June 2008 - Posts - Windows Server blog by Kurt Roggen [BE]

June 2008 - Posts

Service Pack 1 of System Center Configuration Manager 2007 adds support for running the systems management product on Windows Server 2008.  This update from Microsoft adds the required information for SCCM 2007 in the Security Configuration Wizard so that you can correctly lock down site systems.

"The Security Configuration Wizard (SCW) is an attack-surface reduction tool for the Microsoft Windows Server® 2008 operating system. SCW determines the minimum functionality required for a server's role or roles, and disables functionality that is not required. The Configuration Manager 2007 SP1 Windows Server 2008 SCW template supports both new and updated site system definitions and the required services and ports.

Feature Bullet Summary:

The Configuration Manager 2007 SP1 Windows Server 2008 SCW template adds support for the following new site systems:

  • Out of Band Service Point
  • Asset Intelligence Synchronization Point

The Configuration Manager 2007 SCW template renews support for the following site systems:

  • Fallback Status Point (FSP)
  • State Migration Point (SMP)
  • PXE Service Point (PSP)
  • Software Update Point (SUP)
  • System Health Validator (SHV)
  • Primary Site Server (PSS)
  • Secondary Site Server (SSS)
  • Server Locator Point (SLP)
  • Management Point (MP)
  • Reporting Point (RP)"

Yesterday, I was speaking about “Windows Server 2008: 10 reasons to upgrade” at the Belgian “Community Day 2008” (an event organized by all Belgian Microsoft-focused User Groups).
Here are some of the user groups present: SQL Server User Group, System Center User Group, Exchange User Group, Visual Studio User Group, Windows Security User Group, etc…


If you are wondering what they are, here’s a quick list:

10 Reasons to upgrade to Windows Server 2008

1. Server Management Improvements – Server Manager, PowerShell, Group Policies (GPO/GPP)
2. Deployment Improvements - Windows Imaging, Windows Deployment Services
3. Web & Application platform - IIS 7.0 & .NET 3.0
4. Server Core
5. Security Improvements - RODC, NAP, Bitlocker
6. Failover Clustering
7. Presentation Virtualisation - Terminal Services (RemoteApps, Easy Print, TS Gateway, TS Session Broker)
8. Server Virtualisation: Hyper-V
9. Branch Office Improvements – RODC, Server Core, Role Separation, DFS-R/DFS-N, Restartable AD
10. Works better together with Windows Vista

Anyway, you can download the full presentation here.

In part 1, we’ve talked about the Group Policy engine refresh cycle, but let’s dive a little bit deeper. 

Both Group Policy Client Side Extensions (CSEs) and Group Policy Preferences (GPP) Client Side Extensions refresh according to this refresh cycle.
When the refresh cycle starts (manually or automatically), all CSEs are called in alphabetical order of their GUID. However, the very first CSE called is always the Registry CSE; after that the engine continues in alphabetical order. Each extension defines its own processing behavior.

Below you can find a list of all Group Policy CSEs (Client Side Extensions), sorted in the order in which they are applied, taken from the site of Mark Heitbrink - MVP Group Policy.
All extensions are registered under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.

| Order | Client Side Extension (CSE) Name | File | GP GUID | Background Refresh |
|---|---|---|---|---|
| 1 | Registry | userenv.dll | {35378EAC-683F-11D2-A89A-00C04FBBCFA2} | Yes |
| 2 | Wireless Group Policy | gptext.dll | {0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} | Yes |
| 3 | Group Policy Environment | gpprefcl.dll | {0E28E245-9368-4853-AD84-6DA3BA35BB75} | Yes |
| 4 | Group Policy Local Users and Groups | gpprefcl.dll | {17D89FEC-5C44-4972-B12D-241CAEF74509} | Yes |
| 5 | Group Policy Device Settings | gpprefcl.dll | {1A6364EB-776B-4120-ADE1-B63A406A76B5} | Yes |
| 6 | Folder Redirection | fdeploy.dll | {25537BA6-77A8-11D2-9B6C-0000F8080861} | Yes |
| 7 | Microsoft Disk Quota | dskquota.dll | {3610eda5-77ef-11d2-8dc5-00c04fa31a66} | No |
| 8 | Group Policy Network Options | gpprefcl.dll | {3A0DBA37-F8B2-4356-83DE-3E90BD5C261F} | Yes |
| 9 | QoS Packet Scheduler | gptext.dll | {426031c0-0b47-4852-b0ca-ac3d37bfcb39} | Yes |
| 10 | Scripts | gptext.dll | {42B5FAAE-6536-11d2-AE5A-0000F87571E3} | Yes |
| 11 | Process Group Policy For Zone Map / Internet Explorer | iedkcs32.dll | {4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} | Yes |
| 12 | Group Policy Drive Maps | gpprefcl.dll | {5794DAFD-BE60-433f-88A2-1A31939AC01F} | No |
| 13 | Group Policy Folders | gpprefcl.dll | {6232C319-91AC-4931-9385-E70C2B099F0E} | Yes |
| 14 | Group Policy Network Shares | gpprefcl.dll | {6A4C88C6-C502-4f74-8F60-2CB23EDC24E2} | Yes |
| 15 | Group Policy Files | gpprefcl.dll | {7150F9BF-48AD-4da4-A49C-29EF4A8369BA} | Yes |
| 16 | Group Policy Data Sources | gpprefcl.dll | {728EE579-943C-4519-9EF7-AB56765798ED} | Yes |
| 17 | Group Policy Ini Files / INI | gpprefcl.dll | {74EE6C03-5363-4554-B161-627540339CAB} | Yes |
| 18 | Windows Search Group Policy / WDS | srchadmin.dll | {7933F41E-56F8-41d6-A31C-4148A711EE93} | Yes |
| 19 | Security | scecli.dll | {827D319E-6EAC-11D2-A4EA-00C04F79F83A} | Yes |
| 20 | Deployed Printer Connections | gpprnext.dll | {8A28E2C5-8D06-49A4-A08C-632DAA493E17} | Yes |
| 21 | Group Policy Services | gpprefcl.dll | {91FBB303-0CD5-4055-BF42-E512A681B325} | Yes |
| 22 | Internet Explorer Branding / Internet Explorer | iedkcs32.dll | {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} | Yes |
| 23 | Group Policy Folder Options | gpprefcl.dll | {A3F3E39B-5D83-4940-B954-28315B82F0A8} | Yes |
| 24 | Group Policy Scheduled Tasks | gpprefcl.dll | {AADCED64-746C-4633-A97C-D61349046527} | Yes |
| 25 | Group Policy Registry / Registry | gpprefcl.dll | {B087BE9D-ED37-454f-AF9C-04291E351182} | Yes |
| 26 | EFS recovery | scecli.dll | {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} | Yes |
| 27 | 802.3 Group Policy | dot3gpclnt.dll | {B587E2B1-4D59-4e7e-AED9-22B9DF11D053} | Yes |
| 28 | Group Policy Printers | gpprefcl.dll | {BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} | Yes |
| 29 | Group Policy Shortcuts | gpprefcl.dll | {C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7} | Yes |
| 30 | Microsoft Offline Files | cscobj.dll | {C631DF4C-088F-4156-B058-4375F0853CD8} | Yes |
| 31 | Software Installation | appmgmts.dll | {c6dc5466-785a-11d2-84d0-00c04fb169f7} | Yes |
| 32 | IP Security | polstore.dll | {e437bc1c-aa7d-11d2-a382-00c04f991e27} | Yes |
| 33 | Group Policy Internet Settings / Internet | gpprefcl.dll | {E47248BA-94CC-49c4-BBB5-9EB7F05183D0} | Yes |
| 34 | Group Policy Start Menu Settings | gpprefcl.dll | {E4F48E54-F38D-4884-BFB9-D4D2E5729C18} | Yes |
| 35 | Group Policy Regional Options | gpprefcl.dll | {E5094040-C46C-4115-B030-04FB2E545B00} | Yes |
| 36 | Group Policy Power Options | gpprefcl.dll | {E62688F0-25FD-4c90-BFF5-F508B9D2E31F} | Yes |
| 37 | Group Policy Applications | gpprefcl.dll | {F9C77450-3A41-477E-9310-9ACD617BD9E3} | Yes |
| 38 | Enterprise QoS | gptext.dll | {FB2CA36D-0B40-4307-821B-A13B252DE56C} | Yes |

By default, some extensions refresh in both foreground and background, and some don't. How can you tell?

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions each of the Client Side Extensions has a sub-key.
For example, {5794dafd-be60-433f-88a2-1a31939ac01f} - the CSE for Group Policy Drive Maps – has a value called NoBackgroundPolicy set to 1. This means the extension will not process in the background, so policy changes only take effect at the next system restart or user logon (read: foreground).
All extensions with the NoBackgroundPolicy value set to 0 process in both background and foreground. If the value does not exist, the extension also processes in both foreground and background.
For the “GP Preference Files” CSE (GUID {7150F9BF-48AD-4da4-A49C-29EF4A8369BA}), the NoBackgroundPolicy value is not there. This means it processes in the foreground and in the background.


Similar logic is used for other registry values such as NoSlowLink (read: do not allow processing across a slow network connection) and NoGPOListChanges (the value behind the “Process even if the Group Policy objects have not changed” policy setting).
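To see these flags for every CSE at once instead of browsing the registry key by key, here is an added PowerShell example (not from the original post): it walks the GPExtensions key named above and reports, per extension, whether it will refresh in the background, whether it applies over a slow link, and whether it is skipped when the GPO list has not changed. It assumes that each sub-key's default value holds the CSE display name and its DllName value holds the DLL, and it treats a missing flag as 0, which is how the post says the engine treats it; the function name Get-GPExtensionRefreshBehavior is my own.

```powershell
# Added example, not part of the original post: audit the refresh-related
# flags of every Group Policy Client Side Extension registered locally.
# Assumptions: the key path is the one named in the post; the sub-key's
# default value is the CSE name and DllName is its DLL; a missing flag
# counts as 0 (the engine's default behaviour per the post).
$gpExtPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GPExtensionRefreshBehavior {
    param(
        [string]$Path = $gpExtPath
    )

    # Flags discussed in the post: 1 = restriction in effect, 0 or absent = default.
    $flags = 'NoBackgroundPolicy', 'NoSlowLink', 'NoGPOListChanges'

    Get-ChildItem -Path $Path | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath

        # Read each flag, treating an absent value as 0.
        $values = @{}
        foreach ($flag in $flags) {
            $raw = $props.PSObject.Properties[$flag]
            $values[$flag] = if ($null -eq $raw) { 0 } else { [int]$raw.Value }
        }

        $name = $props.PSObject.Properties['(default)']

        [pscustomobject]@{
            Guid                 = $_.PSChildName
            Name                 = if ($null -eq $name) { '' } else { [string]$name.Value }
            DllName              = [string]$props.DllName
            # NoBackgroundPolicy = 1: foreground only (next restart/logon).
            BackgroundRefresh    = ($values['NoBackgroundPolicy'] -eq 0)
            # NoSlowLink = 1: the CSE is not called over a slow link.
            AppliesOverSlowLink  = ($values['NoSlowLink'] -eq 0)
            # NoGPOListChanges = 1: the CSE is skipped when no GPO in the list changed.
            ProcessesIfUnchanged = ($values['NoGPOListChanges'] -eq 0)
        }
    }
}

# Usage: list the CSEs whose settings a GPO change will NOT reach until the
# next restart or logon, i.e. the ones that only process in the foreground.
Get-GPExtensionRefreshBehavior |
    Where-Object { -not $_.BackgroundRefresh } |
    Sort-Object Guid |
    Format-Table Guid, Name, DllName -AutoSize
```

On a box matching the table above, the foreground-only list should contain the Disk Quota and Drive Maps extensions; any extra entries point at a CSE whose NoBackgroundPolicy flag has been changed from its default, which is worth a look when a policy change seems not to land until a reboot.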



CONCLUSION

Understanding the Group Policy refresh cycle is important if you are looking at tuning the background refresh interval, which determines how long it takes machines/users to re-evaluate whether new GPO settings have been made. The default refresh interval is different for domain controllers, non-domain controllers and user accounts. The refresh interval can be set anywhere from 7 seconds to 45 days. A longer interval reduces how often a computer or user refreshes new GPO settings; 45 days is an extremely long time to wait between GPO updates/refreshes. However, if you configure the refresh interval too low, network traffic will increase and the user’s work can be affected.
The Group Policy refresh cycle takes place in both foreground (startup/logon) and background. Per Group Policy Client Side Extension (GP CSE), you can optimize this behavior if background refreshes are not required.
Both Group Policy and Group Policy Preferences - which are simply GP CSEs - follow the same specified refresh intervals.

With Group Policies (and also Group Policy Preferences), settings are divided into two categories: Computer Configuration and User Configuration.
Computer Configuration settings are applied during startup of the operating system. User Configuration settings are applied when a user logs on to a computer.

Once policy settings are applied at startup/logon, the settings are refreshed automatically to ensure they are up-to-date. During Group Policy refresh, the client computer contacts the closest available domain controller, which provides a list of all the policy objects that apply to the computer and user at different levels (site, domain, OUs). The domain controller does this regardless of whether the version numbers on all the summarized policy objects have changed. By default, the computer processes the policy objects only if the version number of at least one of the policy objects has changed. If any one of the related policies has changed, all of the policies have to be processed again because of inheritance and the interdependencies within policies.

You can also force a refresh manually using gpupdate /force.  This will process all policies again, even if their version number has not changed.

By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. So the minimum refresh cycle is 90 minutes and the maximum refresh cycle is 2 hours (120 min); the random offset ensures the load is spread when machines/users contact their domain controllers at the refresh cycle. This policy covers both workstations and member servers and excludes domain controllers.
You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

By default, domain controllers Group Policy is updated every 5 minutes.
You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

(Figure: Refresh intervals for computers and domain controllers)

By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.
You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the user tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

Both User and Computer refresh intervals are typically different.  For example, the computer refresh could take place within 95 minutes and the user refresh could take place within 112 minutes.

(Figure: Refresh intervals for users)

Security settings are an exception to the processing rule. By default, these settings are refreshed every 16 hours (960 minutes) regardless of whether policy objects contain changes.
A random offset of up to 30 minutes is added to reduce impact on domain controllers and the network during updates (making the effective refresh window 960 to 990 minutes).

Security settings contain Registry permissions, File System permissions, Restricted Groups, Eventlog, System Services, …

Also, if the client computer detects that it is connecting over a slow network connection, it informs the domain controller and only the Security Settings and Administrative Templates are transferred over the network, which means that by default only the security settings are applied when a computer is connected over a slow link.

The way slow link detection (read: threshold) works, is configurable through Group Policy.  However, security settings are always enforced even when a slow network connection is detected.

(Figure: Group Policy Security CSE (Client Side Extension))
(Figure: Group Policy Scripts CSE (Client Side Extension))
(Figure: Group Policy Preference Folder Options CSE)

The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. 
Obviously, updates across slow connections can cause significant delays.

With Group Policy Preferences, you are able to go a step further and to configure the priority of the background refresh.

The MSIT pilot project of Windows Server 2008 Terminal Services was so successful that Microsoft IT went on to test its scalability and performance in the production environment. The environment acts as an SSL-based remote access solution, and MSIT was able to create a scalable remote access solution that is accessible over HTTPS connections from any location worldwide.

Read more: here

TS Gateway

The TS Gateway feature was introduced with Windows Server 2008. TS Gateway is one of the main features that the team wanted to test. The team determined that a successful implementation of TS Gateway was a key component of creating an easy-to-use universal remote access solution by using Terminal Services. 

TS Gateway is a Web server component. It provides the following primary functionalities:

  • It acts as the endpoint of a Secure Sockets Layer (SSL) connection from a Terminal Services client. This feature allows for a connection from the Internet to any Remote Desktop–enabled computer.  The destination resource can be a terminal server farm, a terminal server in a lab environment, or even a desktop computer with Remote Desktop enabled.
  • It performs authentication (TSCAP) and authorization (TSRAP) of the connecting user to determine whether the user is permitted to access the terminal server farm.
  • It performs authorization (TSRAP) of the remote computer from which the user initiates the Terminal Services session to determine whether the connection is allowed.
  • It forwards the user's connection to the destination resource by using Remote Desktop Protocol (RDP).

To perform these actions, the TS Gateway component listens on the Hypertext Transfer Protocol over SSL (HTTPS) port for Terminal Services clients. The Terminal Services client encapsulates the RDP traffic in Remote Procedure Call (RPC) over HTTPS and then sends the encapsulated traffic to the TS Gateway server.  The TS Gateway component unpacks the RDP traffic, creates a session to the destination resource, and then submits the RDP traffic.

TS Session Broker

The TS Session Broker is a Windows Server 2008 Terminal Services component that builds on the functionality that is available in the Windows Server 2003 Terminal Services Session Directory component. TS Session Broker is a supplementary Terminal Services role that provides load-balancing functionality and user session management to a Windows Server 2008–based terminal server farm. TS Session Broker provides the following two main functions:

  • It directs a disconnected and then reconnected session to the correct terminal server.
  • It directs new sessions to the terminal server that has the fewest Terminal Services sessions.

TS Web Access

TS Web Access is a Terminal Services role that enables users to connect to TS RemoteApp applications or terminal server desktops from a Web browser. After testing TS Web Access, the MSIT team determined that TS Web Access would provide several advantages to Terminal Services users, such as making TS RemoteApp applications easy to find from a Web-based front end.

The team decided that for its particular environment, the best approach would be to build a Terminal Services portal application to customize the functionality that is available in TS Web Access. This custom Web access portal is named TS Portal.

(Figure: Customised TS Web Access website, or the TS Portal)


TS RemoteApp

TS RemoteApp is a Terminal Services component that is directed toward the end-user experience with terminal server applications. Instead of running within a terminal server (full) desktop, the terminal server application appears in a separate (seamless) window on the user's desktop. Additionally, other features, such as notification area icons that correspond to the TS RemoteApp application, appear on the user's desktop. The team felt that this technology would enhance the user experience with Terminal Services by providing an almost seamless experience between terminal server applications and the local applications that a user might run on the local desktop.


Download:

  • White Paper
  • PowerPoint Presentation
  • IT Pro Webcast
