Original URL: http://www.theregister.co.uk/2008/02/27/windows_2008_web_server_core_review/

Cut to the Web Server Core: Windows Server 2008

Apache not served

By Tim Anderson

Posted in Operating Systems, 27th February 2008 07:02 GMT

Review Windows Server 2008, due for its official launch today, is a major upgrade for Microsoft's server platform, the first for around five years. Requiring a graphical user interface (GUI) on a server operating system always seemed odd, even back in 1993 when Microsoft released Windows NT 3.1.

It has taken Microsoft until now to begin fixing the problem. Server 2008 comes with an installation option called Server Core, and although it is not quite GUI-free (Notepad and Regedit still run), it is command-line driven and lacks most of the baggage that previously came as standard. The snag with Server Core is that it is incomplete.

For example, you can install Microsoft's web server, Internet Information Services (IIS) 7.0, but you cannot install ASP.NET, PowerShell scripting, or SQL Server. PHP, on the other hand runs fine on Server Core. More about that in a moment.

To be precise, Microsoft has organized the capabilities of Windows Server into optional roles and features. There are 18 roles and 35 features available in our installation of Server 2008 Datacenter Edition. However, Server Core only supports eight roles, being essentially file and print, Active Directory and domain services, web server, and virtualization. There is also no way to upgrade a Server Core install to have full features, so it is only useful if you are sure from the outset what the box will need to do.

Beauty beats brains

Another sign of progress in separating Server 2008 from its desktop cousin Windows Vista is that "Desktop Experience" components like Windows Media Player and Desktop Themes are bundled into an optional feature that presumably few will install. This may be why Server 2008 feels snappier than Vista on the same hardware, even though both share the same core code.

Why can you not start with Server Core and build it up to the complete edition? "That's a beautiful design goal and our long-term ambition," according to Microsoft product manager Gareth Hall.

The problem is that Server 2008 is only partially componentized. It is not yet quite what it should be but Server Core is progress, being more lightweight and manageable. According to Microsoft, Server Core is preferable to a full install in scenarios where it will work, such as for Active Directory or virtualization. IIS has a powerful command-line tool called AppCmd that is ideal for Server Core. There are also numerous options for remote management, including Remote Desktop to the command line, Microsoft Management Console (MMC) snap-ins, Windows Management Instrumentation (WMI) scripts, and Windows Remote Shell.

Unfortunately for developers looking for an application server, Server Core is too limited.

That leads us on to IIS 7.0, a major upgrade. Like the open-source Apache web server, it is modular, so that you can install only those parts that are needed, and individual modules can in principle be replaced with custom versions. In addition, IIS 7.0 is more deeply integrated with .NET. In both IIS 6.0 and IIS 7.0, applications are isolated from one another though application pools, each of which can contain one or more applications.

IIS 7.0 has a new integrated application pool, which means the web server calls both native and managed modules in a single integrated pipeline. This is more efficient, and means that ASP.NET authentication applies to all content types, not just ASP.NET pages.

In previous versions, this was a huge annoyance and potential security hole. Developers had to jump through hoops to accomplish what should be simple tasks like protecting a ZIP file from unauthorized download, or use Windows authentication which is not always practical. The new pipeline means that you can use ASP.NET Forms Authentication for any content, even perhaps a PHP application. The old ISAPI application pool mode remains available for compatibility.

Another major change in IIS is the way it is configured. Most settings have been moved to the per-directory XML file called web.config. This uses inheritance, so for a particular site you can have default settings in a root web.config, and override this as needed in sub-directories. ASP.NET has always worked like this, but previously most other IIS settings could only be changed through IIS administration. This makes it easier to move applications, since they are configured in files that can simply be copied across, and makes life better for developers who only have file access to the web server, such as those using shared hosting. It is fascinating to see how Microsoft has retreated from the registry towards text configuration files, which is the Unix and Apache model.

Failed Request Tracing is another new feature worth mentioning. You can define what constitutes a failed request, by status code, time taken, or event severity, and have IIS log those requests in detail to a failed request log. The big advantage is the detail available. For example, Windows is prone to permission issues that can be hard to pin down.

Unfortunately, some administrators take the easy option and relax security generally instead of solving the specific issue. Failed Request Tracing makes it easier to identify and fix the exact problem.

PHP support is much improved. The key to this is built-in support for FastCGI, which keeps a CGI service loaded between requests with great speed benefits. A complication with PHP on Windows is that differences between Windows multi-threading and Unix multiple processes required either the use of a thread safe build, which is detrimental to compatibility with some extensions, or using a normal build but under CGI, which is slow.

Now you can use the non-thread safe build with FastCGI, which is great for both performance and compatibility. Setting up PHP on our test server was trivial, using manual configuration and the standard binary download from php.net.

IIS 7 v Apache

How does IIS now compare to Apache? Apache is the most popular web server by some margin, with more than 50 per cent market share according to Netcraft. Nevertheless, IIS has actually increased its share during the last couple of years, though meaningful figures are hard to track down because of domain parking and huge shared hosting providers. Security has also improved since IIS 6.0.

For most users, the choice between Apache and IIS makes itself. If you need ASP.NET and Windows integration, or to run SharePoint services, then IIS is the only choice. Otherwise, Apache has had all the advantages of cross-platform support, and great stability and extensibility thanks to its wide adoption and community. This balance will not change fundamentally with IIS 7.0, though some of the reasons for favoring Apache are now less compelling.

Per-directory configuration files in IIS should perform better then .htaccess files in Apache, and the most annoying characteristics of IIS for shared hosting have been resolved. We have not tested performance or scalability, though Microsoft's developer division general manager Scott Guthrie claims substantial gains over IIS 6.0. It has been tested for up to 20,000 sites on a single box, with "acceptable performance for shutdown and startup".

For those who do choose Server 2008, there are a bewildering range of editions, running from Web Server to DataCenter. Note that Server Core is an installation option, not an edition in itself. Significantly, the DataCenter edition comes with unlimited virtual image rights, making it best value for serious virtualization. Note, too, that the new Hyper-V virtualization technology remains in beta, even in the final Server 2008 release.

Other interesting features for developers include new Terminal Services features, including RemoteApp that lets you remote an individual application, rather than a complete desktop, and TS Web Access, which lets users start applications from a web link. In combination with TS Gateway, you can run Terminal Services over HTTPS making this a powerful option for firewall-friendly remote working.

Solid improvements

Whereas Vista has been a PR disaster, it is unlikely that its cousin Server 2008 will meet the same fate. There are solid improvements over the predecessor Server 2003, including IIS 7.0, granular installation, improved terminal services, the Server Core, command-line control, and changes to Active Directory. Hyper-V is nicely done, and although it is nothing special in relation to competing products from VMWare and others, its integration and neat tools will win users when it comes out of beta.

Don't get me wrong - there are frustrations. I banged my head on the desk when I saw that Server 2008 still sets “Hide extensions for known file types” and other such nonsense in IE. In other words, it’s still Windows; but a welcome upgrade nonetheless.®