Beruflich Dokumente
Kultur Dokumente
Abstract
This step-by-step guide provides instructions for setting up a test environment for
creating and deploying Active Directory Rights Management Services (AD RMS) rights
policy templates on the Windows Server® Code Name "Longhorn" operating system.
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary
information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure
agreement between the recipient and Microsoft. This document is provided for
informational purposes only and Microsoft makes no warranties, either express or
implied, in this document. Information in this document, including URL and other Internet
Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the
example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious, and no association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is
the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Active Directory, Microsoft, MS-DOS, Vista, Windows, Windows NT, and Windows Server
are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The computers form a private intranet and are connected through a common hub or
Layer 2 switch. This configuration can be emulated in a virtual server environment if
desired. This step-by-step exercise uses private addresses throughout the test lab
configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain
controller is named CPANDL-DC for the domain named cpandl.com.
The following figure shows the configuration of the test environment:
Note
The AD RMS service account must have Write access to the rights policy
template shared folder in order for the rights policy template export function to
work correctly.
To create a shared folder for the AD RMS rights policy templates and set appropriate
permissions for the AD RMS service account, do the following:
9. Click OK twice.
10. Click the Security tab, and then click Edit.
11. Click Add, in the Enter the object names to select box type
CPANDL\ADRMSSRVC, and then click OK.
12. Click ADRMSSRVC (ADRMSSRVC@cpandl.com), and then, in the
Permissions forADRMSSRVC box, select the Modify check box in the Allow
column, and then click OK.
13. Click Close.
9
7. Click Add.
8. In the Language list, choose the appropriate language for the rights policy
template.
13. Select the View check box to grant the EMPLOYEES@CPANDL.COM group
Read access to any document created by using this AD RMS rights policy
template.
This guide assumes that an AD RMS cluster is already configured in a test environment.
Additionally, extra configuration is required on the AD RMS client workstation so that the
rights policy templates are accessible. To make the AD RMS rights policy templates
accessible, you must copy the AD RMS rights policy templates to the client computer and
create a registry entry that points to the location of the rights policy templates.
4. Create a new folder named ADRMSDocs. Click Organize, click New Folder, and
then type ADRMSDocs for the folder name.
5. Right-click the ADRMSDocs folder, and then click Properties.
In order for the AD RMS client computer to locate the templates, you must add a
registry entry and copy the AD RMS rights policy templates locally. To do this, you must
complete the following steps before rights-protecting a document:
Note
If DRM was not already created as a part of the key, you must create it
manually.
4. Select DRM, click Edit, point to New, click Expandable String Value, and then
type AdminTemplatePath.
5. Double-click the AdminTemplatePath registry value and type
%UserProfile%\AppData\Microsoft\DRM\Templates in the Value data box
where %UserProfile% equals C:\Users\<user name>, and then click OK.
6. Close Registry Editor.
7. Verify that the path C:\Users\nhollida\AppData\Microsoft\DRM\Templates\ is
valid. If it is not, create the appropriate folders.
8. Click Start, type \\ADRMS-SRV\ADRMSTemplates in the Start Search box, and
then press ENTER.
Note
Copying the AD RMS rights policy templates to the client computer is not
required if the rights policy templates do not have to be available offline.
12
Abstract
This step-by-step guide provides instructions for setting up an Active Directory Rights
Management Services (AD RMS) cluster from an extranet in a test environment on
Windows Server® 2008. The extranet will be verified by attempting to open a rights-
protected file from a client computer that is not on the organization's internal network.
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary
information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure
agreement between the recipient and Microsoft. This document is provided for
informational purposes only and Microsoft makes no warranties, either express or
implied, in this document. Information in this document, including URL and other Internet
Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the
example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious, and no association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is
the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft, Active Directory, MS-DOS, Vista, Windows, Windows NT, and Windows Server
are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Once complete, you can use the test AD RMS lab environment to assess how AD RMS
on Windows Server® 2008 can be created and deployed within your organization to
accommodate for extranet users.
Note
ISA Server 2006 Standard Edition is not required for AD RMS. Any reverse proxy
server that has the ability to listen on TCP ports 80 and 443 can be used. For the
purposes of this guide, we will use ISA Server 2006 Standard Edition.
Note
You will also need a USB flash drive or another medium to copy the files from the
AD RMS-enabled client to the AD RMS-enabled extranet client.
ISA-SRV Windows Server 2003 with SP1 Microsoft ISA Server 2006
Standard Edition
Note
This computer must
have two network
adapters so that ISA
Server 2006 can
distinguish between the
public and private IP
addresses.
The first five computers in the table form a private intranet and are connected through a
common hub or Layer 2 switch. Additionally, ISA-SRV has a second network adapter
installed that is exposed to the Internet. This allows for the ISA Server to accept requests
from the Internet and forward them to the AD RMS server. ADRMS-EXCLNT is a
computer that is not part of the same network. This configuration can be emulated in a
virtual server environment if desired.
This step-by-step exercise uses private addresses throughout the test lab configuration.
The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is
named CPANDL-DC for the domain named cpandl.com. ADRMS-EXCLNT is configured
with an IP address of 10.0.100.2/24 in order to simulate a client computer on an extranet.
The following figure shows the configuration of the test environment:
8
Note
In a production environment, the ISA server's external address would be an IP
address available to the Internet, giving extranet users the ability to consume
rights-protected content.
• Configure the extranet cluster URL in the Active Directory Rights Management
Services console.
• Export the server authentication certificate, including the private key, on ADRMS-
SRV. This will be imported into the Personal certificate store on the ISA server (ISA-
SRV).
In order for users who are not connected to your organization's internal network to
consume rights-protected content, you must configure the AD RMS extranet cluster
URLs. These URLs are included in the AD RMS client licensor certificate and published
with all rights-protected content. These URLs should be an address that is available to all
computers on the Internet.
9
Note
You must configure the extranet cluster URLs before you can rights-protect
content. If you already have rights-protected content, the AD RMS-enabled client
must download a new client licensor certificate that includes the extranet cluster
URL.
Configuring the extranet cluster URLs is done through the Active Directory Rights
Management Services console. You should follow these steps to accomplish this task:
2. Follow the instructions that appear on your computer screen, and when prompted
for a computer name, type ISA-SRV.
Next, configure TCP/IP properties so that ISA-SRV has a static IP address of 10.0.0.5
and preferred DNS server with IP address 10.0.0.1 on the first network adapter. On the
second network adapter, use 10.0.100.1 as the IP address.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type
10.0.0.5. In the Subnet mask box, type 255.255.255.0. In the Preferred DNS
server box, type 10.0.0.1.
5. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.
6. Click Start, point to Control Panel, point to Network Connections, click Local
Area Connection 2, and then click Properties.
7. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
8. Click the Use the following IP address option. In the IP address box, type
10.0.100.1. In the Subnet mask box, type 255.255.255.0.
9. Click OK, and then click Close to close the Local Area Connection 2
Properties dialog box.
Next, join ISA-SRV to the cpandl.com domain.
6. Type your ISA Server product key in the Product Serial Number box, and then
click Next.
7. Select the Typical option, and then click Next.
8. Click Add, click Add Adapter, select the Local Area Connection check box,
click OK, and then click OK again.
9. Click Next three times, and then click Install.
10. When the installation is complete, click Finish.
11. Click OK. Read the information if desired, and then close Internet Explorer.
12. Click Exit to close Microsoft ISA Server 2006 Setup.
4. In the Web publishing rule name box, type AD RMS Extranet, and then click
Next.
5. Click Next twice accepting the default selections.
6. Select the Use SSL to connect to the published Web server or server farm
option, and then click Next.
7. In the Internal Site Name box, type adrms-srv.cpandl.com.
9. In the Path (optional) box, type /*, select the Forward the original host header
instead of the actual one specified in the Internal site name field on the
previous page check box, and then click Next.
10. In the Public name box, type adrms-srv.cpandl.com, and then click Next.
11. Click New to create a new Web listener.
12. In the Web listener name box, type HTTPS Port 443, and then click Next.
13. Select the Require SSL secured connections with clients option, and then
click Next.
14. Select the External check box, and then click Next.
15. Select the Use a single certificate for this Web listener option, and then click
Select Certificate.
16. Click the ADRMS-SRV.cpandl.com certificate, click Select, and then click Next.
17. In the Select how clients will provide credentials to ISA Server box, select
No Authentication, click Next, and then click Next again.
18. Click Finish to close the New Web Listener Wizard.
2. Follow the instructions that appear on your screen, and when prompted for a
computer name, type ADRMS-EXCLNT.
Next, configure TCP/IP properties so that ADRMS-EXCLNT has a static IP address of
10.0.100.2.
16
3. Select the Use the following IP address option. In IP address, type 10.0.100.2,
in Subnet mask, type 255.255.255.0.
4. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.
5. Close the other open windows and return to the desktop.
In this guide, a test environment without an external DNS server is used. In order for the
extranet cluster URLs to resolve to its appropriate IP address, you must create a manual
entry in the HOSTS file that points to ISA-SRV.
Note
In a production environment, this step is not required because the extranet client
computer's Internet Service Provider will handle the DNS resolution.
To create an entry in the HOSTS file for AD RMS extranet cluster URL
1. Log on to ADRMS-EXCLNT as a member of the local Administrators group.
2. Click Start, point to All Programs, click Accessories, and then click Notepad.
3. Within Notepad, click File, and then click Open.
4. Navigate to C:\windows\System32\drivers\etc\HOSTS, and then click Open.
Note
To show the HOSTS file, when you get to the etc folder you must select
All Files (above the Open button).
5. On a new line at the bottom of the file, type 10.0.100.1 adrms-srv.cpandl.com.
6. In the Address Bar, click Certificate Error, and then click View Certificates.
7. On the Certificate Information page, click Install Certificate.
8. On the Welcome to the Certificate Import Wizard page, click Next.
9. Select the Place all certificates in the following store option, click Browse,
click Trusted Root Certification Authorities, and then click OK.
10. Click Next, and then click Finish.
11. Click Yes, accepting the security warning. This only happens because self-
signed certificates are used.
12. Click OK, confirming that the certificate import was successful.
Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft
Office 2007 allow you to create rights-protected content. All editions will allow
you to consume rights-protected content.
Note
A USB flash drive is not required in this scenario. Any means of getting the
document to the extranet client computer will work, such as attaching the
document to an e-mail message and sending it to Stuart. In that example, Stuart
would then open the document contained in the e-mail message on the extranet
client computer.
Use the following steps to restrict permissions on a Microsoft Word document:
Caution
Once this document has been consumed, any other user who logs on to
the computer with the same user account will also be able to consume
the document.
2. Insert the USB flash drive, and then double-click the ADRMS-TST.docx file.
3. In the User name box, type cpandl\srailson. In the Password box, type the
password for Stuart Railson, and then click OK.
The following message appears: "Permission to this document is currently
restricted. Microsoft Office must connect to https://adrms-
srv.cpandl.com/_wmcs/licensing to verify your credentials and download
your permissions."
4. Click OK.
7. Click View Permission in the message bar. You can see that
20
Abstract
This step-by-step guide provides instructions for deploying Microsoft Office SharePoint Server
2007 in an Active Directory Rights Management Services (AD RMS) environment. It includes the
necessary information for installing and configuring Office SharePoint Server 2007 in the newly
created AD RMS infrastructure, and verifying that Office SharePoint Server 2007 documents can
be rights-protected and consumed. In the appendix of this guide, you can also configure Office
SharePoint Server 2007 to work with Active Directory Federation Services (AD°FS) and AD RMS.
1
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, MS-DOS, SharePoint, Vista, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
2
Contents
Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server
2007 Step-By-Step Guide ............................................................................................................ 5
About this Guide ........................................................................................................................... 5
What This Guide Does Not Provide .......................................................................................... 6
Deploying AD RMS in a Test Environment .................................................................................. 6
Appendix A: Configuring Active Directory Federation Services to work with Office SharePoint
Server 2007 ................................................................................................................................ 16
About this Appendix ................................................................................................................... 16
Configuring AD FS to work with Office SharePoint Server 2007 in a Test Environment ........... 16
Step 1: Setting up the infrastructure........................................................................................... 19
Step 2: Configuring Office SharePoint 2007 to work with AD FS .............................................. 21
Step 3: Verifying AD RMS functionality with Office SharePoint Server 2007 and AD FS. ........ 27
3
Deploying Active Directory Rights
Management Services with Microsoft Office
SharePoint Server 2007 Step-By-Step Guide
Important
Microsoft Windows SharePoint Services 3.0 does not have the Microsoft® Office
protector files that are required to automatically rights-protect a document when it is
uploaded. You must use Office SharePoint Server 2007 to do this.
This guide assumes that you previously completed the Active Directory Rights Management
Services Step-by-Step Guide, and that you have already deployed the following components:
• One Active Directory domain controller
• An AD RMS server
• An AD RMS database server
• An AD RMS-enabled client
In this guide, you will create a test deployment that includes an Office SharePoint Server 2007
server.
Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting
them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate
network. The goal of integrating an Office SharePoint Server 2007 deployment with an AD RMS
infrastructure is to be able to protect documents that are downloaded from the Office SharePoint
Server 2007 server by users of any given organization.
Note
Integrating Office SharePoint Server 2007 with AD RMS does not protect the documents
while they are on the server. When a document is uploaded to an Office SharePoint
Server 2007 site, the server removes all protection until a download request is received
by the Office SharePoint Server 2007 server. At this time, the Office SharePoint Server
2007 server applies the appropriate restrictions to the document before it is downloaded
to the client computer.
5
What This Guide Does Not Provide
This guide does not provide the following:
• An overview of AD RMS. For more information about the advantages that AD RMS can bring
to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.
• Guidance for setting up and configuring AD RMS in a production environment.
• Guidance for integrating Office SharePoint Server 2007 with AD RMS in a production
environment.
• Complete technical reference for AD RMS.
• Complete information about Office SharePoint Server 2007. For more information, see
http://go.microsoft.com/fwlink/?LinkId=74460.
ADRMS-DB Windows Server 2003 with SP1 Microsoft SQL Server™ 2005
with Service Pack 2 (SP2)
6
Computer Name Operating System Applications and Services
Standard Edition. Windows 2007
Server 2003 R2 must be used if
federated identity support with
Office SharePoint Server 2007 is
required. Otherwise,
Windows Server 2003 with SP1
can be used.
Note
Before installing and configuring the components in this guide, you should verify that your
hardware meets the minimum requirements for AD RMS
(http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form a private intranet and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment if desired. This step-
by-step exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for
the domain named cpandl.com. The following figure shows the configuration of the test
environment:
7
• Configure the Office SharePoint Server (SPS-SRV)
• Install Office SharePoint Server 2007
Use the following table as a reference when setting up the appropriate computer name, operating
system, and network settings that are required to complete the steps in this guide.
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
8
Next, configure TCP/IP properties so that SPS-SRV has a static IP address of 10.0.0.6. In
addition, configure the Domain Name System (DNS) Server service by using the IP address of
CPANDL-DC (10.0.0.1).
9
client from http://go.microsoft.com/fwlink/?LinkId=67935.
2. Double-click WindowsRightsManagementServicesSP2-KB917275-Client-ENU.exe to
start the installation.
3. Click Next.
4. Select the I agree option to accept the End User License Agreement, and then click Next
twice to start the installation.
5. Click Close to finish the installation.
Note
If you are using a self-signed certificate for your AD RMS cluster, you must import it into
the Trusted Certification Authorities certificate store on SPS-SRV before you can
consume rights-protected content.
Note
You will be asked for the Windows Server 2003 product CD in order to complete
the installation of the Application Server role.
6. Click Finish to complete the installation.
Next, install the .NET Framework 3.0. Office SharePoint Server 2007 requires the Windows
Workflow Foundation, which has been integrated into .NET Framework 3.0.
10
To install .NET Framework 3.0
1. Download Microsoft .NET Framework 3.0 from
http://go.microsoft.com/fwlink/?LinkId=73912.
2. Double-click dotnetfx3setup.exe, and then click Run in the Open File - Security
Warning dialog box.
3. Click the I have read and ACCEPT the terms of the License Agreement option, and
then click Install.
4. Click Exit to complete the installation.
Next, install Office SharePoint Server 2007.
11
• Restrict permissions by using AD RMS.
First, add the Office SharePoint Server 2007 site to the Internet Explorer Local Intranet zone on
the Office SharePoint Server 2007 computer.
Important
By default, the AD RMS cluster server certification pipeline ACL is configured to allow
only the local System account. You must add the permissions in order for Office
SharePoint Server 2007 to integrate with AD RMS.
12
6. Click Edit, and then click Add.
7. Click Object Types, select the Computers check box, and then click OK.
8. Type SPS-SRV, and then click OK.
9. Click OK to close the ServerCertification.asmx Properties sheet.
By default the Read & execute and the Read permissions are configured for the SPS-
SRV computer account object and all other accounts inherited from the parent folder.
10. Click Start, and then click Command Prompt.
11. Type iisreset, and then press ENTER.
Once the AD RMS cluster certification pipeline has been allowed so that SPS-SRV can
communicate with it, you must configure Office SharePoint Server 2007 to use the AD RMS
cluster:
13
Note
Office SharePoint Server 2007 will automatically apply AD RMS rights to the document
when it is downloaded from the Office SharePoint Server 2007 site. These rights are
determined by the Office SharePoint Server 2007 group membership for that site. For
example, a user who is in the Visitors Office SharePoint Server 2007 group will not be
able to modify the document when it is downloaded from the Office SharePoint Server
2007 site.
Note
Since Nicole Holliday is the author of this document, she will have full rights to
the document, regardless of the AD RMS rights that are applied to it.
3. Close Microsoft Office Word 2007.
4. Click Start, point to All Programs, and then click Internet Explorer.
5. Type http://SPS-SRV/in the address bar, and then click Go.
6. Click Document Center, and then click Documents.
7. Click Upload, click Upload Document, click Browse to locate and select ADRMS-TST,
and then click Open.
8. Click OK to upload the file, and then click Check In.
By uploading the document into this library, the document receives the restrictions set on
the library.
9. Log off as Nicole Holliday.
Finally, log on as Stuart Railson and open the document from the Office SharePoint Server 2007
site.
15
You have successfully deployed, integrated, and demonstrated the functionality of AD RMS and
Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft Office
Word 2007 document to an Office SharePoint Server 2007 site. You can also use this
deployment to explore some of the additional capabilities of AD RMS through additional
configuration and testing.
16
Upon completion of this appendix, you will have a working AD RMS and Office SharePoint Server
2007 infrastructure with federation support. You can then test and verify the functionality as
follows:
• Create a document in the CPANDL.COM domain.
• Upload the document to a rights-protected document library.
• Have an authorized user in the TREYRESEARCH.NET domain open and work with the
document.
The test environment described in this guide include nine computers connected to a private
network and using the following operating systems, applications, and services:
Note
Domain controllers
running Windows 2000
Server with Service
Pack 4 can be used.
However, in this step-by-
step guide it is assumed
that you will be using
domain controllers running
Windows Server 2003 with
SP1.
ADRMS-DB Windows Server 2003 with SP1 Microsoft SQL Server™ 2005
Standard Edition
17
Computer Name Operating System Applications and Services
with Office SharePoint
Server 2007.
The computers form two private intranets and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment, if desired. This
appendix exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named
cpandl.com is CPANDL-DC and the domain controller for the domain name treyresearch.net is
TREY-DC. The following figure shows the configuration of the test environment:
18
Step 1: Setting up the infrastructure
The following steps should be taken to prepare the existing test infrastructure for configuring
AD FS with Office SharePoint Server 2007:
• Install the claims-aware applications Windows component on SPS-SRV.
• Add a DNS host name record to the CPANDL.COM domain so that federated users can
access the Office SharePoint Server 2007 Web site.
• Add the external SharePoint Web site as a claims-aware application on ADFS-RESOURCE.
19
Note
Windows Server 2003 with SP2 is required for AD FS and Office SharePoint Server 2007
to work together. To download Windows Server 2003 with SP2, see
http://go.microsoft.com/fwlink/?LinkId=98598.
First, add the claims-aware application Windows component. This component is required for
AD FS and interfaces with the AD FS federation servers to submit claims.
Note
You will be asked for the Windows Server 2003 R2 product CD in order to
complete the installation of the claims-aware applications Windows component.
8. Click Finish to complete the installation.
Next, add a DNS host name record is required in the CPANDL.COM domain so that federated
users in the TREYRESEARCH.NET domain can access the Office SharePoint Server 2007 Web
site.
To create a DNS host name record for the external Office SharePoint Server 2007 Web
site
1. Log on to CPANDL-DC as cpandl\administrator or another user account in the local
Administrators group.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Expand Forward Lookup Zones, right-click CPANDL-DC, and then click New Host (A).
4. In the Name box, type external-sps.
5. In the IP Address box, type 10.0.0.6, and then click Add Host.
6. Click OK, confirming that the host record was successfully created.
7. Click Done.
20
Finally, add the external SharePoint Web site as a claims-aware Windows application on ADFS-
RESOURCE: This should be done before a user is added to doc library.
21
To extend the internal Office SharePoint 2007 Web site and add it to the Extranet zone
on SPS-SRV.
1. Log on to SPS-SRV as cpandl\administrator or another user account in the local
Administrators group.
2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central
Administration.
3. Click Application Management, click Create or Extend Web application, and then
click Extend an existing Web application.
4. Select the Create a new Web site option, and then type External Users Web site in the
Description box.
5. In the Web Application box, click Change Web Application, and then click http://sps-
srv.
6. In the Port box, type 443.
7. In the Host header box, type external-sps.cpandl.com.
8. In the Secure Sockets Layer (SSL) box, select the Yes option.
9. In the URL box, type https://external-sps.cpandl.com.
10. In the Zone box, click Extranet.
11. Click OK.
Before proceeding with this appendix, verify that the internal Web site was correctly extended. To
do this, open the Alternate Access Mappings and ensure that external-sps.cpandl.com is
available.
Next, add an SSL certificate to the external-sps.cpandl.com Web site by using IIS. AD FS
requires an SSL connection for all claims-aware Windows applications.
To add an SSL certificate to the external Office SharePoint 2007 Web site
1. Click Start, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager.
2. Expand Web Sites, right-click External Users Web site, and then click Properties.
3. Click Directory Security, and then click Server Certificate.
4. On the Welcome to the Web Server Certificate Wizard page, click Next.
22
5. Choose whether to import from an existing certificate file or request a new certificate.
6. After the certificate is imported, close the External Users Web site properties sheet.
Next, configure the authentication provider on the external Web site to use Web Single Sign On
(SSO).
To configure the authentication provider of the Extranet Web application to use Web
SSO
1. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central
Administration, and then click Application Management.
2. Under the Application Security heading, click Authentication providers.
3. In the Web application box, click Change Web Application, and then click SharePoint
- 80.
4. Click Extranet.
5. For Authentication Type, select the Web single sign on option.
6. In the Membership provider name box, type SingleSignOnMembershipProvider2.
7. In the Role manager name box, type SingleSignOnRoleProvider2.
8. For Enable client integration, select the No option, and then click Save.
Next, configure the internal Web application to accept claims from the external Web site by
editing the web.config file for the internal Web site:
To configure the internal Web site to accept claims from the external Web site
1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\80.
2. Right-click web.config, and then click Open.
3. Select the Select the program from a list option, click Notepad, clear the Always use
the selected program to open this kind of file check box, and then click OK.
4. Add the following text under the line that reads <authentication mode ="Windows" />:
<membership>
<providers>
<add name="SingleSignOnMembershipProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,
System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" fs="https://adfs-
resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
</providers>
</membership>
23
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
</providers>
</roleManager>
Important
If the internal SharePoint Web site is not able to resolve Terence Philip using the
procedure above, you should ensure all of the previous steps were completed correctly
before continuing through the rest of this appendix.
Next, edit the web.config file on the external Web site. There are several entries that must be
made to put each individual entry into its own procedure.
24
<section name="websso"
type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler,
System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>
<providers>
<add name="SingleSignOnMembershipProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,
System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</providers>
</membership>
25
<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
<providers>
<add name="SingleSignOnRoleProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</providers>
</roleManager>
<websso>
<authenticationrequired />
<auditlevel>55</auditlevel>
<urls>
<returnurl>https://external-sps.cpandl.com</returnurl>
</urls>
<fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
<isSharePoint />
</websso>
26
Step 3: Verifying AD RMS functionality with Office
SharePoint Server 2007 and AD FS.
To verify the functionality of AD RMS using AD FS and Office SharePoint Server 2007, you log on
to ADRMS-CLNT as Nicole Holliday, create a new Microsoft Word 2007 document, and upload it
to the Office SharePoint Server 2007 site into a rights-enabled document library configured such
that users who download the document will be able to read it but will not be able to print it. You
then log on to ADRMS-CLNT2 as Terrence Philip, download the document from the Office
SharePoint Server 2007 site and verify that the ability to print the document has been restricted.
Before you can consume rights-protected content, you must add the external Web application
(external-sps.cpandl.com) to the Local Intranet security zone on ADRMS-CLNT2.
Note
Since Nicole Holliday is the author of this document, she will have full rights to
the document, regardless of the AD RMS rights that are applied to it.
3. Close Microsoft Office Word 2007.
4. Click Start, point to All Programs, and then click Internet Explorer.
27
5. Type http://SPS-SRV/in the address bar, and then click Go.
6. Click Document Center, and then click Documents.
7. Click Upload, click Upload Document, click Browse to locate and select ADRMS-TST,
and then click Open.
8. Click OK to upload the file, and then click Check In.
By uploading the document into this library, the document receives the restrictions set on
the library.
9. Log off as Nicole Holliday.
Finally, log on to ADRMS-CLNT2 as Terrence Philip and open the document from the external
Office SharePoint Server 2007 site.
28
Step-by-Step Guide: Deploying SSTP Remote
Access
Microsoft Corporation
Published: September 2007
Abstract
Secure Socket Tunneling Protocol (SSTP) is a new form of VPN tunnel with features that allow
traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a
mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. The use of
PPP allows support for strong authentication methods such as EAP-TLS. The use of HTTPS
means traffic will flow through TCP port 443, a port commonly used for Web access. Secure
Sockets Layer (SSL) provides transport-level security with enhanced key negotiation, encryption,
and integrity checking.
This paper provides detailed information about how you can use three computers to create a test
lab with which to configure and test virtual private network (VPN) remote access with
Windows Server® 2008 and Windows Vista® with Service Pack 1 (SP1). These instructions are
designed to take you step by step through the configuration required for a Secure Socket
Tunneling Protocol (SSTP) connection.
1
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
2
Contents
Step-by-Step Guide: Deploying SSTP Remote Access .................................................................. 5
Secure Socket Tunneling Protocol ............................................................................................... 5
Setting up the test lab for SSTP remote access VPN connections ............................................. 7
Configuring DC1 ........................................................................................................................... 8
Configuring VPN1....................................................................................................................... 11
Configuring CLIENT1 ................................................................................................................. 25
Simulating a PPTP-based connection failure ............................................................................. 29
Configuring an SSTP-based connection .................................................................................... 33
Additional Resources ................................................................................................................. 38
3
Step-by-Step Guide: Deploying SSTP Remote
Access
This guide provides detailed information about how you can use three computers to create a test
lab with which to configure and test virtual private network (VPN) remote access with
Windows Server® 2008 and Windows Vista® with Service Pack 1 (SP1). These instructions are
designed to take you step by step through the configuration required for a Secure Socket
Tunneling Protocol (SSTP) connection.
Note
The following instructions are for configuring a test lab using a minimum number of
computers and procedure steps. To minimize setup time and complexity, services were
combined on the network servers rather than using individual computers to separate the
services in a more secure manner. This configuration is designed to reflect neither best
practices nor a desired or recommended configuration for a production network. The
configuration, including IP addresses and all other configuration parameters, is designed
to work only on a separate test lab network.
5
Sockets Layer (SSL) provides transport-level security with enhanced key negotiation, encryption,
and integrity checking.
6
Setting up the test lab for SSTP remote access
VPN connections
The infrastructure for the VPN test lab network consists of three computers, which perform the
following services:
• A server computer running Windows Server 2003 named DC1 that is acting as a domain
controller, a Domain Name System (DNS) server, and a file server on a private (intranet)
network.
• A server computer running Windows Server 2008 named VPN1 that is configured with
Routing and Remote Access and is acting as a VPN server. In addition, VPN1 is configured
with Active Directory Certificate Services and Internet Information Services (IIS) to allow Web
enrollment of the computer certificate required for an SSTP-based VPN connection. VPN1
has two network adapters installed.
