Windows Server 2008 R2 and Windows 7 - Download Center


Better together


Markus Erlacher
Technical Solution Professional, Microsoft Switzerland
markus.erlacher@microsoft.com
DirectAccess
BranchCache
SMB
Remote Desktop Services for VDI
[Diagram: a remote client on the Internet and a local client on the enterprise network both reach the datacenter servers through DirectAccess]

Identity: Strong authentication required for all users

Authorization: Machine health is validated or remediated before allowing network access

Protection: All network transactions are authenticated and encrypted

Policies are based on identity, not on location
DirectAccess
• Name Resolution: DNS and NRPT
• Data Protection: IPsec
• Connectivity: IPv6
IPv6 Options
• DirectAccess requires IPv6
• DirectAccess works best if the corporate network has native IPv6 deployed
• If native IPv6 isn't available, remote clients use IPv6 transition technologies
• The corporate network can deploy native IPv6, transition technologies, or NAT-PT

[Diagram: Internet on the left, Intranet on the right; the intranet side may run native IPv6, IPv6 translation technologies, or IPv4 behind NAT-PT]
IPsec tightly integrates with IPv6, allowing the rules engine to determine when and how traffic should be protected

[Diagram: the DirectAccess connection and the Internet connection, each with "end to edge" and "end to end" protection options]




• Remote DirectAccess clients utilize smart routing by default
• The Name Resolution Policy Table allows this to happen efficiently and securely
• Sends name queries to internal DNS servers based on pre-configured DNS namespace
IP address assigned by ISP     IPv6 address used to connect
Native IPv6                    Native IPv6
Public IPv4                    6to4
Private IPv4                   Teredo
Any (server not reachable)     IP-HTTPS

• Native IPv6 support
• Public IPv4 addresses will use 6to4 to tunnel IPv6 inside IP (Protocol 41)
• Private IPv4 addresses will use Teredo to tunnel IPv6 inside IPv4 UDP (UDP 3544)
• If the client cannot connect to the DirectAccess server, IP-HTTPS will connect over port 443

[Diagram: DirectAccess client connecting via native IPv6, 6to4, Teredo, or IP-HTTPS]
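The selection rules above, as an added example written for this page (not code from the deck or from Microsoft): a small Python model that picks the transition technology from the address the ISP assigned and derives the 6to4 prefix a public IPv4 address maps to (RFC 3056, 2002:WWXX:YYZZ::/48). The "private" test uses the RFC 1918 ranges; the function names, the TRANSPORT table and the sample addresses are my own.

```python
"""Added example: DirectAccess client transition-technology selection.

Models the rules on the slide (not Microsoft's implementation): native IPv6 is
used directly, a public IPv4 address tunnels with 6to4 (IP protocol 41), a
private IPv4 address tunnels with Teredo (UDP 3544), and IP-HTTPS (TCP 443)
is the fallback when the DirectAccess server cannot be reached otherwise.
"""
import ipaddress

# RFC 1918 space: a client here sits behind a NAT, so protocol 41 will not get through.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# What the edge firewall has to allow outbound for each technology (ports from the slide).
TRANSPORT = {
    "Native IPv6": "IPv6 directly",
    "6to4": "IP protocol 41",
    "Teredo": "UDP 3544",
    "IP-HTTPS": "TCP 443",
}


def is_private_v4(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def choose_transition(assigned: str, da_server_reachable: bool = True) -> str:
    """Return the technology a client with this ISP-assigned address would use."""
    if not da_server_reachable:
        return "IP-HTTPS"                  # last resort: looks like ordinary HTTPS to the network
    addr = ipaddress.ip_address(assigned)
    if addr.version == 6:
        return "Native IPv6"
    if is_private_v4(addr):
        return "Teredo"
    return "6to4"


def sixtofour_prefix(public_v4: str) -> str:
    """6to4 prefix for a public IPv4 address: 2002:WWXX:YYZZ::/48 (RFC 3056)."""
    v4 = ipaddress.IPv4Address(public_v4)
    if is_private_v4(v4):
        raise ValueError("6to4 needs a public IPv4 address")
    w, x, y, z = v4.packed
    return str(ipaddress.IPv6Network(f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48"))


if __name__ == "__main__":
    for sample in ("2001:db8::10", "192.0.2.1", "10.1.2.3"):   # constructed sample addresses
        tech = choose_transition(sample)
        print(f"{sample:>14} -> {tech} ({TRANSPORT[tech]})")
    print("6to4 prefix for 192.0.2.1:", sixtofour_prefix("192.0.2.1"))
```

The TRANSPORT table is the part a firewall or detection team needs: each technology has a distinct outbound signature, and IP-HTTPS is the only one that blends in with normal web traffic.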
IPv6 Options
Native
 - Servers can run any OS that fully supports IPv6
 - Requires IPv6 infrastructure
 - Best choice over time

ISATAP
 - IPv6 inside IPv4
 - Servers must be Windows Server 2008 or R2
 - No router upgrades

NAT-PT
 - Translates IPv6 to IPv4
 - Works with any OS
 - UAG has this built in

[Diagram: Internet / Intranet, with native IPv6, IPv6 translation technologies, IPv4 and NAT-PT on the intranet side]
[Diagram: DirectAccess client, Internet, DirectAccess server. IP-HTTPS carries the encrypted IPsec+ESP traffic to the IPsec gateway on the DirectAccess server; IPsec hardware offload is supported]
[Diagram: DirectAccess server (IPsec gateway) in front of the enterprise network and line-of-business applications; traffic to applications can use no IPsec, IPsec integrity only (auth), or IPsec integrity + encryption]
[Diagram: DirectAccess client to DirectAccess server, two tunnels]
Tunnel 1: Infrastructure Tunnel
  Auth: Machine Certificate
  End: AD/DNS/Management
Tunnel 2: Application Tunnel
  Auth: Machine Certificate + (User Kerb or Cert)
  End: Any
NRPT
• Client side only
• Requires a leading dot
• Static table that defines which DNS servers the client will use for the listed names
• Configurable via GPO at Computer Configuration|Policies|Windows Settings|Name Resolution Policy
• Can be viewed with NETSH name show policy

Namespace             DNS servers
.ad.contoso.com       2001:db8:b90a:c7d8::178
                      2001:db8:b90a:c7d8::183
.lab.contoso.com      2001:db8:b90a:c7a8::202
*.sql.contoso.com     2001:db8:b90a:c7e4::801
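How the table above steers a query, as an added example written for this page (a model of the lookup, not Windows code): rules with a leading dot match everything under that suffix, "*.sql.contoso.com" is treated the same way, the longest matching rule wins, and a name that matches nothing goes to the interface's normal DNS servers. The assumption that an entry without the leading dot becomes an exact-FQDN rule is mine, which is why check_rules flags such entries; the function names are also mine, and the table is a constructed copy of the one on the slide.

```python
"""Added example: a minimal model of NRPT lookup (not the Windows implementation).

Rule forms as the slide shows them: ".ad.contoso.com" (leading dot) is a
suffix rule, "*.sql.contoso.com" is treated the same way; an entry without a
leading dot is assumed to be an exact FQDN rule. The longest matching rule
wins, and a name that matches nothing is resolved by the interface's normal
DNS servers (returned here as None).
"""
from typing import List, Optional

# Constructed copy of the table on the slide.
NRPT = [
    (".ad.contoso.com",   ["2001:db8:b90a:c7d8::178", "2001:db8:b90a:c7d8::183"]),
    (".lab.contoso.com",  ["2001:db8:b90a:c7a8::202"]),
    ("*.sql.contoso.com", ["2001:db8:b90a:c7e4::801"]),
]


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def rule_matches(rule: str, name: str) -> bool:
    rule, name = rule.lower(), _normalize(name)
    if rule.startswith("*."):
        rule = rule[1:]                    # "*.sql.contoso.com" -> ".sql.contoso.com"
    if rule.startswith("."):
        return name.endswith(rule)         # suffix rule: anything under the namespace
    return name == rule                    # no leading dot: exact FQDN only (assumption)


def lookup(name: str, table=NRPT) -> Optional[List[str]]:
    """Return the DNS servers the NRPT sends this query to, or None for default DNS."""
    best = None
    for rule, servers in table:
        if rule_matches(rule, name) and (best is None or len(rule) > len(best[0])):
            best = (rule, servers)
    return None if best is None else list(best[1])


def check_rules(table=NRPT) -> List[str]:
    """Flag entries without the leading dot: they would not cover the whole namespace."""
    return [rule for rule, _ in table if not (rule.startswith(".") or rule.startswith("*."))]


if __name__ == "__main__":
    for q in ("dc1.ad.contoso.com", "sql01.sql.contoso.com", "www.contoso.com"):
        print(f"{q:<24} -> {lookup(q) or 'interface DNS'}")
    print("rules missing a leading dot:", check_rules())
```

The check_rules helper is the kind of sanity test worth running on a GPO export: a missing dot is the classic reason an intranet namespace quietly leaks to the public resolver.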
Customer knowledge
• The customer should have a basic working knowledge of IPsec and TCP/IP
• The customer should be interested in learning about and deploying new technologies, such as IPv6

Requirements
• DirectAccess Clients: Windows 7, domain-joined machines
• DirectAccess Server: Windows Server 2008 R2, domain-joined machines
• DNS Servers supporting DirectAccess clients must be Windows Server 2008 SP2 or later
BranchCache
Thin, expensive WAN links between main office and branch offices
• High link utilization
• Poor application responsiveness
• Trend towards data centralization

Goals
• Reduce bandwidth utilization
• Improve end user experience
• Preserve e2e security
• Simple to deploy
[Diagram: branch clients exchange content identifiers (ID) and data; a client searches for content by ID before fetching the data from the enterprise]
Distributed Cache
• Data cached amongst clients
• Recommended for branches without any infrastructure
• Easy to deploy: enabled on clients through Group Policy
• Cache availability decreases with laptops that go offline

Hosted Cache
• Data cached at the host server
• Recommended for larger branches
• Cache stored centrally: can use existing server in the branch
• Cache availability is high
• Enables branch-wide caching
[Diagram: applications (Office, CopyFile, Explorer, SharePoint, Office, BITS, WMP, IE and 3rd party applications) use SMB or HTTP, both accelerated by BranchCache™; Group Policy enables clients, the BranchCache™ feature is installed on R2 content servers (IIS, file server), and optionally a hosted cache is installed in the branch]
Content servers must run Server 2008 R2
• HTTP server (IIS): Install the BranchCache feature from Server Manager
• SMB server (File server): Install the BranchCache role service feature within the file server role using Server Manager
That's it...
Distributed Cache deployment
Identify the "branch"
• An Active Directory Site
• An IP address range
• A collection of specific client computers

Choose how to deploy
• Group Policy
• netsh

Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service distributed on all relevant clients

Hosted Cache deployment
Setup the hosted cache
• Install the BranchCache feature on an R2 server
• Install a server-auth certificate for use with SSL
• Run netsh branchcache set service hostedserver on the hosted cache

Identify Branch (as above)

Choose how to deploy (as above)

Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service hostedclient location=<> on all clients
• ConfigMgr 2007 SP2 with WS08R2 DP
• May be used instead of Branch Distribution Point
• Distributed Cache Mode only
• BranchCache does not span subnets, BDP does
• BranchCache does not work with XP, BDP does
• Vista with BITS 4.0 has partial BranchCache features
• If you have a server in the branch make it a DP

• Vista with BITS 4.0 supports HTTP BranchCache traffic but not SMB
• Can be used with ConfigMgr 2007 SP2 for software updates
• DP must be WS08R2
• Upgrade XP to Windows 7
• Customers using WSUS for patching will need 3.0 SP2 to support BranchCache features on Windows Server 2008 R2.
• HTTP Streaming in AppV optimized using BranchCache
• Virtual applications only have to traverse the WAN link
  once
• Eliminate IIS Servers (AppV staging servers) from the
  branch office

Support available on Windows 7 and Windows Server 2008 R2
Goals
• Improve SharePoint, IIS responsiveness in branch offices
  without requiring separate branch infrastructure
• Enable Office Web Applications to see improved performance
  in branch offices
Integration
• IIS and SharePoint need to run on Windows Server 2008 R2
• Users never get stale content; if content is updated, the
  content identifiers change
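The distributed-versus-hosted comparison and the "never stale" point above, as an added example written for this page (a toy model, not Microsoft's code or wire format): the server publishes a hash per block, only the hashes have to cross the WAN once a block is cached, a client serves blocks from its own cache or a peer's after verifying them against the published hash, and a changed block gets a new identifier so a stale copy is never returned. The block size, the class and function names and the sample content are constructed for the demo.

```python
"""Added example: a toy content-identifier cache in the style BranchCache uses
(a model, not Microsoft's code or wire format).

The content server publishes hashes of fixed-size blocks. Only those hashes
have to cross the WAN once a block is cached; a client serves the block from
its own cache or a peer's, verifies it against the hash before trusting it,
and fetches from the server only what nobody in the branch has. Because a
changed block gets a new identifier, a cached stale copy is never returned.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

BLOCK = 4       # tiny block size for the demo; real deployments use much larger blocks
ID_LEN = 32     # bytes of SHA-256 per block identifier


def content_ids(data: bytes) -> List[str]:
    """Content information the server publishes: one SHA-256 per block."""
    return [hashlib.sha256(data[i:i + BLOCK]).hexdigest() for i in range(0, len(data), BLOCK)]


class BranchClient:
    """A client in the branch with its own block cache (distributed mode)."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}     # content id -> block bytes

    def fetch(self, server_content: bytes, peers: Iterable["BranchClient"] = ()) -> Tuple[bytes, int]:
        """Return (data, bytes_over_wan) for reading server_content through the cache."""
        ids = content_ids(server_content)
        wan = ID_LEN * len(ids)               # the identifiers always come from the server
        out = bytearray()
        for i, cid in enumerate(ids):
            block = self.store.get(cid)
            if block is None:
                # Ask branch peers; accept a block only if it hashes to the published id.
                for peer in peers:
                    candidate = peer.store.get(cid)
                    if candidate is not None and hashlib.sha256(candidate).hexdigest() == cid:
                        block = candidate
                        break
            if block is None:
                block = server_content[i * BLOCK:(i + 1) * BLOCK]   # cache miss: cross the WAN
                wan += len(block)
            self.store[cid] = block
            out += block
        return bytes(out), wan


if __name__ == "__main__":
    first, second = BranchClient(), BranchClient()
    doc = b"AAAABBBBCCCCDDDD"                 # constructed 16-byte "file"
    _, wan1 = first.fetch(doc)
    _, wan2 = second.fetch(doc, peers=[first])
    print(f"first client: {wan1} bytes over WAN; second client: {wan2} bytes (hashes only)")
```

The hash check on peer-supplied blocks is the part to notice: it is what lets a client accept data from any machine in the branch without having to trust that machine, and it is also why a modified file cannot be served from a stale cache entry.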


Support available for Windows 7 and Windows 2008 R2
• SMB 2.1 introduces “Leasing and OpLocks” – mechanisms
  to improve protocol behavior over the WAN link
• BranchCache integration ensures that data needs to move
  over the WAN link only once
• SMB Transparent Caching enables better road-warrior
  scenarios
• Offline Files enables file access even when WAN link is
  down
• All application semantics around locking are automatically
  maintained

Available on Windows 7 and Windows Server 2008 R2
Scale
• Distributed cache scales well to approximately 100 users per branch
  • WS-Discovery traffic is a key consideration
  • Results may vary
    • Highly dependent on content, workload and usage patterns


• Hosted Cache scalability is comparable to standard file server
  workloads
Do no evil
BranchCache does:
• Prevent peer discovery storms
• Support domain and workgroup scenarios
• Cache hashes during publication
• Support multiple subnets in Hosted Cache mode
• Support configuration by GP and NetSH
• Use HTTP (tcp:80) for block downloads
• Use WS-D (UDP:3702) for peer discovery
• Support IPv4 & IPv6
• Support SCOM reporting and monitoring

BranchCache does not:
• Cache content on the write path
• Support Distributed Cache discovery beyond the local subnet
• Use or require IPsec
• Respond to peers with latency >= 300ms
• Require IPv6
• Be accessible during a WAN outage
• Support PowerShell
• Support Internet or home scenarios
• Auto-start server service by default
• Provide cache migration tools
• Support SharePoint 14 at RTM
SMB1 Limitations
•   Considered “chatty”
•   Poor WAN performance due to limited request
    pipelining / compounding
•   Arbitrary limits on number of users, open files, shares
•   Protocol evolved through many releases over many years
    •   Difficult to extend, maintain and secure due to large number /
        variety of commands


Motivations for SMB2
•   Data access over WAN has become much more common
•   LAN performance also much increased
    (1Gb is here, 10Gb coming)
•   Build a solid foundation for continued innovation
Scalability for file sharing greatly increased

Limits                   SMB1        SMB2
Number of users          Max 2^16    Max 2^64
Number of open files     Max 2^16    Max 2^64
Number of shares         Max 2^16    Max 2^32

Performance massively improved
•   Request compounding reduces "chattiness"
•   Larger reads/writes can fill the pipe even with significant link latency

Total                    SMB1        SMB2
Opcodes                  >100        19
Secure and robust
•   Durable handles
•   Message signing settings improved (HMAC SHA-256 replaces MD5)
•   Small command set reduces attack surface and complexity
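The signing change above (HMAC-SHA-256 in place of MD5), as an added example written for this page and not Microsoft's implementation: the signature is an HMAC over the whole message with the signature field zeroed, keyed with the session key and truncated to the 16-byte signature field, and the receiver recomputes it in constant time and also requires the message id to increase. The toy wire layout (8-byte MessageId, 16-byte signature, payload), the session key and the sample payloads are constructed for the demo; the real SMB2 header layout and key derivation are in MS-SMB2 and are not reproduced here.

```python
"""Added example: message signing with HMAC-SHA-256 as SMB2 uses it
(a model of the idea, not Microsoft's implementation or exact header layout).

The signature is an HMAC over the whole message with the signature field
zeroed, keyed with the session key, truncated to the 16-byte signature field.
The receiver recomputes it in constant time and also requires the message id
to increase, so a tampered or replayed message is dropped.
"""
import hashlib
import hmac
import struct

SIG_LEN = 16            # SMB2 carries a 16-byte signature field


def sign(session_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 over the message (signature field zeroed), truncated to 16 bytes."""
    return hmac.new(session_key, message, hashlib.sha256).digest()[:SIG_LEN]


def build_message(session_key: bytes, message_id: int, payload: bytes) -> bytes:
    """Toy wire format: 8-byte little-endian MessageId | 16-byte signature | payload."""
    unsigned = struct.pack("<Q", message_id) + bytes(SIG_LEN) + payload
    return unsigned[:8] + sign(session_key, unsigned) + payload


class Receiver:
    def __init__(self, session_key: bytes) -> None:
        self.key = session_key
        self.last_id = -1

    def accept(self, message: bytes) -> bool:
        """True only for an untampered message whose id has not been seen before."""
        if len(message) < 8 + SIG_LEN:
            return False
        message_id = struct.unpack_from("<Q", message)[0]
        received_sig = message[8:8 + SIG_LEN]
        unsigned = message[:8] + bytes(SIG_LEN) + message[8 + SIG_LEN:]
        if not hmac.compare_digest(sign(self.key, unsigned), received_sig):
            return False                          # integrity failure
        if message_id <= self.last_id:
            return False                          # replay or out-of-order delivery
        self.last_id = message_id
        return True


def demo() -> dict:
    """Run the four cases a receiver has to get right."""
    key = bytes(range(16))                        # constructed session key for the demo
    rx = Receiver(key)
    good = build_message(key, 1, b"WRITE /share/report.docx")
    tampered = good[:-4] + b"XXXX"               # payload altered in transit
    later = build_message(key, 2, b"CLOSE")
    return {
        "genuine": rx.accept(good),
        "tampered": rx.accept(tampered),
        "replayed": rx.accept(good),
        "next": rx.accept(later),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the security value: hmac.compare_digest avoids leaking the signature through timing, and the increasing message id turns a valid-but-old message into a rejected one, which is what makes signing useful against relaying rather than only against bit flips.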


Symbolic link support
•   Evaluation of symlinks involving remote paths is limited by default
•   Can only be created by administrators (via Group Policy)
Improved WAN utilization
Benefits due to combination of:
•   TCP stack improvements
•   SMB2 request pipelining
•   SMB2 large request support
•   CopyFileEx() improvements
    •   Large buffers
    •   Async, non-cached, IO

[Diagram: write request / write response exchange, pre-Vista vs Vista]

XCOPY, remote->Local, 1Gb / 100ms RTT, throughput in kb/s:
                XP-SMB1    Vista-SMB1    Vista-SMB2
8 Mb file       38         249           814
700 Mb file     483        4991          10490

Dramatic benefits in explorer directory enumeration, due to a combination of:
•   compounding/speculative requests
•   directory and attribute caching
For this scenario, a directory containing about 50 Excel 2007 files was opened using Windows Explorer
Network: 1Gb/s, 100ms RTT

[Chart: response time in seconds (0 to 5) for Vista SMB1 vs Vista SP1 SMB2]
First shipped in Windows Vista RTM
•     Not all protocol features utilized by Windows Vista RTM implementation
•     Dialect revved for Windows Server 2008 / Windows Vista SP1
Windows Server 2008 / Windows Vista SP1 enhancements
•     Uses request compounding
•     Cached: directory enumerations and file attributes
•     Cached: common share and file system property queries

Client / Server OS                        Older Windows   Windows Vista RTM   Windows Vista SP1 / Windows Server 2008
Older Windows                             SMB 1           SMB 1               SMB 1
Windows Vista RTM                         SMB 1           SMB2 (v2.001)       SMB 1
Windows Vista SP1 / Windows Server 2008   SMB 1           SMB 1               SMB2 (v2.002)
Seamless transitions
Faster synchronization
Support for large files like Outlook PSTs
Per-user encryption
Improved “Slow-link Mode”
Ghosting – consistent client/server namespace
Better interoperability with DFS
Scriptable API support
Background Synchronization
•   Offline files are automatically synchronized in the background
•   Slow-link mode is ON by default (when round-trip latency ≥ 80ms)
•   Fully integrated with Sync Center, showing last update time
•   Configurable settings for IT administrators


Improved App File Open & Close
•   SMB optimizations reduce the exchanges required to open and save application files


Transparent Caching
•   Automatically cache the network file to the local client disk
•   The cached copy is only used if the local/server versions are the same
•   All file modifications are made on the server
•   Administrators can control by Group Policy (not enabled by default on fast networks)
Windows 7 for VDI
VDI is typically memory and disk IO constrained

•   Windows 7 generally has less disk IO than Windows XP
•   Windows 7 generally requires more RAM than Windows XP
•   Windows 7 is faster to provision than Windows XP
•   RAM is a temporary, artificial limit

Recommendations:
•   Minimize unneeded system services
•   Minimize network traffic
•   Screensavers and screen redraws impact network IO
•   Ensure that applications are checked for disk IO efficiency
•   Ensure latest drivers are being used

http://blogs.msdn.com/rds/archive/2009/11/02/windows-7-with-rdp7-best-os-for-vdi.aspx
Aero Glass for Remote Desktop Server
•   Provides the same new Windows 7 look and feel when using RDS



Multimedia Support & Audio Input
•   Provides a high-quality multimedia experience with multimedia redirection
    capabilities



True Multiple Monitor Support
•   Allows users to view their remote desktop on multiple monitors configured
    the same way as if their desktop or applications were running locally


Enhanced Bitmap Acceleration
•   Allows rich media content, such as portable graphics stacks (Silverlight,
    Flash) and 3D content, to be rendered on the host and to be sent as
    accelerated bitmaps to the remote client


RemoteFX for VDI (Enabled through SP1)
•   Next Gen User Experience powered by the server graphics card
•   Only supported on Windows 7
For more information please contact

Markus Erlacher
Technical Solution Professional - DataCenter
markus.erlacher@microsoft.com
Tel: +41 78 844 64 28
Mobile: +41 78 844 64 28

Microsoft Switzerland
Richtistrasse 3
8304 Wallisellen
								