While we probably won't see a flash mob of server admins breaking into Redmond on Tuesday to get a new copy of Windows Server 2012, there is reason to be excited about some of the cool improvements that made their way into the final product. In this piece, we'll kick into first gear to get a sense of how some of Server 2012's more interesting features drive. Later on, InformationWeek Labs will do a deeper exploration of each high impact feature to see where it shines, and where it doesn't.
Take a look at three changes that make Server 2012 worth a look now:
1. Dynamic Access Control
One of the largest data security and compliance challenges that all organizations have is getting a handle on the out-of-control proliferation of sensitive data on our corporate file systems. Larger organizations that have a lot to lose have generally deployed data loss prevention tools to tackle the problem. In Windows Server 2012, a new feature called Dynamic Access Control promises another route, presumably for groups that don't already have investments in another security tool to do the job.
Here's how DAC works: The file server role in Server 2012 contains a beefed up version of the Windows File Classification Infrastructure (which was first introduced in Server 2008 R2). The Windows FCI allows you to continuously audit data stored on a file system using conditional expressions and take policy action accordingly.
So for example, if an employee saved an Excel spreadsheet on the network that contained Social Security data, you could configure a security policy that automatically applies certain permissions to the file. Or, you could configure a policy to automatically encrypt the document via Rights Management Server. Another choice would be to have a popup appear telling the employee that saving the data to the network violates company policy.
We found that DAC worked quite well in the lab, and our only gripe was that it was a bit cumbersome to set up. If you're testing this feature in your lab, you'll need a Server 2012 DC, you'll need to install the file server role, and if you want to automatically protect data using RMS, then you'll need to light up the Rights Management Server role. Broadly speaking, you need to first create a file classification rule that describes the data you're looking for and how to classify it once found. Then you must create a central access rule which describes what to do when a match is found. Then you must create a central access policy and deploy that group policy object to the file server hosting the shared drive in order to enforce your central access rule.
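The setup sequence described above, sketched in PowerShell as an added example (not from the article or from Microsoft's documentation); each numbered section runs on the machine named in its comment. The group `HR-PII-Readers`, the path `D:\Shares\HR`, the rule and policy names and the Social Security number regex are assumptions, as is the use of the built-in `PII_MS` resource property with `5000` as its High value.

```powershell
# Added example: names, paths and the regex are illustrative assumptions.
# ---- 1. Domain controller (Server 2012, ActiveDirectory module) ----
Import-Module ActiveDirectory

# Enable the built-in PII resource property and publish it to file servers.
Set-ADResourceProperty -Identity 'PII_MS' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'PII_MS'

# ---- 2. File server (File Server Resource Manager module) ----
# Pull the property definition from AD, then classify files that contain
# an SSN-shaped string as PII_MS = 5000 (assumed to mean "High").
Update-FsrmClassificationPropertyDefinition
New-FsrmClassificationRule -Name 'Contains SSN' -Property 'PII_MS' -PropertyValue '5000' `
    -Namespace @('D:\Shares\HR') -ClassificationMechanism 'Content Classifier' `
    -Parameters @('RegularExpressionEx=Min=1;Expr=\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite
Start-FsrmClassification

# ---- 3. Domain controller: central access rule and policy ----
# The rule targets only files classified High PII. Owner, Administrators and
# SYSTEM keep full control; the hypothetical HR group gets read and execute.
$hrSid = (Get-ADGroup -Identity 'HR-PII-Readers').SID.Value
$sddl  = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;$hrSid)"
New-ADCentralAccessRule -Name 'PII Rule' `
    -ResourceCondition '(@RESOURCE.PII_MS == 5000)' -CurrentAcl $sddl
New-ADCentralAccessPolicy -Name 'PII Policy'
Add-ADCentralAccessPolicyMember -Identity 'PII Policy' -Members 'PII Rule'

# ---- 4. Publish 'PII Policy' to the file server with a GPO ----
# Group Policy Management: Computer Configuration > Policies > Windows Settings >
# Security Settings > File System > Central Access Policy. Then, on the file server:
gpupdate /force

# ---- 5. File server: attach the policy to the shared folder ----
$acl = Get-Acl -Path 'D:\Shares\HR'
Set-Acl -Path 'D:\Shares\HR' -AclObject $acl -CentralAccessPolicy 'PII Policy'
```

The central access policy is evaluated in addition to the folder's NTFS and share permissions, so existing ACLs on the share still apply.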
Dynamic Access Control is a really cool feature of Windows Server 2012, but it's not exactly plug and play to deploy. To be fair, any DLP package from any other vendor can be equally or even more difficult to deploy and manage.
2. Unified Remote Access
Many of the remote access features in prior versions of Windows Server have been consolidated into the remote access server role in Server 2012, including a new and improved version of DirectAccess. One of the biggest disappointments with DirectAccess in Server 2008 R2 was the inflexible and complex deployment scenarios that you simply had to accept in order to make DirectAccess work. All things considered, the first incarnation of DirectAccess wasn't mature enough or easy enough to manage to become a viable alternative to other remote access solutions. DirectAccess in Server 2012 is much easier to deploy.
One of the most notable improvements is that you no longer need multiple DirectAccess servers in order for clients to access internal network resources; you can use network address translation (NAT) to route incoming connections through to a single DirectAccess server. There is also support for global server load balancing so Win8 clients can automatically connect to the closest network entry point. If you're using Windows 8 with DirectAccess in Server 2012, you'll also now have the ability to join a new machine to the domain without needing access to the internal network.
In the lab, deploying DirectAccess is a mostly wizard-driven proposition in Server 2012. The default deployment option encourages you to deploy both DirectAccess and VPN in order to support non-Windows 7 or Windows 8 clients (and therein lies a drawback with DirectAccess). If you've already deployed a best-of-breed IPsec and/or SSL VPN to support XP, MacOS, Linux, or mobile devices, then you should simply install DirectAccess only. All of the group policy objects required to make DirectAccess work are pushed out to Active Directory during the setup wizard, and as a result all clients that can support DirectAccess will have the policy pushed out to them.
DirectAccess in Server 2012 doesn't require IPv6 per se, so your internal devices no longer need to be IPv6 enabled. In this scenario, the DirectAccess server will be your conduit to all of your IPv4 devices on the internal network.
Using our Windows 8 client in the lab, we had no problem deploying a single DirectAccess server through NAT. The best part about using Windows 8 with Server 2012 DirectAccess is that you can use a self-signed certificate to encrypt the Kerberos exchange between the client and the DirectAccess server. Win7 clients accessing a Server 2012 DirectAccess server still need to use PKI.
On the whole, DirectAccess is vastly improved in Server 2012. The drawback is, in order to realize many of those improvements, you need to deploy Windows 8 along with it.
3. Server Core
I'll state up front that this is no reason to migrate to Server 2012, but I'm including this new feature here because it addresses a pet peeve of mine. In Windows Server 2008, selecting Server Core as an installation option was an all-or-nothing proposition. If you built a server core box and later regretted that decision, your only recourse was to rebuild the box. And conversely, if you built a full UI server and wanted to take advantage of the reduced attack surface and performance that you enjoy with Server Core, then you were equally out of luck.
(If you're not familiar with Server Core yet, it aims to help with private cloud chores. See what Microsoft has to say about the benefits, including your ability to increase density of VMs.)
In Server 2012, the Server Core and full UI installation options are no longer an all or nothing proposition. That's good news for security conscious admins, because it makes the process of hardening a Windows server playing a critical server role much easier.
In the lab, we built up a DHCP server that was also running the File and Storage Services role using the full UI option. The full UI server, of course, had the full shell loaded, with 56 running services. Using a PowerShell command to revert the server to a command-line-only version of the same server, we were able to shed 11 running services from the DHCP server, for a total of 45 running services. Security-conscious admins could harden the OS even more, but as a quick-hit security strategy, the ability to revert back and forth between Server Core and full UI is an enormously cool new option for server administrators.
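One way to reproduce that before-and-after service count, as an added example (the article does not show the command the lab used). Run it once on the full UI server and again after the reboot; the snapshot path and the helper function name are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on Server 2012.
# $snapshot is a hypothetical location chosen for this example.
$snapshot = Join-Path $env:ProgramData 'services-fullui.xml'

function Get-RunningServiceName {
    # Names of all services currently in the Running state, sorted.
    Get-Service | Where-Object { $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name | Sort-Object
}

if ((Get-WindowsFeature -Name Server-Gui-Shell).Installed) {
    # First run (full UI): save the baseline, then remove both GUI features.
    # -Restart reboots the server; run this script again afterwards.
    Get-RunningServiceName | Export-Clixml -Path $snapshot
    Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart
}
elseif (Test-Path $snapshot) {
    # Second run (Server Core): list the services that are no longer running.
    $before = @(Import-Clixml -Path $snapshot)
    $after  = @(Get-RunningServiceName)
    'Running before: {0}; running now: {1}' -f $before.Count, $after.Count
    Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object -ExpandProperty InputObject
}
else {
    Write-Warning "No baseline at $snapshot; run this on the full UI server first."
}

# To return to the full UI later:
#   Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart
```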
For more detail on what else has changed in Windows Server 2012, see my first look at the beta version, which details the server management and Hyper-V features, among others.
Also, see Charles Babcock's look at Microsoft's addition of Azure management capabilities within Windows Server 2012, including the automated provisioning of virtual machines. This move amounts to white-labeling Azure, and steps up the rivalry with VMware.