• A client computer running Windows Vista with SP1 named CLIENT1 that is acting as a VPN
client on a public (Internet) network.
The following diagram shows the configuration of the VPN test lab.
Figure 2. Configuration of the SSTP connection test lab.
7
Configuring DC1
DC1 is a computer running Windows Server 2003 SP1 or R2, Standard or Enterprise Edition, that
is providing the following services:
• A domain controller for the Contoso.com Active Directory® domain.
• A DNS server for the Contoso.com DNS domain.
• A file server.
The configuration of DC1 requires the following steps:
• Install the operating system.
• Configure TCP/IP.
• Install Active Directory and DNS.
• Create a user account with remote access permission.
• Create a shared folder and file.
The following sections explain these steps in detail.
Configure TCP/IP
Configure TCP/IP properties so that DC1 has a static IP address of 192.168.0.1 with the subnet
mask 255.255.255.0 and a default gateway of 192.168.0.2.
8
Protocol (TCP/IP), and then click Properties.
3. Click Use the following IP address. In IP address, type 192.168.0.1. In Subnet mask,
type 255.255.255.0. In Default gateway, type 191.168.0.2. In Preferred DNS server,
type 192.168.0.1.
4. Click OK, and then click Close.
Note
You must restart the computer after you complete this procedure.
Note
In a real-world scenario, you would use Network Policy Server (NPS) to configure
and enable remote access policies.
3. Close Active Directory Users and Computers.
10
10. Under Permissions for Domain Users, under Allow, click Full Control to enable
permissions for documents in this folder.
11. Click OK two times to close the Sharing dialog boxes.
12. Double-click the CorpData folder and then right-click in the blank space. Point to New,
and then click Text Document.
13. Name the document VPNTest.txt.
14. Open VPNTest.txt and add some text.
15. Save and close VPNTest.txt.
Configuring VPN1
VPN1 is a computer running Windows Server 2008 that is providing the following roles:
• Active Directory Certificate Services, a certification authority (CA) that issues the computer
certificate required for an SSTP-based VPN connection.
• Certification Authority Web Enrollment, a service that enables the issuing of certificates
through a Web browser.
• Web Server (IIS), which is installed as a required role service for Certification Authority Web
Enrollment.
Note
Routing and Remote Access does not require IIS because it listens to HTTPS
connections directly over HTTP.SYS. IIS is used in this scenario so that CLIENT1 can
obtain a certificate over the Internet from VPN1.
• Network Policy and Access Services, which provides support for VPN connections through
Remote Access Service.
VPN1 configuration consists of the following steps:
• Install the operating system.
• Configure TCP/IP for Internet and intranet networks.
• Join the Contoso.com domain.
• Install the Active Directory Certificate Services and Web Server (IIS) server roles.
• Create and install the Server Authentication certificate.
• Install the Network Policy and Access Services (Routing and Remote Access) server role.
• Configure VPN1 to be a VPN server.
The following sections explain these steps in detail.
11
Install Windows Server 2008
1. On VPN1, start your computer using the Windows Server 2008 product disc. Follow the
instructions that appear on your screen. When prompted for a computer name, type
VPN1.
2. In the Initial Configuration Tasks window, under Provide Computer Information, click
Configure networking.
Note
If the Initial Configuration Tasks window is not already open, you can open it
by clicking Start, clicking Run, typing oobe in the text box, and then clicking OK.
Figure 3. Initial Configuration Tasks window.
Configure TCP/IP
Configure TCP/IP properties so that VPN1 has a static IP address of 131.107.0.2 for the public
(Internet) connection and 192.168.0.2 for the private (intranet) connection.
12
then click Properties.
2. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
3. Click Use the following IP address.
4. Configure the IP address and subnet mask with the following values:
a. On the interface connected to the public (Internet) network, type 131.107.0.2 for the
IP address, and type 255.255.0.0 for the subnet mask.
b. On the interface connected to the private (intranet) network, type 192.168.0.2 for the
IP address, type 255.255.255.0 for the subnet mask, and type 192.168.0.1 for the
preferred DNS server.
5. Click OK, and then click Close.
6. To rename the network connections, right-click a network connection, and then click
Rename.
7. Configure the network connections with the following names:
a. On the interface connected to the public (Internet) network, type Public.
b. On the interface connected to the private (intranet) network, type Private.
8. Close the Network Connections window.
Run the ping command from VPN1 to confirm that network communication between VPN1 and
DC1 is working.
Note
If the Initial Configuration Tasks window is not already open, you can open it
by clicking Start, clicking Run, typing oobe in the text box, and then clicking OK.
13
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In Computer name, clear the text and type VPN1.
4. In Member of, click Domain, type contoso, and then click OK.
5. Enter administrator for the user name and P@ssword for the password.
6. When you see a dialog box welcoming you to the contoso.com domain, click OK.
7. When you see a dialog box telling you to restart the computer, click OK. Click Close, and
then click Restart Now.
Note
If the Initial Configuration Tasks window is not already open, you can open it
by clicking Start, clicking Run, typing oobe in the text box, and then clicking OK.
3. In the Add Roles Wizard dialog box, in Before You Begin, click Next.
4. Click Active Directory Certificate Services.
Figure 4. Select Server Roles window.
14
5. Click Next, and then click Next again.
6. In the Select Role Services dialog box, under Role services, click Certification
Authority Web Enrollment.
7. In the Add Roles Wizard dialog box, click Add Required Role Services.
Figure 5. Add Roles Wizard dialog box.
15
8. Click Next.
9. Click Standalone, and then click Next.
10. Click Root CA (recommended), and then click Next.
11. Click Create a new private key, and then click Next.
12. Click Next to accept the default cryptographic settings.
13. In the Configure CA Name dialog box, click Next to accept the default CA name.
Figure 6. Configure CA Name dialog box.
16
14. Click Next repeatedly to accept default settings.
15. In the Confirm Installation Selections dialog box, click Install. The installation might
take several minutes.
16. In the Installation Results dialog box, click Close.
17
5. Under Select a zone to view or change security settings, click Local intranet.
6. Change the security level for Local intranet from Medium-low to Low, and then click OK.
Note
In a real-world scenario, you should configure individual ActiveX® control
settings using Custom level rather than lowering the security level.
Figure 7. Internet Options dialog box.
18
2. Under Select a task, click Request a certificate.
3. Under Request a Certificate, click advanced certificate request.
4. Under Advanced Certificate Request, click Create and submit a request to this CA.
5. Click Yes to allow the ActiveX control.
Figure 8. Advanced Certificate Request page.
6. Under Identifying Information, in the Name field, type vpn1.contoso.com, and in the
Country/Region field, type US.
Note
The name is the certificate subject name and must be the same as the Internet
address used in the SSTP connection settings configured later in this document.
7. Under Type of Certificate Needed, select Server Authentication Certificate.
8. Under Key Options, select Mark keys as exportable, and then click Submit.
19
9. Click Yes in the confirmation dialog box.
The Server Authentication certificate is now pending. It must be issued before it can be installed.
9. In the middle pane, right-click the pending request, point to All Tasks, and then click
Issue.
20
10. In Internet Explorer, in the Certificate Pending page, click Home. If this page is not
visible, browse to http://localhost/certsrv.
11. Under Select a task, click View the status of a pending certificate request.
12. Under View the Status of a Pending Certificate Request, select the just-issued
certificate.
13. Click Yes to allow the ActiveX control.
14. Under Certificate Issued, click Install this certificate.
15. Click Yes in the confirmation dialog box.
Move the installed certificate from the default store location.
21
5. In the Select Computer dialog box, click Finish to accept the default setting of Local
computer.
6. Click OK to close the Add or Remove Snap-ins dialog box.
7. In the console tree pane, double-click Certificates - Current User, double-click
Personal, and then click Certificates.
8. In the middle view pane, right-click the vpn1.contoso.com certificate, point to All Tasks,
and then click Export.
9. In the Welcome page, click Next.
10. Click Yes, export the private key, and then click Next.
11. Click Next to accept the default file format.
12. Type P@ssword in both text boxes, and then click Next.
13. In the File to Export page, click Browse.
14. In the File name text box, type vpn1cert, and then click Browse Folders.
15. Under Favorite Links, click Desktop, and then click Save to save the certificate to the
desktop.
16. In the File to Export page, click Next.
17. Click Finish to close the Certificate Export Wizard, and then click OK in the
confirmation dialog box.
18. In the console tree pane, double-click Certificates (Local Computer), and then double-
click Personal.
19. Right-click Certificates, point to All Tasks, and then click Import.
20. In the Welcome page, click Next.
21. In the File to Import page, click Browse.
22. Under Favorite Links, click Desktop, and from the drop-down list, select Personal
Information Exchange for the file type.
Figure 11. Certificate Import Wizard.
22
23. In the middle view pane, double-click vpn1cert.
24. In the File to Import page, click Next.
25. In the Password text box, type P@ssword, and then click Next.
26. In the Certificate Store page, click Next to accept the Personal store location.
27. Click Finish to close the Import Export Wizard, and then click OK in the confirmation
dialog box.
Figure 12. Location of Server Authentication certificate.
23
Install Routing and Remote Access
Configure VPN1 with Routing and Remote Access to function as a VPN server.
24
Configure Routing and Remote Access
Configure VPN1 to be a VPN server providing remote access for Internet-based VPN clients.
Note
Normally, you would leave security enabled on the public interface. For the
purposes of testing lab connectivity, you should disable it.
8. Click From a specified range of addresses, and then click Next.
9. Click New, type 192.168.0.200 for the Start IP address, type 192.168.0.210 for the End
IP address, click OK, and then click Next.
10. Click Next to accept the default setting, which means VPN1 will not work with a RADIUS
server. In this scenario, Routing and Remote Access Server will use Windows
Authentication.
11. In the Completing the Routing and Remote Access Server Setup Wizard page, click
Finish.
12. If the dialog box that describes the need to add this computer to the remote access
server list appears, click OK.
13. In the dialog box that describes the need to configure the DHCP Relay Agent, click OK.
14. Close the Routing and Remote Access snap-in.
Configuring CLIENT1
CLIENT1 is a computer running Windows Vista with SP1 that functions as a remote access VPN
client for the Contoso.com domain.
25
CLIENT1 configuration consists of the following steps:
• Install the operating system
• Configure TCP/IP
The following sections explain these steps in detail.
Configure TCP/IP
Configure TCP/IP properties so that CLIENT1 has a static IP address of 131.107.0.3 for the
public (Internet) connection.
26
Prompt, and then click Run as administrator.
2. In the User Account Control dialog box, click Continue.
3. In the command window, type the following and then press ENTER:
notepad %windir%\system32\drivers\etc\hosts
4. Add the following text in a new line at the end of the document:
131.107.0.2 vpn1.contoso.com
5. Save and close the hosts file.
Run the ping command from CLIENT1 to confirm that network communication between CLIENT1
and VPN1 is working.
27
3. In the details pane, scroll down and double-click File and Printer Sharing (Echo
Request - ICMPv4-In) for the Public profile. Verify that this rule is enabled.
Figure 14. File and Printer Sharing (Echo Request - ICMPv4-In) Properties dialog box.
28
Simulating a PPTP-based connection failure
Now that the preceding steps have been completed, the lab infrastructure is in place. This section
will cover configuring your lab setup so that PPTP-based VPN connections will fail. This simulates
a real-world scenario in which the remote access server is behind a firewall that blocks PPTP
connections. This lab will use Windows Firewall with Advanced Security on VPN1 to serve as the
perimeter firewall.
29
3. Click Connect to a workplace, and then click Next.
4. Click Use my Internet connection (VPN).
5. Click I'll set up an Internet connection later.
6. In Internet address, type vpn1.contoso.com, and then click Next.
Note
The Internet address must be the same as the subject name previously
configured in this document. This requirement is for the SSTP connection used
later in this document.
7. In the Type your user name and password dialog box, type the following information:
a. In User name, type user1.
b. In Password, type P@ssword.
c. Click Remember this password.
d. In Domain, type contoso.
8. Click Create, and then click Close.
30
3. Verify that the connection was completed successfully by right-clicking VPN Connection,
and then clicking Status. The Media State should be "Connected."
4. In the VPN Connection Status dialog box, click Disconnect.
31
4. Under Action, select Block the connections, and then click OK.
Figure 17. Routing and Remote Access (GRE-In) Properties dialog box.
32
4. Click Close.
33
certificate chain, or CRL.
4. If you receive an alert about the Information Bar, click Close.
5. Click Download CA certificate.
6. In the File Download dialog box, click Open.
Figure 19. File Download dialog box for the security certificate.
34
9. In the Certificate Import Wizard, click Next.
10. In the Certificate Store dialog box, click Next to accept the default automatic store
location.
11. Click Finish.
12. In the confirmation dialog box, click OK.
13. Click OK to close the Certificate dialog box.
Now that the computer certificate has been imported, it must be installed. The default automatic
location for the installed certificate is in the Current User, Intermediate Certification Authority
store. The certificate must be moved to the Local Computer, Trusted Root Certification Authority
store on CLIENT1. Begin by configuring an MMC with user and computer certificate snap-ins.
35
Configure an MMC
1. On CLIENT1, click Start, click All Programs, click Accessories, and then click Run.
2. In Open, type mmc, and then click OK.
3. In the User Account Control dialog box, click Continue.
4. In the Console1 snap-in, click File, and then click Add/Remove Snap-in.
5. Under Available snap-ins, click Certificates, and then click Add.
6. Click Finish to accept the default setting of My user account.
7. Click Add, click Computer account, and then click Next.
8. In the Select Computer dialog box, click Finish to accept the default setting of Local
computer.
9. Click OK to close the Add or Remove Snap-ins dialog box.
Move the installed certificate from the default store location. Because the certificate does not
involve private key binding, you can simply copy and paste the certificate to the new certificate
store.
36
Configure and test an SSTP-based VPN connection
Now that the root CA certificate of the VPN server's computer certificate is in the Trusted Root
Certification Authorities certificate store on CLIENT1, configure and test an SSTP connection.
37
5. In the Connect VPN Connection dialog box, click Connect.
CLIENT1 should successfully connect to VPN1 using the SSTP connection. Verify that
you can access the corporate file server from the remote location.
6. Click Start, click All Programs, click Accessories, and then click Run.
7. In Open, type \\192.168.0.1\corpdata, and then click OK.
8. Double-click VPNTest to open it, and then add some text.
9. From the File menu, click Save As, type VPNTest2 for the file name, and then click
Save.
10. Close VPNTest2.
Additional Resources
• Routing and Remote Access Blog (http://go.microsoft.com/fwlink/?LinkId=82954)
38
• New Networking Features in Windows Server 2008 and Windows Vista
(http://go.microsoft.com/fwlink/?LinkId=71606)
39
DNS Server Global Query Block List
Microsoft Corporation
Published: November 2007
Author: Jim Groves
Editor: Jim Becker
Abstract
Clients of network protocols that rely on Domain Name System (DNS) name resolution to resolve
well-known host names are vulnerable to malicious users who use dynamic update to register
host computers that pose as legitimate servers. Examples of such protocols are the Web Proxy
Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol
(ISATAP). The DNS server role in the Windows Server® 2008 operating system introduces a
global query block list that can help reduce this vulnerability. This document introduces this block
list, explains how it works, and describes how to take advantage of its features.
1
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the companies, organizations, products, domain names, e-mail addresses,
logos, people, places, and events depicted in examples herein are fictitious. No association with
any real company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Windows, Windows NT, and Windows Server are trademarks of the Microsoft
group of companies.
2
Contents
DNS server global query block list overview ................................................................................... 5
What is WPAD?............................................................................................................................ 5
What is ISATAP?.......................................................................................................................... 6
How the DNS server global query block list works ...................................................................... 6
Configuring the DNS server when you deploy or remove protocols ............................................... 9
Configuring the DNS server when you deploy WPAD or ISATAP ............................................... 9
Configuring the DNS server when you remove WPAD or ISATAP ............................................ 10
DNS server global query block list technical reference ................................................................. 10
Extensions to dnscmd ................................................................................................................ 11
Global query block list registry values ........................................................................................ 11
3
DNS server global query block list overview
Most TCP/IP networks support the dynamic update feature of Domain Name System (DNS)
because dynamic update is convenient for network administrators and users alike. Dynamic
update makes it possible for DNS client computers to register and dynamically update their
resource records with a DNS server whenever a client changes its network address or host
name. This reduces the need for manual administration of zone records, especially for clients that
frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to
obtain an IP address. This convenience comes at a cost, however, because an authorized client
can register any unused host name, even a host name that might have special significance for
certain applications. This can allow a malicious user to "hijack" a special name and divert certain
types of network traffic to that user's computer.
Two commonly deployed protocols are particularly vulnerable to hijacking in this fashion: the Web
Proxy Automatic Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing
Protocol (ISATAP). Even if a network does not deploy these protocols, clients that are configured
to use them are vulnerable to the hijacking that DNS dynamic update enables. To prevent such
hijacking, the DNS server role in the Windows Server® 2008 operating system includes a global
query block list that can help prevent a malicious user from hijacking DNS names that have
special significance.
What is WPAD?
Most Web browsers use WPAD to locate and apply configuration settings that enable them to use
a network proxy server. These configuration settings are contained in a file that is located on a
server. The browser locates this server by querying a DHCP server for the uniform resource
locator (URL) of the network's WPAD server. If this query is unsuccessful, the browser attempts
to locate the WPAD server by using standard DNS name-resolution queries.
For example, if the Web browser is running on a Windows-based computer named
laptop.acctg.corp.contoso.com, the browser attempts to find the WPAD configuration file by
looking for the following URLs:
• http://wpad.acctg.corp.contoso.com/wpad.dat
• http://wpad.corp.contoso.com/wpad.dat
• http://wpad.contoso.com/wpad.dat
When it locates the Wpad.dat file at any of these locations, the browser reads the contents of the
file, and then configures itself according to the settings in the file.
Unfortunately, you cannot secure this automatic discovery process. Any computer that is
registered in a DNS zone with the name wpad can provide a WPAD configuration to clients on the
5
network, even if the file contains settings that cause the clients to use a fake proxy server, for
example, to divert the client's Web browser to counterfeit Web sites. The dynamic update feature
of DNS makes it possible for a malicious user to accomplish this without requiring the intervention
of a DNS system administrator simply by giving a computer the name wpad and then connecting
it to the network. As long as there is no other computer in the zone with the same name, the
computer of the malicious user can register its name with the DNS server that is authoritative for
its zone and thereby direct all WPAD queries to itself.
The block list feature that is provided by the DNS server role in Windows Server 2008 helps
prevent the hijacking of WPAD by ensuring that queries for WPAD servers always fail unless
WPAD is excluded from the block list. For more information about how the block list works, see
How the DNS server block list works.
What is ISATAP?
ISATAP provides a transition between networks that are based on Internet Protocol version 4
(IPv4) and networks that are based solely on the newer IP version 6 (IPv6). ISATAP provides this
transition by using a tunneling approach to carry IPv6 traffic on an IP version 4 (IPv4)
infrastructure. In other words, ISATAP encapsulates IPv6 packets with an IPv4 header, which
allows the IPv6 packets to be transmitted through a single ISATAP router from one ISATAP-
enabled host to another. This transmission occurs wherever the hosts are located on the network,
regardless of whether the hosts are located on an IPv6-enabled subnet or on an IPv4-only
network.
ISATAP does not support automatic router discovery. Instead, ISATAP hosts use a potential
routers list (PRL) to discover available ISATAP routers. Most commonly, however, ISATAP hosts
construct their PRLs by using DNS to locate a host named isatap on the local domain. For
example, if the local domain is corp.contoso.com, an ISATAP-enabled host queries DNS to obtain
the IPv4 address of a host named isatap.corp.contoso.com.
Consequently, a malicious user can spoof an ISATAP router in much the same way as a
malicious user can spoof a WPAD server: A malicious user can use dynamic update to register
the user's own computer as a counterfeit ISATAP router and then divert traffic between ISATAP-
enabled computers on the network. To prevent this, the Windows Server 2008 DNS Server
service blocks name resolution of the isatap host name by default.
6
(A) or host (AAAA) resource record in the zone for the name. In this way, if a host (A) or host
(AAAA) resource record exists in the zone because a host has used dynamic update to register
itself with a blocked name, the DNS Server service does not resolve the name.
The block list automatically applies to all zones for which the server is authoritative. For example,
if the DNS server is authoritative for contoso.com and for europe.contoso.com, it ignores queries
for wpad.contoso.com as well as for wpad.europe.contoso.com. However, the DNS Server
service does not ignore queries for names in zones for which it is not authoritative. Specifically,
the DNS Server service does not ignore queries that it receives through a forwarder or a stub
zone, or as a result of normal recursion or forwarding. If the block list causes the DNS Server
service to ignore a request for a resource record that does exist in a zone, it logs an event that
explains why it did so.
Important
All DNS servers that are authoritative for a zone must be running Windows Server 2008
and must be configured with the same block list to ensure consistent results when clients
query for resolution of names in the block list.
Because the DNS Server service applies the block list for all resource records, not just host (A) or
host (AAAA) resource records, it ignores queries for such resource record types as mail
exchanger (MX) and service locator (SRV) resource records. However, because the DNS Server
service does not apply the block list to zone names themselves, an administrator can create a
zone named wpad.contoso.com, for example, and add host resource records to that zone. In this
case, the DNS Server service continues to resolve host names in the wpad.contoso.com zone.
The initial contents of the block list depend on whether WPAD or ISATAP is already deployed
when you add the DNS server role to an existing Windows Server 2008 deployment or upgrade
an earlier version of Windows Server running the DNS Server service. The next section describes
installation and upgrade scenarios and explains how the contents of the block list are affected.
7
Installing the DNS server role when neither WPAD
nor ISATAP is deployed
If neither WPAD nor ISATAP was deployed on the network when you installed or upgraded the
DNS Server service on a server running Windows Server 2008, the DNS Server service
configures the block list to ignore queries for hosts named wpad and isatap.
The DNS Server service configures the block list the first time that it runs after you install or
upgrade it. Whenever the DNS Server service starts, it checks for the existence of a particular
registry key. If that key does not exist, the DNS Server service has not yet configured the block
list. The DNS Server service then enumerates all locally authoritative zones looking for existing
host (A) or host (AAAA) resource records for the names wpad and isatap. When the DNS Server
service fails to find these records, it stores the default list, which consists of entries for the names
wpad and isatap, in the registry along with a registry key that indicates that the block list is
enabled.
Configuration of the block list takes place only when the DNS Server service starts the first time
after you install or upgrade it. If you subsequently implement WPAD or ISATAP on the network,
you must configure the affected DNS servers to remove the corresponding name from their block
lists. Similarly, if you subsequently remove WPAD or ISATAP from the network after you install
the DNS Server role in Windows Server 2008, you must add the corresponding name to the block
list of the affected DNS servers. For more information about configuring the DNS Server service,
see Configuring the DNS server when you deploy or remove protocols.
Note
When the DNS Server service configures itself, it does not attempt to determine whether
the existing resource record for a host named wpad or isatap identifies a legitimate
deployed server. Before you upgrade a Windows-based DNS server to Windows
Server 2008, ensure that the server's zones do not already contain resource records for
these host names if the WPAD or ISATAP protocols are not deployed on the network.
8
If you subsequently remove support for WPAD or ISATAP from your network, you should
reconfigure the affected DNS servers to enable blocking resolution of the corresponding names.
For more information, see Configuring the DNS server when you deploy or remove protocols.
Note
Before you replace the block list, you should run the dnscmd /info
/globalqueryblocklist command to verify the current contents of the block list.
9
Configuring the DNS server when you remove
WPAD or ISATAP
When you remove WPAD or ISATAP from your network, you should configure the block list to
prevent the hijacking that is described in DNS server global query block list overview. To do this,
you add the appropriate name to the block list of the DNS servers that are authoritative for the
zones where you previously registered the protocol's host name. To add the DNS server name to
the block list, you run the dnscmd /config /globalqueryblocklist command.
For example, if you remove support for WPAD from your network, you should run the following
command on all DNS servers that host the zone where the wpad name was registered:
dnscmd /config /globalqueryblocklist wpad isatap
This replaces the existing global query block list with a list that includes the name wpad.
10
Extensions to dnscmd
Windows Server 2008 extends the dnscmd command-line tool to make it possible for you to
configure and control the global query block list. The following table shows the commands that
you can use with dnscmd.
Command Description
dnscmd /info /enableglobalqueryblocklist Displays whether the global query block list is
enabled. If the block list is enabled, this
command returns the value 1. If the block list is
not enabled, this command returns the value 0.
dnscmd /info /globalqueryblocklist Displays the host names in the current block
list, if any.
dnscmd /config /enableglobalqueryblocklist Enables or disables the block list. If you want
[0 | 1] the DNS Server service to ignore queries for
the names in the block list, you set the value of
this command to 1. If you want to disable the
block list, you set the value of this command to
0. With a value of 0, the DNS Server service
does not ignore queries for names in the block
list.
dnscmd /config /globalqueryblocklist Removes all names from the block list.
dnscmd /config /globalqueryblocklist name Replaces the current block list with a list of the
[name]… names that you specify. By default, the global
query block list contains the following names:
• isatap
• wpad
The DNS Server service can remove either or
both of these names when the DNS Server
service starts the first time. For more
information, see Installation Scenarios for the
DNS server role.
11
•
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\En
ableGlobaQueryBlockList
If you set the value of this registry key to 1 (the default), it instructs the DNS Server service to
block name resolution in all zones that the server hosts for the names that are in the block
list. If you set the value of this registry key to 0, it instructs the DNS Server service not to
block name resolution for the names in the block list.
•
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\Gl
obalQueryBlockList
This registry key is a multistring value that contains the names that you want name resolution
to block.
12
Installing, Configuring, and Troubleshooting
the Microsoft Online Responder
Microsoft Corporation
Published: April 2007
Avi Ben-Menahem, Lead Program Manager, Microsoft Corporation
Editor: Debbie Swanson
Contributors:
Vishal Agarwal, Development Lead, Microsoft Corporation
Saurav Sinha, Developer, Microsoft Corporation
Oded Shekel, Program Manager, Microsoft Corporation
Jen Field, Program Manager, Microsoft Corporation
Shawn Corey, Software Development in Test, Microsoft Corporation
Rashmi Jha, Software Development in Test, Microsoft Corporation
Kelvin Yiu, Senior Program Manager, Microsoft Corporation
Yogesh Mehta, Program Manager, Microsoft Corporation
Abstract
This white paper describes the concepts behind and steps needed to install, configure, and
troubleshoot the Microsoft Online Responder, a role service that is used to implement online
1
certificate status protocol (OCSP) revocation checking in Active Directory Certificate Services
environments.
2
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
3
Contents
Installing, Configuring, and Troubleshooting the Microsoft Online Responder ............................... 7
Overview ...................................................................................................................................... 7
Understanding Revocation Checking Concepts .......................................................................... 7
CRLs ......................................................................................................................................... 8
OCSP ........................................................................................................................................ 9
Understanding the Online Responder's Components.................................................................. 9
OCSP Client............................................................................................................................ 10
Online Responder Web Proxy Cache ..................................................................................... 11
Online Responder Service ...................................................................................................... 11
Revocation Configuration ....................................................................................................... 12
Revocation Providers .............................................................................................................. 12
Exploring Online Responder Deployment Models ..................................................................... 13
Achieving Scalability and High Availability ............................................................................. 13
Deployment Models for Extranet Scenarios ........................................................................... 13
Deploying Microsoft Online Responder ..................................................................................... 16
Installing the Online Responder Service ................................................................................ 16
Preparing the Environment ..................................................................................................... 23
Configuring the CAs ............................................................................................................ 24
Configuring the OCSP Response Signing certificate template ........................................... 26
Configuring the OCSP Response Signing certificate template when using a Windows
Server 2008–based CA ................................................................................................ 27
Configuring the OCSP Response Signing certificate template when using a Windows
Server 2003–based CA ................................................................................................ 28
Configuring OCSP Response Signing template permissions .......................................... 29
Assigning an OCSP Response Signing template to a CA ............................................... 30
Renewing OCSP Response Signing certificates ............................................................. 31
Enrolling for an OCSP Response Signing certificate against a stand-alone CA ................ 32
Using an HSM to protect OCSP signing keys ..................................................................... 33
Modifying the Online Responder service credentials....................................................... 33
Configuring the OCSP Response Signing template ........................................................ 34
Configuring the Online Responder ......................................................................................... 34
Configuring Online Responder properties ........................................................................... 35
Web proxy settings........................................................................................................... 35
Audit settings.................................................................................................................... 36
Security settings ............................................................................................................... 38
Managing revocation configurations.................................................................................... 38
Creating a revocation configuration ................................................................................. 38
5
Modifying a revocation configuration ............................................................................... 41
Managing Array members ................................................................................................... 44
Adding Array members .................................................................................................... 44
Monitoring and managing Array members ....................................................................... 44
Performing Online Responder Backup and Restore .................................................................. 45
Troubleshooting the Online Responder ..................................................................................... 46
Online Responder Service Problems...................................................................................... 46
Online Responder Snap-In Messages .................................................................................... 56
Array Configuration messages ............................................................................................ 56
Revocation Configuration messages................................................................................... 58
Enabling CryptoAPI 2.0 Diagnostics .......................................................................................... 60
Additional Resources ................................................................................................................. 61
6
Installing, Configuring, and Troubleshooting
the Microsoft Online Responder
Overview
Public key infrastructure (PKI) consists of multiple components, including certificates, certificate
revocation lists (CRLs), and certification authorities (CAs). In most cases, applications that
depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME),
Secure Sockets Layer (SSL), Encrypting File System (EFS), and smart cards, are required to
validate the status of the certificates used when performing authentication, signing, or encryption
operations. The certificate status and revocation checking is the process by which the validity of
certificates is verified based on two main categories: time and revocation status.
