Windows 7 Features That Require Server 2008 R2

Windows 7 has been released to considerable acclaim.

Most reviewers claim to see not only improvements in speed and functionality, but better usability as well.

Some reviewers are going so far as to proclaim that Windows 7 is as user friendly as the latest Mac OS Snow Leopard.

Even more important for business users and Information Technology Professionals is the list of impressive new features that come with Windows 7. Many of these new Windows 7 technologies allow for IT Departments to better manage, support, and configure Windows 7 machines throughout the enterprise.

It is not surprising then that these Windows 7 features are at the top of the list of reasons IT groups are ready to initiate the massive undertaking of upgrading desktop computers throughout the company.

But, did you know that some of the best new Windows 7 features only work with Windows Server 2008? In fact, some features actually require the latest Windows Server release, Server 2008 R2.

And, a handful of functions not only require Windows Server 2008 R2, but they require that all domain controllers be Windows Server 2008!

This isn’t a trivial point when evaluating upgrading to Windows 7 in a large environment. Let’s take a look at some of the features of Windows 7 that require Server 2008 R2.

  •   DirectAccess

DirectAccess is one of the much-anticipated features in Windows 7. For the home user, DirectAccess provides little benefit, but in the business environment, it will be invaluable.

Whether they were employees traveling on business trying to connect from hotel rooms or other locations, or whether they were employees working from home, or IT administrators trying to remotely diagnose or fix a systems issue at 3:00 A.M. — the value of remote connectivity could not be denied.

Unfortunately, until the release of Windows 7, businesses had only a few unappetizing choices for providing remote access to workers.

They could open up a giant security hole by allowing full connectivity over unencrypted connections (like the hotel wireless network) and just hope that no one intercepted sensitive data or, worse, piggybacked on the connection into the servers themselves. Obviously, this option was not popular.

They could create a DMZ area of sorts allowing connectivity only to specific resources that were sealed off from the “real” corporate network. However, this inevitably meant that whatever access the employee needed was behind the firewall and not available, and it did nothing to solve the problem of unencrypted data transfers.

Finally, companies could install a Virtual Private Network or VPN which would encrypt communications between the remote user and the company network as well as provide a means to authenticate remote users before they connected to the network.

Unfortunately, this required a whole other layer of client software, server setup, firewall configuration, and cost to make it work. Too often, the overall expense and effort of installation, support, and use of the VPN was such a burden that companies strictly limited who was permitted to use the service. Even for those with VPN installed, it was a clunky solution.

With Windows 7, Microsoft implemented DirectAccess. While DirectAccess offers many of the features found in VPN, it is not the same thing.

DirectAccess offers secure connections, like VPN, using IPSec in order to encrypt data passing between the client and network as it travels through the Internet. However, unlike VPN, DirectAccess provides an extra layer of “bi-directional” communications in which the remote computer can be connected and managed, without the user logging in. This is accomplished by authenticating the machine before the user ever attempts to connect.

This provides two huge benefits. First, because the machine must authenticate to the network first, a stolen username and password are worthless without an authorized computer. Thus, not only must a password be compromised, but a machine must be taken as well, which offers a much more obvious flag of a possible security breach.

Secondly, with the machine connected and authenticated over an Internet connection, the system can be remotely administered, including installing patches, running scripts, or setting policies or profiles. With DirectAccess, users no longer have to worry that when they connect in a mad rush to download a critical presentation, their connection will be slowed to a crawl while a login script runs and updates are installed. Instead, these things can happen while the employee is asleep or watching T.V. in their hotel room.

DirectAccess is a native part of Windows 7 and integrates seamlessly with Windows Server 2008 R2 eliminating the need for managing an extra layer of security or tying Active Directory entries to VPN users.

Instead, all of the same profiles, policies, and object security features run with full effect, ensuring that no one gets access to something they aren’t supposed to, while everyone gets access to everything they do need, all without any frantic 6:30 P.M. phone calls on Friday afternoon.

  •   BranchCache

While network connectivity has become widespread and WAN connections have dropped in price and increased in speed in larger cities, there are still tons of places where connectivity is expensive and slow. For companies with nationwide operations there are unpleasant choices to be made. Spend huge amounts of money on faster connections, or force employees in branch offices to suffer through slow authentication and slower data access.

With BranchCache you can have files stored on-site, either on a server (Windows 2008 Server, of course) or, if there is no onsite server, cached on the hard drives of other workstations. This way, if one person pulls down a file at 8:30 am and another person needs the same file at 9:15 am, the second user doesn’t need to download it across the WAN.

  •   BitLocker-to-Go

Windows 7 extends the drive encryption to USB keys and other removable drives. While BitLocker works without Server 2008, if you want to FORCE it to be used on USB key drives, you’ll need the Group Policy updates in Server 2008 R2. (Technically, you can’t force the drive to be encrypted, but you can disallow access to a non-encrypted drive.) Most importantly, the recovery password can be stored in Active Directory.
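A quick way to confirm on a Windows 7 client that the removable-drive policies described above have actually arrived from the domain. This is an added example, not part of the original article: it reads the registry values that the BitLocker removable-drive Group Policy settings write (the restriction on unencrypted drives is applied as a write-access block), and the policy descriptions in it are this example's own wording.

```powershell
# Added example: read-only check of BitLocker To Go policy state on a client.
# Run from an elevated PowerShell prompt after Group Policy has refreshed.

# Registry values written by the removable data drive (RDV) policy settings.
# Descriptions are this example's wording, not the Group Policy display names.
$checks = @(
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
       Name  = 'RDVDenyWriteAccess'
       Want  = 1
       About = 'Block writes to removable drives not protected by BitLocker' },
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
       Name  = 'RDVActiveDirectoryBackup'
       Want  = 1
       About = 'Back up removable-drive recovery information to Active Directory' },
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
       Name  = 'RDVRequireActiveDirectoryBackup'
       Want  = 1
       About = 'Refuse to encrypt until the recovery information is stored in AD' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the setting is Not Configured in Group Policy.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BitLockerToGoPolicy {
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        if ($null -eq $actual) {
            $state = 'NotConfigured'
        } elseif ($actual -eq $c.Want) {
            $state = 'Enforced'
        } else {
            $state = 'NotEnforced'
        }
        # One result object per setting so the output can be filtered or exported.
        New-Object PSObject -Property @{
            Setting = $c.About
            Value   = $c.Name
            State   = $state
        }
    }
}

Test-BitLockerToGoPolicy | Format-Table Setting, Value, State -AutoSize
```

Any row that is not `Enforced` means the client either has not refreshed policy or is not in scope of the GPO that carries the setting.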

  •   RemoteApp

If you want to use Presentation Virtualization (making the application appear as if it is installed locally) you’ll need Server 2008 (R1 or R2) and Windows 7. While you can technically get away with using Vista, advanced visuals like Aero won’t behave and will eliminate that “local install” feel.

  •   Server 2008 Without Windows 7 and Vice Versa

In the real world, no upgrade to either the desktop OS or the server OS will happen overnight. The question then becomes whether to upgrade to Windows Server 2008 R2 first, upgrade to Windows 7 first, or go the hybrid route and upgrade some of the server OS while also upgrading some of the desktop OS.

While at first glance, this sounds like the less desirable option, the reality is that this paradigm may actually serve many companies very well. The hybrid upgrade approach allows IT to upgrade by site or location, generally starting with the office with the highest concentration of the right IT personnel. By the time the IT guys are all running Windows 7 and at least a handful of the servers in the datacenter are running Windows Server 2008 R2, much of the infrastructure will not only be in place, but will have been tested as IT goes about its daily duties.

Working the bugs from a major upgrade out is a lot easier and less politically volatile when the ones dealing with the issues are both the people most capable of figuring out what the problem is, and the ones least likely to complain about the way things are being handled.

In the end, much of the handwringing going on about whether to put the chicken or the egg first may be moot. The only question is, which is the chicken, Windows Server 2008 or Windows 7?
