DFS-R or Branchcache?

ATTENTION!

I’d like to write more about DFS and Branchcache. Which subject within these two fields do you want to read more about? Do you have unanswered questions about either of these two technologies? Please use the comment section below and let me know what you want me to write regarding Branchcache or DFS. Thank you 🙂

Recently I’ve been discussing DFS replication (DFS-R) and Branchcache (BC) as solutions that allow users in regional offices to access their files on a central file server across the WAN link. As always there is no “one size fits all” answer in the IT business, so I’d like to share their different pros and cons with you all.

DFS-R was introduced in Windows Server 2003 R2 and replaced FRS (File Replication Service) both for replicating Active Directory and for creating your own file server replication. DFS-R is implemented on a per-folder basis, and after the initial sync it replicates only the changes within a file, not the entire file, when a user makes a change to it. You can easily customize the replication schedule and bandwidth consumption. Replication in DFS-R uses a multiple-master model, so any server in the replication group can make changes, which are then replicated to all other members of the group. This makes it a very easy way to provide duplication of data, which can be stored on servers either in the same site or in a remote site. Note that DFS-R does not require DFS Namespaces, though they are usually combined.

Branchcache is a feature introduced with Windows 7 and Windows Server 2008 R2 which allows a server or client in a remote site to cache data accessed from a file server. Whenever a file is accessed from a BC-enabled share, the client creates a cache of the file’s data, which is then available to other clients in the same site when they try to access the same file. This way only a minimal amount of data, and the file’s metadata, has to be transferred over the WAN link, and the users can access most of the file over the local network. Branchcache can be set up in hosted cache mode if the regional office has a local server. This makes that server host the cache and make it available to all local clients. For offices without a server, BC can be set up in “Branchcache distributed mode”, which makes all the Windows 7 clients share their caches among themselves.

So what’s the big difference then? The biggest difference is that DFS-R is a replica of the data, while BC is only a cache. Because of this the two solutions act differently pretty much all the time.

Starting with redundancy, DFS-R creates a complete replica of the data, making it available in case one of the servers becomes unavailable, while BC requires the source file server to be available or the users can’t access the files.

DFS-R requires a local server which is Windows Server 2003 R2 or later, while BC can operate in offices without a local server, or with a local server earlier than Windows Server 2008 R2.

BC requires Windows 7 Enterprise or Ultimate on the client and Windows Server 2008 R2 on the server, while DFS-R has no client requirements, since to the client the files are just another SMB share.

File locking is one of the most common challenges with DFS-R. When a user opens a document, the file is automatically locked for editing by other users, but only for users on the same server. The file lock is not replicated, so the file is still available for editing on other servers, which can cause a conflict. The last one who saves wins, and the other changes are stored in a folder which contains replication conflicts. This is of course something the administrators have to resolve for each such conflict. In BC there is only one file, so file locking works as normal and no users can edit a file that’s open.

As for bandwidth consumption, it is really hard to tell, as there are many factors that affect how much replication traffic will occur, but DFS-R provides more options to control and tune the replication. BC will save all changes to a file over the WAN link and pull all file metadata which isn’t in the cache available at the local site. DFS-R will have a complete replica of all the files, and after the initial synchronization when you set up DFS-R, only the changed file blocks will ever cross the WAN again.

Here is a simple review of the differences:

Here a simple review of the differences

Filelock

  • DFS-R: Only within the same server, filelock is not replicated
  • BC: Filelock as usual

File versions

  • DFS-R: If replication conflict, 2 or more versions, must be addressed by admin
  • BC: 1 version

Require server at regional office?

  • DFS-R: Yes
  • BC: Yes, for hosted cache mode. No, for distributed mode

Latency at file changes

  • DFS-R: Minimal (saved at local server, then replicated according to schedule)
  • BC: None

Server requirements

  • DFS-R: Windows 2003 R2 or more recent
  • BC: Windows 2008 R2 Enterprise

Client requirements

  • DFS-R: None
  • BC: Windows 7 Enterprise/Ultimate

Server implementation

  • DFS-R: Server Role, replication groups manually set up.
  • BC: Share property, GPO settings

Client implementation

  • DFS-R: None
  • BC: GPO settings

Available if WAN goes down?

  • DFS-R: Yes
  • BC: No

Data duplication?

  • DFS-R: Yes, each server has a full copy of the data
  • BC: No, files are stored centrally with some data available locally

And if you have several regional offices, remember that you can use both solutions and give DFS-R to some offices and let the rest use Branchcache.

The infrastructure master and how to live with it

Active Directory has 5 FSMO roles which are dedicated to certain tasks in a domain environment that should not be performed by all domain controllers. The Infrastructure Master role has caused a bit of confusion ever since it appeared in Active Directory in Windows 2000, so here’s a quick explanation of it.

The Infrastructure Master is a domain-wide role (which means one in every domain and not one per forest) and is used in a multiple-domain forest to track and check all references to resources, such as user accounts, in the other domains. These references are known as “phantom records” and are used by domain controllers that are not Global Catalogs (GC). I’ve heard statements that the infrastructure master can’t reside on a GC, but that’s not exactly true; the infrastructure master can reside on any domain controller. However, it will not function properly unless it resides on a non-GC DC in a multiple-domain forest.

So:

  • If your forest has only 1 domain: Infrastructure Master is unemployed and you are free to place it anywhere
  • If all DCs in your forest are also GCs: Infrastructure Master is unemployed and you are free to place it anywhere
  • If your forest has at least 2 domains AND not all of your DCs are GCs: Place the infrastructure master on a non-GC DC.

Also note that when upgrading your domain to 2008 R2, you must (as part of the preparation) run the adprep /domainprep command on the server hosting the infrastructure master role.
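
The three placement rules above, written as a check you can run before moving the role. This is an added example, not code from the original post; the function name, its parameters and the sample forest are constructed, and the commented live lines assume the ActiveDirectory PowerShell module is available.

```powershell
# Added example: function name, parameters and sample data are constructed.
function Test-InfrastructureMasterPlacement {
    param(
        [int]$ForestDomainCount,         # number of domains in the forest
        [object[]]$DomainControllers,    # every DC in the forest: HostName, Domain, IsGlobalCatalog
        [string]$InfrastructureMaster    # host name of the role holder in the domain being checked
    )
    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster } | Select-Object -First 1
    if (-not $holder) { return 'Unknown: role holder is not in the DC list' }

    # Rule 1: only one domain, so there are no cross-domain references to track.
    if ($ForestDomainCount -lt 2) { return 'OK: single-domain forest, place the role anywhere' }

    # Rule 2: every DC is a GC, so no DC relies on phantom records.
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })
    if ($nonGc.Count -eq 0) { return 'OK: all DCs are GCs, place the role anywhere' }

    # Rule 3: at least 2 domains and not all DCs are GCs.
    if (-not $holder.IsGlobalCatalog) { return 'OK: role holder is a non-GC DC' }
    $candidate = $nonGc | Where-Object { $_.Domain -eq $holder.Domain } | Select-Object -First 1
    if ($candidate) { return "Move: role is on a GC; $($candidate.HostName) is a non-GC DC in the same domain" }
    return "Review: role is on a GC and $($holder.Domain) has no non-GC DC to host it"
}

# Constructed forest: two domains, one DC is not a GC.
$dcs = @(
    [pscustomobject]@{ HostName = 'dc1.corp.example';      Domain = 'corp.example';      IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'dc2.corp.example';      Domain = 'corp.example';      IsGlobalCatalog = $false }
    [pscustomobject]@{ HostName = 'dc1.emea.corp.example'; Domain = 'emea.corp.example'; IsGlobalCatalog = $true  }
)
Test-InfrastructureMasterPlacement -ForestDomainCount 2 -DomainControllers $dcs -InfrastructureMaster 'dc1.corp.example'

# Against a live forest (ActiveDirectory module), run once per domain:
# $forest = Get-ADForest
# $dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
# Test-InfrastructureMasterPlacement -ForestDomainCount $forest.Domains.Count `
#     -DomainControllers $dcs -InfrastructureMaster (Get-ADDomain).InfrastructureMaster
```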

Server Core vs Minimal interface vs Full interface

DISCLAIMER: This article contains some information from Windows 8. Windows 8 is currently in beta and there’s no guarantee that the final product will behave the same or contain the same features. Nothing in Windows 8 is final and everything is subject to change.

One of my favourite features in Windows 2008 was the Server Core option, where you installed the server without any GUI and only had a command prompt, notepad and registry editor to set up and manage your server with. This part sounds a lot worse than it really is because you usually just set up your server once with basic configuration and then administer it remotely.

Advantage: Besides slightly lower hardware consumption, the big gain is that the server is automatically immune to several exploits, as a large portion of the code for a regular Windows Server is not installed at all. Internet Explorer is the prime example here: Server Core cannot be affected by IE vulnerabilities since IE does not exist on it at all. Less code = smaller attack surface = fewer applicable patches = fewer reboots.

Disadvantage: Server Core is limited in which roles/features it can host, and managing/troubleshooting it can be a bit trickier. It got a lot better in 2008 R2 as Server Core got more features like PowerShell and the “sconfig” command and could host more roles and features. But it was still a bit scary and slightly risky from a management point of view. Also, 3rd party software could be challenging or impossible to install and run on Server Core.

In Windows Server 8 (or Windows Server 2012 as the name will be at launch) Microsoft have made huge changes to the Server Core:

  • 3 configuration options: Server Core,  Minimal Interface and Full interface
  • Minimal interface is basically Server Core with local management tools and mmc consoles and can run more roles.
  • You can switch between the 3 configurations at will, though it requires a reboot each time
  • “Server Core” can run quite a few server roles and “Minimal interface” configuration can run almost all roles and features. (I have not tried every single one yet, and RDSH is an exception)

Changing between the GUI configurations

Full Interface -> Minimal Interface / Server Core
The easiest transition is from the “Full Interface” and  “Minimal Interface” configurations. If you have the “Full Interface” on your server you just have to launch Server Manager and choose “Remove Roles and Features” from the Manage-menu. Navigate to “features” and scroll down to and expand “User Interfaces and Infrastructure”. In a “Full Interface” configuration both “Server Graphical Shell” and “Graphical Management Tools…..” are installed. Removing “Server Graphical Shell” will put your server into “Minimal interface” and if you also remove “Graphical Management Tools…” your server goes into Server Core.

Taken from a “Minimal interface” configuration. Installing the highlighted feature puts the server into “Full interface” configuration

Minimal interface -> Server Core
Launch Server Manager and follow the same instructions as for “Full Interface”. Remove “Graphical Management Tools…” to put the server in “Server Core” configuration.

Minimal interface -> Full interface
Launch Server Manager and add the feature “Server Graphical Shell” to put the server in “Full interface” configuration. (Screenshot above)

Server Core -> Minimal interface

  • If you have another Windows 8 Server or client I strongly recommend you use Server Manager remotely from that server or client to install the features “Graphical Management Tools…” for “Minimal interface” and “Server Graphical Shell” for “Full interface”.
  • If you don’t have any way to manage the server remotely with the Windows 8 Server Manager, then you have the “sconfig” command that brings up a text based menu for server configuration. From there you can easily restore the GUI which puts the server into “Full Interface” configuration. (Screenshot)

The “sconfig” menu with the option to restore the graphical interface

  • Last option is to use dism or powershell to install either the GUI or just the graphical management tools. It will use Windows Update as source but I’ve had a few problems with it (a bug or perhaps user error? ;)) so if you’re asked for the source you need to mount a .wim-image from the installation media first.
  1. Create a folder to mount the .wim-image to. In this example c:\mount
  2. You need to locate the index number in the .wim file for an image with GUI installation (like “SERVERDATACENTER”). Use the command dism /Get-WimInfo /WimFile:d:\sources\install.wim (d:\ is the installation DVD, adjust accordingly). Note the index number from the output for the server version that does not end with “core”. Screenshot further down
  3. Mount that image with the following command: Dism /mount-wim /WimFile:d:\sources\install.wim /Index:<#_from_step_2> /MountDir:c:\mount /readonly (d:\ is the installation DVD, adjust accordingly). Screenshot further down
  4. Start PowerShell and run Install-WindowsFeature Server-Gui-Mgmt-Infra -Restart -Source c:\mount\windows\winsxs to get to “Minimal interface” configuration, or run Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart -Source c:\mount\windows\winsxs to get to “Full interface” configuration.
  5. Instead of PowerShell you can use dism. Follow steps 1-3 and then run dism /online /Enable-Feature /Featurename:ServerCore-FullServer /FeatureName:Server-gui-mgmt /source:c:\mount\windows\winsxs to get to “Minimal interface” configuration, or run dism /online /Enable-Feature /Featurename:ServerCore-FullServer /FeatureName:Server-gui-mgmt /FeatureName:Server-GUI-Shell /source:c:\mount\windows\winsxs to get to “Full interface” configuration.

The index of a .wim-file. We want the images without “core” at the end.

Mounting the correct image in the .wim-file before running the installation
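
Steps 1-4 above as one script, using the DISM PowerShell cmdlets instead of dism.exe. This is an added example, not the author's own script; the parameter names and the default edition pattern are assumptions, and it installs without -Restart so the mounted image can be released before the reboot.

```powershell
# Added example (not from the original post). Parameter names and defaults
# are assumptions; adjust $WimFile to your installation media. Run elevated.
param(
    [string]$WimFile        = 'D:\sources\install.wim',
    [string]$MountDir       = 'C:\mount',
    [string]$EditionPattern = 'SERVERDATACENTER$',   # "$" anchor excludes the "...CORE" images
    [ValidateSet('Minimal', 'Full')]
    [string]$Target         = 'Minimal'
)

# Features per target configuration, as described in step 4.
$features = @('Server-Gui-Mgmt-Infra')
if ($Target -eq 'Full') { $features += 'Server-Gui-Shell' }

# Step 1: create the mount folder if it is missing.
if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

# Step 2: find the index of the GUI image (name must not end in "CORE").
$image = Get-WindowsImage -ImagePath $WimFile |
    Where-Object { $_.ImageName -match $EditionPattern } |
    Select-Object -First 1
if (-not $image) { throw "No image matching '$EditionPattern' found in $WimFile" }

# Step 3: mount read-only so the media image cannot be modified.
Mount-WindowsImage -ImagePath $WimFile -Index $image.ImageIndex -Path $MountDir -ReadOnly | Out-Null
try {
    # Step 4: install from the mounted component store. No -Restart here,
    # otherwise the reboot would leave the image mounted.
    $result = Install-WindowsFeature -Name $features -Source "$MountDir\windows\winsxs"
}
finally {
    # Always release the mount, even if the install failed.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}

if ($result.Success -and $result.RestartNeeded -ne 'No') { Restart-Computer }
```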

Wrapping up, the Server Core is in my opinion one of the most underestimated security features of the Windows Server family, and this time the improvements from 2008 R2 to Windows 8 are huge. I can think of only 3rd party software as a valid reason to run servers in Full interface configuration instead of Minimal interface configuration.

I love the new Server Manager, part 2

DISCLAIMER:
This article contains some information from Windows 8. Windows 8 is currently in beta and there’s no guarantee that the final product will behave the same or contain the same features. Nothing in Windows 8 is final and everything is subject to change.

Ok, going on from part 1 where I introduced the new server manager in Windows 8 server beta. The best part is coming right up, and that’s the approach Microsoft have put into centralized management of several servers, also those that are not in your AD.

Notice the “All Servers” link on the left side? By right-clicking there or in the “manage” menu on the top-right, you can add other Windows 8 Servers to manage. These can be in the same or another Active Directory, or they can be standalone servers. When the new servers are added, several cool things happen. The servers are added to “all servers” as a list where you can see basic information such as IP, events, services, BPA results and even a simple performance monitor for each server. Additionally, the server manager automatically creates a group for each server role and groups the servers by their installed roles. The servers are moved in and out of these groups on the fly when you add or remove roles. In the screenshot below you can see that I have servers that are AD, DNS, DHCP etc., and when you navigate into each group you see only the servers, services and events that are relevant to that group. A real-life example would be that you’ll automatically have all your Win8 Domain Controllers grouped, and if you navigate into this group you will only see the domain controller-relevant services and events, so you don’t have to filter out those services and events yourself. That is really awesome when you have to troubleshoot or just do a quick health inspection.

“All Servers” and the automatically added server groups

Another magic part of the new server manager is when you right-click a server you’ve added. Here you find everything you need for remote management: all role-specific tools, depending on which roles the server has installed. You can also remotely reboot, add roles and features, start up PowerShell or an RDP session. You can even configure NIC teaming from here. As I just wrote, everything you need for remote management.

Right-click shows you the magic of Server Manager

By default Windows 8 Server is installed as a Server Core and I think it is a really good move. Now that Server Manager gives you basically everything you need for remote management you can have your servers in either “Core” or “minimal interface” configuration and manage it all from your workstation. Server Manager and PowerShell will probably suit all your needs, and should you absolutely need a GUI you can always add it and then remove it after you’re done with it.

Next time I’ll show and explain Server Core, minimal interface and full interface versions of Windows Server 8.