• Time. Certificates are issued for a fixed period of time and considered valid as long as the
expiration date of the certificate is not reached, unless revoked before that date.
• Revocation status. Certificates can be revoked before their expiration date because of
multiple reasons such as key compromise or suspension. Before performing any operation,
applications often validate that the certificate was not revoked.
Although validating the revocation status of certificates can be performed in multiple ways, the
common mechanisms are CRLs, delta CRLs, and Online Certificate Status Protocol (OCSP)
responses. Common scenarios for using OCSP include:
• SSL/Transport Layer Security (TLS) certificate revocation checking
• Smart card logon
• Enterprise S/MIME
• Extensible Authentication Protocol (EAP)/TLS–based virtual private network (VPN)
Microsoft natively supports only CRL in operating systems prior to the Windows Vista® operating
system. Windows Vista and the Windows Server® 2008 operating system will natively support
both CRL and OCSP as a method of determining certificate status. The OCSP support includes
both the client component as well as the Online Responder, which is the server component.
7
1. The certificate chaining engine attempts to build the chain for the certificate inspected by
querying the local certificate store or by downloading from one of the URLs available in the
inspected certificate's authority information access extensions.
2. For all certificate chains that end in a trusted root, all certificates in the chain are validated.
This involves the following steps:
• Verify that each certificate's signature is valid.
• Verify that the current date and time fall within each certificate's validity period.
• Verify that each certificate is not corrupt or malformed.
3. Each certificate in the certificate chain is checked for revocation status. Revocation checking
is performed either by using a CRL or OCSP, based on the certificate configuration.
After the validation check is completed, the certificate chaining engine returns the results of the
validation check to the application that originated the validation request. The results will indicate if
all certificates in the chain are valid, if the chain terminates at a non-trusted root CA, if any
certificates in the chain are not valid, or if the revocation status for any of the certificates in the
chain cannot be determined.
For more information, see Certificate Revocation and Status Checking
(http://go.microsoft.com/fwlink/?LinkID=27081).
CRLs
A CRL is a file, created and signed by a CA, that contains serial numbers of certificates that have
been issued by that CA and are revoked. In addition to the serial number for the revoked
certificates, the CRL also contains the revocation reason for each certificate and the time the
certificate was revoked.
Currently, two types of CRLs exist: base CRLs and delta CRLs. Base CRLs maintain a complete
list of revoked certificates while delta CRLs maintain only those certificates that have been
revoked since the last publication of a base CRL.
The major drawback of CRLs is their potentially large size, which limits the scalability of the CRL
approach. The large size adds significant bandwidth and storage burdens to the CA and relying
party, and therefore limits the ability of the system to distribute the CRL. Bandwidth, storage
space, and CA processing capacity can also be negatively affected if the publishing frequency
gets too high. Numerous attempts have been made to solve the CRL size issue through the
introduction of partitioned CRLs, delta CRLs, and indirect CRLs. All these approaches have
added complexity and cost to the system without providing an ideal solution to the underlying
problem.
Another drawback of CRLs is latency; because the CRL publishing period is predefined,
information in the CRL might be out of date until a new CRL or delta CRL is published.
8
OCSP
OCSP is a Hypertext Transfer Protocol (HTTP) that allows a relying party to submit a certificate
status request to an OCSP responder. This returns a definitive, digitally signed response
indicating the certificate status. The amount of data retrieved per request is constant regardless
of the number of revoked certificates in the CA. Most OCSP responders get their data from
published CRLs and are therefore reliant on the publishing frequency of the CA. Some OCSP
responders can, however, receive data directly from the CA's certificate status database and
consequently provide near real-time status.
Scalability is the major drawback of the OCSP approach. Since it is an online process and is
designed to respond to single certificate status requests, it results in more server hits, requiring
multiple and sometimes geographically dispersed servers to balance the load. The response
signing and signature verification processes also take time, which can adversely affect the overall
response time at the relying party. Finally, since the integrity of the signed response depends on
the integrity of the OCSP responder's signing key, the validity of this key must also be verified
after a response is validated by the client.
9
OCSP Client
The OCSP client is fully integrated into the CryptoAPI 2.0 certificate revocation infrastructure. It
implements the recommendation specified in the draft Internet Engineering Task Force (IETF)
Public Key Infrastructure X.509 (PKIX) "Lightweight OCSP Profile for High Volume Environment"
and is optimized for high-volume scenarios.
The major difference between the Lightweight OCSP Profile and RFC 2560, "X.509 Internet
Public Key Infrastructure Online Certificate Status Protocol - OCSP," can be summarized as
follows:
• The Lightweight OCSP Profile supports both the Hypertext Transfer Protocol (HTTP) and
Secure Hypertext Transfer Protocol (HTTPS).
• Lightweight OCSP Profile responses must specify notBefore and notAfter dates, which are
not required in the full profile.
• Signed requests are not supported in the Lightweight OCSP Profile. The client cannot create
a signed request; if a signed request, which can be created by third-party OCSP clients, is
sent to the Online Responder an "Unauthorized" response is returned.
• With the Lightweight OCSP Profile, nonce is not supported in the request and ignored in the
response. However, the Online Responder supports the nonce extension and will return a
response that includes the nonce extension if configured to do so. For more information, see
Managing revocation configurations.
When an application calls CryptoAPI 2.0 to verify a certificate that specifies locations to Online
Responders, the revocation infrastructure performs the following basic steps (for each Online
Responder specified in the authority information access extension):
1. Search the local CryptoAPI 2.0 in-memory and disk caches to find a cached OCSP response
that has a valid time. The disk cache is located at: <drive>:\Users\<User
name>\AppData\LocalLow\Microsoft\CryptnetUrlCache.
Note
By default, response caching is performed by the OCSP client. This behavior can be
changed by modifying the ChainCacheResynchFiletime value located in the
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType
0\CertDllCreateCertificateChainEngine\Config registry key. The
ChainCacheResynchFiletime value specifies the date and time to clear the in-
memory cache. The following Certutil commands can be used to modify the
ChainCacheResynchFiletime value:
• To set a registry value to the current date and time:
certutil –setreg chain\ChainCacheResyncFiletime @now
• To set a registry value to the current date and time plus 3 days and 1 hour:
certutil –setreg chain\ChainCacheResyncFiletime @now+3:1
2. If no acceptable cached response can be found, a request is sent by using the HTTP GET
method. In situations where the Online Responder does not support the GET method,
CryptoAPI 2.0 will retry the request by using the HTTP POST method. Only one certificate
can be validated per OCSP request. Moreover, it is not possible to configure CryptoAPI 2.0 to
always try the POST method first.
3. The signature on the response, including the delegated OCSP signer certificate, is verified. If
the certificate contains the id-pkix-ocsp-nocheck extension, identified by the object identifier
1.3.6.1.5.5.7.48.1.5, CryptoAPI will not verify the revocation status of the delegated OCSP
signer certificate.
Note
In addition to the OCSP ISAPI extension caching, the IIS HTTP.SYS library performs
caching for 120 seconds. Multiple requests to the Online Responder in that time period
will be served with the HTTP.SYS-cached response.
11
• Manages the Online Responder configuration. The Online Responder provides a
responder-wide set of attributes that can be configured. These attributes include public
interfaces, access control settings, audit settings, and Web proxy cache settings. All the
configuration information is stored in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder.
• Retrieves and caches revocation information based on configuration. Based on the
revocation configuration, the Online Responder service can retrieve and cache revocation
information such as CRLs and delta CRLs for future use. For more information, see
Revocation Configuration.
• Signs responses. For each successful request, the Online Responder signs the response
with a pre-acquired signing key.
• Audits configuration changes. To conform to the Common Criteria requirements, all
configuration changes of the Online Responder can be audited. For more information about
audit settings, see Configuring the Online Responder.
Revocation Configuration
A revocation configuration is a set of definitions that configure the Online Responder service to
respond to a certificate status request for a specific CA. Every Online Responder can have one or
more revocation configurations. Revocation configurations include:
• CA certificate
• Signing certificate for OCSP responses
• Revocation provider–specific configuration
Revocation Providers
Revocation providers are the components that are responsible for retrieving and caching
revocation information that is used by the Online Responder service. When the Online Responder
service receives an OCSP request, it first locates the revocation configuration, which is
configured to provide revocation information for the CA that issued the certificate in question.
After located, the Online Responder service extracts the certificate serial number and searches a
local CRL. (For more information about the local CRL, see Managing revocation configurations.)
If no relevant information is found, the Online Responder service sends the serial number to the
revocation provider, which is used by that revocation configuration. The provider, in turn, returns
the status of the certificate to the Online Responder service.
Although the revocation providers were designed for extensibility to allow custom providers to be
developed and used by the Online Responder, the Windows Server 2008 Online Responder
provides only a default CRL-based revocation provider and does not allow new providers to be
added.
12
Exploring Online Responder Deployment Models
When deploying the Online Responder, different deployment models should be considered for
scalability, high availability, and security reasons.
13
In diagram 1 of Figure 3, the Online Responder is located in a protected local area network
(LAN), while all requests are redirected by an authenticated server that is running IIS, which is
located in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
The advantage of such a deployment model is that the firewall configuration requires only pass-
through for port 80 between IIS and the Online Responder. Similar results can be achieved by
using the reverse-proxy capability of Microsoft Internet Security and Acceleration (ISA) Server as
demonstrated in diagram 2 of Figure 3. To configure ISA Server 2006 Web publishing rules, use
the following steps:
1. Open the Microsoft Internet Security and Acceleration Server 2006 snap-in. Right-click the
Firewall Policy node, point to New, and click Web Site Publishing Rule.
2. Enter a name for the new rule, and click Next.
3. Verify that Allow is selected, and click Next.
4. If you are targeting a single server or a Network Load Balancing (NLB) cluster, click Publish
a single Web site or load balancer. If you are using ISA Server as the load balancer for an
Online Responder Array, click Publish a server farm of load balanced Web servers. Click
Next.
5. Click Use non-secured connections to connect the published Web server or server
farm, and click Next.
Note
SSL should not be used with OCSP.
14
6. Type the name that clients use to connect to the Online Responder. This is either the
computer name of the server running ISA Server or a DNS alias that is set up to point to the
server running ISA Server.
7. To limit the publishing rule to only forward OCSP requests, type ocsp/* in the Path box.
8. If you are using ISA Server as the load balancer, either select an existing server farm or
create a new server farm.
9. To create a new server farm, click New to start the New Server Farm Wizard. Enter a name
for the new server farm, and click Next.
10. Click Add to add servers by name or IP address.
11. Leave the default connectivity monitoring settings, and click Next.
12. Click Finish to close the wizard.
13. In the Public name box, enter the fully qualified domain name (FQDN) or IP address to be
used for the Online Responder.
14. In the Web listener list, click a Web listener. If a Web listener is not already set up, click New
to start the New Web Listener Wizard.
15. Enter a name for the Web listener, and click Next.
16. Click Do not require SSL secured connections with clients.
Note
SSL should not be used with OCSP.
17. Select the All Networks (and Local Host) check box to allow all network computers to
connect to the Online Responder service, and click Next.
18. In the Select how clients will provide credentials to ISA Server list, click No
Authentication, and then click Next.
Note
The Online Responder service is meant for anonymous access.
19. Click Next.
Note
Since no authentication settings are provided, there are no single sign-on settings to
configure.
20. Click Finish to close the wizard.
21. On the Select Web Listener page, click Next.
22. On the Authentication Delegation page, click Next.
23. On the User Sets page, click Next.
24. Click Finish to close the wizard.
25. After the wizard is finished, click Apply to enable the new policy.
15
26. After the rules are applied, click OK to close the dialog box.
16
2. If the Online Responder is being installed on a computer without any other AD CS role
services, click Add roles on the main page.
Note
If the Online Responder is installed on a computer where the CA or one of its
components is already installed, select the Active Directory Certificate Services node
in the left pane, and then click Add role services on the main page.
3. On the Select Server Roles page of the Add Roles Wizard (Figure 5), select the Active
Directory Certificate Services check box, and then click Next.
Figure 5: Select Server Roles
17
4. On the Select Role Services page (Figure 6), select the Online Certificate Status Protocol
check box.
Figure 6: Select Role Services
18
Because the Online Responder requires IIS, you are prompted to install IIS role services
(Figure 7). The following IIS features are required for the Online Responder to operate
properly:
Web Server
Common HTTP Features
• Static Content
• Default Document
• Directory Browsing
• Http Errors
• Http Redirection
Application Development
• .NET Extensibility
• ISAPI Extensions
Health and Diagnostics
• Http Logging
• Logging Tools
• Request Monitor
19
• Tracing
Security
• Request Filtering
Performance
• Static Content Compression
Management Tools
• IIS Management Console
• IIS 6 Management Compatibility
• IIS Metabase Compatibility
5. Click Add Required Role Services to install the required IIS services, and click Next.
Figure 7: Add Required Role Services
6. The next two steps allow selecting the role services for the Web server (IIS). Click Next
twice.
7. On the Confirm Installation Options page (Figure 8), click Install.
Figure 8: Confirm Installation Options
20
Note
The IIS installation process might take a long time to complete.
Figure 9: Installation Progress
21
8. When the installation is complete, the status of the installation process is displayed on the
Installation Results page.
Figure 10: Installation Results
22
9. Click Close.
As part of the setup process, a virtual directory named OCSP is created in IIS, and the ISAPI
extension used as the Web proxy is registered. You can manually register or un-register the Web
proxy by using either of the following commands:
certutil –vocsproot
23
Configuring the CAs
You must configure the CAs to include the Online Responder's URL as part of the authority
information access extension of issued certificates. This URL is used by the OCSP client to
validate the certificate status.
24
4. In the Add Location dialog box (Figure 12), type the full URL of the Online Responder,
which should be in the following form: http://<DNSServerName>/<vDir>
Note
When installing the Online Responder, the default virtual directory used in IIS is
OCSP.
Figure 12: Add Location dialog box
25
5. Click OK.
6. Select the location from the Location list.
7. Select the Include in the AIA extension of issued certificates and Include in the
online certificate status protocol (OCSP) extension check boxes, and then click OK.
Note
In Windows Server 2008, a version 3 template is introduced. The new template version
allows advanced cryptography support in addition to other enhancements. For more
26
information, see Windows Server 2008 CA Enhancements
(http://go.microsoft.com/fwlink/?LinkID=83212).
Configuring the OCSP Response Signing certificate template when using a Windows
Server 2008–based CA
In Windows Server 2008, a new certificate template is added to the available templates in Active
Directory Domain Services (AD DS). The new template, named OCSP Response Signing, is a
version 3 template preconfigured with the required extensions and attributes listed previously. No
modifications are required to the template or to the CA.
Figure 13 illustrates the flow that determines the behavior of the policy module in Windows
Server 2008 when processing a request for the OCSP Response Signing certificate.
Figure 13: OCSP Response Signing Certificate Request Processing
27
nocheck extension. If either the EDITF_ENABLEOCSPREVNOCHECK flag is enabled or the
template includes the CT_FLAG_ADDREVNOCHECK flag, the policy module will search for an
OCSP Signing EKU in the request and in the template. If both conditions are met, the policy
module will add the id-pkix-ocsp-nocheck extension and will remove the authority information
access and CRL distribution point extensions from the certificate. This flow allows the Windows
Server 2008–based CA to issue an OCSP Response Signing certificate from an enterprise CA as
well as from a stand-alone CA.
If an enterprise CA is used, no additional configuration is required except for enabling the CA to
issue certificates based on the OCSP Response Signing template. If a stand-alone CA is used,
the following commands should be used to enable or disable the
EDITF_ENABLEOCSPREVNOCHECK flag on the CA.
To enable the flag, run the following command:
certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
After enabling or disabling the flag, the CA should be restarted for the changes to take effect.
Configuring the OCSP Response Signing certificate template when using a Windows
Server 2003–based CA
One of the drawbacks of certificate templates is the inability to add custom extensions. This
introduces a problem creating and configuring the OCSP Response Signing template in Windows
Server 2003 and the ability to add the id-pkix-ocsp-nocheck extension. The following procedures
enable you to use the OCSP Response Signing template with a Windows Server 2003 CA.
To configure the certificate template for use with a Windows Server 2003 CA
1. Open the Certificate Templates snap-in.
Note
The snap-in must be opened from within Windows Server 2008. This is required
because only the new version of the snap-in supports the new version 3
templates and allows the duplication of version 3 templates.
2. Right-click the OCSP Response Signing template, and then click Duplicate. The
Duplicate Template dialog box (Figure 14) appears.
Figure 14: Duplicate Template dialog box
28
3. Click Windows 2003 Server, Enterprise Edition, and then click OK. This will create a
version 2 template, which can be issued by the Windows Server 2003–based CA and still
include the id-pkix-ocsp-nocheck extension.
Next, it is necessary to configure the CA to allow custom extensions to be included in certificate
requests.
To configure the template security settings to allow Online Responders to enroll for
signing certificates
1. Open the Certificate Templates snap-in.
2. Double-click the OCSP Response Signing template, and then click the Security tab.
3. Add the Online Responder computers to the Group or user names list.
4. To allow Online Responder computers to enroll for the OCSP Response Signing
29
certificate, select the Allow check box for the Read and Enroll permissions.
Note
The Autoenroll permission is not used by the Online Responder, which has a separate
implementation of autoenrollment that is explained in detail later in this document. The
default autoenrollment implementation limits a template to issuing one certificate per
client. By default, autoenrollment will renew only one of the signing certificates available
on the Online Responder computer and will archive the rest. In some cases,
autoenrollment will not use the original CA that issued the certificate for renewal. This is
not the behavior expected by the Online Responder, which requires renewal by the same
CA.
To configure the CA to issue certificates based on the newly created OCSP Response
Signing template
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates, click New, and then click Certificate Template to
Issue.
3. In the available templates list, click the OCSP Response Signing template, and then
click OK.
30
The following procedure is required only if a Windows Server 2003–based CA is used.
Note
The signing certificate should first be manually enrolled.
3. On the Actions menu, point to All Tasks, click Manage Private Keys, and then click
Add.
4. Type network service, and then click OK.
5. Verify that only the Read permission is allowed for the NETWORK SERVICE, and then
click OK.
6. Restart the Online Responder service by typing the following commands at a command
prompt:
net stop ocspsvc
31
To overcome this limitation, the Windows Server 2008–based CA was updated to allow the
renewal of OCSP Response Signing certificates by using existing keys. This feature is not
enabled by default. Use the following procedure to allow the renewal of OCSP Response Signing
certificates by using existing CA keys.
To allow the renewal of OCSP Response Signing certificates by using existing CA keys
1. On the CA computer, open a command prompt, and type:
certutil -setreg ca\UseDefinedCACertInRequest 1
2. Press ENTER.
3. Restart the CA service.
When using a Windows Server 2003–based CA, it is impossible to renew OCSP Response
Signing certificates after the CA certificate was renewed. To overcome this limitation, issue n
OCSP signing certificates for each Online Responder computer, where n = (the number of weeks
until the expiration date of the CA key)/2.
Note
This procedure must be performed before renewing the CA certificate.
Subject = "CN=testca,O=Contoso,OU=nt"
32
PrivateKeyArchive = FALSE
Exportable = TRUE
UserProtected = FALSE
MachineKeySet = TRUE
UseExistingKeySet = FALSE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
object identifer="1.3.6.1.5.5.7.3.9"
[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
After the enrollment process is complete, you must modify the ACL of the private key to allow the
Online Responder service to access the private key. For the required steps to configure private
key permissions, see Configuring the OCSP Response Signing certificate template.
33
5. Select the Allow service to interact with desktop check box, and click OK.
34
• Online Responder. This view provides general information about the Online Responder
configuration status and allows configuring of Online Responder properties.
• Revocation Configuration. This view allows adding, modifying, and deleting revocation
configurations. For more information about revocation configurations, see Managing
revocation configurations.
• Array Configuration. This view allows configuring, monitoring, and troubleshooting Online
Responder Array members. For more information about Array configurations, see Managing
Array members.
35
Audit settings
To comply with Common Criteria requirements for secure certificate issuance systems and to
provide a secure platform, certain event and configuration settings are logged to the Windows
security event log. The Online Responder allows the configuration of the following audit events
(Figure 18).
• Start/Stop the Online Responder Service. Every Start/Stop event of the Online Responder
service will be logged.
• Changes to the Online Responder configuration. All Online Responder configuration
changes, including audit settings changes, will be logged.
• Changes to the Online Responder security settings. All changes to the Online Responder
service request and management interfaces ACL will be logged.
• Requests submitted to the Online Responder. All requests processed by the Online
Responder service will be logged. This option can create a high load on the service and
should be evaluated on a case-by-case basis. Note that only requests that require a signing
36
operation by the Online Responder will generate audit events; requests for previously cached
responses will not be logged.
Figure 18: Audit settings
Audit events will be logged to the Windows security log only if the Audit object access policy is
enabled.
37
Security settings
The security settings for the Online Responder include two permission entries that can be set for
users and services to allow or deny access to the request and administration interfaces.
• Manage Online Responder. The Online Responder exposes a management interface
(IOCSPAdmin) that provides the ability to perform administrative tasks such as creating and
managing revocation configurations and to modify the Online Responder's global settings.
• Proxy Requests. The Online Responder exposes a request interface (IOCSPRequestD) that
allows the Online Responder Web proxy component to submit requests for certificate status
to the Online Responder service. This interface is not used by applications that submit the
OCSP request.
38
• Select a certificate for an existing enterprise CA. This option allows selecting the
CA certificate from the available CA certificates published in AD DS or by querying a
specific CA directly for its certificate. If this option is selected in step 4, the wizard will
prompt the user to select the CA certificate by browsing AD DS for published CAs or
for CA computer names (Figure 20). After identifying the CA certificate, you can verify
the certificate details by clicking the View Selected CA certificate link on the wizard
page.
Figure 20: Choose CA Certificate
39
• Select a certificate from the local certificate store. This option allows selecting a
CA certificate by browsing the certificate store on the current computer. If this option
is selected in step 4, the wizard will prompt the user to select the CA certificate by
browsing the local certificate store.
• Import certificate from a file. This option allows selecting a certificate file with a
*.cer extension. If this option is selected in step 4, the wizard will prompt the user to
select the CA certificate by browsing the file system for a certificate file with a *.cer
extension.
5. On the Select Signing Certificate page (Figure 21), the signing certificate must be
specified for each revocation configuration. The following options are available:
• Automatically select a signing certificate. If this option is selected, the Online
Responder will automatically search the Personal certificate store for the computer
hosting the Online Responder for a certificate that meets the following conditions:
• The certificate has an OCSP Signing EKU.
• The certificate was issued by the CA that was selected in step 4.
• The certificate is valid.
• The certificate has a matching private key.
40
The Auto-Enroll for an OCSP signing certificate check box allows configuring the
Online Responder to automatically enroll and renew OCSP Response Signing certificates
for the specified revocation configuration. If the CA that was selected in step 4 is
configured to issue the OCSP Response Signing template, this check box will be
selected and the Certification Authority and Certificate Template boxes will be filled in
automatically. Otherwise, the Auto-Enroll for an OCSP signing certificate check box
will not be selected.
Note
When the Online Responder's autoenrollment functionality is enabled, the enrolled
certificates will be stored in the certificate store for the Online Responder service and
not in the certificate store of the local computer. To view the current configuration
signing certificate, use the following steps:
1. Open the Certificates snap-in.
2. Click Service account, and click Next.
3. Click Local computer, and click Next.
4. Select the Online Responder service from the available services list, and click Finish.
5. The signing certificate for the current configuration can be found at the store named:
OCSPSVC\<configuration name>.
Note
The revocation provider will always look for a valid CRL and a delta CRL on the local
computer before trying to retrieve them from the network. If the Online Responder is
installed on the same computer as the CA, the values configured in the revocation
provider are ignored.
41
23) requires the certificate's serial number, the revocation reason, and the effective date for the
revocation.
Figure 23: Revoked Certificate Details dialog box
Revocation Provider. The Revocation Provider tab allows reconfiguring the revocation
provider for the specified revocation configuration. Clicking the Provider button will display the
same dialog box as in the Creating Revocation Configuration wizard.
Signing. The Signing tab (Figure 24) allows configuring the following response signing options:
• Hash algorithm. The hash algorithm to be used when signing the response.
• Do not prompt for credentials for cryptographic operations. If the signing key is strongly
protected by an additional password, selecting this option means the Online Responder will
not prompt the user for the password and will fail silently. Understanding this option is
important when using HSMs to store the OCSP signing key. If using an HSM and this option
is selected, CryptoAPI is instructed not to show the PIN dialog box for accessing the private
key, and the signing operation will fail. If this option is not selected, the PIN dialog box will be
displayed the first time the configuration is loaded, which can occur when the service starts or
when the revocation configuration is loaded for the first time.
Note
Do not select this option if HSM is used to protect private keys.
• Automatically use renewed signing certificates. This option instructs the Online
Responder to automatically use renewed signing certificates without asking the Online
Responder administrator to manually assign them.
• Allow Nonce requests. This option instructs the Online Responder to inspect and process
an OCSP request nonce extension. If a nonce extension is included in the OCSP request and
this option is selected, the Online Responder will ignore any cached OCSP response and will
create a new response that includes the nonce provided in the request. If this option is
disabled and a request that includes a nonce extension is received, the Online Responder
will reject the request with an "unauthorized" error.
42
Note
The Microsoft OCSP client does not support the nonce extension.
• Use any valid OCSP signing certificate. By default the Online Responder will only use
signing certificates that are issued by the same CA that issued that certificate being validated.
This option allows modifying the default behavior and instructs the Online Responder to use
any valid existing certificate that includes the OCSP Signing EKU extension.
Note
Windows Vista does not support this deployment model and will fail if this option is
selected.
• Online Responder Identifiers. This option is used to select whether to include the key hash
or the subject of the signing certificate in the response. This is required per RFC 2560.
Figure 24: Revocation Configuration dialog box, Signing tab
43
Managing Array members
To manage global settings and revocation configurations on multiple Online Responder
computers, the concept of "Array" is introduced. An Array is defined as one or more computers
that have the Online Responder service installed, logically grouped and managed by the Online
Responder snap-in. All computers that are members of an Array will have the same global
settings and the same revocation configurations. For each Array, one member is defined as the
Array controller; the role of the Array controller is to help resolve synchronization conflicts and to
apply updated revocation configuration information to all Array members.
When you first open the Online Responder snap-in, you will see that one Array member already
exists in the console tree. This member is the Array controller, which is the local computer by
default.
44
To manually assign a signing certificate
1. Select an Array member node.
2. Select the revocation configuration to assign a signing certificate to.
3. On the Action menu or in the Actions pane, click Assign Signing Certificate.
4. Select a signing certificate from the available signing certificates list, and then click OK.
Note
The Assign Signing Certificate operation should be used only when Manually select a
signing certificate was selected during the creation of a revocation configuration.
45
As described in "Renewing OCSP Response Signing certificates," backing up OCSP signing keys
is required only when using the Online Responder with a Windows Server 2003–based CA. Since
OCSP signing keys are unique to each revocation configuration of each Online Responder
computer, all signing keys available need to be backed up for each Online Responder computer.
To back up the Online Responder signing keys, you should perform a full system state backup.
46
Event ID 21
Event Name MSG_E_EXCEPTION
Event Source OnlineResponder or OCSPSvc
Description This event indicates an internal problem with the Online Responder service. Call
Microsoft Customer Service and Support to report the issue.
