January 2008 - Posts - Windows Server 2008 (R2) blog by Kurt Roggen [BE]

January 2008 - Posts

Windows Vista introduced a new format to display registry-based policy settings (aka Administrative Templates).  In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension.  The .admx file format replaces the legacy .adm file format. 

The .adm file format uses a proprietary markup language.  Windows Vista ships only with .admx files, located in the %windir%\PolicyDefinitions folder.

In Windows Vista, Administrative Template files are divided into language-neutral .admx files and language-specific .adml files.  This change, introduced with Windows Vista, lets administrators configure the same set of policies using different display languages: the .adml files supply the display text for a given language, while the .admx files carry the language-neutral policy definitions.

In pre-Vista operating systems, all the default Administrative Template files are added to the ADM folder of each Group Policy object (GPO) in the domain controller's SYSVOL folder.  The SYSVOL folder is automatically replicated to the other domain controllers in the same domain.  A policy file uses approximately 4 to 5 megabytes (MB) of hard disk space.  Because each domain controller stores a copy of every policy, replication traffic is increased.  This is referred to as SYSVOL bloat.

Windows Vista/Server 2008 uses a central store to store Administrative Template files.  Since Windows Vista, the ADM folder is not created in a GPO as in earlier versions of Windows.  Therefore, domain controllers do not store or replicate redundant copies of .admx/l files.

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller.  The Central Store is a file location that is checked by the Group Policy tools.


The Group Policy tools use any .admx files that are in the Central Store.  The files that are in the Central Store are later replicated to all domain controllers in the domain.

Part of this replication optimisation comes from no longer inserting ADM(X) files into each GPO; another part comes from all SYSVOL replication being done by DFSR (DFS Replication) instead of FRS (File Replication Service), provided your domain is running at least the "Windows Server 2008" domain functional level.  More about this in an upcoming blog post, so stay tuned.

Group Policy tools use Administrative templates simply to visualise/populate policy settings in the user interface.  This allows administrators to manage registry-based policy settings.
The download below includes the Administrative Templates released for Windows Vista, in 35 languages.

Download Administrative Templates (.admx) for Windows Vista

For more information on "How to create the central store": Q929841 and Managing Group Policy ADMX Files Step-by-Step Guide
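The Central Store is just a folder in SYSVOL that the Group Policy tools check before falling back to the local %windir%\PolicyDefinitions.  The PowerShell script below is an added example, not code from this post or from Microsoft: it creates the Central Store at the path documented in Q929841 (\\<FQDN>\SYSVOL\<FQDN>\Policies\PolicyDefinitions), copies the local .admx files and their per-language .adml folders into it, and then checks that every .admx has a matching .adml somewhere, because a template without its language file simply does not show up in the editor.  It assumes it is run on a domain-joined machine by an account that can write to SYSVOL and takes the domain from the environment.

```powershell
# Added example (not from the original post): create the ADMX Central Store in SYSVOL and
# populate it from the local Windows Vista / Server 2008 PolicyDefinitions folder.
# Assumptions: run on a domain-joined machine with write access to SYSVOL;
# the Central Store path follows KB929841: \\<FQDN>\SYSVOL\<FQDN>\Policies\PolicyDefinitions
param(
    [string]$Domain = $env:USERDNSDOMAIN,            # e.g. win2008.net (the author's domain)
    [string]$Source = "$env:windir\PolicyDefinitions" # local .admx files shipped with Vista/2008
)

$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
    Write-Host "Created Central Store: $centralStore"
}

# Copy the language-neutral .admx files into the root of the store.
Get-ChildItem -Path $Source -Filter *.admx | ForEach-Object {
    Copy-Item $_.FullName -Destination $centralStore -Force
}

# Copy each language subfolder (e.g. en-US) that holds the .adml display files.
Get-ChildItem -Path $Source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $target = Join-Path $centralStore $_.Name
    if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
    Copy-Item (Join-Path $_.FullName '*.adml') -Destination $target -Force
}

# Sanity check: every .admx in the store needs a matching .adml in at least one language
# folder, otherwise the Group Policy editor cannot display that template's settings.
$langDirs = Get-ChildItem $centralStore | Where-Object { $_.PSIsContainer }
Get-ChildItem $centralStore -Filter *.admx | ForEach-Object {
    $adml  = [System.IO.Path]::ChangeExtension($_.Name, '.adml')
    $found = $langDirs | Where-Object { Test-Path (Join-Path $_.FullName $adml) }
    if (-not $found) { Write-Warning "No .adml found for $($_.Name) in any language folder" }
}
```

Run it once on any domain-joined Vista or Server 2008 machine; DFSR/FRS then replicates the folder to the other domain controllers, as described above.  Re-run it whenever a new .admx package (such as the Vista download below) is installed locally, so the store and the editor stay in sync.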

You want to move your existing .ADM administrative templates to .ADMX/L.  No problem, have a look at the Microsoft licensed FullArmor migration tool below.  However, keep in mind that you can still use your existing .ADMs in the same way as before but with the above mentioned consequences.


Related downloads: ADMX Migrator

Related reading: TechNet Magazine - Group Policy Templates in Windows Vista - Darren Mar-Elia

The first time you connect to a network, you must choose a network location.  This automatically sets the appropriate firewall settings for the type of network that you connect to.
If you connect to networks in different locations (home network, public hotspots, at work), choosing a network location can help ensure that your computer is always set to an appropriate security level.


There are three network locations: Home (Private), Public and Work (Domain).
Let's have a quick look...

Home/Private

Choose this network location for home or small office networks when you trust the people and devices on the network.
Network discovery - which allows you to see other computers and devices on a network and allows other network users to see your computer - is on by default.

Public

Choose this network location for networks in public places (coffee shops or airports).  This location is designed to prevent your computer from being visible to other computers on the network and to help protect your computer from any malicious software. 
Network discovery is turned off for this network location.

Work/Domain

Whenever a Windows Vista/Windows Server 2008 computer can connect to and authenticate with an Active Directory domain controller of the domain of which it is a member, the network (location) is considered a (managed) domain network. 
Network discovery is turned off for this network location.

Domain networks are configured automatically when a computer connects to a domain controller. 
All other networks are considered public networks by default for security reasons.


Because you will be connecting to many different networks, Windows stores network profiles of each network using the network's DNS suffix and gateway MAC address.
These are stored in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures as Managed (domain) and Unmanaged (non-domain) networks.

Depending on your network configuration, Windows Vista might generate multiple network locations for a single network. 
You can merge two or multiple network locations so that they are recognized as a single network.
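Because the Private category is the one that turns network discovery on, it is worth being able to see which stored profiles a machine has put in that category and which DNS suffix / gateway MAC signature each one is keyed on.  The script below is an added example, not code from this post: it walks the NetworkList\Profiles and NetworkList\Signatures keys named above and prints one row per profile.  The value names it reads (ProfileName, Category, Managed, ProfileGuid, DnsSuffix, DefaultGatewayMac) and the Category mapping (0 = Public, 1 = Private, 2 = Domain) come from my own knowledge of these keys, not from the post, and should be treated as assumptions; it needs PowerShell 2.0.

```powershell
# Added example, not code from the original post: list the network profiles that
# Windows Vista / Server 2008 has stored under NetworkList, joined to the signature
# (DNS suffix + gateway MAC) each one was matched on, so an administrator can review
# which networks a machine has classified as Private (discovery on) versus Public/Domain.
# ASSUMPTIONS (from my own knowledge of these keys, not from the post): the value names
# ProfileName, Category, Managed, ProfileGuid, DnsSuffix and DefaultGatewayMac, and the
# Category mapping 0 = Public, 1 = Private, 2 = Domain.  Requires PowerShell 2.0.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$categoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

# Index the signatures by profile GUID.  "Managed" holds domain networks,
# "Unmanaged" everything else, exactly as the post describes.
$signatures = @{}
foreach ($kind in 'Managed', 'Unmanaged') {
    $sigRoot = Join-Path $base "Signatures\$kind"
    if (-not (Test-Path $sigRoot)) { continue }
    foreach ($key in Get-ChildItem $sigRoot) {
        $sig = Get-ItemProperty $key.PSPath
        # DefaultGatewayMac is REG_BINARY; render it as AA-BB-CC-DD-EE-FF.
        $mac = ''
        if ($sig.DefaultGatewayMac) {
            $mac = ($sig.DefaultGatewayMac | ForEach-Object { '{0:X2}' -f $_ }) -join '-'
        }
        $signatures[$sig.ProfileGuid] = New-Object PSObject -Property @{
            Kind = $kind; DnsSuffix = $sig.DnsSuffix; GatewayMac = $mac
        }
    }
}

$report = foreach ($key in Get-ChildItem (Join-Path $base 'Profiles')) {
    $p   = Get-ItemProperty $key.PSPath
    $sig = $signatures[$key.PSChildName]       # the profile subkey name is the {GUID}
    $dns = ''; $gw = ''; $kind = 'n/a'
    if ($sig) { $dns = $sig.DnsSuffix; $gw = $sig.GatewayMac; $kind = $sig.Kind }
    New-Object PSObject -Property @{
        Profile    = $p.ProfileName
        Category   = $categoryName[[int]$p.Category]
        Signature  = $kind
        DnsSuffix  = $dns
        GatewayMac = $gw
    }
}

# Private entries are the ones to review: discovery is on, so the machine becomes visible
# to its neighbours whenever a network with that DNS suffix / gateway MAC reappears.
$report | Sort-Object Category, Profile |
    Format-Table Profile, Category, Signature, DnsSuffix, GatewayMac -AutoSize
```

A profile that shows up several times with different gateway MACs is the "multiple network locations for a single network" case mentioned above; merging them in the Network and Sharing Center collapses those rows into one.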


Vista determines the active network profile by using a service called Network Location Awareness (NLA).
NLA queries the network for three criteria:

  1. Connectivity state of the network (Connected, Disconnected, ...)
  2. Network Location type (Public, Private, Domain)
  3. Network connection/interface used (LAN, WLAN, Bluetooth, Remote Access)

Windows Server 2008 allows you to control some of these network location settings, in a limited way, through Group Policy; they can be found under "Computer Configuration\Policies\Windows Settings\Security Settings\Network List Manager Policies".


All configuration settings of the networks below relate to "Location type" (Private/Public), "Network Name" customization and "Network Icon" customization.

  • win2008.net: controls the current network location (win2008.net is my domain name).
  • Unidentified Networks: networks that cannot be identified, due to a network issue or some other reason.
  • Identifying Networks: controls the transitional network state while the current network is being detected/identified.
  • All Networks: controls whether users can change the network name, location or icon for all networks.


Here's an example of the configuration made on the "win2008.net" network location in its original (unmanaged) state versus its managed state.

[Screenshots: the win2008.net network location in its Unmanaged state and in its Managed state]

 

To help you get started with Windows Server 2008, Microsoft Australia launched the Windows Server 2008 TechNet Portal.

Windows Vista SP1 will support the following delivery methods:

  1. Express: Requires an internet connection, but minimizes the size of the download by sending only the changes needed for a specific computer.
    Approximately 65 MB for x86-based operating systems.
  2. Stand-alone: Recommended for computers with limited Internet connectivity and for applying the service pack to multiple computers. The download size is (much) larger than the express package, but customers can apply a single package to any Windows Vista version and language combination (within a platform).
    About 450 MB (5 Language package) and about 550 MB (Full 36 language package) for x86-based operating systems.
  3. Slipstream: The slipstream version of Windows Vista SP1 is media that already contains the service pack, which companies can use to deploy the operating system to new computers or to upgrade existing computers.  Availability will be limited. Microsoft will update Windows Vista retail media with Windows Vista SP1 slipstream media in the future.

Here's some quick facts on what Vista Service Pack 1 will bring:

  • GPMC (Group Policy Management Console) will be uninstalled with Service Pack 1 and GPEdit will default to Local Group Policy editing.
  • Reduces the number of UAC (User Account Control) prompts from 4 to 1 when creating or renaming a folder at a protected location.
  • Adds support for exFAT, a new file system supporting larger overall capacity and larger files, which will be used in Flash memory storage and consumer devices.
    Overcomes FAT32's 4 GB file size limit and its 32 GB format limit.
  • Contains additional application compatibility fixes for individual applications.
  • Improves reliability by preventing data-loss while ejecting NTFS-formatted removable-media.
  • Improves the success of peer-to-peer connections, such as Windows Meeting Space or Remote Assistance applications, when both PCs are behind symmetric firewalls.
  • Improves Windows Vista’s built-in file backup solution to include EFS encrypted files in the backup.
  • Improved SRT (Startup Repair Tool), which is part of the Windows Recovery environment (WinRE), can now fix PCs unbootable due to certain missing OS files.
  • Improves the performance of browsing network file shares by consuming less bandwidth.
  • Improves power consumption when the display is not changing by allowing the processor to remain in its sleep state which consumes less energy.
  • Improves the speed of adding and extracting files to and from a compressed (zipped) folder.
  • Significantly improves the speed of moving a directory with many files underneath.
  • Improves performance over Windows Vista’s current performance across the following scenarios:
    • 25% faster when copying files locally on the same disk on the same machine
    • 45% faster when copying files from a remote non-Windows Vista system to a SP1 system
    • 50% faster when copying files from a remote SP1 system to a local SP1 system
  • Improves the time to read large images by approximately 50%.
  • Improves IE performance on certain Jscript intensive websites, bringing performance in line with previous IE releases.
  • Includes improvements to Windows Superfetch that help to further improve resume times, in many environments.
  • Improves network connection scenarios by updating the logic that auto selects which network interface to use (e.g., should a laptop use wireless or wired networking when both are available).
  • Removes the delay that sometimes occurs when a user unlocks their PC.
  • New compression algorithm for the RDP (Remote Desktop Protocol) that helps reduce network bandwidth required to send bitmaps or images via RDP. The compression is transparent to all RDP traffic, and typically reduces the size of the RDP stream by as much as 25-60%, based on preliminary test results.
  • Improves the security of running RemoteApp programs and desktops by allowing RDP files to be signed.
  • Improves BitLocker Drive Encryption by offering an additional multi-factor authentication method that combines a key protected by the TPM (Trusted Platform Module) with a Startup Key stored on a USB storage device and a user-generated Personal Identification Number (PIN).
  • Extends BitLocker encryption support to volumes other than the boot volume (for Enterprise and Ultimate SKUs).
  • Updated drivers are delivered primarily via Windows Update and directly from hardware vendors, not as part of a service pack.
  • Allows users and administrators to control which volumes the disk defragmenter runs on.
  • Allows users to rename or delete folders while working offline with redirected folders.
  • Allows KMS (Key Management Service) to run within a Virtual Machine environment.
  • Improves OS deployment by enabling 64-bit versions of Windows Vista to be installed from a 32-bit OS.
  • Reports the amount of system memory installed rather than report the amount of system memory available to the OS. (for example: 4 GB x86 systems)
  • Users are now required to enter a password hint during the initial setup of Windows Vista SP1.
  • Improved reliability when working with external displays on a laptop.

Clustering is available in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter editions.  The improvements to failover clusters (formerly known as server clusters) are aimed at simplifying clusters, making them more secure, and enhancing cluster stability. Cluster setup and management are easier with the new MMC Snap-In management interface, and complexity is reduced by providing the user with a simple interface to create, manage and use their failover cluster. Setup is more straightforward, with fewer steps and less configuration. Also, Cluster setup is fully scriptable so that you can automate your deployment. Security and networking in clusters have been improved, as has the way a failover cluster communicates with storage.

For the complete story: Microsoft Clustering team blog

Volume Activation (VA) 2.0 is designed to automate and manage the activation process while addressing the piracy and product key management problems associated with Volume License Keys (VLKs) issued for Windows XP and Windows Server 2003.  Volume Activation 2.0 eliminates the use of product keys at installation and enables better protection and management of customer-specific product keys through some new and enhanced activation management tools.
All installations of Windows Vista and Windows Server 2008 must be activated.


Multiple activation options exist for volume customers: MAK independent, MAK proxy and KMS.
Let's have a closer look at KMS... 

The Key Management Server (KMS) is used to establish a local activation service (Key Management Service) that is hosted locally/internally in your environment.
Use of the KMS eliminates any need for individual machines to connect to Microsoft to activate. 

A KMS key is used to enable/activate the Key Management Service on a KMS server/host machine.  A KMS server/host can run natively on Windows Vista, Windows Server 2008 and even Windows Server 2008 Server Core.  Computers running volume license editions of Windows Vista and Windows Server 2008 are KMS clients and try to locate the KMS server/host using one of two methods:

  1. Auto-Discovery: the KMS client uses Domain Name System (DNS) resource records (RRs) to automatically locate a local KMS host.
  2. Direct connection: the administrator specifies the KMS host location and communication port (default port is 1688, but configurable).

Windows Server 2008 KMS clients require a KMS activation threshold (n-count) of only 5 physical machines to activate.  Windows Vista clients require a KMS activation threshold of 25 physical machines.  A single KMS server/host can support and activate an unlimited number of KMS clients.  A KMS client must connect to the KMS host anonymously at least once every six months (180 days). 
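The two discovery methods and the 180-day renewal are the things that go wrong in practice: a stale DNS record sends every client to a host that no longer exists, and clients that cannot reach the host silently drift towards the end of their 180 days.  The script below is an added example, not code from this post or from Microsoft, for checking a client (and, if run on a host, the n-count) from the administrator's side.  The SRV record name _vlmcs._tcp.<domain>, the slmgr.vbs switches /skms and /ato, and the WMI classes SoftwareLicensingProduct and SoftwareLicensingService with the properties used are from my own knowledge rather than from the post; treat them as assumptions.

```powershell
# Added example, not code from the original post: check a KMS client from the
# administrator's side.  It performs the DNS auto-discovery a client does, optionally
# pins the client to a specific KMS host (direct connection, default port 1688) and
# reports the activation state, including how much of the 180-day window remains.
# ASSUMPTIONS (from my own knowledge, not from the post): the SRV record name
# _vlmcs._tcp.<domain>, the slmgr.vbs switches /skms and /ato, and the WMI classes
# SoftwareLicensingProduct / SoftwareLicensingService with the properties used below.
param(
    [string]$Domain  = $env:USERDNSDOMAIN,   # e.g. win2008.net, the author's domain
    [string]$KmsHost = '',                   # e.g. 'kms01.win2008.net:1688' to force a direct connection
    [switch]$Activate                        # actually run slmgr /ato instead of only reporting
)
$slmgr = Join-Path $env:windir 'system32\slmgr.vbs'

# 1. Auto-discovery: the SRV record(s) a client would find.  Stray or stale records here
#    send every volume-licensed client in the domain to the wrong host, so audit them.
Write-Host "SRV records for _vlmcs._tcp.$Domain :"
nslookup -type=SRV "_vlmcs._tcp.$Domain" 2>$null | Where-Object { $_ -match 'svr hostname|port' }

# 2. Direct connection: override discovery with an explicit host:port.
if ($KmsHost) { cscript //nologo $slmgr /skms $KmsHost }

# 3. Activate (opt-in) and report the resulting state.
if ($Activate) { cscript //nologo $slmgr /ato }

$statusName = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                 4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }

$product = Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
    Select-Object -First 1

$daysLeft = [math]::Round($product.GracePeriodRemaining / 1440, 1)   # WMI reports minutes
"Product:         " + $product.Name
"License status:  " + $statusName[[int]$product.LicenseStatus]
"KMS host in use: " + $product.KeyManagementServiceMachine + ':' + $product.KeyManagementServicePort
"Days left before the 180-day activation lapses without a renewal: $daysLeft"
if ($daysLeft -lt 30) { Write-Warning "Client has not renewed recently; check that it can reach the KMS host." }

# On a KMS host: the current n-count, i.e. how close it is to the activation threshold
# (5 for Windows Server 2008 clients, 25 for Windows Vista clients; only physical machines count).
$svc = Get-WmiObject -Class SoftwareLicensingService
if ($svc.IsKeyManagementServiceMachine) {
    "This machine is a KMS host; current count: " + $svc.KeyManagementServiceCurrentCount
}
```

Running it without parameters is read-only and safe on any volume-licensed client; add -KmsHost only when DNS discovery is deliberately not used, and -Activate to force the renewal the client would otherwise attempt on its own schedule.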

The current Windows Server 2003 based KMS (Key Management) activation infrastructure requires an update to support Windows Server 2008 systems and Virtualization.
This update will be released at Windows Server 2008 launch timeframe. 

Windows Server 2008 systems

A Windows Server 2008-based KMS server/host will be able to activate both Windows Vista and Windows Server 2008 editions.  Different KMS keys (installed on the KMS server/host) will allow the transparent activation of different editions (Web, Standard, Enterprise, Datacenter), while of course still supporting Windows Vista Business/Enterprise.

Virtualization

Both KMS server/host and KMS client will support running inside virtual machines. 
The KMS server/host can now run on a Windows Vista-based virtual machine or a Windows Server 2008-based virtual machine, so you can consider putting the KMS server/host on a virtual machine.  The KMS clients (read: all Windows Vista clients and Windows Server 2008 installations) running in virtual machines can now also be activated through the KMS server/host.  However, only physical computers are added to the KMS count.

One final remark!! KMS and MAK keys apply to product groups rather than being edition-specific. This greatly simplifies key management by reducing the number of possible keys.
KMS keys are hierarchical by Volume Product Group: a KMS key can activate systems with any of the Windows editions in its corresponding product group as well as Windows editions listed in lower product groups, as the table below illustrates.

Volume Product Group | KMS Key | KMS can be hosted on | Windows product editions activated by this KMS
---------------------|---------|----------------------|-----------------------------------------------
Vista VL             | KMS     | Windows Vista; KMS for Windows Server 2003 | Windows Vista Business; Windows Vista Enterprise
Server Group A       | KMS_A   | Windows Web Server 2008; KMS for Windows Server 2003 | Windows Web Server 2008; Vista VL
Server Group B       | KMS_B   | Windows Web Server 2008; Windows Server 2008 Standard; Windows Server 2008 Enterprise; KMS for Windows Server 2003 | Windows Server 2008 Standard; Windows Server 2008 Enterprise; Server Group A; Vista VL
Server Group C       | KMS_C   | Windows Web Server 2008; Windows Server 2008 Standard; Windows Server 2008 Enterprise; Windows Server 2008 Datacenter; Windows Server 2008 for Itanium; KMS for Windows Server 2003 | Windows Server 2008 Datacenter; Windows Server 2008 for Itanium; Server Group B; Server Group A; Vista VL

 


"March 11 sees the official launch of brand new versions of Windows Server 2008, SQL Server 2008 and Visual Studio 2008. But what the day is really about are the everyday heroes who transform our products into powerful products for solving real IT problems at work. In other words, you!

We are calling it Heroes Happen Here. And we're proud to invite miracle workers like yourself, not only to the launch itself, but also to our TechDays 2008 (previously known as Developer & IT Pro Days).  A series of technical sessions that take place on 12th and 13th March, during which IT professionals and developers alike will get the chance to go into every single aspect of each pack. So if you'd like to boost your powers even further, this is one event you don't want to miss."

 

For more information: www.heroeshappenhere.be