Linux so strong on the server market — Linux now accounts for 14.8% of server revenue as of the third quarter 2009, according to IDC, while Windows has 43% of server revenue — it’s hard to make the case that Microsoft is in a monopoly position. So some heat is off the company.
At the same time, Microsoft has finally gotten the releases of the two operating systems in sync, and it plans to keep it that way. It’s rumored (and impossible to prove at this point) that Microsoft plans to release the successors to Windows 7 and Server 2008 in 2012.
But that’s in the future. For now, it’s clear there are definite benefits to having the two operating systems working in concert, and they should be taken into consideration when debating a migration, upgrade or rollout.
Just to ensure that folks don't get incorrect info. This statement not 100% accurate:
>>DirectAccess uses two-factor authentication, so that biometric reader on your laptop is finally useful.
While DirectAccess supports two-factor authentication, it's currently limited to smartcard support. Biometrics can be used to logon to a Windows 7 PC and cache single factor name/password information (key for a key concept). So in terms of a Windows logon, a bio logon doesn't look any different than a name/password logon (single factor). If an organization considers "name/password" good enough for their remote access, then DirectAccess would leverage this for connectivity. However, with a smartcard based logon, this strong auth based logon information is passed to the edge, and DirectAccess enforces the OS attestation that the logon was strong auth based.