Diagnostics N/A
Resolve N/A
Event 0xC25A0016 - The Online Responder Service did not process a request from %1. The
request was very long, which can be caused by a denial-of-service attack. If the request was
rejected in error, modify the MaxIncomingMessageSize property for the service. Unless verbose
logging is enabled, this error will not be logged again for 20 minutes.
Event ID 22
Event Name MSG_E_POSSIBLE_DENIAL_OF_SERVICE_ATTACK
Event Source OnlineResponder or OCSPSvc
Description N/A
Diagnostics N/A
Resolve It is recommended that the originator of the request is located as this type of event might
point to a malicious user or application trying to compromise the Online Responder.
The MaxIncomingMessageSize value can be modified by creating a new registry DWORD value
under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder
registry hive and setting the value to the maximum number of bytes you would like the Online
Responder to be able to process.
Event 0xC25A0017 - The Online Responder Service could not locate a signing certificate for
configuration %1(CAConfigurationID).(%2) (Error Message).
Event ID 23
Event Name MSG_E_CACONFIG_MISSING_SIGNINGCERT
Event Source OnlineResponder or OCSPSvc
Description This event occurs when the Online Responder service encounters a problem either
locating or loading a specific configuration's signing certificate.
Diagnostics The following reasons might cause this event:
• The OCSP Response Signing certificate is not present in the Personal certificate store for the
computer.
For AutoEnroll configurations in which the Online Responder service itself enrolls for its
certificate, this means that there may have been a problem with enrolling or installing the
signing certificate. Check the event log for additional errors or warnings that may be related
to this error. Then, check the status of the OCSP Response Signing certificate.
47
Note
If the revocation configuration is set up for automatic enrollment and renewal of the
OCSP Response Signing certificate, the signing certificate is located within the Online
Responder service account's certificate store. To view it, open MMC and add the
Certificates snap-in for "Service account" on the Online Responder computer, selecting
the "Online Responder Service" account. The certificate will be in the certificate store
under the node labeled with the revocation configuration name.
If the revocation configuration is set up for manual enrollment and renewal of the OCSP
Response Signing certificate, locate the signing certificate within the Online Responder
computer's Personal certificate store for the local computer. Open the Certificates snap-in for the
computer and locate the signing certificate in the Personal certificate store.
Resolve
1. If an OCSP Response Signing certificate is not present in the Personal certificate store for
the local computer, and the revocation is configured for manual OCSP Response Signing
certificate enrollment, you should enroll for a certificate manually.
2. For configurations in which the Online Responder service itself enrolls for its certificate,
manual enrollment will not work and you should check the event log for additional errors or
warnings related to a failure to enroll or install the OCSP Response Signing certificate. If no
additional information is available, verify the following:
a. Verify that the computer on which the Online Responder service is running has
connectivity to a CA. Use the Certification Authority snap-in on the CA to verify that the
CA is configured to issue certificates based on the OCSP Response Signing template.
b. Use the Certificate Templates snap-in to verify that the computer running the Online
Responder has Read and Enroll permissions on the OCSP Response Signing template.
3. If a valid OCSP Response Signing certificate exists, ensure that the Online Responder
service has access to the private key. By default, the Online Responder service runs as
Network Service, so the private key must be accessible by this user context. If the OCSP
Response Signing certificate private key is not accessible to Network Service, follow the
steps in "Enrolling for an OCSP Response Signing certificate" in the Configuring the OCSP
Response Signing certificate template section to correct the problem.
4. If the OCSP Response Signing certificate is not valid for signature purposes, ensure that you
enroll for a certificate that includes the id-kp-OCSPSigning EKU, labeled "OCSP Signing
(1.3.6.1.5.5.7.3.9)."
Event 0x825A0019 - The signing certificate for Online Responder configuration %1 will expire
soon.
Event ID 25
Event Name MSG_W_CACONFIG_SIGNINGCERT_EXPIRING
Event Source OnlineResponder or OCSPSvc
48
Description The signing certificate for the specified configuration is about to expire. Specifically,
if the Online Responder has been configured so that it can automatically enroll for signing
certificates, the certificate has entered the period in which it can be automatically re-enrolled. For
manual configurations, this means that the period when renewal reminders are triggered has
begun.
Diagnostics Review the expiration date of the specified certificate.
Locate the signing certificate as specified in the guidance for Online Responder event 23 above,
and note the Valid to field.
If the revocation configuration is set up for automatic enrollment of the OCSP Response Signing
certificate, further action may not be required. Check the expiration date on the certificate to
ensure you will have adequate time to verify when automatic re-enrollment has occurred.
Resolve For manual configurations, renew the signing certificate. To do this, right-click the
certificate, and click Renew Certificate with New Key to start the Certificate Renewal Wizard.
Note
The reminder duration is a responder-wide property, expressed as a percentage of the
certificate lifetime. The default value is 90 percent, but this value can be modified by
adding a DWORD registry key named ReminderDuration under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OcspSvc\Responder\
%Revocation Configuration Name\
Enter a value between 1 and 100 to indicate the desired percentage. You must stop and restart
the Online Responder service in order for the new value to take effect.
Event 0xC25A001A - The signing certificate for Online Responder configuration %1 has expired.
OCSP requests for this configuration will be rejected.
Event ID 26
Event Name MSG_E_CACONFIG_SIGNINGCERT_EXPIRED
Event Source OnlineResponder or OCSPSvc
Description The signing certificate for the specified configuration has expired.
Diagnostics Review the expiration date of the specified certificate.
• If the revocation configuration is set up for automatic enrollment of the OCSP Response
Signing certificate, there may have been a problem with the automatic re-enrollment. Locate
the signing certificate within the Online Responder service account's certificate store as
specified in the guidance for Online Responder event 23 above. If the certificate has expired,
check the event log for additional errors or warnings related to a failure to enroll or to install
the OCSP Response Signing certificate automatically. If no other information is available,
verify the following:
a. Verify that the computer on which the Online Responder service is running has
connectivity to a CA. Use the Certification Authority snap-in on the CA to verify that the
CA is configured to issue certificates based on the OCSP Response Signing template.
49
b. Use the Certificate Templates snap-in to verify that the computer running the Online
Responder has Read and Enroll permissions on the OCSP Response Signing template.
• If the revocation configuration is set up for manual enrollment of the OCSP Response Signing
certificate, locate the signing certificate within the Online Responder computer's local
computer Personal certificate store, as specified in the guidance for Online Responder event
23 above.
Resolve For manual configurations, renew the signing certificate. To do this, right-click the
certificate, and click Renew Certificate with New Key to start the Certificate Renewal Wizard.
Event 0x825A001B - The signing certificate for Online Responder configuration %1 was not
updated.(%2) (Error Message).
Event ID 27
Event Name MSG_W_CACONFIG_UPDATE_THREAD_FAILED
Event Source OnlineResponder or OCSPSvc
Description This event can occur if the Online Responder service cannot update the signing
certificate in case of renewal.
Diagnostics This should happen only in the case of the system running out of resources.
Resolve If not enough system resources are available for the Online Responder to operate
normally, first restart the Online Responder service and then restart the computer or free system
resources. If the error persists, call Microsoft Customer Service and Support.
Event 0xC25A001D - Settings for Online Responder configuration %1 cannot be loaded. OCSP
requests for this configuration will be rejected (%2) (Error Message).
Event ID 29
Event Name MSG_E_CACONFIG_FAILTOLOAD
Event Source OnlineResponder or OCSPSvc
Description This event can occur if a revocation configuration is corrupted and cannot be loaded.
Diagnostics N/A
Resolve Follow these steps to resolve the problem:
1. Try to delete the revocation configuration through the Online Responder snap-in.
2. Re-create the specified revocation configuration.
If the configuration cannot be loaded through the Online Responder snap-in, follow these steps:
1. Navigate to the following registry hive:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder
2. Locate and delete the corrupted revocation configuration.
Note
If you are encountering this problem on an Array member, you should delete the
corrupted configuration from the Array member and then synchronize the Array to re-
50
create the revocation configuration. If you are encountering this problem on an Array
controller, temporarily set another computer as the Array controller, synchronize the
Array, and then reset the original computer to be the Array controller.
Event 0x825A001F - Performance counters for the Online Responder Service cannot be
initialized.
Event ID 31
Event Name MSG_W_PERF_COUNTER_INIT_ERROR
Event Source OnlineResponder or OCSPSvc
Description This event indicates an internal problem with the Online Responder service.
Diagnostics The computer hosting the Online Responder may be running low on memory.
Resolve Open a Windows Performance console window (Perfmon.exe) on the Online Responder
computer to evaluate system memory usage. If necessary, resolve resource issues by adding
physical or virtual memory, or adjusting memory allocation and hard disk use.
Use the Services snap-in to stop and restart the Online Responder service.
If the error persists, call Microsoft Customer Service and Support to report the issue.
Event The Online Responder Service failed to create an enrollment request for the signing
certificate template %2 for configuration %1 (%3) (Error Message).
Event ID 33
Event Name MSG_E_CACONFIG_CREATE_ENROLLMENT_REQUEST_FAILED
Event Source OnlineResponder or OCSPSvc
Description The Online Responder service tried to enroll or re-enroll for a signing certificate and
encountered an error while generating the certificate request. The error occurred before the
request could be submitted to a CA.
Diagnostics Check the event for the names of the certificate template for which the enrollment
request was attempted, as well as the error message. Check for other errors either before or after
this event in the event log that may provide more information.
Resolve Resolution will depend upon the error message and any other errors or warnings
logged.
Event The Online Responder Service encountered an error while submitting the enrollment
request for configuration %1 to certification authority %2. The request ID is %3 (%4) (Error
Message).
Event ID 34
Event Name MSG_E_CACONFIG_SUBMIT_ENROLLMENT_REQUEST_FAILED
Event Source OnlineResponder or OCSPSvc
Description The Online Responder service tried to enroll or re-enroll for a signing certificate and
encountered an error while submitting the certificate request to the CA.
51
Diagnostics The event description should contain more information about the cause of the error,
including the error message and the failed CA request ID, if one was returned.
Verify that the computer on which the Online Responder service is running has connectivity to a
CA. Use the Certification Authority snap-in on the CA to verify that the CA is configured to issue
certificates based on the OCSP Response Signing template.
Use the Certificate Templates snap-in to verify that the computer running the Online Responder
has Read and Enroll permissions on the OCSP Response Signing template.
In addition, the request ID provided as part of the error message can be used on the CA
computer to further diagnose the cause of the error.
Resolve After any permissions errors or other errors have been resolved, start a new enrollment
by using the Services snap-in to restart the Online Responder service on each Array member, or
alternatively by right-clicking Array Configuration in the Online Responder snap-in and clicking
Refresh Revocation Data.
If the error persists, check the event log on the CA for any other events related to enrollment
failures. Resolve any issues related to processing requests for OCSP Response Signing
certificates, and then restart the Online Responder service to reattempt the request.
Event The Online Responder Service failed to install the enrollment response for configuration
%1 for the signing certificate template %2. The request ID is %3 (%4) (Error Message).
Event ID 35
Event Name MSG_E_CACONFIG_INSTALL_ENROLLMENT_RESPONSE_FAILED
Event Source OnlineResponder or OCSPSvc
Description The Online Responder service was able to submit an enrollment request for a
signing certificate to a CA, but an error occurred while the response to the request was being
processed.
Diagnostics Check the event description to verify the name of the CA, the certificate template for
which the enrollment request was attempted, the request ID for the CA, and the error message.
In the Online Responder snap-in, right-click the revocation configuration, and then click View CA
Certificate. Verify that the CA certificate for which the revocation configuration is configured to
issue OCSP responses was used to sign the enrollment or renewal request. If the same CA
certificate was not used, update the OCSP configuration to use the correct CA certificate.
In the Online Responder snap-in, right-click the revocation configuration and click Edit
Properties. Click the Signing tab. If the Use any valid OCSP signing certificate check box is
selected, use the Certificates snap-in to ensure the CA certificate is in a root store or intermediate
store.
Resolve If you have updated the OCSP configuration to use the correct CA certificate, the OCSP
Response Signing certificate request and installation should be completed as part of that process.
Event 0xC25A0011 - The Online Responder web proxy failed to Initialize. %1 (Error Message).
Event ID 17
52
Event Name MSG_E_FAILED_TO_INITIALIZE
Event Source OnlineResponderWebProxy or OCSPISAPIExtension
Description The ISAPI extension failed to initialize because of an internal error.
Diagnostics The following reasons might cause the ISAPI extension to fail to initialize:
• The Online Responder service (ocspsvc.exe) is stopped.
• The DCOM security configuration for the IOCSPAdmin interface is incorrect, causing the
ISAPI to fail updating Web proxy information.
• Online Responder–wide configuration properties may be corrupt.
Resolve Follow these steps to resolve the problem.
1. Ensure that the ocspsvc.exe service is running.
2. Using the Dcomcnfg command-line tool, ensure that the Network Service has Activate
permissions for the IOCSPAdmin interface.
3. If you suspect the Online Responder–wide configuration properties are corrupt, uninstall and
re-install the Online Responder service, or follow the guidance for Online Responder event
29 above to delete and refresh the configuration via the registry or synchronization with other
Array members.
Event 0x425A0014 - Online Responder Service detected an invalid configuration for the %1
property. The value was changed from %2(ExistingValue) to %3 (AdjustedValue).
Event ID 20
Event Name MSG_I_ADJUST_PROPERTY_VALUES
Event Source OnlineResponderWebProxy or OCSPISAPIExtension
Description This event indicates that configuration values are not in the permitted range. This
can occur if the registry was manually modified.
Diagnostics N/A
Resolve Follow these steps to resolve the problem:
1. For Array members, either synchronize with the Array controller or reinstall the Online
Responder service.
2. For Array controllers, temporarily set another member as the Array controller, synchronize
the configuration, and then reset the original member as the Array controller. Otherwise,
reinstall the Online Responder service.
Event 0xC25D0010 - For configuration %1, Online Responder revocation provider failed to
update the CRL Information: %2. (Error Message).
Event ID 16
Event Name MSG_E_CRL_RETRIEVAL_FAILED
Event Source OnlineResponderRevocationProvider or OCSPRevInfoProvider
53
Description The Online Responder service could not retrieve a CRL required for the specified
revocation configuration.
Diagnostics Follow these steps to diagnose the problem:
1. Use the Online Responder snap-in to verify that the URLs configured for base and delta CRL
distribution points are valid.
a. Open the Online Responder snap-in. In the console tree, select the revocation
configuration node. In the details pane, right-click the revocation configuration specified in
the event description, and then click Edit Properties. Click the Revocation Provider
tab, and then click Provider.
b. Note the URLs configured in the Base CRL URLs and Delta CRL URLs lists. Using
network tools, verify that these URLs are accessible by the computer running the Online
Responder and that they contain CRL files.
2. Use the Certification Authority snap-in to verify the URLs to which the CA will publish base
and delta CRLs.
a. Open the Certification Authority snap-in, right-click the relevant CA, and then click
Properties. Click the Extensions tab, and note the URLs entered for the CRL
Distribution Point (CDP) extension.
b. Note the URLs for which the Publish CRLs to this location or Publish Delta CRLs to
this location check boxes are selected. Verify that these map to the same network
locations configured as base and delta CRLs in the Online Responder snap-in.
3. On the computer to which the base CRL is published, examine the Freshest CRL extension
for the base CRL. Verify that this identifies a location where the delta CRL can be found.
a. Republish the current CRL, if necessary, by typing the following command at a command
prompt:
certutil -crl
b. Then, verify that Online Responder service can access the CRL. From the Online
Responder snap-in, right-click Array Configuration, and click Refresh Revocation
Data.
4. If the error persists, enable CryptoAPI 2.0 Diagnostics for more information.
To learn how to enable CryptoAPI 2.0 Diagnostics and understand the CryptoAPI diagnostics
information, see Enabling CryptoAPI 2.0 Diagnostics.
Resolve Depending on the results from the troubleshooting steps above and enabling CryptoAPI
2.0 Diagnostics, ensure that the CA publishes CRLs correctly and that they are available to the
Online Responder service.
Event 0xC25D0011 - For configuration %1, Online Responder revocation provider either has no
CRL information or has stale CRL information.
Event ID 17
54
Event Name MSG_E_INVALID_CRL
Event Source OnlineResponderRevocationProvider or OCSPRevInfoProvider
Description The Online Responder service could not retrieve a CRL required for the specified
revocation configuration.
Diagnostics See diagnostics for event 16 above.
To learn how to enable CryptoAPI 2.0 Diagnostics and understand the CryptoAPI diagnostics
information, see Enabling CryptoAPI 2.0 Diagnostics.
Resolve Depending on the results from the troubleshooting steps above and enabling CryptoAPI
2.0 Diagnostics, ensure that the CA publishes CRLs correctly and that they are available to the
Online Responder service.
Event 0xC25D0012 - For configuration %1, Online Responder revocation provider found a delta
CRL referring to a newer Base CRL.
Event ID 18
Event Name MSG_E_MISMATCHED_BASE_DELTA_CRL
Event Source OnlineResponderRevocationProvider or OCSPRevInfoProvider
Description This event indicates that the delta CRL and the base CRLs do not match. The
Online Responder service downloaded a delta CRL containing updates to a base CRL that
cannot be found. A delta CRL cannot be used without a corresponding base CRL; therefore, the
delta CRL is not valid.
Diagnostics The following reasons might cause this event:
• The CA has failed to publish the base CRL but published the delta CRL correctly.
• The Online Responder service could not retrieve the base CRL but could retrieve the delta
CRL.
Use the following steps to diagnose the problem:
1. Use the Online Responder snap-in to check the URLs for the base and delta CRLs. Follow
the steps outlined in event 16 above to make sure the CA and Online Responder URLs are
configured correctly for base and delta CRL publishing and retrieval.
2. Use the Certificates snap-in for the Online Revocation service account on the Online
Responder computer to locate the current delta CRL. Check the BaseCRLNumber specified
in the "delta CRL indicator" extension of the delta CRL. This number should reference the
version number of a published base CRL.
3. If this number does not match the version number of a published base CRL, republish both
the base and delta CRLs by typing the following command at a command prompt:
certutil –crl
4. Retrieve updated CRL data on the Online Responder. Either restart the Online Responder
service on each Array member or right-click Array Configuration in the Online Responder
55
snap-in and click Refresh Revocation Data. Then verify that the base and delta CRLs
match.
Note
If the problem persists, you can enable CryptoAPI 2.0 Diagnostics to diagnose the root of
the problem. For more information, see Enabling CryptoAPI 2.0 Diagnostics.
Resolve Depending on the results from the troubleshooting steps above and enabling CryptoAPI
2.0 Diagnostics, ensure that the CA publishes CRLs correctly and that they are available to the
Online Responder service.
Message Offline
Description Offline status of an Array member means that the member could not be contacted to
retrieve the Online Responder properties or revocation configuration information.
Diagnose N/A
Resolve Follow these steps to resolve the problem:
1. Ensure that the Array member computer is running.
2. Ensure that the Online Responder service (ocspsvc.exe) is running on the Array member
computer.
3. Check network connectivity to the Array member by using the Ping command-line tool.
4. Using the Dcomcnfg command-line tool, validate that the current user has the proper
permissions to the IOCSPAdmin interface.
Message Responder Properties not present on Array Controller.
Description This error can occur if Online Responder settings were deleted from the Array
controller and the current user does not have the necessary permissions to update the registry.
Diagnose N/A
Resolve A user with permissions to manage the Online Responder should open the Online
Responder snap-in. This will allow the synchronization engine to re-synchronize the properties
and revocation configurations of the Array.
Message Responder Properties are not synchronized.
Description This message is displayed if an Array member was offline while a revocation
configuration or Online Responder properties were changed.
56
Diagnose N/A
Resolve A user with permissions to manage the Online Responder should open the Online
Responder snap-in. This will allow the synchronization engine to re-synchronize the properties
and revocation configurations of the Array.
Message Online
Description The Array member is functional.
Diagnose N/A
Resolve N/A
Message Status Unknown
Description Unknown Array member status is displayed if the Array controller is offline and the
Array member's properties or revocation configuration information cannot be evaluated. Note that
it does not necessarily mean that the Array member is not functional.
Diagnose N/A
Resolve Follow these steps to resolve the problem:
1. Ensure that the Array controller computer is running.
2. Ensure that the Online Responder service (ocspsvc.exe) is running on the Array controller
computer.
3. Check network connectivity to the Array controller by using the Ping command-line tool.
4. Using the Dcomcnfg command-line tool, validate that the current user has the proper
permissions to the IOCSPAdmin interface.
Message Array Controller Name on Member is Incorrect.
Description This situation can occur if a new Array controller was assigned to the Array and the
security settings to the entire Array were modified while the Array member was offline.
Diagnose Follow this step to diagnose the problem:
• Validate that the current user has permissions to the IOCSPAdmin interface.
Resolve A user with permissions to manage the Online Responder should open the Online
Responder snap-in. This will allow the synchronization engine to re-synchronize the properties
and revocation configurations of the Array. Right-click Array Configuration, and click
Synchronize Members with Array Controller to resynchronize the Online Responder's
configuration data to all Array members.
Message Array Member Name(s) on Member is Incorrect.
Description This situation can occur if a new Array member was added to the Array and the
security settings to the entire Array were modified while the Array member was offline.
Diagnose Follow this step to diagnose the problem:
• Validate that the current user has permissions to the IOCSPAdmin interface.
57
Resolve A user with permissions to manage the Online Responder should start the Online
Responder snap-in. This will allow the synchronization engine to re-synchronize the properties
and revocation configurations of the Array. Use the Synchronize members with array
controller action of the Array node to resynchronize the Online Responder's configuration data to
all Array members.
58
Resolve If the Array member is online and available, use the Synchronize members with array
controller action of the Array node to resynchronize the Online Responder's configuration data to
all Array members.
Message Working
Description "Working" status means that the revocation configuration is functioning as expected.
Diagnose N/A
Resolve N/A
Message Bad signing certificate on Array Controller.
Description This message occurs when the Online Responder service encounters a problem
either locating or loading a specific configuration's signing certificate.
Diagnose For diagnostics steps, see event 23 above.
Resolve For resolution steps, see event 23 above.
Message Bad signing certificate on member(s).
Description This message occurs when the Online Responder service encounters a problem
either locating or loading a specific configuration's signing certificate.
Diagnose For diagnostics steps, see event 23 above.
Resolve For resolution steps, see event 23 above.
Message Signing certificate status is not yet available for the Array Controller.
Description This message indicates that a signing certificate is not available for the specified
revocation configuration.
Diagnose This message can appear after creating or renaming a revocation configuration or after
changing signing properties.
Resolve Refresh the information in the Online Responder snap-in by clicking Refresh in the
Actions pane.
Message Signing certificate status is not yet available for member(s).
Description This message indicates that a signing certificate is not available for the specified
revocation configuration.
Diagnose This message can appear after creating or renaming a revocation configuration or after
changing signing properties.
Resolve Refresh the start page by clicking Refresh in the Actions pane.
Message Revocation provider is not working on the Array Controller.
Description This message indicates that a revocation provider is incorrectly configured on the
Array controller.
Diagnose N/A
Resolve Follow these steps to resolve the problem:
1. Open the revocation provider properties for the specified revocation configuration.
59
2. Validate that all parameters are correct and within the permitted value range.
Message OCSP signing templates could not be retrieved. %(ErrorMessage).
Description This message indicates that the Online Responder service was not able to retrieve a
list of certificate templates able to issue OCSP Response Signing certificates. Because of this,
the Online Responder service is not able to enroll for a signing certificate.
Diagnose Follow these steps to diagnose the problem:
1. Verify that the computer on which the Online Responder service is running has connectivity
to a CA. Use the Certification Authority snap-in on the CA to verify that the CA is configured
to issue certificates based on the OCSP Response Signing template.
2. Use the Certificate Templates snap-in to verify that the computer running the Online
Responder has Read, Enroll, and Autoenroll permissions on the OCSP Response Signing
template.
Resolve Follow these steps to resolve the problem:
1. Configure the CA to issue certificates based on the OCSP Response Signing template.
2. Use the Certificate Templates snap-in to grant the computer running the Online Responder
Read, Enroll, and Autoenroll permissions on the OCSP Response Signing template.
Note
Event Viewer is an MMC snap-in and you need administrative privileges to
access it.
2. In the Event Viewer, navigate to Application Logs, Microsoft, Windows, and then
CryptoAPI 2.0 for the CryptoAPI 2.0 channel.
60
3. Right-click Operational, and then click Log Properties.
4. Select the Enable Logging check box. This enables CryptoAPI 2.0 Diagnostics logging.
5. To save the log to a file, right-click Operational, and then click Save Log File as.
You can save the log file in the .elf format (which can be opened by using the Event
Viewer) or in the standard .xml format.
6. If data is present in the logs before you reproduce the problem, it is recommended that
you clear the logs. This allows only the data relevant to the problem to be collected from
the saved logs. To clear the logs, right-click Operational, and then click Clear Log.
You can also enable logging and save the logs using the wevtutil.exe tool.
Additional Resources
• Internet X.509 Public Key Infrastructure – Certificate and Certificate Revocation List (CRL)
Profile (http://go.microsoft.com/fwlink/?LinkID=71066)
• RFC 2560, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol -
OCSP" (http://go.microsoft.com/fwlink/?LinkID=71068)
• The Internet Engineering Task Force (http://go.microsoft.com/fwlink/?LinkID=121)
• Windows Server 2008 CA Enhancements (http://go.microsoft.com/fwlink/?LinkID=83212)
61
Server Core Installation Option of Windows
Server 2008 Step-By-Step Guide
Microsoft Corporation
Published: October 2007
Author: Jaime Ondrusek
Abstract
This step-by-step guide provides the instructions you need to build a server in your test lab based
on the Server Core installation option of the Windows Server® 2008 operating system. This
includes installing and performing the initial configuration of the Server Core installation, installing
server roles or features, and managing a server that is running a Server Core installation.
1
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
2
Contents
Server Core Installation Option of Windows Server 2008 Step-By-Step Guide .............................. 5
What is a Server Core installation? .............................................................................................. 5
What’s new in the Server Core installation option? .................................................................. 5
Who should use this guide?...................................................................................................... 6
Benefits of a Server Core installation ....................................................................................... 6
In this guide............................................................................................................................... 6
Deploying a Server Core installation: Overview........................................................................... 6
Prerequisites for deploying a Server Core installation.............................................................. 7
Known issues for deploying a Server Core installation ............................................................ 7
Steps for manually installing a Server Core installation ........................................................... 7
Using an unattend file to install a Server Core installation ....................................................... 7
Configuring a Server Core installation: Overview ........................................................................ 8
Administrative credentials ......................................................................................................... 8
Known issues for configuring a Server Core installation .......................................................... 8
Steps for configuring a Server Core installation ....................................................................... 9
Installing a server role on a server running Server Core installation: Overview ........................ 11
Prerequisites for installing a server role on a server running Server Core installation........... 12
Known issues for installing a server role on a Server Core installation.................................. 12
Steps for installing a server role on a Server Core installation ............................................... 13
Available server roles .......................................................................................................... 13
DNS Server role .................................................................................................................. 13
DHCP Server role ................................................................................................................ 14
File Services role ................................................................................................................. 14
Print Services role ............................................................................................................... 15
Active Directory Lightweight Directory Services role........................................................... 16
Active Directory Domain Services role ................................................................................ 16
Streaming Media Services role ........................................................................................... 16
Web Server (IIS) role ........................................................................................................... 17
Installing Windows Features: Overview ..................................................................................... 17
Prerequisites for installing an optional feature on a server running a Server Core installation
............................................................................................................................................. 18
Known issues for installing an optional feature on a server running a Server Core installation
............................................................................................................................................. 18
Steps for installing an optional feature on a server running a Server Core installation.......... 19
Available optional features .................................................................................................. 19
Managing a Server Core installation: Overview ......................................................................... 20
Prerequisites for managing a server running Server Core installation ................................... 20
3
Known issues for managing a server running a Server Core installation ............................... 20
Steps for managing a Server Core installation ....................................................................... 22
Administering a Server Core installation .................................................................................... 25
Prerequisites for administering a Server Core installation ..................................................... 26
Known issues for administering a Server Core installation .................................................... 26
Steps for administering a Server Core installation ................................................................. 26
Configuration and installation .............................................................................................. 26
Networking and firewall ....................................................................................................... 29
Updates, error reporting, and feedback .............................................................................. 30
Services, processes, and performance ............................................................................... 31
Event logs ............................................................................................................................ 32
Disk and file system............................................................................................................. 33
Hardware ............................................................................................................................. 34
Logging bugs and feedback ....................................................................................................... 34
Additional references ................................................................................................................. 35
Appendix A: Sample Server Core installation - Unattend.xml ................................................... 37
4
Server Core Installation Option of Windows
Server 2008 Step-By-Step Guide
This step-by-step guide provides instructions for building a server in your test lab that is based on
the Server Core installation option of the Windows Server® 2008 operating system. It includes
information about installation, initial configuration, and managing a server that is running a Server
Core installation.
