Windows
Server 2008 R2 has greatly enhanced the technology offerings that
provide better IT services to organizations with remote offices or
branch offices. Typically, a remote or branch office has limited IT
support or at least the site needs to have the same functionality and
reliability as the main corporate or business office, but without the
budget, to have lots of redundant hardware and devices for full
operational support. With the new Windows Server 2008 R2 branch office
resources, a remote location can now have high security, high
performance, access to data without significant latency, and operational
capabilities, even if the remote site is dropped off the network due to
a WAN or Internet connection problem.
The tools and
technologies new or improved in Windows Server 2008 R2 include Read-Only
Domain Controllers, BitLocker Drive Encryption, distributed file server
data replication, and distributed administration.
Read-Only Domain Controllers for the Branch Office
The RODC provides a copy of the Active
Directory global catalog for logon authentication of select users and
communications with the Active Directory tree without having the
security exposure of a full global catalog server in the remote
location. Many organizations concerned with distributed global catalog
servers chose to not place a server in a remote location, but rather
kept their global catalog and domain controllers centralized. What this
meant for remote and branch offices is that all logon authentication had
to go across the WAN or Internet connection, which could be very slow.
And in the event of a WAN or Internet connection failure, the remote or
branch office would be offline because users could not authenticate to
the network and access network resources until the WAN or Internet
connection was restored.
Read-Only
Domain Controllers provide a way for organizations to distribute
authentication and Active Directory access without increasing their
security risk caused by the distribution of directory services.
BranchCache File Access
New
to Windows Server 2008 R2 is a role called BranchCache. BranchCache is a
technology that provides users with better access to files across a
wide area network (WAN). Normally, if one user accesses a file, the file
is transferred across the WAN for the user, and then when another user
accesses the same file, the same file is again transferred across the
WAN for the other user. BranchCache acknowledges that a file has been
transferred across the WAN by a previous user, and instead of retrieving
the file across the WAN, the file is accessed locally by the subsequent
user.
BranchCache requires Windows 7
on the client side and can be set up so that the file is effectively
retrieved in a peer-to-peer manner from another Windows 7 client that
had previously accessed a file. Or, a Windows Server 2008 R2 server with
the BranchCache server role can be set up in the remote location where
remotely accessed files are temporarily cached for other Windows 7
client users to seamlessly access the files locally instead of being
downloaded across the WAN.
BranchCache does not require
the user to do anything differently. Users simply accesses files as they
normally do (either off a Windows file system or from a SharePoint
document library), and the combination of Windows 7 and Windows Server
2008 R2 does all the caching automatically. BranchCache has proven to
improve access time on average 30%–45% for remote users, thus increasing
user experience and potentially user productivity by having faster
access to information in remote locations.
BitLocker for Server Security
BitLocker is a technology
first introduced with Windows Vista that provides an organization with
the ability to do a full partition encryption of all files, documents,
and information stored on the encrypted partition. When BitLocker was
first introduced in Windows Server 2008 as a server tool, it was hard to
understand why a server would need to have its drive volume encrypted.
It made sense that a laptop would be encrypted in the event the laptop
is stolen—so that no one could get access to the data on the laptop hard
drive. However, when considering that servers are placed in remote
locations—many times not in a locked server rack in a locked computer
room but rather sitting in a closet or even under a cash register in the
situation of a retail store with a server acting as the point-of-sale
system—servers with sensitive data are prevalent in enterprise
environments.
So, BitLocker
provides encryption of the volume of a Windows Server 2008 R2 server;
for organizations that are concerned that the server might be physically
compromised by the theft of the server or physical attack of the
system, BitLocker is a great component to implement on the server
system.
Distributed File System Replication
Introduced in Windows 2000,
improved in Windows 2003, and now a core component of the branch office
offerings in Windows Server 2008 R2, Distributed File System
Replication (DFSR) allows files to be replicated between servers,
effectively providing duplicate information in multiple locations.
Windows Server 2008 R2 has a much improved Distributed File System than
what was available in Windows 2000/2003. In most organizations, files are
distributed across multiple servers throughout the enterprise. Users
access file shares that are geographically distributed but also can
access file shares sitting on several servers in a site within the
organization. In many organizations, when file shares were originally
created years ago, server performance, server disk capacity, and the
workgroup nature of file and print server distribution created
environments in which those organizations had a file share for every
department and every site. Thus, files have typically been distributed
throughout an entire organization across multiple servers.
Windows Server 2008
R2 Distributed File System Replication enables an organization to
combine file shares to fewer servers and create a file directory tree
not based on a server-by-server or share-by-share basis, but rather an
enterprisewide directory tree. This allows an organization to have a
single directory spanning files from multiple servers throughout the
enterprise.
Because the DFSR directory is a
logical directory that spans the entire organization with links back to
physical data, the actual physical data can be moved without having to
make changes to the way the users see the logical DFS directory. This
enables an organization to add or delete servers, or move and
consolidate information, however it works best within the organization.
For branch office locations, DFSR
allows for data stored on a file server in a remote location to be
trickled back to the home office for nightly backup. Instead of having
the remote location responsible for data backup, or the requirement of
an organization to have tape drives in each of its branch offices, any
data saved on the branch office can be trickle replicated back to a
share at the main office for backup and recovery.
If the main office has data
that it wants to push out to all remote offices, whether that is
template files, company policy documents, standard company materials, or
even shared data that a workgroup of users needs to access and
collaborate on, DFSR provides the ability to push out data to other
servers on the network. Users with access rights to the data no longer
have to go across a WAN connection to access common data. The
information is pushed out to a server that is more local to the user,
and the user accesses the local copy of the information. If any changes
are made to remote or centralized copies of data, those changes are
automatically redistributed back to all volumes storing a copy of the
data.
One of the
enhancements made in Windows Server 2008 R2 specific to DFS-R is the
ability for an administrator to set a DFS replica to be read-only. In
the past, DFS replicas were all read/write replicas so that a user in a
remote location could accidentally overwrite files that then replicate
to all replicas in the environment. Administrators have compensated for
this potential issue by setting file-level permissions across files and
folders; however, for many remote branch offices, if the administrator
could simply make the entire replica read-only, it would simplify the
security task dramatically. Thus, read-only replicas can now be set so
that an entire server or branch of a DFS tree can be set to replicate to
a remote server on a read-only basis.
Improvements in Distributed Administration
Finally,
for remote or branch offices that do have IT personnel in the remote
locations, administration and management tasks have been challenging to
distribute proper security rights. Either remote IT personnel were given
full domain administrator rights when they should only be limited to
rights specific to their site, or administrators were not given any
administrative rights because it was too difficult to apply a more
limiting role.
Windows Server 2008 R2
Active Directory has now defined a set of rights specific to branch
office and remote site administrators. Very similar to site
administrators back in the old Exchange Server 5.5 days—where an
administrator was able to add users, contacts, and administer local
Exchange servers—now network administrators in Active Directory can be
delegated rights based on a branch or remote site role. This provides
those administrators with the ability to make changes specific to their
branch location. This, along with all the other tools in Windows Server
2008 R2 specific to branch office and remote office locations, now
provides better IT services to organizations with multiple offices in
the enterprise.
