Saud Al-Mishari Microsoft Consultant

Presentation on theme: "Saud Al-Mishari Microsoft Consultant"— Presentation transcript:

1 Product Overview
Saud Al-Mishari, Microsoft Consultant, Saudm@microsoft.com

2 Agenda: Windows Server 2003 R2 Principal Scenarios
• Simplified Branch Server Management
• Efficient Storage Management
• Cost-Effective Virtualization
• Identity and Access Management
• Improved Web Platform
Windows Server 2003 R2 extends Windows Server 2003, providing the most efficient way to manage and control access to local and remote resources while integrating easily into an existing Windows Server 2003 environment. It enables new scenarios, including simplified branch server management, efficient storage management and streamlined collaboration with partners, building on the security, reliability and performance improvements delivered by Service Pack 1 (SP1).

3 Branch Office / Storage Management / Virtualization / Identity Management / Web Platform
• Branch Office: better connectivity, reliability and TCO, with up to 50% WAN traffic reduction
• Storage Management: better control over storage setup and 10% lower management costs
• Virtualization: Enterprise Edition & Virtual Server R2, the best value in server virtualization
• Identity Management: manage a single identity across partner, web and UNIX apps
• Web Platform: latest 64-bit & .NET technologies for double the web application performance
Key Talking Points: Doing more with less just got better. Windows Server 2003 R2, an update release of the Windows Server 2003 operating system, makes it easier and more cost effective to extend connectivity and control to identities, locations, data, and applications throughout and beyond your organization. Built on Windows Server 2003 with Service Pack 1 (SP1), R2 takes advantage of the stability and security of a proven code base while providing better:
• Identity and access management: manage a single identity across partner, web and UNIX applications. Key enabler: Active Directory Federation Services (ADFS).
• Branch office server management: better connectivity, reliability and TCO, with up to 50% WAN traffic reduction. Key enablers: Distributed File System and Remote Differential Compression.
• Storage setup and management: better control over storage setup and 10% lower management costs. Key enabler: File Server Resource Manager.
• Web application platform: the latest 64-bit and .NET technologies for double the web application performance. Key enablers: x64 and .NET Framework 2.0.
• Virtualization: Windows Server 2003 R2 Enterprise Edition with Virtual Server 2005 R2 provides the best value in server virtualization. Key enabler: the Enterprise Edition licensing change; R2 EE includes 4 licenses for virtual instances.
Windows Server 2003 R2 provides an end-to-end 64-bit platform, allowing you to scale your IT infrastructure to take advantage of the latest hardware advancements. The .NET Framework 2.0 included in Windows Server 2003 R2 is an integral component in providing a convenient platform to create, recreate, and migrate applications to take advantage of 64-bit computing power. With SQL Server 2005 and Visual Studio 2005, Microsoft now provides a complete 64-bit application platform from the operating system to the database, along with a development environment.
Other talking points:
• Integrated UNIX interoperability: the UNIX interoperability features included in Windows Server 2003 R2 allow organizations to complete timely Windows migrations without jeopardizing the viability of important UNIX-based line-of-business applications. Subsystem for UNIX-based Applications (SUA) is included in Windows Server 2003 R2; with SUA, administrators can migrate legacy UNIX applications with little or no change to their original source code. Windows Server 2003 R2 also includes UNIX interoperation features for password synchronization and directory services integration.
• Collaborate with Windows SharePoint® Services right out of the box: Windows SharePoint Services Service Pack 2 (SP2) is included in Windows Server 2003 R2, enabling better user productivity by allowing teams to share documents and eliminate version control issues more effectively than via e-mail or file shares.

4 Branch Office / Storage Management / Virtualization / Identity Management / Web Platform
• Branch Office: Distributed File System; centralized file and print consoles
• Storage Management: better control over storage setup and 10% lower management costs
• Virtualization: Enterprise Edition & Virtual Server R2, the best value in server virtualization
• Identity Management: manage a single identity across partner, web and UNIX apps
• Web Platform: latest 64-bit & .NET technologies for double the web app performance

5 Simplified Branch Server Management
Branch office challenges
• Wide-Area Network (WAN): WAN costs can be significant; WAN latency issues
• Management costs: lack of network admins on site in branch offices; tape backup is expensive and unreliable; tools need to scale to a large number of branches (policy, delegation, UI)
Lead-in: The two broad challenges that the branch market faces are WAN costs/latency and local manageability. This is due to their rather paradoxical requirements: local application performance with easy manageability. At the same time, many customers are in the process of consolidating their central servers, or have already done so, and are now looking to branch servers as the next big consolidation gain. Branch servers pose a unique challenge, however, particularly where additional bandwidth is expensive or unavailable. The productivity losses that occur when servers are centralized are usually not acceptable, and the possibility of losing connectivity altogether is normally too much of a risk. With these trends converging, the solution is to keep the servers in the branch but manage them much like disposable appliances. This gives a good balance of productivity for the branch office workers and a reduced administrative burden for IT.

6 Simplified Branch Server Management
Microsoft Branch Server Vision
• Replaceable: ease of deployment and replacement
• Admin free: no admins required in branch sites; simple configuration from the central site
• Accelerator: efficient use of WAN resources (transfer only file deltas); rely on the local cache to handle local requests; forward to the central server when the WAN is available
The branch server functionality of Windows Server 2003 R2 is the most recent step in Microsoft's roadmap to more effective branch server management. The following slides cover the specific features of Windows Server 2003 R2 that further this vision.

7 Simplified Branch Server Management
Windows Server 2003 R2 Features for Branch
• Easily manage your infrastructure with centralized management tools: DFS Management Console, failover with failback, Print Management Console
• Keep your business running smoothly by taking advantage of faster data replication: DFS with Remote Differential Compression
• Reduce administration costs by eliminating local administration and local backup
Remote server hardware management entails:
• Hardware management makes Windows Server aware of IPMI (Intelligent Platform Management Interface) instrumentation on the motherboard through a new driver.
• Events raised in the hardware's system event log (SEL) are also displayed in the Windows event log.
• Sensor values and probes (e.g. fan speed and temperature) can be read and set through a new WMI provider, which makes IPMI accessible to all management tools and scripts that use WMI.
• R2 also introduces the Web Services for Management (WS-Management) protocol, which enables cross-firewall remote management of servers using WMI over HTTP and SOAP, and management of remote servers whose baseboard management controller (BMC) supports WS-Management even when the operating system is not running, e.g. pre-boot and post-crash (power-cycle, change boot order). A management endpoint that is reachable across a firewall and can power-cycle hosts must be restricted to authenticated administrators and protected in transit (an HTTPS listener rather than plain HTTP) before it is exposed.

8 Simplified Branch Server Management
Key Benefits: centralized management of file and print services; high availability; efficient publishing and collaboration
Key Enablers: DFS; Remote Differential Compression; Management Console; failover with failback; Print Management Console
KEY TAKEAWAY: The branch office value proposition in R2 is: "Windows Server 2003 R2 is the most efficient way to provide more effective management and operation of branch office environments."
Scenarios: The key scenario that we needed to enable is the ability to centrally back up locally generated file data in a WAN-friendly way, without the need for local backup devices or administration. Making sure that file data stays highly available if the branch server is out of commission is also a key requirement, especially if it might take a day or two to get the local server back up and running. Lastly, branch office staff need a WAN-friendly way to access centrally published documents and collaborate with each other, including with staff in other branches.
Technology Enablers: The key technology enabler in R2 is a new version of FRS called DFS (Distributed File System), which consists of two parts, replication (DFS-R) and namespaces (DFS-N), and which provides large efficiency gains over the WAN with a new compression technology called Remote Differential Compression (RDC). RDC ships only the changes to a file over the wire: for example, a change to a couple of words in a 3.5 MB PPT now requires only about 16 KB on the wire. RDC is a key component of DFS-R. (Incidentally, RDC is implemented as a library that other file replication technologies can use, so you can expect future versions of robocopy, client-side caching, etc. to make use of it.)
The DFS Management console has also been rewritten for R2. Highlights include a hierarchical namespace view, the ability to rename links and "projects" (not possible in the current console), and easier delegation of DFS administration tasks to non-domain admins (create and manage domain roots and individual roots). DFS-R and DFS-N are manageable from the same console, but the distinction between them is made clearer. Clients can now fail back to a preferred server when its availability is restored, rather than staying on the hub server they failed over to (this requires a client-side update, delivered as a hotfix).
We are also providing a long-overdue Print Management Console (PMC) that makes it much easier to manage print servers and print queues, including forms and drivers, and to push new printer connections and drivers to client PCs. The PMC can build consolidated views of printers across print servers based on parameters you specify, for instance showing only printers that are not ready and have jobs queued. It also provides a much easier mechanism for managing forms and drivers.
Other management technologies include the new Web Services for Management (WS-Management) protocol, which enables cross-firewall remote management of servers via HTTP and SOAP on top of WMI scripting, and the Intelligent Platform Management Interface (IPMI), which enables more granular hardware management (moving hardware system event log events into the Windows event log, for example). Through a new WMI provider in R2, all WMI scripts and tools can access IPMI.
Futures: In the short term, expect guidance from Microsoft in the form of a Windows Server System Reference Architecture (WSSRA) called the Branch Office Infrastructure Solution (BOIS), providing prescriptive architectural guidance on how to design, build, deploy and manage a branch office infrastructure using Microsoft technologies. This guidance spans Microsoft products: alongside Windows Server 2003 for the DNS/WINS, DHCP and file/print roles, it recommends SMS (for secondary site configuration), a MOM agent, and ISA for web caching. Windows Server 2003 R2 can thus be viewed as one step on the road to an end-to-end branch solution. For Longhorn Server, cached domain controllers, patch distribution and other technologies are on the radar, as well as deeper integration with the Microsoft technology stack.
Note: While DFS is an essential enabling technology for the simplified branch server management scenario, it also plays an integral part in Efficient Storage Management.
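The "ship only the deltas" behaviour the notes attribute to RDC is easiest to see in code. The following Python is an added example, not Microsoft's RDC implementation and not part of the original deck: it uses a simple content-defined chunking scheme (a rolling hash decides chunk boundaries, SHA-1 identifies chunks) so that a small edit or an insertion in the middle of a file changes only the chunks around it, and only those chunks cross the wire. The 256 KB pseudo-random "document", the window size and the boundary mask are constructed assumptions for the demonstration; RDC's real chunking and signature formats differ.

```python
"""Delta transfer in the spirit of Remote Differential Compression (added example;
a simplified illustration, not Microsoft's RDC implementation)."""
import hashlib
import random

WINDOW = 16                       # bytes in the rolling-hash window (assumption)
BOUNDARY_MASK = 0x0FFF            # cut when the low 12 bits are zero: ~4 KB chunks on average
MIN_CHUNK, MAX_CHUNK = 512, 8192  # bounds on chunk size (assumption)
_ROLL_OUT = pow(31, WINDOW, 1 << 32)


def chunk_boundaries(data):
    """Content-defined chunking. Boundaries depend on the bytes themselves, not on
    offsets, so an insertion shifts only the chunk it lands in; later chunks re-sync."""
    ends = []
    start = 0
    h = 0
    for i, b in enumerate(data):
        h = (h * 31 + b) & 0xFFFFFFFF                          # add the new byte
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * _ROLL_OUT) & 0xFFFFFFFF  # drop the byte leaving the window
        length = i - start + 1
        if length >= MIN_CHUNK and ((h & BOUNDARY_MASK) == 0 or length >= MAX_CHUNK):
            ends.append(i + 1)
            start = i + 1
    if start < len(data):
        ends.append(len(data))
    return ends


def signatures(data):
    """(hash, start, end) per chunk: the small list both sides compare."""
    sigs, start = [], 0
    for end in chunk_boundaries(data):
        sigs.append((hashlib.sha1(data[start:end]).digest(), start, end))
        start = end
    return sigs


def delta_transfer(receiver_copy, sender_copy):
    """Sender has the new version, receiver has the old. Only chunks whose hash the
    receiver does not already hold are sent. Returns (rebuilt, payload_bytes, sig_bytes)."""
    have = {sig: receiver_copy[s:e] for sig, s, e in signatures(receiver_copy)}
    new_sigs = signatures(sender_copy)
    rebuilt, payload = bytearray(), 0
    for sig, s, e in new_sigs:
        if sig in have:
            rebuilt += have[sig]                  # reuse the receiver's local copy
        else:
            rebuilt += sender_copy[s:e]           # this chunk crosses the WAN
            payload += e - s
    sig_bytes = sum(len(sig) + 8 for sig, _, _ in new_sigs)  # hash + offsets per chunk
    return bytes(rebuilt), payload, sig_bytes


def demo(size=256 * 1024, seed=7):
    """Constructed 256 KB 'document', edited two ways; reports the wire cost of each."""
    rnd = random.Random(seed)
    original = bytes(rnd.getrandbits(8) for _ in range(size))
    replaced = original[:100_000] + b"a couple of changed words" + original[100_025:]
    inserted = original[:100_000] + b"an inserted sentence" + original[100_000:]
    out = {"file_size": size}
    for name, edited in (("replace", replaced), ("insert", inserted)):
        rebuilt, payload, sig_bytes = delta_transfer(original, edited)
        out[name] = {"ok": rebuilt == edited, "payload": payload, "sig_bytes": sig_bytes}
    return out


if __name__ == "__main__":
    print(demo())
```

The insertion case is the one that defeats fixed-size blocking (every block after the insertion point would shift and miss); content-defined boundaries re-synchronise a chunk or two later, which is why the payload stays a few chunks rather than the rest of the file.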

10 Branch Office / Storage Management / Virtualization / Identity Management / Web Platform
• Branch Office: Distributed File System; centralized file and print consoles
• Storage Management: File Server Resource Manager; Storage Manager for SANs
• Virtualization: Enterprise Edition & Virtual Server R2, the best value in server virtualization
• Identity Management: manage a single identity across partner, web and UNIX apps
• Web Platform: latest 64-bit & .NET technologies for double the web app performance

11 Efficient Storage Management
The Challenges of Storage Today
• Storage growth estimates: % per year
• Managing storage growth effectively is a challenge: Direct Attached Storage (DAS) solutions have limitations; Storage Area Network (SAN) solutions can be complex
• Few IT professionals are storage experts: 35% of SMBs have already moved from DAS to networked storage; 40% of SMBs are considering moving to networked storage
• The cost of managing storage can be 10x the cost of the storage itself
• Consolidating file servers and storage is involved: complex and error prone, with potential disruption to end users

12 Efficient Storage Management
Windows Server 2003 R2 Storage Management
• File Server Resource Manager (FSRM): capacity management, policy management (file screening), quota management
• Storage Manager for SANs (SMFS): configuration management (disk provisioning, disk management)
Windows Server 2003 R2 storage management has two components. The first is the File Server Resource Manager (FSRM), which handles capacity management (disk and volume space information), policy management (setting and enforcing policies for systems and users, particularly screening the types of files users attempt to save in storage folders) and quota management (managing storage usage). The second is Storage Manager for SANs (SMFS), which handles configuration management: configuring and managing physical storage systems, including disk provisioning and disk management.

13 Efficient Storage Management
FSRM: Administrator Challenges
• Capacity Management: determine existing storage capacity usage across the organization; determine whether usage effectively supports organizational goals; define and implement storage policies; adjust the policies as capacity needs grow and as organizational needs change
• Policy Management: no easy way to control the type of data stored on file servers; unwanted content must be identified manually
• Quota Management: user home directories often grow quickly, causing servers to run out of space; departmental shares can also grow unexpectedly; administrators only become aware of a storage crisis when the server is already out of space

14 Efficient Storage Management
FSRM: User Scenarios and Benefits
• Capacity Management: identify where storage capacity is used inefficiently; identify mechanisms to prevent future capacity misuse; monitor usage patterns and utilization levels
• Policy Management: eliminate non-business files and improve storage utilization while reducing management costs; implement policies to restrict unauthorized files in order to limit legal exposure; promote a culture of accountability. Note that FSRM file screens match on file names (e.g. *.mp3), not on file contents, so a renamed file passes them: they enforce policy against ordinary users rather than stopping a determined one, and a passive screen only logs or notifies without blocking the save.
• Quota Management: control the amount of space used for a folder or share and limit its impact on server utilization; monitor disk space usage growth per volume, folder, or share; slow down storage growth. A hard quota refuses writes at the limit, while a soft quota only raises notifications, so choose the type deliberately.
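To make the file screen caveat concrete, here is an added example (not FSRM code, and not from the original deck) that mimics an FSRM-style decision, matching the file name against a screen group's patterns, next to a content sniff of the same bytes. The screen group, the sample file names and the sample headers are constructed for the example; the magic-byte signatures are the real leading bytes of those formats.

```python
"""FSRM-style file screening next to a content check (added example, not FSRM code).

An FSRM file screen matches the file *name* against a file group's patterns; this
model shows that decision and contrasts it with what the bytes actually are."""
from fnmatch import fnmatch

# Constructed screen group: the patterns an administrator might block.
BLOCKED_NAME_PATTERNS = ("*.mp3", "*.avi", "*.wmv", "*.asf")

# Real leading bytes of the same formats (format signatures, not constructed).
MAGIC_SIGNATURES = (
    (b"ID3", "mp3"),                                   # MP3 with an ID3v2 tag
    (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11", "wmv/asf"),  # ASF header object GUID
)


def content_type(data):
    """Sniff the format from the leading bytes; a RIFF file is only AVI if the
    form type at offset 8 says so (WAV uses the same container)."""
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    for magic, kind in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def fsrm_style_screen(filename, active=True):
    """The FSRM decision: name pattern match only. An active screen blocks the
    save; a passive screen lets it through and only notifies or logs."""
    matched = any(fnmatch(filename.lower(), pattern) for pattern in BLOCKED_NAME_PATTERNS)
    if not matched:
        return "allow"
    return "block" if active else "allow-and-notify"


def evaluate(filename, data, active=True):
    """Side by side: what the name-based screen does and what the content is."""
    return {"name_screen": fsrm_style_screen(filename, active),
            "content": content_type(data)}


# Constructed sample files: headers only, since neither check reads further.
SAMPLES = {
    "song.mp3":      b"ID3\x03\x00" + b"\x00" * 27,
    "quarterly.xls": b"ID3\x03\x00" + b"\x00" * 27,   # the same MP3, renamed to slip past the screen
    "clip.avi":      b"RIFF\x00\x00\x10\x00AVI LIST" + b"\x00" * 16,
    "budget.doc":    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # OLE2 compound document
}


def run_samples(active=True):
    """Evaluate every constructed sample under an active (or passive) screen."""
    return {name: evaluate(name, data, active) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} screen={verdict['name_screen']:17} content={verdict['content']}")
```

The renamed MP3 is the point: the name screen allows quarterly.xls while the content check still identifies it, which is why a file screen is a storage-hygiene tool and a content inspection or DLP product is needed where the goal is to stop deliberate evasion.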

15 Efficient Storage Management
SMFS: SAN Management and Provisioning
Administrator challenges: the small to midsize market wants SAN benefits, but existing tools are complex and expensive, administrators have limited experience with SAN technologies, and they want basic functionality that lets the administrator easily share storage among servers.
User scenarios and benefits: offers basic SAN management functionality, including device discovery, LUN creation and storage allocation; enables shared storage solutions and clustering.

16 Efficient Storage Management
SMFS: SAN Management and Provisioning Basics
• Uses the Virtual Disk Service (VDS) infrastructure
• Allows Windows® administrators to perform basic array and LUN management
• Targets small-scale SANs built from simplified hardware
• MMC snap-in
Functionality
• Discovery of storage arrays on a Fibre Channel or iSCSI SAN, including storage array properties such as firmware information
• Creation, deletion and expansion of storage array LUNs
• Specification of LUN options, such as RAID levels
• Allocation of LUNs to specific servers on the SAN
• Monitoring of LUNs, including status/health and allocation to servers
• Through VDS, integrates iSCSI, iSNS, MPIO and HBA API local storage management

17 Efficient Storage Management
Distributed File System (DFS)
• Key storage technology: the leading file system virtualization product; virtualizes file servers and network-attached storage devices
• Provides a logical view of physical storage and a unified global namespace: users can connect to a share without having to remember the server name; translates logical names to physical shares; shares can be moved around without affecting clients, since share location is transparent to them
• Failover, closest-site referral, root scalability, multiple roots*, failback support**, administrative delegation, target priority
DFS is not solely a feature of the simplified branch server management capability of Windows Server 2003 R2: it is an integral part of Efficient Storage Management. The same features that make it so effective in local file server management have found a natural use in managing branch servers as well.
* Supporting multiple domain-based roots on a Standard Edition server requires the update described in the corresponding Microsoft Knowledge Base article.
** Failback requires a hotfix on client computers; refer to the corresponding Knowledge Base article, which applies to both Windows XP and Windows Server 2003 clients (the fix is included in Windows XP SP3 and Windows Server 2003 SP2).

18 Efficient Storage Management
Key Benefits: simple SAN provisioning; file quota management, file screening, and file storage reporting; UNIX NFS connectivity
Key Enablers: Simple SAN Management for the IT generalist; File Server Resource Management; Virtual Disk Service (VDS) 1.1; UNIX/Windows interoperability for streamlined cross-platform file server management; Hardware Compatibility Tests (HCT) 12.1
SIMPLE SAN MANAGEMENT: R2 includes a new SAN management tool that makes it easy to deploy a small SAN hosted (front-ended) by Windows. This GUI-based interface guides the user through creating LUNs and making them available to the application servers. The tool works for both Fibre Channel and iSCSI, and for any storage array that has a VDS provider. Once LUNs are created, the tool also provides simple commands to delete and grow them so that applications can scale with demand.
FSMT: We are also integrating the File Server Migration Toolkit. This allows IT pros to consolidate data from multiple Windows servers (onto their newly created SAN) while preserving the old UNC paths, so shortcuts and users' favorites continue to work (requires DFS).
STORAGE RESOURCE MANAGEMENT: Now that all of the data is in one place, R2 also includes a new native storage resource management tool specifically for quota management. This gives administrators the ability to optimize how their disk storage is used: they can manage the amount of storage made available to different users and also the types of files that can be stored, to maximize disk utilization. To support better planning, storage reports are also available so that the administrator can monitor the usage and distribution of storage and reassign storage to different groups before a critical situation occurs.
NFS Support: R2 also includes the ability to serve this newly consolidated data to UNIX clients using their native protocol, Network File System (NFS). It also includes a client so Windows IT admins can connect to NFS servers to copy data.
File Server Role Management Console: A new console pulls all of this functionality together.

20 Branch Office / Storage Management / Virtualization / Identity Management / Web Platform
• Branch Office: Distributed File System; centralized file and print consoles
• Storage Management: File Server Resource Manager; Storage Manager for SANs
• Virtualization: Enterprise Edition licensing change
• Identity Management: manage a single identity across partner, web and UNIX apps
• Web Platform: latest 64-bit & .NET technologies for double the web app performance

21 Change: Windows Server 2003 R2 Licensing
Multiple instances per license for EE
Windows Server 2003 R2 Standard Edition (Server A with 5 licenses for WS 2003 R2 STD and 1 license for Virtual Server): each license allows the user to run 1 instance in a physical or virtual OS environment on the licensed server. The same rule applies to WS 2003 (STD and EE).
Windows Server 2003 R2 Enterprise Edition (1 license for WS 2003 R2 EE): run 1 instance in a physical OS environment on the licensed server; run up to 4 instances in virtual OS environments on the licensed server; run instances of STD in place of EE in virtual OS environments.

22 Windows Server Virtualization Licensing
Current rights: for each software license, you may install and use 1 copy of the software on 1 device (1 install = 1 license; servers, i.e. devices).
New use rights: license by running instances, so the customer pays for what they use (multiple instances per device; a SAN or file server may hold many images).
Enhanced virtual use rights in Windows Server 2003 R2 Enterprise: 1 physical instance and up to 4 virtual. Enables flexible deployment and supports common enterprise scenarios (server consolidation, application isolation, etc.).
Edition      Virtual instances   Channel   Price
Standard     1                   All       Unchanged
Enterprise   4                   All       Unchanged
Datacenter   1 per processor     OEM       Unchanged

23 Summary: Windows Server 2003 R2 Principal Scenarios
• Identity and Access Management
• Efficient Storage Management
• Simplified Branch Server Management
• Improved Web Platform
• Cost-Effective Virtualization
• UNIX Interoperability
Windows Server 2003 R2 extends Windows Server 2003, providing the most efficient way to manage and control access to local and remote resources while integrating easily into an existing Windows Server 2003 environment. It enables new scenarios, including simplified branch server management, efficient storage management and streamlined collaboration with partners, building on the security, reliability and performance improvements delivered by SP1. Windows Server 2003 R2 demonstrates Microsoft's commitment to the Windows Server roadmap and allows customers to plan server operating system purchasing and adoption with confidence. Windows Server 2003 R2 can be slipstreamed into existing Windows Server 2003 environments without retesting or recertifying existing roles or applications, and without upgrading to new Client Access Licenses.

25 Branch Office / Storage Management / Virtualization / Identity Management / Web Platform
• Branch Office: Distributed File System; centralized file and print consoles
• Storage Management: File Server Resource Manager; Storage Manager for SANs
• Virtualization: Enterprise Edition licensing change
• Identity Management: Active Directory Federation Services; UNIX Identity Management
• Web Platform: latest 64-bit & .NET technologies for double the web app performance

26 Identity and Access Management
Challenge: Extending access across users, apps, platforms
Diagram labels: your SUPPLIERS and their APPLICATIONS; your CUSTOMERS; your PARTNERS and their APPLICATIONS; your EMPLOYEES; your APPLICATIONS and PLATFORMS; your REMOTE and VIRTUAL EMPLOYEES
IT administrators today face exponential growth in service requests involving identity and access management. Organizations need both to manage how users access applications on a variety of application platforms and to extend their IT infrastructure to give partners, suppliers, customers, and remote employees access to an increasing number of applications. At the same time, IT organizations are expected to contribute positively to the business by improving customer loyalty and retention, reducing operational costs, and responding quickly and efficiently to change. Managing many applications on multiple platforms for a growing number of internal and external users presents the following administrative and security challenges:
• Providing business partners access to applications and collaboration tools without sacrificing the security of the applications or of the internal network.
• Limiting the number of passwords users need for secure access to applications. Too many passwords often lead users to poor security practices, such as writing passwords on sticky notes.
• Managing the administrative burden of keeping duplicate user data in multiple application directories, while not overloading a centralized directory with application-specific data.
• Leveraging existing administrative tools across a larger set of application environments.

27 Identity and Access Management
Windows Server 2003 R2 Features
• Active Directory Application Mode (ADAM): a lightweight, domain-independent mode of Active Directory for application directory scenarios, interoperating with domain mode for authentication. Benefit: tailor the directory services infrastructure for local control/autonomy or shared services.
• UNIX Identity Management: Server for Network Information Service (NIS) helps integrate Windows and UNIX domains; Password Synchronization simplifies password maintenance across platforms. Benefit: efficient multi-platform identity management.
• Active Directory Federation Services (ADFS)
Windows Server 2003 R2 offers functionality that extends connectivity and control of identity management for internal and external collaboration. The following Windows Server 2003 R2 features deliver distinct advantages for identity and access management:
• UNIX Identity Management: Windows Server 2003 R2 provides Windows and UNIX integration, which helps establish uninterrupted user access and efficient management of network resources across operating systems, through the following updated identity management solutions. Server for NIS helps integrate Windows and UNIX-based Network Information Service (NIS) servers by enabling an Active Directory domain controller to act as a master NIS server for one or more NIS domains; Identity Management for UNIX includes an easy-to-use wizard that a Windows domain administrator can use to export NIS domain maps to Active Directory entries. Password Synchronization helps integrate Windows and UNIX servers by simplifying the process of maintaining secure passwords: users do not need to maintain separate passwords for their Windows and UNIX accounts or remember to change the password in multiple places, because Password Synchronization automatically changes the user's password on both the UNIX and Windows side whenever the user changes it. Because this service propagates every password change between platforms, the hosts running it and the channel between them are as sensitive as the domain controller itself and should be protected accordingly.
• Active Directory Application Mode (ADAM): ADAM, an independent mode of Active Directory without the infrastructure features, provides directory services for applications. Operating as a stand-alone data store or interacting with an Active Directory domain controller, ADAM's flexibility lets administrators tailor their directory services infrastructure to varying degrees of local control/autonomy or shared services. ADAM provides a data store and services for accessing it, uses standard application programming interfaces (APIs) for accessing application data, and works with ADFS to provide a user store for extranet application authentication.
• Active Directory Federation Services (ADFS): ADFS provides web-based extranet authentication/authorization, single sign-on (SSO), and federated identity services for Windows Server environments, which increases the value of existing Active Directory deployments in B2C extranet, intra-company (multi-forest) federation, and B2B internet federation scenarios. Extranet authentication and SSO services extend the strong authentication and distributed session capabilities Windows has for internal networks to internet-facing perimeter networks. Identity federation makes it possible for two organizations to share a user's Active Directory identity information securely over federation trusts, facilitating collaboration with partners and delegating user management.

28 Identity and Access Management: Active Directory Federation Services (ADFS)
• Extend the value of Active Directory deployments to facilitate secure web application access for employees, partners and customers
• Web SSO: extranet authentication and single sign-on
• Identity Federation: distributed web SSO across domains
• Promotes IT efficiency, end user productivity, and better security
• Works with existing Active Directory deployments
• Interoperable with 3rd-party security solutions and heterogeneous application platforms
Key Message: ADFS helps customers do more with less by providing seamless access across organization and security boundaries. Our solution to this problem in R2 is Active Directory Federation Services (note that this name is subject to change). Customers have been enjoying the benefits of intranet single sign-on using Active Directory, and ADFS allows them to extend this capability across security and organizational boundaries to partners and suppliers: a combined Web SSO and federation solution that makes it easier to do business with each other. Customers will be able to reduce the cost and effort of implementing Web SSO for internal systems or across security boundaries with multiple partners. With ADFS, user IDs and passwords are managed by the organization that owns them, not by the hosting company. This reduces IT management cost by reducing the number of directories required and the help desk calls for password resets, and it improves security because each organization can enforce strong authentication internally and access to partner sites is automatically cut off once a user's local AD account is disabled. One caveat a deployment should plan for: the cut-off takes effect when the user next needs a token from the account partner; a session already established at the resource partner remains valid until its token or cookie expires, so keep token lifetimes short. Since ADFS is integrated with other Microsoft identity management technologies, it rounds out a complete set of tools for internal and external authentication and authorization management. In particular, ADFS is built to integrate with new technologies like ADAM (use Windows Server for extranet web apps without literally adding the users to the external domain) and Authorization Manager (role-based access control to operation-level app capabilities, with role membership managed by the account partner). Because the technology is based on industry standards (the WS-Federation Passive Requestor Profile, carrying SAML 1.1 tokens), organizations will not have to dictate specific products to partners and suppliers in order to interoperate, which means faster time to market and greatly reduced deployment and development costs. IBM, Netegrity, Oblix, OpenNetwork and Ping Identity have all shown interoperability with this product.
Promotes IT efficiency, end user productivity, and better security:
• IT efficiency: centralized user administration, "native" delegated administration, lower password reset costs
• End-user productivity: SSO to internal and partner web applications, fewer passwords for users to forget
• Security: automated de-provisioning, strong authentication, auditing/logging of access to partner applications
Diagram: AD and IIS at Company A and at Company B.

29 ADFS Scenario: Web SSO
Customers, business partners and employees; user credentials and attributes managed in Active Directory/ADAM at the application
Benefits:
• Single sign-on to a farm of IIS 6 web apps
• Stronger authentication via forms or client-side certificates
• ADAM support: LDAP user store in the perimeter
• Support for "road warrior" applications: Windows Integrated Authentication for internal users, ADFS authentication for external users
Key Idea: ADFS extends Windows' platform-level authentication services to the extranet-located, non-domain web application. When you use Windows Server and IIS for an extranet application, you can use forms authentication and give users an SSO session cookie so they do not have to log on again for any other web application in a trusted domain. This matters because so many web apps are in fact a collection of apps: you do not want users challenged over and over for credentials (think online banking, with separate but collocated checking, credit card and loan applications). An interesting variation is the B2E (business to employee) scenario, where an organization has web applications it would like employees to access both from inside the firewall and when traveling or at home, without requiring VPN access and without a separate, duplicate identity in the extranet (think OWA, but for any web application). ADFS' integration with Windows Integrated Authentication means employees get Kerberos single sign-on from their work desktops, and away from the office authenticate against the same Active Directory account using forms-based authentication, over a one-way forest trust in which the DMZ forest trusts the internal forest (so internal accounts can be used by the perimeter without the internal forest trusting anything in the DMZ).

30 ADFS Scenario: Identity Federation

Cross-organization namespace. The federation manages:
- Trust: keys
- Security: claims required
- Privacy: claims allowed
- Audit: identities, authorities

User credentials and attributes are managed in the "home realm" by the partner organization.

Benefits:
- Single sign-on to internal and partner web applications
- Fewer passwords for users to forget
- Lower password-reset costs
- Centralized administration, delegated to partners
- Automated restriction of partner application access
- Logging of inbound and outbound access requests

Key idea: ADFS also enables the federation scenario, which is fundamentally different in that it separates authentication from the access-control decision and places authentication on the user/account side of the relationship. Instead of a user authenticating to an extranet site by typing her credentials, the user's corporate network and AD environment (the "home realm") automatically generates a SAML (Security Assertion Markup Language) security token for the end user that, when presented to the resource/application, is used to grant access rights. The key to this sort of distributed access control is the federated trust the two partners set up, which includes a key exchange and negotiation of the types of data about users the application will require ("claims"). Through federation, the end user gets SSO to all internal network applications (through standard Windows Integrated Authentication) plus SSO to partner applications.

Federated SSO works with two types of applications:
- Claims-based applications, written specifically to consume ADFS claims through ASP.NET roles or Authorization Manager (a particularly elegant solution in that it gives administrators a simple user interface to define user roles and map them to operations in a web application, abstracting user management from application development and reducing the amount of application rework required).
- "Traditional" Windows-based web applications, which use local Active Directory accounts, like SharePoint: ADFS can automatically map a security token to a local AD account, instantly enabling SSO for these applications, even outside the firewall.
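The exchange described in the Web SSO and Identity Federation slides above, as an added worked example (this is not Microsoft code and not part of the presentation): the account partner authenticates the user locally, keeps only the claims it has agreed to release to this resource partner (privacy), and signs the token; the resource partner checks the signature against the key from the federated trust, the issuer, audience and lifetime, the claims it requires (security), maps group claims to roles and operations in the Authorization Manager style, and logs every decision (audit). ADFS v1 issues SAML 1.1 tokens signed with the account partner's X.509 token-signing certificate; this model substitutes an HMAC over a JSON body with a shared key so that it runs with the Python standard library only. The partner names, directory records, claim types, roles and operations are all made-up illustrative values.

```python
"""Toy model of an ADFS v1-style account partner / resource partner exchange.

Added example, not Microsoft code. Real ADFS v1 tokens are SAML 1.1 and
signed with the account partner's X.509 certificate; here an HMAC over a
JSON body with a key agreed at trust setup stands in for that signature so
the example runs with the standard library only. Every partner, user,
claim type, role and operation below is a made-up illustrative value.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: a shared secret exchanged when the federated trust was created
# (stand-in for the account partner's token-signing certificate).
TRUST_KEY = b"trust-key-exchanged-out-of-band"

# Account partner ("Company A"), the home realm that owns the identities.
ACCOUNT_DIRECTORY = {
    "alice": {"enabled": True, "groups": ["Purchasing", "Finance-Readers"],
              "email": "alice.smith@a.example"},
    "bob": {"enabled": False, "groups": ["Purchasing"],   # disabled in AD
            "email": "bob.jones@a.example"},
}
# Privacy policy: claim types Company A agrees to release per resource partner.
OUTBOUND_ALLOWED = {"Company B": {"upn", "group"}}       # email is withheld

# Resource partner ("Company B"): claims it requires and how it maps them.
INBOUND_REQUIRED = {"upn", "group"}
ROLE_FOR_GROUP = {"Purchasing": "Buyer", "Finance-Readers": "Auditor"}
ROLE_OPERATIONS = {"Buyer": {"create_po", "view_po"}, "Auditor": {"view_po"}}
AUDIT_LOG = []   # (direction, outcome, detail) entries, one per decision


def _sign(body: bytes) -> str:
    """HMAC-SHA256 over the serialized token body, base64 for transport."""
    return base64.b64encode(hmac.new(TRUST_KEY, body, hashlib.sha256).digest()).decode()


def issue_token(user, resource_partner, lifetime_s=600, now=None):
    """Account federation server: authenticate locally, filter claims, sign.

    Returns (body_bytes, signature) or None when no token may be issued.
    """
    now = time.time() if now is None else now
    record = ACCOUNT_DIRECTORY.get(user)
    if record is None or not record["enabled"]:
        # Disabled AD account: no token, hence no partner access (de-provisioning).
        AUDIT_LOG.append(("outbound", "refused", user))
        return None
    claims = [("upn", f"{user}@a.example"), ("email", record["email"])]
    claims += [("group", g) for g in record["groups"]]
    allowed = OUTBOUND_ALLOWED.get(resource_partner, set())
    body = {
        "issuer": "Company A", "audience": resource_partner,
        "nbf": int(now), "exp": int(now) + lifetime_s,
        "claims": [c for c in claims if c[0] in allowed],   # privacy filter
    }
    raw = json.dumps(body, sort_keys=True).encode()
    AUDIT_LOG.append(("outbound", "issued", f"{user}->{resource_partner}"))
    return raw, _sign(raw)


def consume_token(token, now=None):
    """Resource federation server: verify trust, lifetime, required claims; map roles."""
    now = time.time() if now is None else now
    raw, sig = token
    if not hmac.compare_digest(sig, _sign(raw)):
        AUDIT_LOG.append(("inbound", "rejected", "bad signature"))
        return None
    body = json.loads(raw)
    if body["issuer"] != "Company A" or body["audience"] != "Company B":
        AUDIT_LOG.append(("inbound", "rejected", "wrong issuer/audience"))
        return None
    if not body["nbf"] <= now < body["exp"]:
        AUDIT_LOG.append(("inbound", "rejected", "outside token lifetime"))
        return None
    present = {ctype for ctype, _ in body["claims"]}
    if not INBOUND_REQUIRED <= present:
        AUDIT_LOG.append(("inbound", "rejected", f"missing {sorted(INBOUND_REQUIRED - present)}"))
        return None
    upn = next(v for t, v in body["claims"] if t == "upn")
    roles = {ROLE_FOR_GROUP[v] for t, v in body["claims"] if t == "group" and v in ROLE_FOR_GROUP}
    AUDIT_LOG.append(("inbound", "accepted", upn))
    return {"upn": upn, "roles": roles}


def can_perform(session, operation):
    """Authorization Manager-style check: is the operation granted to any held role?"""
    return any(operation in ROLE_OPERATIONS.get(r, ()) for r in session["roles"])


if __name__ == "__main__":
    tok = issue_token("alice", "Company B", now=1000)
    sess = consume_token(tok, now=1000)
    print(sess, can_perform(sess, "create_po"), can_perform(sess, "delete_po"))
    print(issue_token("bob", "Company B", now=1000))    # None: disabled account
    print(consume_token(tok, now=5000))                  # None: expired
    for entry in AUDIT_LOG:
        print(entry)
```

Note what happens to bob: his AD account is disabled, so no token is issued and he loses partner access without anyone at Company B doing anything, which is the automatic de-provisioning the slides promise. It only takes effect at the next token request, though: a token or SSO cookie that was already issued stays valid until it expires, so token and cookie lifetimes are the de-provisioning latency and should be kept short. The privacy filter is the other point worth noticing: alice's e-mail address never leaves Company A because it is not in the set of claims allowed for Company B.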

31 ADFS: Standards-Based Solution

AD users and .NET applications on one side; Java, UNIX and Linux users and applications on the other. Multi-vendor, multi-platform interoperability via Web Services specifications (WS-Federation). Vendors shown: IBM, PingID, BMC, CA, Quest, Centrify and others.

Key idea: Federation sounds like a great concept, but if it only worked between Microsoft environments it would not get very far. For federation to succeed it needs to be standards-based, and that is what WS-Federation is for. Part of the WS-* set of web services specifications designed by Microsoft and other technology companies, WS-Federation enables distinct security solutions to share identity information in a common format. This means, for example, that a company managing users in Active Directory could federate its users with an application provider whose access control runs on Netegrity SiteMinder. A number of leading identity management companies have either been involved in writing the specifications or pledged support for them in their products.

WS-Federation has two major components: the Passive Requestor Profile and the Active Requestor Profile. The passive profile supports federation between browser-based applications over HTTPS and is supported in ADFS v1 in R2. The active profile is a more advanced specification that supports rich client applications speaking SOAP rather than proprietary protocols like RPC, which is the future direction of Windows application development with technologies like Indigo (the codename for Windows Communication Foundation). Active client support will be available in ADFS v2 in the Longhorn timeframe.

32 Identity and Access Management

Key benefits:
- Provide secure web application access to employees, partners and customers, across security boundaries
- Enable single sign-on for employees across internal and partner applications
- Centrally manage identities across Windows and UNIX systems
- Tailor the directory services infrastructure to meet varying needs for decentralization or control

Key enablers:
- ADFS, ADAM, UNIX Identity Management
- Web Services Architecture (WS-*) interoperability specifications

Key message: ADFS helps customers do more with less by providing seamless access across organizational and security boundaries. Our solution to this problem in R2 is Active Directory Federation Services (note that this name is subject to change). Customers have been enjoying the benefits of intranet single sign-on with Active Directory, and ADFS lets them extend this capability across security and organizational boundaries to partners and suppliers: a combined Web SSO and federation solution that makes it easier to do business with each other. Customers will be able to reduce the cost and effort of implementing Web SSO for internal systems or across security boundaries with multiple partners. With ADFS, user IDs and passwords are managed by the organizations that own them, not by the hosting company. This reduces IT management cost by reducing the number of directories required and the help-desk calls for password resets, and it improves security because organizations can enforce strong authentication internally and automatically cut off access to partner sites when a user's local AD account is disabled (tokens and SSO cookies already issued remain valid until they expire, so keep their lifetimes short). Since ADFS is integrated with other Microsoft identity management technologies, it rounds out a complete set of tools for internal and external authentication and authorization management.

Extends the value of the AD infrastructure for extranet scenarios:
- Classic SSO: extranet authentication and single sign-on
- Identity federation: B2B/B2C commerce and collaboration

Promotes IT efficiency, end-user productivity and better security:
- IT efficiency: simplified delegated administration, lower password-reset costs
- End-user productivity: SSO to internal and partner web applications, fewer passwords for users to forget
- Security: stronger authentication via forms and client-side certificates, automatic de-provisioning

Tight integration with Windows Server technologies:
- AD: profile-based access management to external partner applications
- ADAM: extranet application user store
- Authorization Manager: extranet role-based access control (RBAC)
- Windows SharePoint Services: extranet WSS
- WS-* specification support for interoperability with third-party security solutions

33 Branch Office, Storage Management, Virtualization, Identity Management, Web Platform

- Branch Office: Distributed File System; Centralized File and Print Consoles
- Storage Management: File Server Resource Manager; Storage Manager for SANs
- Virtualization: Enterprise Edition licensing change
- Identity Management: Active Directory Federation Services; UNIX Identity Management
- Web Platform: .NET Framework 2.0; Windows SharePoint Services

34 Web Platform: Challenges in Managing Collaboration and Web Infrastructure

Online collaboration:
- Enabling effective collaboration across boundaries
- Managing interactions among employees, partners and suppliers
- Intuitively sharing content, documents and information

Developing web applications:
- Efficiently developing applications that scale with your needs
- Customizing and extending the web platform to fit your needs
- Delivering rich application scenarios and user experiences

Extending applications and infrastructure:
- Enabling online extension of line-of-business applications
- Leveraging and interoperating with legacy investments
- Cost of managing and maintaining web infrastructure

Organizations expect their web infrastructure to provide and support business-impacting applications built in a collaborative online workplace. For many organizations this is not yet a reality. While online collaboration exists to make distributed work groups more efficient, contributors often find it limited by who, what, where and how the system connects. In addition, current web applications may not be compelling to the user or customer, or may not meet or scale with the organization's ever-changing needs. Extending this infrastructure to support line-of-business applications may also be difficult because the infrastructure is too rigid, contains too many legacy components, or costs too much to maintain.

35 Web Platform: Microsoft Web Platform Vision

Extending business infrastructure over the web and controlling development and management costs just got better:
- Accelerate and extend efficient collaboration
- Reduce development and management costs of web services and applications
- Reduce infrastructure costs with a secure, high-performance web server

36 Web Platform: Windows SharePoint Services (WSS)

Accelerated deployment and customization:
- True one-click installation
- Simple customization with 30 new applications

Reach partners and customers:
- Leverage extended extranet scenarios

Take advantage of the latest technology:
- 64-bit support
- Kerberos enabled by default
- SQL Server 2005 support
- Visual Studio 2005 support

(Diagram labels: Partners, Customers, Employees and Resources)

37 Web Platform: ASP.NET 2.0

Reduce development and management costs of web applications.

Faster development and deployment:
- Deliver rich web scenarios to market 40% faster
- 70% reduction in code length
- Deploy pre-compiled

Accelerated configuration and management:
- Replace/extend all built-in features and services
- Unified management with an MMC plug-in

Build DSI-ready applications:
- Built-in data caching and security
- Enhanced logging framework
- 25-40% web service performance gains

Development and deployment: Full extensibility and pre-compilation let you simplify and accelerate deployment of ASP.NET web applications. Pre-compilation simplifies deployment and speeds application servicing and response time. All built-in ASP.NET features and services can be replaced or extended to fit your enterprise infrastructure needs, so ASP.NET services can be customized for any enterprise environment.

Configuration and management: ASP.NET 2.0 includes a management tool that integrates with IIS as an MMC plug-in to create a unified management experience. ASP.NET 2.0 also contains a new configuration API that makes it easier to set configuration settings programmatically through scripts.

Performance and security: ASP.NET 2.0 features an enhanced logging framework (health monitoring and similar) that makes it simpler to instrument applications, a key part of the Dynamic Systems Initiative. On web service performance, the results indicate that .NET 2.0 is roughly 25% faster than .NET 1.1 when the SOAP object size is large and serialization/deserialization is therefore more intensive. The difference is even more dramatic for smaller SOAP messages: the echostruct size-20 test showed .NET 2.0 Beta 2 roughly 40% faster than .NET 1.1. In all cases using the 50-client methodology, .NET outperformed both Sun JWSDP 1.5 and IBM WebSphere 6.0, often by wide margins.

38 Web Platform: IIS 6.0

Reduce infrastructure costs with a secure, high-performance web server.

Reduce downtime and errors:
- Event Tracing for Windows enables faster error diagnosis
- 2x virtual memory for 32-bit applications on x64

Improve security and hardening:
- Simple lockdown with the Security Configuration Wizard

More performance for less money with x64 support:
- 2x as many connections
- Decrease CPU usage by up to 47%

39 Web Platform: Key Benefits and Key Enablers

Key benefits:
- Robust, easy to implement and manage collaboration
- Faster development of powerful, secure web applications
- Secure, reliable, .NET-integrated web platform

Key enablers:
- Windows SharePoint Services, ADFS
- .NET Framework, ASP.NET 2.0, Web Services
- Internet Information Services (IIS) 6.0, x64, SP1

40 Editions and Features

Feature availability by edition (Standard Edition, Enterprise Edition, Datacenter Edition):
- File Server Resource Manager
- Storage Manager for SANs
- Active Directory Federation Services (ADFS)
- ADFS Proxy
- ADFS Web Agents
- Active Directory Application Mode
- Distributed File System – Replication with Remote Differential Compression
- Distributed File System – Cross-File Remote Differential Compression*
- Print Management Console
- Microsoft Management Console 3.0
- Windows SharePoint Services V2 SP2
- .NET Framework 2.0
- Subsystem for UNIX Applications
- UNIX Interop (NIS Server, Password Sync, NFS Admin, etc.)
- x64 Availability
- WS-Management

* Only one of the replication partners is required to be an Enterprise Edition or Datacenter Edition.

41 © 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. All other trademarks are property of their respective owners. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

42 Appendix: UNIX Interoperability

43 UNIX Interoperability

Customer challenges:
- Customers with heterogeneous systems want to use UNIX applications in a Windows environment
- Developers want to take advantage of the robustness of new development environments

Goal:
- Compile and run custom UNIX-based applications on computers running Windows server-class operating systems
- Integrate with the latest developer tools

Features:
- Subsystem for UNIX-based Applications (SUA)
- Built for Visual Studio 2005 and .NET Framework 2.0
- UNIX to Windows application portability (Visual Studio and .NET)

Subsystem for UNIX-based Applications (SUA) is a source-compatibility subsystem for compiling and running custom UNIX-based applications on a computer running a Windows server-class operating system. Administrators can port their applications to SUA with little or no change to the original source code. SUA provides an operating environment for POSIX processes. SUA, together with its package of support utilities (such as shells and a Telnet client) available for download from the Microsoft Beta website, provides a complete UNIX environment. The download package includes a comprehensive set of scripting utilities and a software development kit (SDK) designed to fully support the development capabilities of SUA while providing a complete UNIX-based application development experience. SUA also supports case-sensitive file names, job control, compilation tools, and over 300 UNIX commands, utilities and shell scripts. Because SUA is a native environment subsystem on the Windows kernel, alongside the Win32 subsystem, rather than a library layered on top of Win32, it offers true UNIX functionality without emulation.

New features in this release:
- Database (OCI/ODBC) library connectivity: SUA supports connectivity to Oracle and Microsoft SQL Server from database applications, through the Oracle Call Interface (OCI) and the Open Database Connectivity (ODBC) standard.
- Microsoft Visual Studio Debugger Extension for debugging POSIX applications: SUA includes support for debugging POSIX processes from the Visual Studio IDE.
- Utilities based on the SVR-5 and BSD UNIX environments: the SUA download package supports two different UNIX environments, SVR-5 and BSD.

44 UNIX Interoperability

Customer situation:
- The customer has existing UNIX systems running side by side with Windows systems and needs to share files and data between platforms
- The customer uses Samba for cross-platform file sharing but is unhappy with the solution because of performance, security, one-way authentication and lack of support

Windows Server 2003 R2 provides seamless UNIX/Windows interoperability:
- Authenticating users across platforms
- File sharing across multiple operating systems
- Tested and supported by Microsoft

UNIX/Windows cross-platform management:
- Consolidation of administration and monitoring across platforms
- Pull the NIS schema into Active Directory
- Bidirectional password synchronization and user name mapping

Leverage existing UNIX IT skills:
- Similar look and feel for administrators and developers in both environments
- Customers can download or port the same utilities they use on UNIX/Linux

UNIX to Windows application portability:
- Complete UNIX subsystem on the Windows kernel
- Ability to extend UNIX applications to Windows via Visual Studio and .NET

45 UNIX Interoperability: Cross-Platform Management

Customer situation: the customer wants a single mechanism for managing both UNIX and Windows systems instead of maintaining separate tools and methods for each platform.

Windows Server 2003 R2 provides UNIX/Windows cross-platform management:
- Consolidation of administration and monitoring across platforms
- Remotely monitor and administer Windows-based systems in the same fashion and with the same tools as UNIX-based systems
- Pull the NIS schema into Active Directory
- Bidirectional password synchronization and user name mapping

Password synchronization, two-way between Windows and UNIX, supports:
- HP-UX 11i
- Sun Solaris 8 and 9
- IBM AIX 5L 5.2
- Red Hat Linux 9.0

Mapping Server: map Windows user and group accounts to UNIX.

46 UNIX Interoperability: UNIX Skills Integration

Customer situation: the customer is concerned about the resource investment in training UNIX-based IT staff on the Windows platform.

Windows Server 2003 R2 lets the customer leverage existing UNIX IT skills:
- Similar look and feel for administrators and developers in both environments
- Customers can download or port the same utilities they use on UNIX/Linux: BSD utilities, GNU utilities, SVR-5 utilities

47 UNIX Interoperability: UNIX Application Portability

(Diagram labels: .NET Framework; Windows OS Kernel: File System, Security, Directory; SUA; Win32 Subsystem; Common Services; App: UNIX, Windows, Evolved Hybrid)

Customer situation: the customer cannot move off a "burning platform" because of dependencies on custom-developed legacy code.

Windows Server 2003 R2 provides UNIX to Windows application portability:
- Application usage across environments
- Complete UNIX subsystem on the Windows kernel

Integration methods between UNIX and Windows applications:
- Direct invocation
- Pipes
- Sockets
- Shared memory
- COM
- XML web services