5
Who should use this guide?
The target audience for the Server Core installation option of Windows Server 2008 includes:
• IT planners and analysts who are technically evaluating the product.
• Enterprise IT planners and designers for organizations.
• IT professionals who are managing the AD DS, AD LDS, DHCP Server, DNS Server, File
Services, Print Services, Streaming Media Services, and Web Server (IIS) roles.
In this guide
• Deploying a Server Core installation: Overview
• Configuring a Server Core installation: Overview
• Installing a server role on a server running a Server Core installation: Overview
• Installing Windows Features: Overview
• Managing a Server Core installation: Overview
• Administering a Server Core installation
• Logging bugs and feedback
• Additional references
• Appendix A: Sample Server Core installation - Unattend.xml
6
Prerequisites for deploying a Server Core installation
To complete this task, you will need the following:
• The Windows Server 2008 installation media
• A valid product key
• A computer on which you can perform a clean Server Core installation
7
Manager.
2. Copy the Unattend.xml file to a local drive or shared network resource.
3. Boot your computer to Windows Preinstallation Environment (Windows PE), Windows
Server 2003, or Windows XP.
4. Insert the media disk with the Server Core installation of Windows Server 2008 Beta 3
into your hard disk drive. If the auto-run setup window appears, click Cancel.
5. At a command prompt, change to the drive that contains the installation media.
6. Type the following at a command prompt:
setup /unattend:<path>\unattend.xml
where path is the path to your Unattend.xml file.
7. Allow Setup to complete.
Note
Appendix A of this document contains a sample unattend file with comments that
explain the settings in the sample configuration. This sample can be modified for
use in your environment.
Note
You can use an unattended setup to configure these settings during installation. For more
information about unattended settings, see the Windows Automated Installation Kit
(Windows AIK) (http://go.microsoft.com/fwlink/?LinkId=81030).
Administrative credentials
If you are going to join a server running a Server Core installation to an existing Windows domain,
you need a user name and password for an account that has the administrative credentials to join
a computer to the domain.
8
• Because there is no Web browser, you cannot activate a Server Core installation or access
the Internet through a firewall that requires users to log on.
Note
A DHCP address is provided by default. You should perform this procedure only if you
need to set a static IP address.
• Joining a domain
• Activating the server
• Configuring the firewall
9
DefaultGateway is the default gateway
4. At the command prompt, type:
netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP>index=1
Where:
ID is the number from step 2 above
DNSIP is the IP address of your DNS server
5. Repeat step 4 for each DNS server that you want to set, incrementing the index=
number each time.
Notes
• If you set the static IP address on the wrong network adapter, you can change back to
using the DHCP address supplied by using the following command:
• netsh interface ipv4 set address name="<ID>" source=dhcp
• where ID is the number of the network adapter from Step 2.
To join a domain
1. At a command prompt, type:
netdom join <ComputerName> /domain:<DomainName> /userd:<UserName>
/passwordd:*
Where:
ComputerName is the name of the server that is running the Server Core installation.
DomainName is the name of the domain to join.
UserName is a domain user account with permission to join the domain.
2. When prompted to enter the password, type the password for the domain user account
specified by UserName.
3. If you need to add a domain user account to the local Administrators group, type the
following command:
net localgroup administrators /add <DomainName>\<UserName>
4. Restart the computer. You can do this by typing the following at a command prompt:
shutdown /r /t 0
10
To activate the server
• At a command prompt, type:
slmgr.vbs -ato
If activation is successful, no message will return in the command prompt.
Notes
• You can also activate by phone, using a KMS server, or remotely by typing the following
command at a command prompt of a computer that is running Windows Vista or
Windows Server 2008:
• cscript windows\system32\slmgr.vbs <ServerName> <UserName> <password>:-ato
Notes
• You can also use the Windows Firewall snap-in from a Windows Vista or Windows
Server 2008 computer to remotely manage the firewall on a server running a Server Core
installation. To do this, you must first enable remote management of the firewall by
running the following command on the computer running a Server Core installation:
• netsh advfirewall set currentprofile settings remotemanagement enable
11
More information about the command-line tools for configuring the server roles is available in the
Additional references section at the end of this guide.
Note
This section includes a procedure for each server role in the previous list. You need to
complete the procedure(s) for only the server roles that you want to install.
12
• The Web Server (IIS) role does not support ASP.NET in Server Core installations. Because
there is no support for managed code, the following IIS features are not available in Server
Core installations:
• IIS-ASPNET
• IIS-NetFxExtensibility
• IIS-ManagementConsole
• IIS-ManagementService
• IIS-LegacySnapIn
• IIS-FTPManagement
• WAS-NetFxEnvironment
• WAS-ConfigurationAPI
Note
Ocsetup.exe syntax is case sensitive so be sure to follow the examples explicitly.
Note
Using /w prevents the command prompt from returning until the installation
completes. Without /w, there is no indication that the installation completed.
2. Configure a DNS zone at the command prompt by typing dnscmd or by remotely using
the DNS MMC snap-in.
13
Note
Typing start /w ocsetup DNS-Server-Core-Role /uninstall at the command prompt will
uninstall the DNS Server role.
Note
Typing start /w ocsetup DHCPServerCore /uninstall at the command prompt will
uninstall the DHCP Server role.
14
start /w ocsetup DFSR-Infrastructure-ServerEdition
• For Services for Network File System (NFS), type:
start /w ocsetup ServerForNFS-Base
start /w ocsetup ClientForNFS-Base
Note
Uninstall any file server role options by using these commands with the /uninstall option.
15
Active Directory Lightweight Directory Services role
Notes
• Uninstall the AD LDS role by typing the following at a command prompt:
• start /w ocsetup DirectoryServices-ADAM-ServerCore /uninstall
Note
Dcpromo.exe can also be used to demote a domain controller to a server.
16
Web Server (IIS) role
Notes
• To uninstall the Web Server (IIS) role, use the following command:
• start /w pkgmgr /uu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-
ProcessModel
Note
Failover Clustering is not available in Windows Server 2008 Standard Edition.
Note
For more information about the hardware that is required for optional features, see the
Additional References section at the end of this document.
There are no prerequisites for the following optional features:
• Subsystem for UNIX-based applications
• Backup
• Simple Network Management Protocol (SNMP)
• Windows Internet Name Service (WINS)
• Telnet client
18
Steps for installing an optional feature on a server running a
Server Core installation
To install an optional feature on a Server Core installation of Windows Server 2008, perform the
following procedure.
Note
The Ocsetup.exe syntax is case sensitive so be sure to follow the examples explicitly.
Notes
To install the remote administration tool for BitLocker, type the following at a command
prompt:
start /w ocsetup BitLocker-RemoteAdminTool
• Backup: WindowsServerBackup
• Simple Network Management Protocol (SNMP): SNMP-SC
• Windows Internet Name Service (WINS): WINS-SC
• Telnet client: TelnetClient
19
Note
To remove an optional feature, use start /w ocsetup with the appropriate role name and
the /uninstall switch.
20
The script is located in the \Windows\System32 folder of a server running a Server Core
installation. At a command prompt, open the folder, and then use the following command to
display the usage instructions for the previous options:
cscript scregedit.wsf /?
Note
You can use this command with the /cli option to display a list of common command-line
tools and their usage.
• If you close all Command Prompt windows, to open a new Command Prompt window, you
can press CTRL+ALT+DEL, click Start Task Manager, click File, click Run, and then type
cmd.exe. Alternatively, you can log off and log back on.
• Any command or tool that attempts to launch Windows Explorer will not work. For example,
start . used from a command prompt will not work.
• TheRunonce feature is not supported in Server Core installations.
• There is no support for HTML rendering or HTML help in Server Core installations.
• Server Core installations do not support running managed code. Any management tools and
utilities that run locally on a server running a Server Core installation must be written in native
Win32 code.
• Server Core installations do not generate any notifications for activation, new updates, or
password expiration because these notifications require the Windows Explorer shell, which is
not part of the Server Core installation.
• If you need to write a script for managing a server running a Server Core installation, which
requires the secure inclusion of an administrative password, see the scripting column on
Microsoft TechNet (http://go.microsoft.com/fwlink/?LinkID=56421).
• Server Core installations support Windows Installer in quiet mode so that you can install tools
and utilities from Windows Installer files.
• Windows Firewall can be configured at a command prompt by using netsh advfirewall.
• When installing Windows Installer packages on a server running a Server Core installation,
use the /qb option to display the basic user interface.
• To change the time zone on a computer running a Server Core installation of Windows
Server 2008, run control timedate.cpl.
• To change international settings on a computer running a Server Core installation of
Windows Server 2008, run control intl.cpl.
• To use the Disk Management MMC snap-in remotely, start the Virtual Disk Service on a
server running a Server Core installation. To do this, type the following at a command
prompt:
net start VDS
• Control.exe will not run on its own. You must run it with either Timedate.cpl or Intl.cpl.
21
• Winver.exe is not available in Server Core installations. To obtain version information use
Systeminfo.exe.
Notes
• For more information about command-line tools, see "Steps for administering a Server
Core installation" later in this document.
• You can find further information at the Command-Line Reference A-Z ().
22
command-line tools.
6. When you have finished remotely managing the computer, type logoff in the command
prompt to end your Terminal Server session.
Notes
• If you are running the Terminal Services client on a previous version of Windows, you
must turn off the higher security level that is set by default in Windows Server 2008. To
do this, after step 1, type the following command at the command prompt:
• cscript C:\Windows\System32\Scregedit.wsf /cs 0
Notes
• For more information about command-line tools, see "Steps for administering a Server
Core installation" later in this document.
• You can find further information at the Command-Line Reference A-Z ().
Often it is useful to run Cmd.exe in a Command Prompt window on your local computer, rather
than in the Terminal Services client. To do this, you need a standard Windows Server 2008
installation and the latest Terminal Services client.
To manage a server running a Server Core installation by using the Windows Remote
Shell
1. To enable Windows Remote Shell on a server running a Server Core installation, type the
following command at a command prompt:
WinRM quickconfig
2. On another computer, at a command prompt, use WinRS.exe to run commands on a
server running a Server Core installation. For example, to perform a directory listing of
23
the Windows folder, type:
winrs -r:<ServerName> dir c:\windows
Where:
ServerName is the name of the server running a Server Core installation.
Note
The WinRM quickconfig setting enables a server running a Server Core installation to
accept Windows Remote Shell connections. This setting can also be set in an unattend
file. See the example in Appendix A at the end of this document.
Important
• For more information about using different security credentials to run commands, see the
command-line help for WinRS.exe by typing winrs -? at a command prompt.
24
Play will start and install the driver.
• If the driver for the hardware is not included, proceed with the steps 2 and 3.
2. Copy the driver files to a temporary folder on the server running a Server Core
installation.
3. At a command prompt, open the folder where the driver files are located, and then run
the following command:
pnputil -i -a <driverinf>
Where:
driverinf is the file name of the .inf file for the driver.
4. If prompted, restart the computer.
To obtain a list of drivers that are installed on the server running a Server Core
installation
• At a command prompt, type:
sc query type= driver
Note
You must include the space after the equal sign for the command to complete
successfully.
25
• Hardware
• Remote administration
Task Steps
26
Task Steps
set
27
Task Steps
Where:
path/filename is the path to and name of the paging
file
initialsize is the starting size of the paging file in
bytes.
maxsize is the maximum size of the page file in
bytes.
28
Task Steps
Task Steps
Configure your server to bypass the proxy for At a command prompt, type:
internet addresses. netsh winttp set proxy <servername>:<port
number>bypass-list="<local>"
29
Task Steps
Task Steps
30
Task Steps
4. At a command prompt, type:
pkgmgr /n:<update>.xml
Task Steps
31
Task Steps
following:
• sc query
• net start
Event logs
Task Steps
32
Task Steps
wevtutil epl <log name>
Task Steps
33
Task Steps
command prompt, type:
fsutil /?
Hardware
Task Steps
Add a driver for a new hardware device. 1. Copy the driver to a folder at
%homedrive%\<driver folder>.
2. At a command prompt, type:
pnputil -i -a %homedrive%\<driver
folder>\<driver>.inf
Remove a driver for a hardware device. 1. For a list of loaded drivers, at a command
prompt, type:
sc query type= driver
2. At the command prompt, type:
sc delete <service_name>
34
that in the comment area on the Web site, you need to provide the name of this step-by-step
guide.
Additional references
The following resources provide additional information about the Server Core installation of
Windows Server 2008:
• If you need product support, see the Microsoft Connect Web site
(http://go.microsoft.com/fwlink/?LinkId=49779)
• To access newsgroups for Server Core installation, follow the instructions that are provided
on the Microsoft Connect Web site (http://go.microsoft.com/fwlink/?LinkId=50067).
• If you are a beta tester and part of the special Technology Adoption Program (TAP) beta
program, you can contact your appointed Microsoft development team member for
assistance.
The following resources provide additional information about some of the commands that are
used to install and configure Server Core installations and server roles:
Active Directory
Windows Server 2003 Active Directory
(http://go.microsoft.com/fwlink/?LinkID=19802)
Backup
Backing Up and Recovering Data
(http://go.microsoft.com/fwlink/?LinkID=22347)
Failover Clustering
Clustering Services
(http://go.microsoft.com/fwlink/?LinkID=50520)
DHCP
Dynamic Host Configuration Protocol (http://go.microsoft.com/fwlink/?LinkID=56423)
35
Dfscmd
Dfscmd Overview
(http://go.microsoft.com/fwlink/?LinkId=49658)
DNS
Windows Server 2003 Domain Name System (DNS)
(http://go.microsoft.com/fwlink/?LinkID=56422)
Dnscmd
Dnscmd Overview
(http://go.microsoft.com/fwlink/?LinkId=49656)
Dnscmd Syntax
(http://go.microsoft.com/fwlink/?LinkId=49659)
Dnscmd Examples
(http://go.microsoft.com/fwlink/?LinkId=49660)
File Server
File and Storage Services
(http://go.microsoft.com/fwlink/?LinkID=26716)
Multipath I/O
Microsoft Storage Technologies: Multipath I/O
(http://go.microsoft.com/fwlink/?LinkId=50521)
Netsh
Netsh Overview
(http://go.microsoft.com/fwlink/?LinkId=49654)
36
Network File System
Performance Tuning Guidelines for Microsoft Services for Network File System
(http://go.microsoft.com/fwlink/?LinkID=62727)
Removable Storage
Removable Storage
(http://go.microsoft.com/fwlink/?LinkID=62728)
Note
See the unattend file documentation for more information about unattend file settings.
Windows System Image Manager, which is provided as part of the Windows Automated
Installation Kit, provides an excellent environment for authoring unattend files.
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:ms="urn:schemas-microsoft-
com:asm.v3" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
<!-- Do not have empty elements. Delete such elements instead. Values should be assumed
to be case sensitive. Boolean types have valid values as true,false,0,1 and are case
sensitive. Other examples of case sensitive values are Drive Letters (only upper case C-Z
supported), Format, Type. -->
<settings pass="windowsPE">
<UserData>
<AcceptEula>true</AcceptEula>
<FullName>MyFullName</FullName>
<Organization>MyOrganizationName</Organization>
<ProductKey>
<WillShowUI>OnError</WillShowUI>
37
<Key>Sensitive*Data*Deleted</Key>
</ProductKey>
</UserData>
<ImageInstall>
<OSImage>
<WillShowUI>Never</WillShowUI>
<InstallTo>
<DiskID>0</DiskID>
<PartitionID>1</PartitionID>
</InstallTo>
<InstallFrom>
<MetaData>
<Key>/IMAGE/Name</Key>
<!—Specify that server core is to be installed. To install server, the value is Windows
Longhorn Server%SKU%core. This example is for the Standard edition -->
</MetaData>
</InstallFrom>
</OSImage>
</ImageInstall>
</component>
</settings>
<settings pass="specialize">
<ComputerName>MyCompName</ComputerName>
</component>
<component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
processorArchitecture="x86">
<!-- Enable support for pre-Windows Vista/Windows Server Longhorn Terminal Services
clients -->
<UserAuthentication>0</UserAuthentication>
</component>
38
<component name="Microsoft-Windows-TerminalServices-LocalSessionManager"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
processorArchitecture="x86">
<fDenyTSConnections>false</fDenyTSConnections>
</component>
<component name="Microsoft-Windows-Web-Services-for-Management-Core"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
processorArchitecture="x86">
<ConfigureWindowsRemoteManagement>true</ConfigureWindowsRemoteManagement>
</component>
<Identification>
<Credentials>
<Domain>UserDomain</Domain>
<Username>UserName</Username>
<Password>UserPassword</Password>
</Credentials>
<JoinDomain>DomainToBeJoined</JoinDomain>
<!-- You can either have JoinDomain or JoinWorkgroup but not both.
<JoinWorkgroup>work</JoinWorkgroup>
-->
</Identification>
</component>
</settings>
<settings pass="oobeSystem">
<Display>
<HorizontalResolution>1024</HorizontalResolution>
<VerticalResolution>768</VerticalResolution>
<ColorDepth>16</ColorDepth>
</Display>
39
<UserAccounts>
<DomainAccounts>
<DomainAccountList>
<Domain>DOMAIN</Domain>
<DomainAccount>
<Name>TestAccount1</Name>
<Group>Administrators</Group>
</DomainAccount>
</DomainAccountList>
</DomainAccounts>
</UserAccounts>
</component>
</settings>
</unattend>
Note
For <computername>, if you use * the name will be randomly generated.
40
Server Manager Scenarios Step-by-Step
Guide
Microsoft Corporation
Published: September 2007
Abstract
Server Manager is a new tool that is included in Windows Server® 2008 to guide information
technology administrators through the process of installing, configuring, and managing server
roles and features that are part of Windows Server 2008. This document describes Server
Manager and includes a set of scenarios to demonstrate how Server Manager helps
administrators deploy and manage server roles.
1
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
2
Contents
Server Manager Scenarios Step-by-Step Guide ............................................................................. 5
In this guide .................................................................................................................................. 5
Who should use this step-by-step guide ...................................................................................... 5
Server Manager overview ............................................................................................................ 6
Requirements for Server Manager ............................................................................................... 6
Scenario Overview ....................................................................................................................... 6
Scenario 1: Completing the configuration of a new installation of Windows Server 2008 by
using Initial Configuration Tasks ........................................................................................... 7
Scenario 2: Performing initial configuration tasks in the Server Manager console .................. 7
Participating in CEIP by using Server Manager .................................................................... 8
Changing automatic updating settings by using Server Manager ......................................... 8
Participating in Windows Error Reporting by using Server Manager .................................... 8
Scenario 3: Adding Terminal Services and viewing its status .................................................. 9
Adding Terminal Services and TS Web Access .................................................................... 9
Managing Terminal Services by using Server Manager ..................................................... 10
Removing Terminal Services by using Server Manager ..................................................... 10
Scenario 4: Using Remote Server Administration Tools to manage Print Services remotely 11
Adding Remote Server Administration Tools for Print Services .......................................... 11
Managing Print Services remotely by using the Print Management snap-in ...................... 12
Removing Remote Server Administration Tools for Print Services..................................... 12
Scenario 5: Adding and removing the Print Services role by using the Server Manager
command line ...................................................................................................................... 13
Adding Print Services by using the Server Manager command line ................................... 13
Removing Print Services role services by using the command line .................................... 14
Removing Print Services by using the command line ......................................................... 15
Scenario 6: Adding File Services and Windows Server Backup by using an answer file ...... 15
Adding File Services and Windows Server Backup by using an answer file ...................... 15
Managing File Services and Windows Server Backup........................................................ 16
Removing all roles and features by using an answer file .................................................... 17
Scenario 7: Adding Windows Server virtualization ................................................................. 18
Installing Windows Server virtualization .............................................................................. 18
Managing Windows Server virtualization by using Server Manager ................................... 19
Removing Windows Server virtualization by using Server Manager .................................. 19
Additional resources ................................................................................................................... 20
3
Server Manager Scenarios Step-by-Step
Guide
Server Manager is a new tool available with Windows Server® 2008 that guides information
technology administrators through the process of installing, configuring, and managing server
roles and features that are part of Windows Server 2008.
This step-by-step guide provides an overview of Server Manager and walkthroughs of several
common scenarios for using Server Manager in your enterprise, focusing on new and enhanced
features of Server Manager. This guide helps you learn about how Server Manager functions as a
server role deployment, decommissioning, and management tool. The guide also describes how
Server Manager helps improve productivity, so IT pros can spend less time deploying, managing,
and maintaining their infrastructures, and spend more time using Windows Server 2008 software
packages to add business value.
The scenarios described in this step-by-step guide include initial server configuration tasks as
well as deployment, management, and removal of server roles and features.
In this guide
• Who should use this step-by-step guide
• Server Manager overview
• Requirements for Server Manager
• Scenario overview
5
Server Manager overview
Server Manager makes server administration more efficient by allowing administrators to use a
single tool to do the following:
• View and make changes to server roles and features installed on the server.
• Perform management tasks associated with the operational lifecycle of the server, such as
starting or stopping services, and managing local user accounts.
• Perform management tasks associated with the operational lifecycle of roles, role services,
and features installed on the server.
• Determine server status, identify critical events, and analyze and troubleshoot configuration
issues or failures.
Scenario Overview
The following scenarios guide you through several common uses for Server Manager and its
related technologies Initial Configuration Tasks and Remote Server Administration Tools.
• Scenario 1: Completing the configuration of a new installation of Windows Server 2008 by
using Initial Configuration Tasks
• Scenario 2: Performing initial configuration tasks in the Server Manager console
• Scenario 3: Adding Terminal Services and viewing its status
• Scenario 4: Using Remote Server Administration Tools to manage Print Services remotely
• Scenario 5: Adding and removing the Print Services role by using the Server Manager
command line
• Scenario 6: Adding File Services and Windows Server Backup by using an answer file
• Scenario 7: Adding Windows Server virtualization
6
Scenario 1: Completing the configuration of a new installation of
Windows Server 2008 by using Initial Configuration Tasks
After Windows Server 2008 Setup is finished, an administrator logs on to the server for the first
time, and the Initial Configuration Tasks window automatically opens. The administrator
completes configuration of the new server by using commands in the Initial Configuration Tasks
window.
Note
If you accidentally close Initial Configuration Tasks, click Start, and then click Run. Type
oobe in the Open text box, and then click OK or press ENTER.
8
2. Expand the Resources and Support area, if it is not already open.
3. Click Turn on Windows Error Reporting.
4. In the Windows Error Reporting Configuration dialog box, select one of the following
options:
• Yes, automatically send detailed reports.
• Yes, automatically send summary reports.
The other settings—Ask me about sending reports every time an error occurs, and I
don't want to participate, and don't ask me again—disable Windows Error Reporting.
Ask me about sending reports every time an error occurs prompts you to report
errors only as they occur.
5. Click OK.
Note
The TS Web Access role service depends on Web Server (IIS) and Windows
System Resource Manager (WSRM). Server Manager prompts you to install IIS
and WSRM if they are not already installed on the computer.
3. The Terminal Services installation process requires an administrator to specify several
configuration options. Complete the configuration pages of the Add Roles Wizard based
on what is most appropriate for your organization. For more information about configuring
Terminal Services, and detailed step-by-step guides, see the Terminal Services page on
the Windows Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=48555).
9
Managing Terminal Services by using Server Manager
The administrator opens the Terminal Services snap-ins and performs Terminal Services
management tasks in the Server Manager window.
10
5. After confirming that you want to remove Terminal Services, on the Confirm Removal
Selections page, click Remove.
Note
Installing Remote Server Administration Tools does not install any roles, role
services, or features on a computer. For each role, role service, or feature you
select within Remote Server Administration Tools, you are installing only
management tools and snap-ins that allow you to perform administration tasks
for specified roles, role services, or features installed on other computers.
4. Click Next, and then click Install.
5. When installation is complete, close the wizard.
To manage the remote print server and make sure it is discoverable on the network, the
administrator restarts the print spooler service on the computer running the Server Core
installation of Windows Server 2008. To restart the spooler services on the computer running the
Print Services role, type the commands net stop spooler, followed by net start spooler, at the
command prompt.
11
Managing Print Services remotely by using the Print Management snap-in
After restarting the spooler service, the administrator is ready to manage Print Services remotely
from the computer running the full installation of Windows Server 2008.
Note
Removing Remote Server Administration Tools does not remove any roles, role
services, or features from a computer. For each role, role service, or feature you
select within Remote Server Administration Tools, you are removing only
management tools and snap-ins that allow you to perform administration tasks
for specified roles, role services, or features installed on other computers.
5. When removal is complete, close the wizard.
12
Scenario 5: Adding and removing the Print Services role by
using the Server Manager command line
A company has purchased a new server. The new computer must run Print Services for the
engineering department. After installing Windows Server 2008 on the computer and completing
initial configuration tasks, a system administrator adds the Print Services role to the server by
using the Server Manager command line.
Note
The Server Manager command is not case sensitive.
Note
ServerManagerCmd.exe also automatically installs all required roles, role
services, or features. In this scenario, Server Manager automatically installs Web
Server (IIS) and Windows Process Activation Services.
3. When installation is complete, the Command Prompt window displays the following
message:
Success: Installation succeeded.
4. Verify that the Print Server role service of Print Services was installed by typing the
following at the prompt:
ServerManagerCmd.exe -query
Ensure that the Print Services line item in the -query command results is checked and
highlighted, and that the Print Server child object is checked and highlighted. Also ensure
that other role services of Print Services are not checked.
5. At the command prompt, type the following, and then press ENTER:
ServerManagerCmd.exe -install Print-Internet Print-LPD-Service
Note
13
You can install each additional role service one at a time, or use the
–allSubFeatures option to install all the child elements of a role or feature.
Server Manager automatically skips those elements already installed on the
computer, in this case the Print Server role service.
6. When installation is complete, the Command Prompt window displays the following
message:
Success: Installation succeeded.
7. Verify that the LPD Service and Internet Printing Service role services were installed by
typing the following at the command prompt:
ServerManagerCmd.exe -query
Ensure that the Print Services line item in the -query command results is checked and
highlighted, and that all role services of Print Services are now checked and highlighted.
14
Removing Print Services by using the command line
After several months, the administrator moves core printing services to a different server, so that
this server can be repurposed. The administrator removes the Print Services role completely from
this computer by using the command line.
Note
roles, role services, or features that are installed due to dependencies, such as Web
Server (IIS) and Windows Process Activation Service, are not removed with the removal
of Print Services.
Note
For the complete Server Manager command-line schema, see the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=81203).
Adding File Services and Windows Server Backup by using an answer file
The administrator creates an XML answer file to use with the Server Manager command line to
add the File Services role and the Windows Server Backup subfeature on the server.
15
To install File Services and Windows Server Backup by using an answer file
1. Create the following answer file for the Server Manager command line, and save it to a
convenient location as an XML document:
<?xml version="1.0" encoding="utf-8" ?>
<ServerManagerConfiguration Action="Install"
xmlns="http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
Note
Although the only role service of File Services installed by this answer file is DFS
Namespace, the File Services role is installed.
2. If a Command Prompt window is not already open, open a Command Prompt window
with elevated privileges by right-clicking the Command Prompt executable or the
Command Prompt object on the Start menu, and then clicking Run as administrator.
3. At the prompt, type the following, and then press ENTER:
ServerManagerCmd.exe -inputPath <answerfile.xml> -whatIf -restart
The placeholder answerfile represents the path and name of the XML answer file created
in Step 1. The -whatIf parameter displays a list of all software installed as a result of the
command, including dependent roles, role services, and features.
Adding -restart to the command line restarts the computer automatically when
installation is complete, if restarting is required by the software that you are removing. In
this instance, a restart of the server is required to install Windows Server Backup.
4. When installation is complete, the Command Prompt window displays the following
message:
Success: Installation succeeded.
5. Open the Server Manager console by clicking Start, pointing to Administrative Tools,
and then clicking Server Manager.
6. Verify that the File Services role is installed with the DFS Namespace role service, and
that the Windows Server Backup subfeature of Windows Server Backup Features is also
installed.
16
To manage File Services and Windows Server Backup
1. Back up the server. For more information about backing up your server, see the Help
provided with Windows Server Backup Features.
