Microsoft IT Gains Since Implementing Windows Server 2003

Published: June 27, 2004

This article highlights the IT business value gained when Microsoft implemented the Windows Server 2003 operating system. The following stories provide a high-level look at the successes experienced at Microsoft during the rollout and ongoing operations of Windows Server 2003 and are limited to information about the base operating system product.


IT Business Benefits

By upgrading from Windows 2000 Server to Windows Server 2003, we at Microsoft experienced first-hand the security, reliability, manageability, and performance improvements offered by this operating system.

Based on interviews with IT groups across Microsoft, the following benefits have been recorded since Windows Server 2003 was deployed:

Area / Benefits

Server Consolidation

25-percent server consolidation was achieved by April 2004, and 29-percent consolidation is anticipated by July 2004.

1,500 print queues and 9.5 million pages per month are now served by only four print servers.

Availability

An operating-system availability study showed 99.9996 percent uptime for Windows Server 2003 over a three-week period, compared with 99.986 percent for Windows 2000 on a comparable set of servers.

Microsoft Exchange maintained 99.99 percent availability over seven weeks.

Security

Internet Protocol security (IPSec) deployed in secure request mode has mitigated risk by segmenting Microsoft IT-managed computers from unmanaged computers at the network level: managed computers authenticate each other before exchanging application traffic, and connections to the most trusted assets must be IPSec-protected.

Remote Access

A 90-percent decrease in Remote Access Service (RAS) server restarts has been noted.

8,300 concurrent RAS connections were made on one day.

16,111 unique remote procedure call (RPC) over Hypertext Transfer Protocol (HTTP) users were recorded in one week in April 2004.

Windows Rights Management Services (RMS)

Since March 2003, 80,000 unique RMS users have been recorded and 1.8 million licenses issued.

Active Directory

The global catalog database shrank from 14 GB to 9 GB, a reduction of more than 5 gigabytes (GB), or roughly 35 percent of the original size.

The rest of this article provides more details about the successes experienced across Microsoft as a result of deploying Windows Server 2003.


Windows Server 2003 Technology Stories

What follows are Microsoft IT success stories recorded since Windows Server 2003 was deployed. The information is based on interviews with IT groups from across Microsoft.

Availability and Consolidation

In March 2003, the results of a detailed internal availability test were published. The test compared Windows 2000 with Windows Server 2003 in the Microsoft environment. This three-week test resulted in an operating system availability of 99.9996 percent for Windows Server 2003, compared to 99.986 percent reported for Windows 2000 on a comparable set of servers.

In the past, the Microsoft IT organization built an infrastructure to handle and accommodate instability in the production environment. The greater stability and performance in Windows Server 2003 has allowed for greater streamlining and consolidation. As of April 2004, Microsoft IT consolidated roughly 25 percent of its infrastructure, with a July 2004 goal of a 29-percent consolidation.

Print

While running Microsoft Windows NT Server 4.0, the Microsoft Redmond campus had 120 servers supporting its printing needs. With Windows 2000, the team was able to reduce that number to 26 servers. And with Windows Server 2003, currently only four servers are in production. More than 1,500 print queues are supported by these four servers, of which two handle 620 public print queues with an average of 9.5 million pages printed per month.

IPSec

The security of Microsoft's global enterprise network is under continual threat, and untrusted devices present a significant risk of both unauthorized access and virus propagation. As of April 29, 2004, network segmentation using IPSec had been deployed to all corporate domains in secure request mode, requiring that connections to the most trusted assets be authenticated at the network layer. Request mode is deliberately permissive: a computer in request mode still falls back to clear text with a peer that never negotiates IPSec, so the segmentation boundary is only as strong as the policies on the assets that require IPSec rather than merely request it.
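As an added illustration of the two policy modes described above (this is an editor's example, not Microsoft IT's actual policy), the following commands build a minimal domain-isolation policy with the Windows Server 2003 IPSec command-line tool, netsh ipsec static, and assign it locally. The policy, filter-list and filter-action names are assumptions; in a real deployment the policy is delivered through Group Policy rather than assigned host by host.

```powershell
# Added example (not from the original article): a domain-isolation IPsec policy
# in "secure request" mode, built with netsh ipsec static on Windows Server 2003.
# Policy, filter-list and filter-action names are illustrative assumptions.
$policy = 'DomainIsolation-Request'
$list   = 'AllUnicastTraffic'
$action = 'RequestSecurity'

# 1. Policy container; pollinginterval is how often (minutes) the host re-reads policy.
netsh ipsec static add policy name="$policy" description="Request IPsec from every peer" pollinginterval=60

# 2. One mirrored filter covering all IP traffic to and from this host.
netsh ipsec static add filterlist name="$list"
netsh ipsec static add filter filterlist="$list" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

# 3. The filter action is what makes this "request" rather than "require" mode:
#      inpass=yes  accept an unsecured inbound packet, but reply with IPsec
#      soft=yes    fall back to clear text with peers that never negotiate
#    ESP with SHA1 integrity and no encryption: the goal is peer authentication, not secrecy.
netsh ipsec static add filteraction name="$action" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]"

# 4. Tie filter list and action together; kerberos=yes means only domain members can negotiate.
netsh ipsec static add rule name="RequestFromAllPeers" policy="$policy" filterlist="$list" filteraction="$action" kerberos=yes

# 5. Assign the policy on this host.
netsh ipsec static set policy name="$policy" assign=yes

# For the most trusted assets, an action with both fallbacks closed turns
# "request" into "require": an unmanaged host then cannot reach them at all.
# netsh ipsec static add filteraction name="RequireSecurity" action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"

# Verification: which policy is active, and whether peers actually negotiated SAs.
netsh ipsec static show policy name="$policy" level=verbose
netsh ipsec dynamic show qmsas
```

The difference between the two filter actions is the whole design: with inpass=yes and soft=yes a managed computer gains mutual authentication wherever the peer supports it but never loses connectivity, which is what makes a forest-wide rollout safe; the require action is reserved for the assets whose exposure to unmanaged hosts is unacceptable.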

Domain Controllers

Single Instance Store (SIS), Install From Media (IFM), and domain controller rename are just three of the new features in Windows Server 2003 that dramatically improved the ability of Microsoft IT to manage the environment by reducing complexity and increasing operational efficiency:

SIS, an improved method for storing security descriptors, reduced the size of the global catalog database from 14 GB to 9 GB. This decrease reduced the time required for managing disk space through offline defragmentation in addition to allowing for on-disk backups for every domain controller.

Using the on-disk backups, domain controller promotions through the IFM feature reduced the time required to rebuild a remote server from four days (due to slow links and replication) to less than four hours.

In Windows 2000, renaming a domain controller required demoting and repromoting a server. Over time, naming standards changed, and server replacements resulted in inconsistent naming, which led to operational errors. By using the domain controller rename feature, which requires only a single restart, operations teams renamed nearly every domain controller in the forest to current standards, reducing errors and bringing consistency to service reporting.
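The rename procedure described above, as an added example that is not part of the original article: the Windows Server 2003 netdom tool performs the rename in place, with one restart, where Windows 2000 required demotion and re-promotion. The host names are assumptions, and the domain must already be at the Windows Server 2003 domain functional level.

```powershell
# Added example (not from the original article): renaming a Windows Server 2003
# domain controller in place with netdom. Host names are illustrative assumptions.
# Prerequisite: the domain is at the Windows Server 2003 domain functional level.
$old = 'DC-OLD.corp.example.com'
$new = 'DC-RMD-01.corp.example.com'

# 1. Register the new name as an alternate computer name. This adds the new
#    DNS host records and service principal names alongside the old ones.
netdom computername $old /add:$new

# 2. Confirm both names are listed, then let the change replicate to every DC
#    in the forest before promoting it: a client that finds the new SPN on one
#    DC but not on another fails Kerberos authentication in the meantime.
netdom computername $old /enumerate
repadmin /syncall $old /A /e /P      # push the change to all partners (/A all partitions, /e cross-site)
repadmin /showrepl $old               # every partner should report a successful last sync

# 3. Promote the new name. This is the only step that needs a restart.
netdom computername $old /makeprimary:$new
shutdown /r /t 0

# --- after the restart, on the renamed server ---
# 4. Drop the old name once nothing resolves or authenticates to it any more.
netdom computername $new /remove:$old

# 5. Check that the domain controller locator finds the DC under its new name.
nltest /dsgetdc:corp.example.com /force
```

Step 2 is the check that matters operationally: the rename itself is quick, but the SPNs and DNS records for the new name must reach every domain controller before the name becomes primary, or clients will intermittently fail to authenticate against the renamed server.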

Active Directory Manageability

Active Directory improvements in Windows Server 2003 provided scalability that made password expiration, to take one example, much more transparent to the Microsoft Identity Management (IdM) team, operations teams, the Help Desk, and users. With Windows 2000, password expiration required the full IdM staff; the efficiencies gained with Windows Server 2003 reduced the staffing needed to complete the process.

For more information about Active Directory, see the Active Directory page.

Windows and Service Pack Deployment

By migrating to Windows Server 2003, Microsoft IT was better able to deploy Windows upgrades and Microsoft IT service packs (IPAKs), the standardized baseline platforms, by using Terminal Services. The number of failed installations caused by Terminal Services timeouts decreased by almost 50 percent after Windows Server 2003 was installed across the infrastructure. The ability to connect directly to the server console session (the /console option of the Remote Desktop Connection client) added both functionality and ease to Windows and IPAK deployments, and to everyday troubleshooting.

In addition, Windows Server 2003, combined with Remote Management Boards (RMB), enabled Microsoft IT to manage all further deployments and patching from Redmond. This centralization made the change control process much tighter; it allowed Microsoft IT to react more quickly to emergency patching and deployment situations and to reduce headcount in the field.

Internet Security and Acceleration Server

The conversion to Windows Server 2003 enabled the Microsoft Internet Security and Acceleration (ISA) Server owners to spend less time managing the patching and operating system level of the servers and more time fine-tuning ISA Server. With Microsoft ISA Server 2004 and Windows Server 2003, Microsoft IT saw a significant improvement in the stability of the servers. This combination has also enabled Microsoft IT to undertake an ambitious project to reduce the number of computers running ISA Server worldwide by 30 percent.

For more information about the features and benefits of ISA Server, see the ISA Server home page.

Remote Access Service

The improved stability and availability of Windows Server 2003 translates directly into greatly improved service stability for remote access users. This stability has decreased the need for RAS system reboots by 90 percent—and increased availability as detailed in the following example.

In January 2004, severe weather prompted many employees to work remotely, creating an unplanned test of the stability, robustness, and flexibility of the deployed remote access solution, and in particular the virtual private network (VPN) servers. On that day, the solution supported more than 8,300 concurrent remote users with no performance issues. Twenty-five to thirty percent of the total Microsoft Puget Sound community was connected remotely, including critical teams such as the Microsoft IT 24-hour operations teams, software developer groups, finance and human resources organizations, managers, and executives, while the service performed at 98 percent of total designed capacity.

On many VPN servers, the user capacity significantly exceeded 500 ports used—with little impact on performance. In the past when using Windows 2000, demand that neared 400 ports would have very negatively impacted the service.

Security

The default security configuration in Windows Server 2003, specifically of Internet Information Services (IIS), addresses previous security issues and risks and provides a more secure platform for integrating applications such as Microsoft Systems Management Server (SMS) 2003. SMS 2003 relies on IIS and its related components and protocols, such as HTTP. With Windows 2000, the development and security teams had to build a security template to tighten the settings of these IIS components, and then ensure that the changes would not negatively affect the transactions of the SMS application. With Windows Server 2003, these configuration changes are the default settings and require no additional configuration after the components are installed. As a result, total cost of ownership (TCO) decreased, and, more importantly, the risk that a post-installation hardening step would be skipped or executed inconsistently on some servers was removed.

By default, Windows Server 2003 (through Internet Explorer Enhanced Security Configuration) treats every Web site except a short built-in list, such as Windows Update, as being in the Internet zone at the High security level. Trusted and Intranet sites can be added during unattended setup, or afterward programmatically with scripts or through Group Policy. This safety feature helps prevent administrators from inadvertently running unsafe or hostile scripts, executables, applets, and Web controls that could harm or compromise a server.

Another important security upgrade in Windows Server 2003 is the ability to run local services with the least privileges necessary: the Local Service and Network Service accounts let a service run without the full privileges of the LocalSystem account, and many built-in services run under these reduced-privilege accounts by default.

Exchange Server and Clustering

With the new capabilities of Windows Server 2003 clustering, the IT messaging team was able to consolidate many servers throughout the Microsoft organization. Along with the new features in Microsoft Exchange and Microsoft Outlook 2003, Windows Server 2003 clustering enabled the team to reduce the number of servers dramatically while increasing availability.

Windows Server 2003 clustering also enabled the team to effectively use enterprise storage solutions and take full advantage of the hardware. Windows clustering enabled worldwide deployments to have between three and seven nodes in a cluster, considerably lowering total cost of ownership and enabling a more centralized approach to administration.

During upgrades, security patches, or other downtime, the IT messaging team can effectively move 4,000 mailboxes in a matter of minutes, with little user impact. Before this clustered solution was available, customers experienced from 15 minutes to a few hours of downtime. Windows Server 2003 is also a key factor in obtaining 99.99 percent availability in Exchange for seven weeks.

RPC over HTTP

The RPC over HTTP protocol is a new feature in Windows Server 2003. Outlook 2003 uses it to give users an easy and security-enhanced way to access e-mail remotely: the Outlook remote procedure calls are tunneled inside HTTP (normally HTTPS) through an RPC proxy component hosted in IIS, so the only port that must be exposed to the Internet is the Web port. RPC over HTTP enables users to enjoy the full Outlook experience at home or when traveling with a laptop. All they need is a connection to the Internet and a computer running Microsoft Office 2003, configured for RPC over HTTP. No RAS, smart card, or Outlook Web Access is required.

During the week of April 16, 2004, 16,111 unique users were logged at Microsoft as using RPC over HTTP.

Windows Rights Management Services

Windows Rights Management Services (RMS) is a Microsoft .NET–connected Web service provided by Windows Server 2003. RMS is a free-of-charge, downloadable software component, available at Windows Server 2003 Feature Packs. RMS works with RMS-enabled applications to provide a means for protecting sensitive information, such as e-mail and documents. These rights policies are associated directly with the protected content and remain in place whether the item is forwarded, shared, or even moved to a portable device, such as a CD-ROM, or universal serial bus (USB) drive.

Microsoft IT’s RMS infrastructure includes 13 servers in four separate forests. Since March 2003, more than 80,000 unique users have used this technology and more than 1.8 million licenses have been issued.

For more information about this technology, see the Windows Rights Management Services page.

Enterprise Storage

Windows Server 2003 includes several new storage features which enable more efficient and cost-effective use of storage assets. The new StorPORT driver was designed for enterprise-class storage platforms and has resulted in improved performance and reliability. The new Multipath I/O (MPIO) framework provides a low-cost, multipath option that allows hosts to access heterogeneous storage arrays. The new Volume Shadow Copy Service feature increases application availability through efficient backup and restore operations and data sharing.

DNS

Windows Server 2003 introduced Active Directory application partitions, with built-in support for moving DNS zones into them. By placing zones in domain-wide DNS application partitions, the replication scope of more than 180,000 objects was limited to the domain controllers that are authoritative DNS servers for those zones. Because DNS objects are the most frequently changed items in the directory, limiting the replication scope increased replication efficiency and reduced network requirements.

Forest-wide application partitions allow every DNS server on a domain controller in the forest to be authoritative for a zone. Active Directory replication depends directly on the root domain DNS zone, because all global catalog DNS records are held there (in the _msdcs subdomain of the root zone). By publishing this information to all domain controllers in the forest, Microsoft IT removed the requirement that domain controllers and users contact a domain controller in the root domain. Removing this requirement has improved response time for users and kept name resolution working during network outages.
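The two replication scopes described above, as an added example that is not part of the original article: the dnscmd tool on a Windows Server 2003 domain controller running DNS creates the built-in DomainDnsZones and ForestDnsZones application partitions and moves zones into them. The domain name is an assumption (it is taken to be the forest root), and "." addresses the local server.

```powershell
# Added example (not from the original article): placing DNS zones in the
# built-in Active Directory application partitions with dnscmd on a Windows
# Server 2003 domain controller running DNS. The domain name is an assumption
# and is treated as the forest root domain; "." means the local server.
$domain = 'corp.example.com'

# 1. Create the built-in partitions (harmless if a 2003 DC already created them).
#    DomainDnsZones replicates to DNS servers in this domain only;
#    ForestDnsZones replicates to DNS servers in every domain of the forest.
dnscmd . /CreateBuiltinDirectoryPartitions /Domain
dnscmd . /CreateBuiltinDirectoryPartitions /Forest
dnscmd . /EnumDirectoryPartitions

# 2. Move the domain zone out of the domain partition (the "legacy" location,
#    where Windows 2000 stored it and every DC in the domain replicated it,
#    whether or not it ran DNS) into DomainDnsZones.
dnscmd . /ZoneChangeDirectoryPartition $domain /domain

# 3. The _msdcs zone holds the global catalog and DC locator records the whole
#    forest depends on, so it goes forest-wide: every DC then answers for it
#    locally instead of querying a root-domain DC across the WAN.
dnscmd . /ZoneChangeDirectoryPartition "_msdcs.$domain" /forest

# 4. Confirm the replication scope (directory partition) reported for each zone.
dnscmd . /ZoneInfo $domain
dnscmd . /ZoneInfo "_msdcs.$domain"
```

The check in step 4 is worth keeping in a runbook: a zone that is still in the legacy location replicates to every domain controller in the domain, including ones that never answer a DNS query, which is exactly the replication load the article describes removing.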

64-Bit Computing

Microsoft IT has deployed several domain controllers on 64-bit platforms, with Itanium-based operating systems currently in production and x64-based operating systems in test. As a result, Microsoft IT reduced the number of domain controllers in particular environments while maintaining the level of Active Directory performance to support authentication and directory functionality for applications.

Microsoft IT continues to work with the development teams and other business groups to develop Microsoft SQL Server 2005 64-bit platforms and evaluate 64-bit SAP implementations on the Itanium platform. The x64 architecture greatly interests Microsoft customers as a transitional platform from 32-bit to 64-bit computing, because it supports both environments natively and is expected to be priced competitively against today's traditional P4 Xeon systems.

For more information about 64-bit computing, see the Windows Server 2003 64-Bit Versions page.

Hyperthreading

Windows Server 2003 improves support for Intel 32-bit processors in a manner that enables the operating system and applications to see a single hyperthreading-enabled processor as two CPUs. Code that is written to take full advantage of symmetric multiprocessing (SMP) can run up to 30 percent faster with the feature enabled. Because this is a commodity change to the latest IA-32 processors, there is no price premium. By using Windows Server 2003 on current hardware and enabling hyperthreading, this performance gain is achieved for no additional cost.

Memory Management

The addition of the /USERVA switch in Windows Server 2003, used together with /3GB, enables more precise control over the kernel/user split of the 4-GB 32-bit virtual address space. By using this switch, Microsoft IT can tune the operating system more effectively for applications that require, or perform better with, more user address space, while preserving enough kernel resources for critical operating system operations such as system I/O, which was not possible with the fixed split of the /3GB switch alone.

The finer-grained setting /USERVA=3030 has been successful on the large Exchange servers at Microsoft. It provides the added user address space needed to enlarge the Jet database cache, which improves the performance of the store process, while leaving more non-paged pool (NPP) memory and system page table entries (PTEs) than the plain /3GB setting would. That leaves more kernel resources for storage and network I/O, both of which are used heavily on the scaled-up Exchange mailbox servers at Microsoft.
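As an added example that is not part of the original article, the following commands apply the /3GB /USERVA=3030 setting with bootcfg, one of the System32 tools that ship with Windows Server 2003, instead of editing boot.ini by hand, and then read the kernel-side counters the setting trades against. The boot entry ID (1) is an assumption; take it from the /query output.

```powershell
# Added example (not from the original article): applying /3GB /USERVA=3030 with
# bootcfg, a System32 tool in Windows Server 2003, and checking the kernel-side
# budget it leaves. The boot entry ID (1) is an assumption; read it from /query.

bootcfg /query                              # lists entries with their "Boot entry ID"
bootcfg /raw "/3GB /USERVA=3030" /A /ID 1   # /A appends; /raw without /A replaces the existing options
bootcfg /query                              # confirm "OS Load Options" now includes both switches
# A restart is required for the new address-space split to take effect.

# After the restart: the resources that /USERVA buys back from user space.
# With /USERVA=3030 the kernel keeps 4096 - 3030 = 1066 MB instead of the
# 1024 MB left by /3GB alone; the extra 42 MB goes to system PTEs and pools.
Get-WmiObject Win32_PerfFormattedData_PerfOS_Memory |
    Select-Object FreeSystemPageTableEntries, PoolNonpagedBytes, PoolPagedBytes
```

Record the three counters before and after the change: a server that runs short of free system PTEs or non-paged pool under I/O load is the failure mode the article's 3030 value was chosen to avoid, and the counters are the only direct evidence of how much headroom a given value leaves.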

.NET Framework

Microsoft IT’s IPAK has been rewritten for .NET to use the capabilities mentioned previously. For the future, Microsoft IT is also evaluating generic code that provides functions that behave differently depending on the context in which they are used. Such code also provides integration with the System Definition Model framework, which allows applications and the environment to interact. Self-describing applications and infrastructures communicate their own requirements, constraints, and relationships.

Microsoft IT will be able to model changes, potentially understand their impact before implementation, and then in just one action make all downstream adjustments automatically.

For more information about the System Definition Model, see the DSI Web site.

System32 Tools

A standardized and fully-supported set of utilities are now available as part of the default operating system installation. In the past, such utilities were available only through feature pack releases, such as optional toolkits, companion CDs, resource kits, or as Web downloads.

In Windows Server 2003 IPAKs, Microsoft IT no longer manages as many internally created tools. These became an administrative burden during beta program cycles, when teams were required to update many tools for each build. The standardized System32 tool set also helps eliminate the earlier problem of differing tool versions with inconsistent features, and of executables that could be deleted or changed inadvertently by an administrator.

Windows Management Instrumentation Capabilities

Windows Management Instrumentation (WMI) in Windows Server 2003 is more powerful than previous versions, exposing more of the operating system and its services for information collection and management of system configuration.

Microsoft IT now uses WMI scripting and application programming interfaces (APIs) as the preferred way to gather information and manage systems, rather than using external tools and executables. Tracing within the operating system and applications also provides a better view into what is happening at a lower level and the ability to track functionality through multiple processes or applications. As a result, Microsoft IT can better troubleshoot issues and examine performance.
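As an added example that is not part of the original article, the following script uses the WMI Win32_Service class, in the way the paragraph above describes, to audit the least-privilege point made in the Security section: which services still run as the fully privileged LocalSystem account, and which already use the reduced-privilege Local Service and Network Service accounts. The service name in the remediation step (ContosoAgent) is a hypothetical placeholder.

```powershell
# Added example (not from the original article): a WMI audit of service logon
# accounts on Windows Server 2003. "ContosoAgent" in the remediation step is a
# hypothetical placeholder for a third-party service, not a real service name.

function Get-ServiceAccountReport {
    param([string]$ComputerName = '.')
    # Win32_Service exposes the logon account (StartName), start mode and
    # binary path of every installed service, locally or on a remote computer.
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartMode -ne 'Disabled' } |
        Select-Object Name, StartMode, State, StartName, PathName |
        Sort-Object StartName, Name
}

$report = Get-ServiceAccountReport

# How much of the service population still runs as LocalSystem?
$report | Group-Object StartName | Select-Object Count, Name | Format-Table -AutoSize

# Auto-start services running as LocalSystem from outside %SystemRoot% are the
# first candidates for review: third-party agents rarely need SYSTEM.
$report |
    Where-Object { $_.StartName -eq 'LocalSystem' -and
                   $_.StartMode -eq 'Auto' -and
                   $_.PathName -notlike "$env:SystemRoot\*" } |
    Format-Table Name, StartName, PathName -AutoSize

# Remediation for a service that only needs local read access and a network
# identity: move it to Network Service. sc.exe requires the space after "obj=",
# and the ".exe" matters because plain "sc" is a PowerShell alias for Set-Content.
# sc.exe config ContosoAgent obj= "NT AUTHORITY\NetworkService"
```

Running the report against several servers with the -ComputerName parameter turns it into the kind of fleet-wide check the article credits WMI with making practical: the same query, no agent or external tool on the target, and a result set that can be compared build to build.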

Windows Server 2003 Service Pack 1 Additions

Scheduled for release in the latter half of 2004, Windows Server 2003 Service Pack 1 (SP1) will contain improvements designed to help improve server security, including the following features:

Windows Firewall is a host-based firewall that can restrict incoming access on a port basis or a protocol basis. A server can be configured to allow incoming communication only to services that the server is designed to provide, reducing the attack surface of the server.

Enhanced RPC security allows only authenticated remote RPC calls, which helps block the propagation of worms that today spread primarily by way of unauthenticated RPC calls.

Security Server Roles (SSR) allows for role-based configuration of a system to enable only the necessary services and functions, further reducing the potential attack surface of the server.
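As an added example that is not part of the original article, the following commands show the first two SP1 controls above as a practitioner would apply them on a single server: the Windows Firewall netsh context restricts inbound traffic to the one service this server provides, and the RPC RestrictRemoteClients policy value rejects unauthenticated remote RPC. The port (443, for an RPC over HTTP proxy) and the administrative subnet are assumptions.

```powershell
# Added example (not from the original article): host-firewall and RPC
# hardening on a Windows Server 2003 SP1 server. The opened port (443 for an
# RPC over HTTP proxy) and the admin subnet 10.10.0.0/16 are assumptions.

# 1. Firewall on for every profile; only listed exceptions are reachable.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# 2. Built-in exception groups stay closed unless the server's role needs them.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

# 3. Open only what this server is designed to provide, and scope admin access
#    to the management subnet instead of the whole Internet.
netsh firewall add portopening protocol=TCP port=443 name="HTTPS (RPC over HTTP proxy)" mode=ENABLE scope=ALL profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=10.10.0.0/16 profile=ALL

# 4. Log dropped packets: the first signal that a worm is probing the host.
netsh firewall set logging droppedpackets=ENABLE maxfilesize=4096

# 5. RPC: refuse anonymous remote RPC calls (1 = authenticated clients only) and
#    require authentication for endpoint-mapper resolution as well.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v EnableAuthEpResolution /t REG_DWORD /d 1 /f

# Verification: the effective firewall configuration and open ports.
netsh firewall show config
netsh firewall show state
```

The order matters in practice: step 5 and the firewall exceptions should be staged on a test server first, because an application that issues anonymous RPC calls, or that listens on a port not in the exception list, stops working the moment the policy applies, and that is precisely the attack-surface reduction the service pack is meant to deliver.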