2. If Server Manager is not already open, open Server Manager by clicking Start, pointing to
Administrative Tools, and then clicking Server Manager.
3. In the Server Manager hierarchy pane, expand Roles, and then select File Services to
view the role management home page for File Services.
4. View the status of event messages and services related to File Services. Expand the File
Services node in the hierarchy pane.
5. Select the DFS Management node to open the DFS Management snap-in. Add, remove,
or modify namespaces. Add a new replication group, following the steps in the wizard.
<ServerManagerConfiguration Action="Remove"
xmlns="http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
2. If a Command Prompt window is not already open, open a Command Prompt window
with elevated privileges by right-clicking the Command Prompt executable or the
Command Prompt object on the Start menu, and then clicking Run as administrator.
3. At the prompt, type the following, and then press ENTER:
ServerManagerCmd.exe -inputPath <answerfile.xml> -whatIf -restart
The placeholder answerfile represents the path and name of the XML answer file created
in Step 1. The -whatIf parameter displays a list of all software removed as a result of the
command, including dependent roles, role services, and features.
17
Adding -restart to the command line restarts the computer automatically when
installation is complete, if restarting is required by the software that you are removing.
4. When removal is complete, the Command Prompt window displays the following
message:
Success: Removal succeeded.
5. Open the Server Manager console by clicking Start, pointing to Administrative Tools,
and then clicking Server Manager.
6. Verify that the File Services role and Windows Server Backup are no longer installed on
the computer.
Important
The Windows Server virtualization scenario is only for computers running The 64-bit
edition of Windows Server 2008, and that have support at the processor level for
virtualization. More specific hardware requirements for Windows Server virtualization are
described in the Windows Server virtualization Step-by-Step Guide on the Windows
Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=98822). It is strongly
recommended that you review these hardware requirements before completing any of the
tasks in this scenario.
19
Additional resources
• Server Manager on Windows Server TechCenter
(http://go.microsoft.com/fwlink/?LinkId=48541)
• Server ManagerTechnical Overview (http://go.microsoft.com/fwlink/?LinkId=85101)
• Server ManagerCommand-Line Schema (http://go.microsoft.com/fwlink/?LinkId=81203)
20
Step-by-Step Guide for Configuring a Two-
Node File Server Failover Cluster in Windows
Server 2008
Microsoft Corporation
Published: September 2007
Author: Jan Keller
Editor: Ronald Loi
Abstract
A failover cluster is a group of independent computers that work together to increase the
availability of applications and services. The clustered servers (called nodes) are connected by
physical cables and by software. If one of the cluster nodes fails, another node begins to provide
service (a process known as failover). This guide describes the steps for installing and
configuring a file server failover cluster that has two nodes. By creating the configuration in this
guide, you can learn about failover clusters and familiarize yourself with the Failover Cluster
Management snap-in.
1
This is a preliminary document and may be changed substantially prior to final commercial
release of the software described herein. The information contained in this document represents
the current view of Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be
a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, and Active Directory are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
2
Contents
Step-by-Step Guide for Configuring a Two-Node File Server Failover Cluster in Windows Server
2008 ............................................................................................................................................. 5
In this guide............................................................................................................................... 5
Overview for a two-node file server cluster .................................................................................. 5
Shared folders in a failover cluster ........................................................................................... 7
Requirements for a two-node failover cluster .............................................................................. 8
Hardware requirements for a two-node failover cluster ............................................................ 8
Software requirements for a two-node failover cluster ........................................................... 10
Network infrastructure and domain account requirements for a two-node failover cluster .... 11
Steps for installing a two-node file server cluster....................................................................... 12
Step 1: Connect the cluster servers to the networks and storage .......................................... 12
Step 2: Install the failover cluster feature ............................................................................... 13
Step 3: Validate the cluster configuration ............................................................................... 15
Step 4: Create the cluster ....................................................................................................... 17
Steps for configuring a two-node file server cluster ................................................................... 19
Additional references ................................................................................................................. 22
3
Step-by-Step Guide for Configuring a Two-
Node File Server Failover Cluster in Windows
Server 2008
A failover cluster is a group of independent computers that work together to increase the
availability of applications and services. The clustered servers (called nodes) are connected by
physical cables and by software. If one of the cluster nodes fails, another node begins to provide
service (a process known as failover). Users experience a minimum of disruptions in service.
This guide describes the steps for installing and configuring a file server failover cluster that has
two nodes. By creating the configuration in this guide, you can learn about failover clusters and
familiarize yourself with the Failover Cluster Management snap-in interface in
Windows Server® 2008 Enterprise or Windows Server® 2008 Datacenter.
Note
The failover cluster feature is not available in Windows Web Server 2008 or Windows
Server 2008 Standard.
In Windows Server 2008, the improvements to failover clusters (formerly known as server
clusters) are aimed at simplifying clusters, making them more secure, and enhancing cluster
stability. Cluster setup and management are easier. Security and networking in clusters have
been improved, as has the way a failover cluster communicates with storage. For more
information about improvements to failover clusters, see
http://go.microsoft.com/fwlink/?LinkId=62368.
In this guide
Overview for a two-node file server cluster
Shared folders in a failover cluster
Requirements for a two-node failover cluster
Steps for installing a two-node file server cluster
Steps for configuring a two-node file server cluster
Additional resources
5
other services and applications. This guide describes how to configure a two-node file server
cluster.
A failover cluster usually includes a storage unit that is physically connected to all the servers in
the cluster, although any given volume in the storage is only accessed by one server at a time.
The following diagram shows a two-node failover cluster connected to a storage unit.
Storage volumes or logical unit numbers (LUNs) exposed to the nodes in a cluster must not be
exposed to other servers, including servers in another cluster. The following diagram illustrates
this.
6
Note that for the maximum availability of any server, it is important to follow best practices for
server management—for example, carefully managing the physical environment of the servers,
testing software changes before fully implementing them, and carefully keeping track of software
updates and configuration changes on all clustered servers.
The following scenario describes how a file server failover cluster can be configured. The files
being shared are on the cluster storage, and either clustered server can act as the file server that
shares them.
7
Requirements for a two-node failover cluster
To create a failover cluster with two nodes (regardless of the service or application that the nodes
provide), you need the hardware, software, accounts, and network infrastructure described in the
sections that follow.
We recommend that you first use the information provided in this guide in a test lab environment.
A Step-by-Step guide is not necessarily meant to be used to deploy Windows Server features
without the accompanying documentation (as listed in the Additional references section), and it
should be used with discretion as a stand-alone document.
Important
You should use only hardware components that are compatible with Windows
Server 2008.
• Network adapters and cable (for network communication): The network hardware, like
other components in the failover cluster solution, must be compatible with Windows
Server 2008. If you use iSCSI, your network adapters must be dedicated to either network
communication or iSCSI, not both.
In the network infrastructure that connects your cluster nodes, avoid having single points of
failure. There are multiple ways of accomplishing this. You can connect your cluster nodes by
multiple, distinct networks. Alternatively, you can connect your cluster nodes with one
network that is constructed with teamed network adapters, redundant switches, redundant
routers, or similar hardware that removes single points of failure.
Note
If you connect cluster nodes with a single network, the network will pass the
redundancy requirement in the Validate a Configuration Wizard. However, the report
from the wizard will include a warning that the network should not have single points
of failure.
For more details about the network configuration required for a failover cluster, see Network
infrastructure and domain account requirements for a two-node failover cluster, later in this
topic.
Device controllers or appropriate adapters for the storage:
• For Serial Attached SCSI or Fibre Channel: If you are using Serial Attached SCSI or
Fibre Channel, in all clustered servers, the mass-storage device controllers that are
8
dedicated to the cluster storage should be identical. They should also use the same
firmware version.
Note
With Windows Server 2008, you cannot use parallel SCSI to connect the storage
to the clustered servers.
• For iSCSI: If you are using iSCSI, each clustered server must have one or more network
adapters or host bus adapters that are dedicated to the cluster storage. The network you
use for iSCSI cannot be used for network communication. In all clustered servers, the
network adapters you use to connect to the iSCSI storage target should be identical, and
we recommend that you use Gigabit Ethernet or higher.
For iSCSI, you cannot use teamed network adapters, because they are not supported
with iSCSI.
For more information about iSCSI, see the iSCSI FAQ on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=61375).
• Storage: You must use shared storage that is compatible with Windows Server 2008.
For a two-node failover cluster, the storage should contain at least two separate volumes
(LUNs), configured at the hardware level. One volume will function as the witness disk
(described in the next paragraph). One volume will contain the files that are being shared to
users. Storage requirements include the following:
• To use the native disk support included in failover clustering, use basic disks, not
dynamic disks.
• We recommend that you format the partitions with NTFS (for the witness disk, the
partition must be NTFS).
• For the partition style of the disk, you can use either master boot record (MBR) or GUID
partition table (GPT).
The witness disk is a disk in the cluster storage that is designated to hold a copy of the
cluster configuration database. (A witness disk is part of some, not all, quorum
configurations.) For this two-node cluster, the quorum configuration will be Node and Disk
Majority, the default for a cluster with an even number of nodes. Node and Disk Majority
means that the nodes and the witness disk each contain copies of the cluster configuration,
and the cluster has quorum as long as a majority (two out of three) of these copies are
available.
9
• Confirm compatibility of the storage: Confirm with manufacturers and vendors that the
storage, including drivers, firmware, and software used for the storage, are compatible with
failover clusters in Windows Server 2008.
Important
Storage that was compatible with server clusters in Windows Server 2003 might not
be compatible with failover clusters in Windows Server 2008. Contact your vendor to
ensure that your storage is compatible with failover clusters in Windows Server 2008.
Failover clusters include the following new requirements for storage:
• Because improvements in failover clusters require that the storage respond correctly to
specific SCSI commands, the storage must follow the standard called SCSI Primary
Commands-3 (SPC-3). In particular, the storage must support Persistent Reservations as
specified in the SPC-3 standard.
• The miniport driver used for the storage must work with the Microsoft Storport storage
driver.
• Isolate storage devices, one cluster per device: Servers from different clusters must not
be able to access the same storage devices. In most cases, a LUN that is used for one set of
cluster servers should be isolated from all other servers through LUN masking or zoning.
• Consider using multipath I/O software: In a highly available storage fabric, you can deploy
failover clusters with multiple host bus adapters by using multipath I/O software. This
provides the highest level of redundancy and availability. For Windows Server 2008, your
multipath solution must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor
will usually supply an MPIO device-specific module (DSM) for your hardware, although
Windows Server 2008 includes one or more DSMs as part of the operating system.
Important
Host bus adapters and multipath I/O software can be very version sensitive. If you
are implementing a multipath solution for your cluster, you should work closely with
your hardware vendor to choose the correct adapters, firmware, and software for
Windows Server 2008.
10
Network infrastructure and domain account requirements for a
two-node failover cluster
You will need the following network infrastructure for a two-node failover cluster and an
administrative account with the following domain permissions:
• Network settings and IP addresses: When you use identical network adapters for a
network, also use identical communication settings on those adapters (for example, Speed,
Duplex Mode, Flow Control, and Media Type). Also, compare the settings between the
network adapter and the switch it connects to and make sure that no settings are in conflict.
If you have private networks that are not routed to the rest of your network infrastructure,
ensure that each of these private networks uses a unique subnet. This is necessary even if
you give each network adapter a unique IP address. For example, if you have a cluster node
in a central office that uses one physical network, and another node in a branch office that
uses a separate physical network, do not specify 10.0.0.0/24 for both networks, even if you
give each adapter a unique IP address.
For more information about the network adapters, see Hardware requirements for a two-node
failover cluster, earlier in this guide.
• DNS: The servers in the cluster must be using Domain Name System (DNS) for name
resolution. The DNS dynamic update protocol can be used.
• Domain role: All servers in the cluster must be in the same Active Directory domain. As a
best practice, all clustered servers should have the same domain role (either member server
or domain controller). The recommended role is member server.
• Domain controller: We recommend that your clustered servers be member servers. If they
are, you need an additional server that acts as the domain controller in the domain that
contains your failover cluster.
• Clients: As needed for testing, you can connect one or more networked clients to the failover
cluster that you create, and observe the effect on a client when you move or fail over the
clustered file server from one cluster node to the other.
• Account for administering the cluster: When you first create a cluster or add servers to it,
you must be logged on to the domain with an account that has administrator rights and
permissions on all servers in that cluster. The account does not need to be a Domain Admins
account, but can be a Domain Users account that is in the Administrators group on each
clustered server. In addition, if the account is not a Domain Admins account, the account (or
the group that the account is a member of) must be given the Create Computer Objects
permission in the domain.
Note
There is a change in the way the Cluster service runs in Windows Server 2008, as
compared to Windows Server 2003. In Windows Server 2008, there is no Cluster
service account. Instead, the Cluster service automatically runs in a special context
11
that provides the specific permissions and privileges that are necessary for the
service (similar to the local system context, but with reduced privileges).
Note
Review Hardware Requirements for a Two-Node Failover Cluster earlier in this guide, for
details about the kinds of network adapters and device controllers that you can use with
Windows Server 2008.
For a failover cluster network, avoid having single points of failure. There are multiple ways of
accomplishing this. You can connect your cluster nodes by multiple, distinct networks.
Alternatively, you can connect your cluster nodes with one network that is constructed with
teamed network adapters, redundant switches, redundant routers, or similar hardware that
removes single points of failure (If you use a network for iSCSI, you must create this network in
addition to the other networks).
For a two-node file server cluster, when you connect the servers to the cluster storage, you must
expose at least two volumes (LUNs). You can expose additional volumes as needed for thorough
testing of your configuration. Do not expose the clustered volumes to servers that are not in the
cluster.
12
4. Follow the manufacturer's instructions for physically connecting the servers to the
storage.
5. Ensure that the disks (LUNs) that you want to use in the cluster are exposed to the
servers that you will cluster (and only those servers). You can use any of the following
interfaces to expose disks or LUNs:
• The interface provided by the manufacturer of the storage.
• If you are using iSCSI, an appropriate iSCSI interface.
• Microsoft Storage Manager for SANs (part of the operating system in Windows
Server 2008). To use this interface, you need to contact the manufacturer of your
storage for a Virtual Disk Service (VDS) provider package that is designed for your
storage.
6. If you have purchased software that controls the format or function of the disk, follow
instructions from the vendor about how to use that software with Windows Server 2008.
7. On one of the servers that you want to cluster, click Start, click Administrative Tools,
click Computer Management, and then click Disk Management. (If the User Account
Control dialog box appears, confirm that the action it displays is what you want, and then
click Continue.) In Disk Management, confirm that the cluster disks are visible.
8. If you want to have a storage volume larger than 2 terabytes, and you are using the
Windows interface to control the format of the disk, convert that disk to the partition style
called GUID partition table (GPT). To do this, back up any data on the disk, delete all
volumes on the disk and then, in Disk Management, right-click the disk (not a partition)
and click Convert to GPT Disk.
For volumes smaller than 2 terabytes, instead of using GPT, you can use the partition
style called master boot record (MBR).
Important
You can use either MBR or GPT for a disk that is used by a failover cluster, but you cannot
use a disk that you converted to dynamic by using Disk Management.
If you purchased software that controls the format or function of the disk, contact the vendor
for instructions about how to use that software with Windows Server 2008.
9. Check the format of any exposed volume or LUN. We recommend NTFS for the format
(for the witness disk, you must use NTFS).
13
To install the failover cluster feature on the servers
1. If you recently installed Windows Server 2008, the Initial Configuration Tasks interface
is displayed, as shown in the following illustration.
If this interface is displayed, under Customize This Server, click Add features. Then
skip to step 3.
2. If the Initial Configuration Tasks interface is not displayed and Server Manager is not
running, click Start, click Administrative Tools, and then click Server Manager. (If the
User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.)
Server Manager
14
In Server Manager, under Features Summary, click Add Features.
3. In the Add Features Wizard, click Failover Clustering, and then click Install.
4. Follow the instructions in the wizard to complete the installation of the feature. When the
wizard finishes, close it.
5. Repeat the process for each server that you want to include in the cluster.
15
2. Confirm that Failover Cluster Management is selected and then, in the center pane
under Management, click Validate a Configuration.
16
3. Follow the instructions in the wizard to specify the two servers and the tests, and then run
the tests. To fully validate your configuration, run all tests before creating a cluster.
4. The Summary page appears after the tests run. To view Help topics that will help you
interpret the results, click More about cluster validation tests.
5. While still on the Summary page, click View Report and read the test results.
To view the results of the tests after you close the wizard, see
SystemRoot\Cluster\Reports\Validation Report date and time.html
where SystemRoot is the folder in which the operating system is installed (for example,
C:\Windows).
6. As necessary, make changes in the configuration and rerun the tests.
7. To view Help topics about cluster validation after you close the wizard, in Failover Cluster
Management, click Help, click Help Topics, click the Contents tab, expand the contents
for the failover cluster Help, and click Validating a Failover Cluster Configuration.
17
To run the Create Cluster wizard
1. To open the failover cluster snap-in, click Start, click Administrative Tools, and then
click Failover Cluster Management. (If the User Account Control dialog box appears,
confirm that the action it displays is what you want, and then click Continue.)
2. Confirm that Failover Cluster Management is selected and then, in the center pane
under Management, click Create a cluster.
18
Steps for configuring a two-node file server
cluster
To configure a two-node file server failover cluster, follow these steps:
19
6. Review the text on the first page of the wizard, and then click Next.
20
7. Click File Server, and then click Next.
8. Follow the instructions in the wizard to specify the following details:
• A name for the clustered file server
• Any IP address information that is not automatically supplied by your DHCP
settings—for example, a static IPv4 address for this clustered file server
• The storage volume or volumes that the clustered file server should use
9. After the wizard runs and the Summary page appears, to view a report of the tasks the
wizard performed, click View Report.
10. To close the wizard, click Finish.
11. In the console tree, make sure Services and Applications is expanded, and then select
the clustered file server that you just created.
12. Under Actions, click Add a shared folder.
The Provision a Shared Folder Wizard appears. This is the same wizard that you would
use to provision a share on a nonclustered file server.
13. Follow the instructions in the wizard to specify the following settings for the shared folder:
• Path and name.
• NTFS permissions (optional).
21
• Advanced settings for the SMB protocol (optional). SMB is used by Windows-based
clients. The settings include:
- User limits.
- Offline settings (caching).
- Access-based enumeration, described in Shared folders in a failover cluster, earlier
in this guide.
• Whether the NFS protocol will be used, for support of UNIX-based clients (optional).
14. After completing the wizard, confirm that the clustered file server comes online. If it does
not, review the state of the networks and storage and correct any issues. Then right-click
the new clustered file server and click Bring this service or application online.
15. To perform a basic test of failover, right-click the clustered file server, click Move this
service or application to another node, and click the available choice of node. When
prompted, confirm your choice.
You can observe the status changes in the center pane of the snap-in as the clustered
file server instance is moved.
Additional references
The following resources provide additional information about failover clusters:
• For more information about iSCSI, see the iSCSI FAQ on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=61375).
• For information about the improvements in failover clusters as compared to server clusters in
Windows Server 2003, see "What's New in Failover Clusters" on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=62368).
22
Step-by-Step Guide for Configuring a Two-
Node Print Server Failover Cluster in
Windows Server 2008
Microsoft Corporation
Published: September 2007
Author: Jan Keller
Editor: Ronald Loi
Abstract
A failover cluster is a group of independent computers that work together to increase the
availability of applications and services. The clustered servers (called nodes) are connected by
physical cables and by software. If one of the cluster nodes fails, another node begins to provide
service (a process known as failover). This guide describes the steps for installing and
configuring a print server failover cluster that has two nodes. By creating the configuration in this
guide, you can learn about failover clusters and familiarize yourself with the Failover Cluster
Management snap-in.
1
This is a preliminary document and may be changed substantially prior to final commercial
release of the software described herein. The information contained in this document represents
the current view of Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be
a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, and Active Directory are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
2
Contents
Step-by-Step Guide for Configuring a Two-Node Print Server Failover Cluster in Windows Server
2008 ............................................................................................................................................. 5
In this guide............................................................................................................................... 5
Overview for a two-node print server cluster ............................................................................... 5
Requirements for a two-node failover cluster .............................................................................. 7
Hardware requirements for a two-node failover cluster ............................................................ 7
Deploying storage area networks with failover clusters ........................................................ 9
Software requirements for a two-node failover cluster ............................................................. 9
Network infrastructure and domain account requirements for a two-node failover cluster .... 10
Steps for installing a two-node print server cluster .................................................................... 11
Step 1: Connect the cluster servers to the networks and storage .......................................... 11
Step 2: Install the failover cluster feature ............................................................................... 12
Step 3: Validate the cluster configuration ............................................................................... 14
Step 4: Create the cluster ....................................................................................................... 16
Steps for configuring a two-node print server cluster................................................................. 17
Additional references ................................................................................................................. 20
3
Step-by-Step Guide for Configuring a Two-
Node Print Server Failover Cluster in
Windows Server 2008
A failover cluster is a group of independent computers that work together to increase the
availability of applications and services. The clustered servers (called nodes) are connected by
physical cables and by software. If one of the cluster nodes fails, another node begins to provide
service (a process known as failover). Users experience a minimum of disruptions in service.
This guide describes the steps for installing and configuring a print server failover cluster that has
two nodes. By creating the configuration in this guide, you can learn about failover clusters and
familiarize yourself with the Failover Cluster Management snap-in interface in
Windows Server® 2008 Enterprise or Windows Server® 2008 Datacenter.
Note
The failover cluster feature is not available in Windows Web Server 2008 or Windows
Server 2008 Standard.
In Windows Server 2008, the improvements to failover clusters (formerly known as server
clusters) are aimed at simplifying clusters, making them more secure, and enhancing cluster
stability. Cluster setup and management are easier. Security and networking in clusters have
been improved, as has the way a failover cluster communicates with storage. For more
information about improvements to failover clusters, see
http://go.microsoft.com/fwlink/?LinkId=62368.
In this guide
Overview for a two-node print server cluster
Requirements for a two-node failover cluster
Steps for installing a two-node print server cluster
Steps for configuring a two-node print server cluster
Additional resources
5
A failover cluster usually includes a storage unit that is physically connected to all the servers in
the cluster, although any given volume in the storage is only accessed by one server at a time.
The following diagram shows a two-node failover cluster connected to a storage unit.
Storage volumes or logical unit numbers (LUNs) exposed to the nodes in a cluster must not be
exposed to other servers, including servers in another cluster. The following diagram illustrates
this.
Note that for the maximum availability of any server, it is important to follow best practices for
server management—for example, carefully managing the physical environment of the servers,
6
testing software changes before fully implementing them, and carefully keeping track of software
updates and configuration changes on all clustered servers.
The following scenario describes how a print server failover cluster can be configured.
Important
You should use only hardware components that are compatible with Windows
Server 2008.
• Network adapters and cable (for network communication): The network hardware, like
other components in the failover cluster solution, must be compatible with Windows
Server 2008. If you use iSCSI, your network adapters must be dedicated to either network
communication or iSCSI, not both.
In the network infrastructure that connects your cluster nodes, avoid having single points of
failure. There are multiple ways of accomplishing this. You can connect your cluster nodes by
multiple, distinct networks. Alternatively, you can connect your cluster nodes with one
network that is constructed with teamed network adapters, redundant switches, redundant
routers, or similar hardware that removes single points of failure.
Note
If you connect cluster nodes with a single network, the network will pass the
redundancy requirement in the Validate a Configuration Wizard. However, the report
from the wizard will include a warning that the network should not have single points
of failure.
7
For more details about the network configuration required for a failover cluster, see Network
infrastructure and domain account requirements for a two-node failover cluster, later in this
topic.
• Device controllers or appropriate adapters for the storage:
• For Serial Attached SCSI or Fibre Channel: If you are using Serial Attached SCSI or
Fibre Channel, in all clustered servers, the mass-storage device controllers that are
dedicated to the cluster storage should be identical. They should also use the same
firmware version.
Note
With Windows Server 2008, you cannot use parallel SCSI to connect the storage
to the clustered servers.
• For iSCSI: If you are using iSCSI, each clustered server must have one or more network
adapters or host bus adapters that are dedicated to the cluster storage. The network you
use for iSCSI cannot be used for network communication. In all clustered servers, the
network adapters you use to connect to the iSCSI storage target should be identical, and
we recommend that you use Gigabit Ethernet or higher.
For iSCSI, you cannot use teamed network adapters, because they are not supported
with iSCSI.
For more information about iSCSI, see the iSCSI FAQ on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=61375).
• Storage: You must use shared storage that is compatible with Windows Server 2008.
For a two-node failover cluster, the storage should contain at least two separate volumes
(LUNs), configured at the hardware level. One volume will function as the witness disk
(described in the next paragraph). One volume will contain the print drivers, print spooler
directory, and print monitors. Storage requirements include the following:
• To use the native disk support included in failover clustering, use basic disks, not
dynamic disks.
• We recommend that you format the partitions with NTFS (for the witness disk, the
partition must be NTFS).
• For the partition style of the disk, you can use either master boot record (MBR) or GUID
partition table (GPT).
The witness disk is a disk in the cluster storage that is designated to hold a copy of the
cluster configuration database. (A witness disk is part of some, not all, quorum
configurations.) For this two-node cluster, the quorum configuration will be Node and Disk
Majority, the default for a cluster with an even number of nodes. Node and Disk Majority
means that the nodes and the witness disk each contain copies of the cluster configuration,
and the cluster has quorum as long as a majority (two out of three) of these copies are
available.
8
Deploying storage area networks with failover clusters
When deploying a storage area network (SAN) with a failover cluster, follow these guidelines:
• Confirm compatibility of the storage: Confirm with manufacturers and vendors that the
storage, including drivers, firmware, and software used for the storage, are compatible with
failover clusters in Windows Server 2008.
Important
Storage that was compatible with server clusters in Windows Server 2003 might not
be compatible with failover clusters in Windows Server 2008. Contact your vendor to
ensure that your storage is compatible with failover clusters in Windows Server 2008.
Failover clusters include the following new requirements for storage:
• Because improvements in failover clusters require that the storage respond correctly to
specific SCSI commands, the storage must follow the standard called SCSI Primary
Commands-3 (SPC-3). In particular, the storage must support Persistent Reservations as
specified in the SPC-3 standard.
• The miniport driver used for the storage must work with the Microsoft Storport storage
driver.
• Isolate storage devices, one cluster per device: Servers from different clusters must not
be able to access the same storage devices. In most cases, a LUN that is used for one set of
cluster servers should be isolated from all other servers through LUN masking or zoning.
• Consider using multipath I/O software: In a highly available storage fabric, you can deploy
failover clusters with multiple host bus adapters by using multipath I/O software. This
provides the highest level of redundancy and availability. For Windows Server 2008, your
multipath solution must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor
will usually supply an MPIO device-specific module (DSM) for your hardware, although
Windows Server 2008 includes one or more DSMs as part of the operating system.
Important
Host bus adapters and multipath I/O software can be very version sensitive. If you
are implementing a multipath solution for your cluster, you should work closely with
your hardware vendor to choose the correct adapters, firmware, and software for
Windows Server 2008.
9
Network infrastructure and domain account requirements for a
two-node failover cluster
You will need the following network infrastructure for a two-node failover cluster and an
administrative account with the following domain permissions:
• Network settings and IP addresses: When you use identical network adapters for a
network, also use identical communication settings on those adapters (for example, Speed,
Duplex Mode, Flow Control, and Media Type). Also, compare the settings between the
network adapter and the switch it connects to and make sure that no settings are in conflict.
If you have private networks that are not routed to the rest of your network infrastructure,
ensure that each of these private networks uses a unique subnet. This is necessary even if
you give each network adapter a unique IP address. For example, if you have a cluster node
in a central office that uses one physical network, and another node in a branch office that
uses a separate physical network, do not specify 10.0.0.0/24 for both networks, even if you
give each adapter a unique IP address.
For more information about the network adapters, see Hardware requirements for a two-node
failover cluster, earlier in this guide.
• DNS: The servers in the cluster must be using Domain Name System (DNS) for name
resolution. The DNS dynamic update protocol can be used.
• Domain role: All servers in the cluster must be in the same Active Directory domain. As a
best practice, all clustered servers should have the same domain role (either member server
or domain controller). The recommended role is member server.
• Domain controller: We recommend that your clustered servers be member servers. If they
are, you need an additional server that acts as the domain controller in the domain that
contains your failover cluster.
• Clients: As needed for testing, you can connect one or more networked clients to the failover
cluster that you create, and observe the effect on a client when you move or fail over the
clustered print server from one cluster node to the other.
• Account for administering the cluster: When you first create a cluster or add servers to it,
you must be logged on to the domain with an account that has administrator rights and
permissions on all servers in that cluster. The account does not need to be a Domain Admins
account, but can be a Domain Users account that is in the Administrators group on each
clustered server. In addition, if the account is not a Domain Admins account, the account (or
the group that the account is a member of) must be given the Create Computer Objects
permission in the domain.
Note
There is a change in the way the Cluster service runs in Windows Server 2008, as
compared to Windows Server 2003. In Windows Server 2008, there is no Cluster
service account. Instead, the Cluster service automatically runs in a special context
10
that provides the specific permissions and privileges that are necessary for the
service (similar to the local system context, but with reduced privileges).
Note
Review Hardware Requirements for a Two-Node Failover Cluster earlier in this guide, for
details about the kinds of network adapters and device controllers that you can use with
Windows Server 2008.
For a failover cluster network, avoid having single points of failure. There are multiple ways of
accomplishing this. You can connect your cluster nodes by multiple, distinct networks.
Alternatively, you can connect your cluster nodes with one network that is constructed with
teamed network adapters, redundant switches, redundant routers, or similar hardware that
removes single points of failure (If you use a network for iSCSI, you must create this network in
addition to the other networks).
For a two-node print server cluster, when you connect the servers to the cluster storage, you
must expose at least two volumes (LUNs). You can expose additional volumes as needed for
thorough testing of your configuration. Do not expose the clustered volumes to servers that are
not in the cluster.
11
4. Follow the manufacturer's instructions for physically connecting the servers to the
storage.
5. Ensure that the disks (LUNs) that you want to use in the cluster are exposed to the
servers that you will cluster (and only those servers). You can use any of the following
interfaces to expose disks or LUNs:
• The interface provided by the manufacturer of the storage.
• If you are using iSCSI, an appropriate iSCSI interface.
• Microsoft Storage Manager for SANs (part of the operating system in Windows
Server 2008). To use this interface, you need to contact the manufacturer of your
storage for a Virtual Disk Service (VDS) provider package that is designed for your
storage.
6. If you have purchased software that controls the format or function of the disk, follow
instructions from the vendor about how to use that software with Windows Server 2008.
7. On one of the servers that you want to cluster, click Start, click Administrative Tools,
click Computer Management, and then click Disk Management. (If the User Account
Control dialog box appears, confirm that the action it displays is what you want, and then
click Continue.) In Disk Management, confirm that the cluster disks are visible.
8. If you want to have a storage volume larger than 2 terabytes, and you are using the
Windows interface to control the format of the disk, convert that disk to the partition style
called GUID partition table (GPT). To do this, back up any data on the disk, delete all
volumes on the disk and then, in Disk Management, right-click the disk (not a partition)
and click Convert to GPT Disk.
For volumes smaller than 2 terabytes, instead of using GPT, you can use the partition
style called master boot record (MBR).
Important
You can use either MBR or GPT for a disk that is used by a failover cluster, but you cannot
use a disk that you converted to dynamic by using Disk Management.
If you purchased software that controls the format or function of the disk, contact the vendor
for instructions about how to use that software with Windows Server 2008.
9. Check the format of any exposed volume or LUN. We recommend NTFS for the format
(for the witness disk, you must use NTFS).
12
To install the failover cluster feature on the servers
1. If you recently installed Windows Server 2008, the Initial Configuration Tasks interface
is displayed, as shown in the following illustration.
If this interface is displayed, under Customize This Server, click Add features. Then
skip to step 3.
2. If the Initial Configuration Tasks interface is not displayed and Server Manager is not
running, click Start, click Administrative Tools, and then click Server Manager. (If the
User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.)
Server Manager
13
In Server Manager, under Features Summary, click Add Features.
3. In the Add Features Wizard, click Failover Clustering, and then click Install.
4. Follow the instructions in the wizard to complete the installation of the feature. When the
wizard finishes, close it.
5. Repeat the process for each server that you want to include in the cluster.
14
2. Confirm that Failover Cluster Management is selected and then, in the center pane
under Management, click Validate a Configuration.
15
3. Follow the instructions in the wizard to specify the two servers and the tests, and then run
the tests. To fully validate your configuration, run all tests before creating a cluster.
4. The Summary page appears after the tests run. To view Help topics that will help you
interpret the results, click More about cluster validation tests.
5. While still on the Summary page, click View Report and read the test results.
To view the results of the tests after you close the wizard, see
SystemRoot\Cluster\Reports\Validation Report date and time.html
where SystemRoot is the folder in which the operating system is installed (for example,
C:\Windows).
6. As necessary, make changes in the configuration and rerun the tests.
7. To view Help topics about cluster validation after you close the wizard, in Failover Cluster
Management, click Help, click Help Topics, click the Contents tab, expand the contents
for the failover cluster Help, and click Validating a Failover Cluster Configuration.
16
To run the Create Cluster wizard
1. To open the failover cluster snap-in, click Start, click Administrative Tools, and then
click Failover Cluster Management. (If the User Account Control dialog box appears,
confirm that the action it displays is what you want, and then click Continue.)
2. Confirm that Failover Cluster Management is selected and then, in the center pane
under Management, click Create a cluster.
6. Review the text on the first page of the wizard, and then click Next.
18
List of Services and Applications in the High Availability Wizard
19
you want to configure.
Always perform management tasks on the clustered print server. Do not manage the
individual cluster nodes as print servers.
14. Right-click the clustered print server, and then click Add Printer. Follow the instructions
in the wizard to add a printer.
This is the same wizard you would use to add a printer on a nonclustered server.
15. When you have finished configuring settings for the clustered print server, to close the
instance of the Failover Cluster Management interface with Print Management in the
console tree, click File and then click Exit.
16. To perform a basic test of failover, right-click the clustered print server instance, click
Move this service or application to another node, and click the available choice of
node. When prompted, confirm your choice.
You can observe the status changes in the center pane of the snap-in as the clustered
print server instance is moved.
Additional references
The following resources provide additional information about failover clusters:
• For more information about iSCSI, see the iSCSI FAQ on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=61375).
• For information about the improvements in failover clusters as compared to server clusters in
Windows Server 2003, see "What's New in Failover Clusters" on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=62368).
20
Step-by-Step Guide for Windows Deployment
Services in Windows Server 2008
Microsoft Corporation
Published: September 2007
Author: Trina Gorman
Editor: Dia Reeves
Abstract
This guide provides an introduction to Windows Deployment Services in Windows Server® 2008.
It includes an overview of features, tasks you can use to test Windows Deployment Services, and
details about the technology.
1
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Active
Directory, and Windows Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
This product contains graphics filter software; this software is based, in part, on the work of the
Independent JPEG Group.
All other trademarks are property of their respective owners.
2
Contents
Windows Deployment Services Role Step-by-Step Guide .............................................................. 5
In this guide .................................................................................................................................. 5
What is Windows Deployment Services? .................................................................................... 5
What’s new in Windows Deployment Services? ....................................................................... 6
Who should use this guide?...................................................................................................... 7
Benefits of Windows Deployment Services .............................................................................. 7
Installing Windows Deployment Services .................................................................................... 8
Prerequisites for installing Windows Deployment Services ...................................................... 8
Steps for installing Windows Deployment Services.................................................................. 9
Upgrading from a server running Windows Server 2003 with SP1 or SP2 ................................. 9
Configuring Windows Deployment Services .............................................................................. 10
Known issues with configuring Windows Deployment Services............................................. 11
Steps for configuring Windows Deployment Services ............................................................ 11
Using the Windows interface ............................................................................................... 12
Using WDSUTIL at a command prompt .............................................................................. 13
Configuring the boot menu ......................................................................................................... 13
Prerequisites for configuring the boot menu ........................................................................... 13
Known issues with configuring the boot menu ....................................................................... 14
Steps for configuring the boot menu ....................................................................................... 14
Creating and modifying images.................................................................................................. 15
Prerequisites for creating and modifying images.................................................................... 16
Known issues with creating images ........................................................................................ 16
Steps for creating images ....................................................................................................... 16
Boot images......................................................................................................................... 16
Install images....................................................................................................................... 19
Installing an operating system.................................................................................................... 21
Prerequisites for installing an operating system ..................................................................... 21
Steps for installing an operating system ................................................................................. 21
Using unattend files .................................................................................................................... 21
Prerequisites for using unattend files...................................................................................... 22
Known issues with using unattend files .................................................................................. 22
Steps for using unattend files ................................................................................................. 22
Configuring unattended installation for the Windows Deployment Services client ............. 22
Configuring unattend installation for Windows Setup.......................................................... 23
Creating a multicast transmission .............................................................................................. 24
Prerequisites for creating a multicast transmission ................................................................ 24
Known issues in creating a multicast transmission ................................................................ 24
3
Steps for creating a multicast transmission ............................................................................ 25
Using the Windows interface ............................................................................................... 25
Using WDSUTIL .................................................................................................................. 26
Transport Server ........................................................................................................................ 28
Configuring Transport Server ................................................................................................. 28
Known issues with configuring Transport Server ................................................................ 28
Steps for configuring Transport Server ............................................................................... 28
Creating a namespace with Transport Server ........................................................................ 29
Prerequisites for creating a namespace with Transport Server .......................................... 29
Steps for creating a namespace with Transport Server ...................................................... 29
Steps for client computers to join a namespace ................................................................. 32
Additional references ................................................................................................................. 33
Appendix A: Sample client unattend file .................................................................................... 33
4
Windows Deployment Services Role Step-by-
Step Guide
This guide contains step-by-step guidance for how to use the Windows Deployment Services role
in Windows Server® 2008. This guide does not pertain to the Windows Deployment Services
Update for Windows Server 2003 (which is included in Windows Automated Installation Kit
(Windows AIK) and in Windows Server 2003 SP2). For more information about the update, see
http://go.microsoft.com/fwlink/?LinkId=66145.
To download a .doc version of this guide, see http://go.microsoft.com/fwlink/?LinkId=89381.
To provide feedback about this topic, e-mail wdsdoc@microsoft.com.
Note
This guide focuses primarily on the functionality of the complete installation of Windows
Deployment Services (Deployment Server). For information about how to configure and
use Transport Server, see the Transport Server section.
In this guide
• What is Windows Deployment Services?
• Installing Windows Deployment Services
• Upgrading from a server running Windows Server 2003 with SP1 or SP2
• Configuring Windows Deployment Services
• Configuring the boot menu
• Creating and modifying images
• Installing an operating system
• Using unattend files
• Creating a multicast transmission
• Transport Server
• Additional references
• Appendix A: Sample client unattend file
5
can use it to set up new computers by using a network-based installation. This means that you do
not have to be physically present at each computer and you do not have to install each operating
system directly from a CD or DVD. The components of Windows Deployment Services are
organized into the following three categories:
• Server components. These components include a Pre-Boot Execution Environment (PXE)
server and Trivial File Transfer Protocol (TFTP) server for network booting a client to load
and install an operating system. Also included is a shared folder and image repository that
contains boot images, install images, and files that you need specifically for network boot.
There is also a networking layer, a multicast component, and a diagnostics component.
• Client components. These components include a graphical user interface that runs within
the Windows Pre-Installation Environment (Windows PE). When a user selects an operating
system image, the client components communicate with the server components to install the
image.
• Management components. These components are a set of tools that you use to manage
the server, operating system images, and client computer accounts.
• Ability to deploy Windows Vista and • Ability to transmit data and images using
Windows Server 2008. multicast functionality.
• Support for Windows PE as a boot • Ability to transmit data and images using
operating system. multicast functionality on a standalone
• Support for the Windows image (.wim) server (when you install Transport Server).
format. • Does not support RISETUP images or
• Ability to transmit data and images using OSChooser screens.
multicast functionality. • Enhanced TFTP server.
• Ability to transmit data and images using • Supports network boots of x64-based
multicast functionality on a standalone computers with Extensible Firmware
server (when you install Transport Server). Interface (EFI).
• An extensible and higher-performing PXE • Metric reporting for installations.
server component.
• A new boot menu format for selecting boot
operating systems.
6
Changes from RIS Changes from Windows Deployment Services on
Windows Server 2003
• A new graphical user interface that you can
use to select and deploy images and to
manage Windows Deployment Services
servers and clients.
7
Installing Windows Deployment Services
Prerequisites for installing Windows Deployment Services
The following are requirements for installing this role, depending on if you choose Deployment
Server or Transport Server during the installation.
8
Steps for installing Windows Deployment Services
You can install Windows Deployment Services using the Initial Configuration Wizard or Server
Manager.
• To start the installation using the Initial Configuration Wizard, click Add roles on the Initial
Configuration Tasks startup screen. Click Next and then select Windows Deployment
Services.
• To start the installation using Server Manager, click Add roles which is located within the
Roles Summary pane. Click Next and then select Windows Deployment Services.
During the installation, you have two installation options to choose from:
• Transport Server. This option provides a subset of the functionality of Windows Deployment
Services. It contains only the core networking parts. You can use Transport Server to create
multicast namespaces that transmit data (including operating system images) from a
standalone server. You should use this option if you want to transmit data using multicasting,
but do not want to incorporate all of Windows Deployment Services.
• Deployment Server. This option provides the full functionality of Windows Deployment
Services, which you can use to configure and remotely install Windows operating systems.
With Windows Deployment Services, you can create and customize images and then use
them to re-image computers. Deployment Server is dependent on the core parts of Transport
Server.
Important
This guide focuses primarily on the functionality of Deployment Server. For
information about how to configure and use Transport Server, see Transport Server.
9
(http://go.microsoft.com/fwlink/?LinkId=94643). Then use the instructions below to change
from Legacy mode (default) to Native mode.
• If RIS was installed on the server when you installed Windows Deployment Services, it will be
in Legacy or Mixed mode—you will need to change it to Native mode before upgrading.
• If RIS was not installed on the server when you installed Windows Deployment Services, the
server will be in Native mode and therefore ready to be upgraded to Windows Server 2008.
Use the following procedures to change the server mode to Native.
10
• Creating a shared folder that contains the files necessary for PXE boot, the files for booting
Windows PE into RAMDISK, Windows PE boot images, and install images for Windows Vista
or Windows Server 2008.
• Configuring the answer settings of the PXE listener to control whether and how the server
services incoming client boot requests.
• If Microsoft DHCP is installed on the same physical computer as Windows Deployment
Services, the configuration wizard does the following (if you configure Windows Deployment
Services by using WDSUTIL, you have to manually make these changes):
• Adds DHCP option tag 60, with the PXE client setting selected, to all DHCP scopes (as a
DHCP global option). This is necessary so that a booting PXE client can be notified that
there is a listening PXE server on the network.
• Selects the Do not Listen on port 67 option. This is necessary so that booting clients
can find the DHCP server on the network.
11
• WDSUTIL at a command prompt.
To add the default boot image included in the product installation DVD
1. Click the server to which you want to add the boot image.
2. Right-click the Boot Images node, and then click Add Boot Image.
3. Browse to choose the default boot image (boot.wim) located on the Windows
Server 2008 DVD, in the \Sources directory.
4. Click Open, and then click Next.
5. Follow the instructions in the wizard to add the image.
To add the default install image(s) included in the product installation DVD
1. Click the server to which you want to add the install image.
2. Right-click the Install Images node, and then click Add Install Image.
3. Specify a name for the image group, and then click Next.
4. Browse to select the default install image (install.wim) located on the Windows Vista or
Windows Server 2008 DVD, in the \Sources directory, and then click Open.
5. To add a subset of the images included in the install.wim, then clear the check boxes for
the images that you do not want to add to the server. You should only add the images for
which you have licenses.
6. Follow the instructions in the wizard to add the images.
12
procedure.
• Create a custom install image.
Note
Help for WDSUTIL is available by typing WDSUTIL /? at a command prompt.
13
Known issues with configuring the boot menu
Note the following issues and limitations with the boot menu:
• The boot menu can contain no more than 13 boot images. This is because of a limitation
in the number of characters displayed from within the operating system loader boot menu.
• The name of the .wim file that contains the boot image cannot contain any spaces. This
file can contain only letters or numbers.
• Double-byte character sets used as image names might not display properly in the
boot menu. This issue pertains to localized strings. Limitations within the BIOS character
sets do not allow the characters to display properly.
Note
The default behavior is for x64-based computers to display both x86-based and x64-
based boot images when both are available. To change this default, run WDSUTIL /Set-
Server /Defaultx86x64ImageType:{x86|x64|both}.
The following procedures outline how to add more boot images to the boot menu. To view help
for WDSUTIL, type WDSUTIL /? at a command prompt.
14
the server list, and then choose the server to which you want to add the boot image.
2. Right-click the Boot Images node, and then click Add Boot Image.
3. Click Browse to locate the boot image that you want to add. The boot image must be
located on the server and it can be the same or different architecture.
4. Follow the instructions in the wizard to add an additional boot image.
5. When you have completed this procedure and you PXE boot a client computer, a boot
menu will appear that shows both boot images.
Note
Help for WDSUTIL is available by typing WDSUTIL /? at a command prompt.
To make any additional changes to the boot menu, use Bcdedit.exe to edit the default.bcd file
located at %REMINST%\boot\<architecture>. You can run bcdedit /? at a command prompt to
see the command line options.
For more information about Bcdedit, see Boot Configuration Data Editor Frequently Asked
Questions (http://go.microsoft.com/fwlink/?LinkID=65818).
15
Prerequisites for creating and modifying images
To create and modify boot or install images, adhere to the following prerequisites:
• Ensure that there is enough disk space to create and store the new images.
• Be a member of the Local Administrators Group on the Windows Deployment Services
server.
• Match the version of Sysprep.exe with the version of the operating system that you want to
capture.
• Install the Windows AIK if you are creating bootable ISO images
(http://go.microsoft.com/fwlink/?LinkId=81030).
• Have a writeable CD or DVD and a disk-burning utility (if you are burning an image to
media—for example a discover image),
Boot images
Boot images are the images that you boot a client computer into before installing the operating
system image. The boot image presents a boot menu that contains the images that users can
install onto their computers. These images contain Windows PE 2.0 and the Windows
Deployment Services client. You can use the default boot image (boot.wim) that is included in the
Windows Server 2008 installation media in the \Sources directory. Except in advanced scenarios
(for example, if you need to add drivers to the image), you will not need to modify this file.
Important
You should use only the boot.wim file from the Windows Server 2008 DVD. If you use the
boot.wim file from the Windows Vista DVD, you will not be able to use the full functionality
of Windows Deployment Services (for example, multicasting).
You can create the following types of boot images using Windows Deployment Services:
• Capture images. The images that you boot a client computer into in order to capture the
operating system into a .wim file.
• Discover images. The images used to install an operating system onto a computer that is
not PXE enabled.
16
Create a capture image to capture a custom operating system into a .wim file
Capture images are boot images that launch the Windows Deployment Services Capture Utility
instead of Setup. When you boot a reference computer (that has been prepared with Sysprep)
into a capture image, a wizard creates an install image of the reference computer and saves it as
a .wim file.
You can also create media (CD, DVD, USB drive, and so on) that contains a capture image, and
then boot a computer from the media. After you create the install image, you can add the image
to the server for PXE boot deployment. These images provide an alternative to the command-line
utility, ImageX.exe.
17
WDSUTIL /Add-Image /Imagefile:<captureimage> /ImageType:boot
Note
Help for WDSUTIL is available by typing WDSUTIL /? at a command prompt.
4. Once you have created the capture image, follow the instructions in the Install Image
section to boot a client computer into the capture image and capture the operating
system.
Create a discover image to install an image onto a computer that is not PXE enabled
Discover images are boot images that force Setup.exe to launch in Windows Deployment
Services mode and then discover a Windows Deployment Services server. These images are
typically used to deploy images to computers that are not PXE enabled or that are on networks
that do not allow PXE. When you create a discover image and save it to media (CD, DVD, USB
drive, and so on), you can then boot a computer to the media. The discover image on the media
locates a Windows Deployment Services server, and the server deploys the install image to the
computer.
Note
You can configure discover images to target a specific Windows Deployment Services
server. This means that if you have multiple servers in your environment, you can create
a discover image for each, and then name them based on the name of the server.
18
/Filepath:<discoverimage>
3. If you want to add the discover image back to the image store, type the following where
<discoverimage> is the file path and file name of the discover image you want to add to
the image store:
WDSUTIL /Add-Image /ImageFile:<discoverimage> /ImageType:boot
Note
Help for WDSUTIL is available by typing WDSUTIL /? at a command prompt.
Note
Using the Windows copy command to copy the image to media will not create a
bootable disk.
Install images
You can build custom install images from reference computers and deploy them to client
computers. A reference computer can be a computer with a standard Windows installation or a
Windows installation that has been configured for a specific environment. First, you boot a
computer (which has been prepared with Sysprep) into a capture image, then the capture image
creates an install image of the computer.
19
Create a capture image to capture a custom operating system in .wim format for more
information).
2. Create a reference computer (install the operating system, applications, and make any
other changes that you want).
3. At a command prompt on the reference computer, change folders to
\Windows\System32\Sysprep or the folder that contains Sysprep.exe and Setupcl.exe.
4. Type one of the following:
• On computers running Windows Vista, run sysprep /oobe /generalize /reboot
Note
If you prefer, you can also use the Sysprep graphical user interface by
double-clicking Sysprep.exe.
• On computers running Windows XP, run sysprep -mini -reseal
5. When the computer restarts, press F12.
6. In Windows Boot Manager, select the capture image, and then click Next.
7. Choose the appropriate drive, and then provide a name and description for the image.
Click Next to continue.
Important
You will only see drives that contain operating systems prepared with Sysprep. If
you do not run the command in step 4, you will not see any drives to capture.
8. Click Browse and browse to a local location where you want to store the captured install
image.
Important
You must enter a local location to save the new image or you will not be able to
capture the image. This requirement is enforced to avoid image corruption in the
event of a network malfunction.
9. Type a name for the image (use the .wim file name extension), and then click Save.
10. Click Upload image to WDS server.
11. Type the name of the Windows Deployment Services server, and then click Connect.
12. If prompted for credentials, provide a user name and password for an account with
sufficient permissions to connect to the Windows Deployment Services server.
13. On the Image Group list, choose the image group in which to store the image.
14. Click Finish.
20
Installing an operating system
Windows Deployment Services relies on Pre-Boot Execution Environment (PXE) technology to
allow a client computer to network boot and remotely connect over a TCP/IP network connection
to a Windows Deployment Services server.
21
• Windows Deployment Services client unattend file. This file uses the Unattend.xml format
and is stored on the Windows Deployment Services server in the \WDSClientUnattend folder.
It is used to automate the Windows Deployment Services client user interface screens (such
as entering credentials, choosing an install image, and configuring the disk).
• Image unattend file. This file uses the Unattend.xml or Sysprep.inf format, depending upon
the version of the operating system in the image. It is stored in a subfolder (either $OEM$
structure or \Unattend) in the per-image folder. It is used to automate the remaining phases of
setup (for example, offline servicing, Sysprep specialize, and mini-setup).
Note
Help for WDSUTIL is available by typing WDSUTIL /? at a command prompt.
23
• <imagegroupname> is the name of the image group containing the image file.
• <unattendfile> is the path and file name of the unattend file to associate with the
image.
WDSUTIL /Set-Image /Image:<imagename> /ImageType:install
/ImageGroup:<imagegroupname> /UnattendFile:<unattendfile>
Note
For information about using multicast functionality with Transport Server, see the
Transport Server section.
24
/rpcport:<portnum>), you must restart the service before the changes will take effect. If you
do not restart the service, the server will use the old values and may not answer clients. To
restart the service, you can either 1) right-click Windows Deployment Services in the MMC
snap-in and click Restart or 2) run net stop wdsserver and then run net start wdsserver
from the command line.
Note
Content is transferred over the network only if clients request data. If no clients are
connected (that is, the transmission is idle), then data will not be sent over the
network.
Configuring transmissions
After a transmission is created, you can do the following:
• Start the transmission. If the transmission is on a Scheduled-Cast, there is at least one
client, and the transmission has not started yet, you can right-click the transmission, and click
Start.
25
• Delete the transmission. If you right-click the transmission and click Delete, the multicast
transmission stops and each client installation will fall back to using unicast. That is, the client
installations will not be deleted or stopped, but they will not use the multicast transmission to
complete the installation.
• Deactivate the transmission. If you right-click and click Deactivate, each client that is
currently installing will continue, but no new clients will be joined to the transmission. After
each current client installation is complete, the transmission will be deleted. If there are no
clients when you click this option, then it will be deleted instantly.
• View properties. To view the properties, right-click the transmission, and click Properties.
Note that you cannot edit the properties of a transmission after it is created. To make a
change after you have created a transmission, you need to delete and recreate it.
• Refresh the transmissions and data. To do this, right-click a transmission and click
Refresh. You can also refresh the data by pressing F5.
Using WDSUTIL
Creating a multicast transmission for an install image
You have two options for transmission type: Auto-Cast and Scheduled-Cast.
• To create an Auto-Cast transmission, run:
WDSUTIL /New-MulticastTransmission /Image:<image name> /FriendlyName:<friendly
name> /ImageType:Install /ImageGroup:<Image group name> /TransmissionType:AutoCast
• To create a Scheduled-Cast transmission, run:
26
WDSUTIL /New-MulticastTransmission /Image:<image name> /FriendlyName:<friendly
name> /ImageType:Install /ImageGroup:<Image group name>
/TransmissionType:ScheduledCast [/Time:<yyyy/mm/dd:hh:mm>][/Clients:<no of clients>]
Configuring transmissions
After a transmission is created, you can start it, delete it, deactivate it, and view its properties.
• To start the transmission, run:
WDSUTIL /Start-MulticastTransmission /Image:<image name> /ImageType:Install
/ImageGroup:<image group name>
Note
You can only start the transmission if it is on a Scheduled-Cast, there is at least one
client, and the transmission is not started.
• To delete the transmission, run:
WDSUTIL /Remove-MulticastTransmission /Image:<image name> /ImageType:Install
/ImageGroup:<image group name> /Force
• To deactivate the transmission, run:
WDSUTIL /Remove-MulticastTransmission /Image:<image name> /ImageType:Install
/ImageGroup:<image group name>
• To view properties, run:
WDSUTIL /Get-MulticastTransmission /Image:<image name> /ImageType:Install
/ImageGroup:<image group name>
Note
You should use this option with caution because the installation will fail and the
computer could be left in an unusable state.
• To disconnect a client from a multicast transmission but continue to transfer the
image by using unicasting, run:
27
WDSUTIL /Disconnect-Client /ClientID:<id>
• To view client <id> for each transmission, run:
WDSUTIL /Get-MulticastTransmission /Image:<image name> /ImageType:Install
/ImageGroup:<image group name> /show:clients
Transport Server
During installation, you can choose to install only Transport Server. This option provides a subset
of the functionality of Windows Deployment Services. It contains only the core networking parts.
You can use Transport Server to create multicast namespaces that transmit data (including
operating system images) from a standalone server. The standalone server does not need Active
Directory, DHCP or DNS. You can use Transport Server in advanced scenarios as a part of a
custom deployment solution.
Important
After configuring any of these settings, you must restart the WDSServer service to apply
the changes. To restart the service, run net stop wdsserver and then run net start
wdsserver at a command prompt.
• To configure multicast IP addressing, run:
WDSUTIL /Set-TransportServer /ObtainIPv4From:Range /Start:<start Ipv4 Address>
/End:<end Ipv4 Address>
• To set the UDP port range, run
28
WDSUTIL /Set-TransportServer [/Server:<name>] /StartPort:x /EndPort:y
• To set the network profile, run
WDSUTIL /Set-TransportServer [/Server:<name>] /Profile:{10Mbps|100Mbps|1Gbps|Custom}
29
WDSUTIL /New-Namespace [/Server:<server>] /Namespace:<namespace name>
/FriendlyName:<friendly name> [/Description:<description>] /ContentProvider:<name>
/ConfigString:<config string> /NamespaceType:AutoCast
For example:
WDSUTIL /New-Namespace /FriendlyName:"Custom AutoCast Namespace"
/Namespace:"Custom Auto 1" /ContentProvider:WDS /ConfigString:D:\Images
/NamespaceType:AutoCast
Common commands
The following are the most commonly used commands with Transport Server. See Options
explanation for more information about each parameter.
• To start the transmission, run:
WDSUTIL /Start-Namespace /Namespace:<name>
Note
To start a transmission, the transmission must be a Scheduled-Cast and there must
be at least one client who has requested the transmission of data.
• To display information about a namespace and the clients connected to it (for
example, computer name, MAC address, IP address, speed, and percent complete),
run:
WDSUTIL /Get-Namespace /Namespace:<name> /Show:Clients
• To remove a namespace, run:
WDSUTIL /Remove-Namespace [/Server:<server name>] /Namespace:<namespace name>
[/Force]
For example:
• To remove the namespace after current client downloads are complete, run: WDSUTIL
/Remove-Namespace /Namespace:"Custom Auto 1"
• To remove the namespace immediately and stop any current client downloads, run:
WDSUTIL /Remove-Namespace /Server:MyWDSServer /Namespace:"Custom Auto 1"
/Force
• To stop a client installation completely, run:
WDSUTIL /Disconnect-Client /ClientID:<id> /Force
Important
You should use this option with caution because the installation will fail and the
computer could be left in an unusable state.
• To discontinue the download for a client but continue to transfer the image through
another method (such as SMB copy), run:
WDSUTIL /Disconnect-Client /ClientID:<id>
30
• To view the client <id> for each namespace, run:
WDSUTIL /Get-Namespace /Namespace:<name> /show:clients
Options explanation
Option Description
/Namespace:<Namespace name> Specifies the name of the namespace. This is not the
friendly name and it must be unique.
• Deployment Server: The syntax for namespace name
is
/Namspace:WDS:<ImageGroup>/<ImageName>/<Ind
ex>. For example: WDS:ImageGroup1/install.wim/1
• Transport Server: This value should match the name
given when creating the namespace on the server.
/FriendlyName:<friendly name> Specifies the friendly name of the namespace. This name
does not need to be unique.
/ConfigString:<config string> Specifies the configuration string for the content provider.
If you are using the Windows Deployment Services
content provider (WDS), specify the path to the directory
where content is stored (for example
D:\Photos\Landscapes). This path can be anywhere on
the server.
31
Option Description
namespace will start (allowed only for Scheduled-Cast).
To join a namespace
1. Install Wdsmcast.exe onto the client computer.
• If the client has an operating system (Windows Vista or Windows Server 2003), you
can install the Windows AIK. Wdsmcast.exe is in the Tools directory.
• If the client does not have an operating system, then you need to add Wdsmcast.exe
to a Windows PE image and boot the client into the image. Instructions for doing this
are included in the Windows AIK (http://go.microsoft.com/fwlink/?LinkId=81030).
2. Run the following from the client computer:
WDSMCAST /Transfer-File /Server:<server name> /Namespace:<namespace name>
/Username:<domain and user name> [/Password:<password>] /SourceFile:<file path>
/DestinationFile:<file path>
Option Explanation
/Namespace:<Namespace name> Specifies the name of the namespace. This is not the
friendly name and it must be unique.
• Deployment Server: The syntax for namespace name
is
/Namspace:WDS:<ImageGroup>/<ImageName>/<Ind
ex>. For example: WDS:ImageGroup1/install.wim/1
• Transport Server: This value should match the name
32
Option Explanation
given when creating the namespace on the server.
/Username:<domain and user name> Domain and user name to connect to the server with. Can
be in the format Domain\User or User@Domain.
[/Password:<password>] Password for the user. If this is not specified, you will be
prompted to enter it.
/DestinationFile:<file path> Complete file path and name for the destination file.
Additional references
• For a newsgroup about Windows Deployment Services, see Setup and Deployment
(http://go.microsoft.com/fwlink/?LinkId=87628)
• Windows AIK (http://go.microsoft.com/fwlink/?LinkId=81030)
• Windows AIK User's Guide for Windows Vista (http://go.microsoft.com/fwlink/?LinkID=53552)
• Sysprep (http://go.microsoft.com/fwlink/?LinkId=87732)
• For more information about the Windows Deployment Services Update for Windows
Server 2003, see the following:
• Windows Deployment Services Update Step-by-Step Guide for Windows Server 2003
(http://go.microsoft.com/fwlink/?LinkId=66145)
• Deploying and Managing the Windows Deployment Services Update on Windows
Server 2003 (http://go.microsoft.com/fwlink/?LinkId=81031)
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="windowsPE">
33
<WindowsDeploymentServices>
<Login>
<WillShowUI>OnError</WillShowUI>
<Credentials>
<Username>username</Username>
<Domain>wds-dom</Domain>
<Password>my_password</Password>
</Credentials>
</Login>
<ImageSelection>
<WillShowUI>OnError</WillShowUI>
<InstallImage>
<ImageGroup>ImageGroup1</ImageGroup>
<Filename>Install.wim</Filename>
</InstallImage>
<InstallTo>
<DiskID>0</DiskID>
<PartitionID>1</PartitionID>
</InstallTo>
</ImageSelection>
</WindowsDeploymentServices>
<DiskConfiguration>
<WillShowUI>OnError</WillShowUI>
<Disk>
<DiskID>0</DiskID>
<WillWipeDisk>false</WillWipeDisk>
<ModifyPartitions>
<ModifyPartition>
<Order>1</Order>
<PartitionID>1</PartitionID>
<Letter>C</Letter>
34
<Label>TestOS</Label>
<Format>NTFS</Format>
<Active>true</Active>
<Extend>false</Extend>
</ModifyPartition>
</ModifyPartitions>
</Disk>
</DiskConfiguration>
</component>
<component name="Microsoft-Windows-International-Core-WinPE"
publicKeyToken="31bf3856ad364e35"
<SetupUILanguage>
<WillShowUI>OnError</WillShowUI>
<UILanguage>en-US</UILanguage>
</SetupUILanguage>
<UILanguage>en-US</UILanguage>
</component>
</settings>
</unattend>
35
Step-by-Step Guide to Deploying Policies for
Windows Firewall with Advanced Security
Microsoft Corporation
Published: October 2007
Author: Dave Bishop
Editor: Scott Somohano
Technical Reviewers: Sarah Wahlert, Tom Baxter, Siddharth Patil, L. Joan Devraun
MVP Reviewers: Michael Gotch, Rodrigo Immaginario, Robert Stuczynski
Abstract
This guide shows you how to centrally configure and distribute commonly used settings and rules
for Windows Firewall with Advanced Security by describing typical tasks in a common scenario.
you get hands-on experience in a lab environment using Group Policy management tools to
create and edit GPOs to implement typical firewall settings. You also configure GPOs to
implement common server and domain isolation scenarios and see the effects of those settings.
1
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted in examples herein are fictitious. No
association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred.
Microsoft Windows Server, Windows Vista, and Windows XP are trademarks of the Microsoft
group of companies.
2
Contents
Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security ............. 5
Scenario Overview ....................................................................................................................... 5
Technology Review for Deploying Windows Firewall with Advanced Security ............................ 8
Network Location Awareness ................................................................................................... 8
Host Firewall ........................................................................................................................... 10
Connection Security and IPsec............................................................................................... 11
Group Policy ........................................................................................................................... 12
Requirements for Performing the Scenarios .............................................................................. 13
Examining Default Settings on Clients and Servers .................................................................. 17
Step 1: Starting Windows Firewall in Control Panel ............................................................... 18
Step 2: Examining the Basic Options Available by Using the Control Panel Interface .......... 19
Step 3: Examining the Basic Options by Using the Netsh Command-Line Tool .................... 21
Step 4: Examining the Basic Options Available When Using the Windows Firewall with
Advanced Security MMC snap-in ........................................................................................ 22
Deploying Basic Settings by Using Group Policy....................................................................... 23
Step 1: Creating OUs and Placing Computer Accounts in Them ........................................... 24
Step 2: Creating the GPOs to Store Settings ......................................................................... 25
Step 3: Adding the GPO Setting to Enable the Firewall on Member Client Computers ......... 26
Step 4: Deploying the Initial GPO with Test Firewall Settings ................................................ 27
Step 5: Adding the Setting that Prevents Local Administrators from Applying Conflicting Rules
............................................................................................................................................. 28
Step 6: Configuring the Rest of Your Client Computer Firewall Settings ............................... 31
Step 7: Creating WMI and Group Filters ................................................................................ 33
Step 8: Enabling Firewall Logging .......................................................................................... 37
Creating Rules that Allow Required Inbound Network Traffic .................................................... 38
Step 1: Configuring Predefined Rules by Using Group Policy ............................................... 38
Step 2: Allowing Unsolicited Inbound Network Traffic for a Specific Program ....................... 40
Step 3: Allowing Inbound Traffic to a Specific TCP or UDP Port ........................................... 43
Step 4: Allowing Inbound Network Traffic that Uses Dynamic RPC ....................................... 44
Step 5: Viewing the Firewall Log ............................................................................................ 48
Creating Rules that Block Unwanted Outbound Network Traffic ............................................... 50
Step 1: Blocking Network Traffic for a Program by Using an Outbound Rule ........................ 50
Step 2: Deploying and Testing Your Outbound Rule.............................................................. 51
Deploying a Basic Domain Isolation Policy ................................................................................ 52
Step 1: Creating a Connection Security Rule that Requests Authentication .......................... 53
Step 2: Deploying and Testing Your Connection Security Rules ........................................... 54
Step 3: Changing the Isolation Rule to Require Authentication ............................................. 57
3
Step 4: Testing Isolation with a Computer That Does Not Have the Domain Isolation Rule.. 57
Step 5: Creating Exemption Rules for Computers that are Not Domain Members ................ 58
Isolating a Server by Requiring Encryption and Group Membership ......................................... 59
Step 1: Creating the Security Group ....................................................................................... 60
Step 2: Modifying a Firewall Rule to Require Group Membership and Encryption ................ 60
Step 3: Creating a Firewall Rule on the Client to Support Encryption .................................... 61
Step 4: Testing the Rule When CLIENT1 Is Not a Member of the Group .............................. 63
Step 5: Adding CLIENT1 to the Group and Testing Again ..................................................... 63
Creating Rules that Allow Specific Computers or Users to Bypass Firewall Block Rules ......... 64
Step 1: Adding and Testing a Firewall Rule that Blocks All Telnet Traffic.............................. 65
Step 2: Modifying Your Telnet Allow Rule to Override Block Rules ....................................... 66
Summary .................................................................................................................................... 67
Additional References ................................................................................................................ 67
4
Step-by-Step Guide to Deploying Policies for
Windows Firewall with Advanced Security
This step-by-step guide illustrates how to deploy Active Directory® Group Policy objects (GPOs)
to configure Windows Firewall with Advanced Security in Windows Vista® and
Windows Server® 2008. Although you can configure a single server locally by using Group Policy
Management tools directly on the server, that method is not consistent or efficient when you have
many computers to configure. When you have multiple computers to manage, create and edit
GPOs, and then apply those GPOs to the computers in your organization.
The goal of a Windows Firewall with Advanced Security configuration in your organization is to
improve the security of each computer by blocking unwanted network traffic from entering the
computer. Network traffic that does not match the rule set of Windows Firewall with Advanced
Security is dropped. You can also require that the network traffic which is allowed must be
protected by using authentication or encryption. The ability to manage Windows Firewall with
Advanced Security by using Group Policy allows an administrator to apply consistent settings
across the organization in a way that is not easily circumvented by the user.
In this guide, you get hands-on experience in a lab environment using Group Policy management
tools to create and edit GPOs to implement typical firewall settings. You also configure GPOs to
implement common server and domain isolation scenarios and see the effects of those settings.
Scenario Overview
In this guide, you learn about how to create and deploy settings for Windows Firewall with
Advanced Security by stepping through procedures that illustrate the common tasks you have to
perform in a typical scenario.
Specifically, you configure settings in GPOs to control the following Windows Firewall with
Advanced Security options:
• Enable or disable the Windows Firewall, and configure its basic behavior.
• Determine which programs and network ports are allowed to receive inbound network traffic.
• Determine which outbound network traffic is allowed or blocked.
• Support network traffic that uses multiple or dynamic ports, such as those that use Remote
Procedure Call (RPC), or the File Transfer Protocol (FTP).
• Require that all network traffic entering specific servers be protected by Internet Protocol
security (IPsec) authentication and optionally encrypted.
5
You work with several computers that perform common roles found in a typical network
environment. These include a domain controller, a member server, and a client computer, as
shown in the following illustration.
The scenario described in this guide includes viewing and configuring firewall settings, and
configuring a domain isolation environment. It also includes server isolation, which requires group
membership to access a server and can optionally require that all traffic to the server is
encrypted. Finally, it includes a mechanism to allow trusted network devices to bypass firewall
rules for troubleshooting.
Each of the scenario steps are described in the following sections.
6
Instrumentation (WMI) and security group filtering to restrict applying the GPO to computers that
are running the correct version of Windows.
The GPO that you configure includes some of the basic Windows Firewall with Advanced
Security settings that are part of a typical enterprise's GPO settings, such as:
• Any local firewall setting created by a user, even a local administrator, is ignored.
• Ensure that the firewall is enabled with your specified handling of network traffic, and cannot
be disabled.
• The computer does not display the notification when Windows Firewall with Advanced
Security blocks a program from listening on a network port.
7
Creating rules that allow specific computers or users to bypass
firewall block rules
In this section, you configure firewall and connection security rules to allow specific authorized
users or computers, such as the network port scanners used by network troubleshooting and
security teams, to bypass the firewall.
8
Windows detects the following network location types:
• Public. By default, the public network location type is assigned to all networks when they are
first connected. A public network is considered to be shared with the public, with no
protection between the local computer and any other computer.
• Private. The private network location type can be manually selected by a local administrator
for a connection to a network that is not directly accessible by the public. This connection can
be to a home or office network that is isolated from publicly accessible networks by using a
firewall device or a device that performs network address translation (NAT). Wireless
networks should be protected by using an encryption protocol such as Wi-Fi Protected
Access (WPA) or WPAv2. A network is never automatically assigned the private network
location type; it must be assigned by the administrator. Windows remembers the network,
and the next time that you connect to it, Windows automatically assigns the network the
private network location type again.
• Domain. The domain network location type is detected when the local computer is a member
of an Active Directory domain, and the local computer can authenticate to a domain controller
for that domain through one of its network connections. If those conditions are met then the
domain network location type is automatically assigned. An administrator cannot manually
assign this network location type.
Windows Firewall with Advanced Security stores its setting and rules in profiles, and supports one
profile for each network location type. The profile associated with the currently detected network
location type is the one that is applied to the computer. If the network location type changes then
the rules the profile associated with the new network location type automatically apply.
When you have multiple network adapters attached to your computer, you can be attached to
networks of different types. Windows Vista and Windows Server 2008 only support one active
network location type at a time. Windows automatically selects the network location type for the
least secure network. For example, if a computer has two active connections, one to a public
network and one to a private network, Windows selects the public network type to enable the
more rigorous security rules in its profile to protect the computer.
Windows XP and Windows Server 2003 support a domain profile that is identical in concept to the
one described above. However, instead of supporting both a private and public profile, the earlier
9
versions of Windows support only a 'standard' profile. So if you create rules by using the
Windows Firewall node in the Administrative Templates section of the Group Policy editor then
you can only specify that they apply to the domain and standard profiles. If you specify the
standard profile and then apply these rules to a computer that is running Windows Vista or
Windows Server 2008 then the rules apply when the computer’s network location profile is set to
either private or public. The rules in the domain profile still apply only when the computer’s
network location profile is set to domain.
For more information about network location awareness and its use in Windows Firewall with
Advanced Security, see the section "Network location-aware host firewall" in Getting Started with
Windows Firewall with Advanced Security at http://go.microsoft.com/fwlink/?linkid=64343.
Host Firewall
Windows Firewall with Advanced Security includes a host-based firewall component that is a
protective boundary for the local computer, which monitors and restricts information that travels
between your computer and its attached networks or the Internet. It provides an important line of
defense against someone who might try to access your computer without your permission.
In Windows Vista and Windows Server 2008, the host firewall in Windows Firewall with Advanced
Security is turned on by default, with unsolicited inbound network traffic blocked, and all outbound
traffic allowed.
Network traffic consists of a packet or a stream of packets that are sent from a source port on one
computer to a destination port on another computer. A port is just an integer value in the network
packet that identifies the program on the sending or receiving end of the connection. Generally,
only one program listens on a port at a time. To listen on a port, the program registers itself and
the port numbers to which it must listen with the operating system. When a packet arrives at the
10
local computer, the operating system examines the destination port number, and then provides
the contents of the packet to the program registered to use that port. When using the TCP/IP
protocol, a computer can receive network traffic addressed by using a specific transport protocol
such as TCP or UDP, and on any one of the ports numbered from 1 to 65,535. Many of the lower
numbered ports are reserved for well-known services, such as a Web server that uses Hyper
Text Transport Protocol (HTTP) on TCP port 80, Telnet remote terminal services on TCP port 23,
or Simple Mail Transfer Protocol (SMTP) on port 25.
Windows Firewall with Advanced Security works by examining the source and destination
addresses, source and destination ports, and protocol numbers of a packet, and then comparing
them to the rules that are defined by the administrator. When a rule matches a network packet
then the action specified in the rule (to allow or block the packet) is taken. In Windows Vista and
Windows Server 2008, functionality in Windows Firewall with Advanced Security is expanded to
include allowing or blocking network packets based on whether they are protected by IPsec
authentication or encryption.
For more information about the host firewall functionality and the new features added to Windows
Firewall with Advanced Security in Windows Vista and Windows Server 2008, see Getting Started
with Windows Firewall with Advanced Security at http://go.microsoft.com/fwlink/?linkid=64343,
and Windows Firewall on TechNet at http://go.microsoft.com/fwlink/?linkid=95393.
11
• Source authentication. Source authentication ensures that each computer that is
participating in a connection receives proof that the other computer (and optionally the user
on the other computer) is truly the entity that it claims to be.
Authentication involves each computer providing some form of credentials to the other
computer that can be proved to be from the claimed source. Kerberos tokens, which can be
checked with a domain controller, or a computer or user certificate which can be
cryptographically checked against its trusted root certificate, are among the authentication
methods generally used.
• Data integrity. Data integrity ensures that the packet that is received is identical to the
packet that was transmitted, and that it was not damaged or modified in transit.
A network packet that is part of the network connection includes a cryptographic hash of the
packet. The hash is calculated by the sending computer, encrypted, and included in the
packet. The receiving computer calculates its own hash on the received packet, and after
decrypting the included hash, compares the two hash values. If they match, the packet is
accepted and processed. If they do not match, then the packet was damaged or possibly
modified in transit, and is dropped.
• Data confidentiality. Data confidentiality ensures that the information included in the
network connection cannot be accessed or read by non-authorized computers or users.
When specified, every network packet that is part of the network connection has its data
payload encrypted. Various strength encryption protocols are available for use.
For more information about IPsec, see:
• Getting Started with Windows Firewall with Advanced Security at
http://go.microsoft.com/fwlink/?linkid=64343
• Introduction to Server and Domain Isolation at http://go.microsoft.com/fwlink/?linkid=94631
For more information about the IPsec functionality in Windows Firewall with Advanced Security
and its use in supporting serer and domain isolation, see:
• The IPsec page on TechNet at http://go.microsoft.com/fwlink/?linkid=95394
• The Server and Domain Isolation page on TechNet at
http://go.microsoft.com/fwlink/?linkid=95395
Group Policy
Group Policy enables you to perform your administrator tasks more efficiently because it enables
centralized computer and user management. Centrally managing the configuration settings of
computers and users on the network can decrease the total cost of ownership for the IT
infrastructure.
12
How Group Policy works
Group Policy is a technology available as part of an Active Directory domain services
implementation. When member computers connect to an Active Directory domain, they
automatically retrieve and apply Group Policy objects (GPOs) from the domain controller.
A GPO is a collection of settings that can be created by a domain administrator, and then applied
to groups of computers or users in the organization.
Windows Vista allows you to use Group Policy to centrally manage a greater number of features,
components, and security settings than you were able to do in earlier versions of Windows. For
example, the number of Group Policy settings has increased from approximately 1,800 in
Windows Server 2003 with Service Pack 1 to approximately 2,500 in Windows Vista and
Windows Server 2008. These new policy settings help you manage desktops, servers, security
settings, and many other aspects of running your network.
Configuration settings and rules that you want to apply to the computers in your organization are
stored in Group Policy objects (GPOs) that are maintained on the domain controllers of an Active
Directory domain. The GPOs are automatically downloaded to all assigned computers when they
connect to the domain. They are then merged with the local GPO stored on the computer, and
then applied to the computer's active configuration. Group Policy provides easy centralized
management, and detailed control of which computers receive which GPOs.
Because the capabilities of both firewall rules and the implementation of IPsec are significantly
enhanced in Windows Vista and Windows Server 2008, we recommend that administrators leave
existing GPO settings in place for earlier versions of Windows and create new GPOs for
computers that are running Windows Vista and Windows Server 2008. By applying the new
GPOs to the same set of containers as the old GPO settings, and by using WMI filters with each
GPO, you can ensure that you apply the most appropriate settings to each computer in your
organization.
For more information about Group Policy, see Windows Server Group Policy at
http://go.microsoft.com/fwlink/?linkid=93542.
Caution
If you accidentally apply Windows Firewall with Advanced Security settings to a GPO that
applies to production computers, you can affect their ability to communicate with other
computers.
The computers needed for a test lab for this guide include the following:
13
1. DC1 is a computer that is running Windows Server 2008, Standard or Enterprise Edition, that
is configured to provide the following functions:
• The primary domain controller for the Contoso.com Active Directory domain
• A Domain Name System (DNS) server that can resolve names for the Contoso.com DNS
zone
2. MBRSVR1 is a computer that is running Windows Server 2008, Standard or Enterprise
Edition, configured to provide the following functions:
• A domain member in the Contoso.com domain
• A manager and editor of the Group Policy objects in the Contoso.com domain
• A Telnet server
3. CLIENT1 is a computer that is running Windows Vista, Business, Enterprise, or Ultimate
Edition, that is configured as follows:
• A domain member in the Contoso.com domain
Hardware requirements
You must meet the following hardware requirements in order to set up the test lab:
• Three computers that can run the operating systems required for the roles used in this guide
(see the "Software Requirements" section later in this guide).
• The computers must be connected to each other by using a network, but we recommend that
you use a stand-alone, isolated network that contains nothing but the computers that are
used in this guide. The computers can be physical computers attached to a physical network,
or virtual machines running in a Microsoft® Virtual Server or Virtual PC environment and
connected to an isolated virtual network.
Caution
If you connect your test network to your production environment or to the Internet then we
strongly recommend that you ensure that all computers are updated with the latest
security updates and are running appropriate antivirus protection software.
Note
The steps in this guide assume that your computers are on an isolated test lab network,
and that the names, IP addresses, and so on, do not interfere with the operation of other
computers on your production environment..
Software requirements
• For DC1: Windows Server 2008, Standard or Enterprise Edition.
• For MBRSVR1: Windows Server 2008, Standard or Enterprise Edition.
• For CLIENT1: Windows Vista, Business, Enterprise, or Ultimate Edition.
14
Required common procedures
The procedures that are shown here frequently occur in this guide, and the steps for them are not
included in-line. See the steps listed here any time that you must refer to them.
• The User Account Control dialog box appears whenever you try to perform an
administrative task. If your account is a member of the local Administrators group then you
can click Continue when you are prompted. If your user account is not an administrator then
you must provide the credentials (user name and password) of an account that has the
required permissions.
Use the following procedure when you are instructed to open an administrator command
prompt.
• Use the following procedure when you are instructed to open the Windows Firewall with
Advanced Security MMC snap-in.
15
• Default Gateway: Leave blank
• DNS Server address: 192.168.0.1
4. Name the computer DC1. Restart the computer when you are prompted.
5. Install Active Directory by using the following settings:
• Include DNS as part of the installation.
• Create a new domain in a new forest, and name the domain contoso.com.
• Use the password Pass@word1 for all user accounts.
6. After installing Active Directory, restart the computer when you are prompted.
7. Create a new user account in Contoso named Admin1, with a password of
Pass@word1.
8. Add Admin1 to the group Domain Administrators.
Now install the member server, and then configure the required services.
16
4. Identify the network location type as Work.
5. Configure the network to use the following settings:
• IP address: 192.168.0.101
• Subnet mask: 255.255.255.0
• Default Gateway: Leave blank
• DNS Server address: 192.168.0.1
6. Name the computer CLIENT1. Restart the computer when you are prompted.
7. Using the Turn Windows features on and off option in the Program and Features
control panel program, install the Telnet Client onto the computer.
8. Join the computer to the contoso.com domain, and then restart the computer when you
are prompted.
18
2. Click Start, and then click Control Panel.
In Windows Server 2008, the default Control Panel view is Classic View.
3. Click Windows Firewall.
4. On the Windows Firewall page, note the following default settings that are part of a
typical Windows Server 2008 installation:
• Windows Firewall is enabled.
Note
If the computer that is running Windows Server was upgraded from an earlier
version of Windows Server that included Windows Firewall then the On/Off
state is preserved in the upgrade.
• Unsolicited inbound connections that do not have an exception are blocked.
• When a program tries to listen for incoming connections and is prevented from doing
this by the firewall, a notification is not displayed to the user.
Note
This differs from the default setting on Windows Vista.
• The current settings are those assigned to the Domain network location profile
because the computer is joined to a domain and authenticated.
19
To examine the options available in the Windows Firewall icon in Control Panel
1. On both CLIENT1 and MBRSVR1, click Change settings on the Windows Firewall
page.
2. Examine the tabs for the few settings that you can configure by using this interface. Any
changes you make here apply only to the currently configured network location profile
(Domain network). Compare the differences between the default settings on MBRSVR1
and CLIENT1.
• General tab. On this tab, you can enable or disable the firewall. In addition, you can
choose to block all incoming connections, even when an exception exists that
ordinarily allows that connection.
Caution
Do not disable the firewall by stopping the Windows Firewall (MpsSvc)
service. The Windows Firewall service also implements Windows Service
Hardening, which provides additional protections for other Windows services.
Microsoft does not support disabling the Windows Firewall service. Instead,
use the interface shown here in the Windows Firewall icon in Control Panel
or use the Windows Firewall with Advanced Security MMC snap-in. For more
information about Windows Service Hardening, see Windows Vista Security
and Data Protection Improvements at
http://go.microsoft.com/fwlink/?linkid=98656.
Note
Disabling the firewall by using the Off setting on the Windows Firewall
Settings page does not stop the Windows Firewall (MpsSvc) service. It does
stop Windows Firewall from filtering any inbound or outbound network traffic
according to the configured rules.
On MBRSVR1, you see no differences on the General tab compared to a computer
that is running Windows Vista, unless the operating system was upgraded from an
earlier version of Windows Server that had Windows Firewall installed but disabled.
When a computer that is running Windows Server is upgraded to a later version of
Windows Server, the On/Off state of the Windows Firewall is maintained.
• Exceptions tab. On this tab you can see the exceptions that have been defined to
allow specific network connections. The selected exceptions are enabled. Most of the
entries displayed here represent predefined rule sets that are included with Windows.
If you click the name of an exception and then click Properties, a description of the
exception appears. You can also create your own custom program-based and port-
based exceptions on this page. You can specify a scope to an exception: any
computer, the local subnet only, or a custom list of addresses and subnets.
A computer that is running Windows Server 2008 and configured to have a network
20
server role, such as a domain controller, typically has many more exceptions enabled
to allow access to its services than other computers. For example, the MBRSVR1
computer has the Telnet exception rule enabled because you installed that service
as part of the setup for this guide. The rule was created and enabled automatically
during the installation of the Telnet service.
By default on computers that are running Windows Server 2008, the Notify me when
Windows Firewall blocks a new program option is not selected.
• Advanced tab. On this tab you can specify which network connections, as defined in
Network and Sharing Center, are protected by the Windows Firewall. By default, all
network connections are protected. You can also use the Restore Defaults button to
remove the complete custom configuration that you have applied to the firewall.
3. On bothCLIENT1 and MBRSVR1, click OK on the Windows Firewall Settings page,
close Windows Firewall, and then close Control Panel.
Important
You must use the advfirewall context instead of the older firewall or ipsec
contexts. Advfirewall is new to the netsh command in this version of Windows.
The firewall and ipsec contexts still exist, but are provided only for compatibility
with Group Policy settings that are created by using an earlier version of
Windows.
3. Examine the output and compare to what you saw earlier in the Windows Firewall icon in
Control Panel. Your output resembles the following figure.
21
The values State, Firewall Policy, and InboundUserNotification correspond to the
basic settings that you examined in the Windows Firewall icon in Control Panel in the
previous steps. The other settings shown in the netsh output are not configurable by
using the Windows Firewall icon in Control Panel. They are configurable by using the
netsh command-line tool, and the Windows Firewall with Advanced Security MMC snap-
in.
4. Close the command prompt.
To examine the basic options by using the Windows Firewall with Advanced Security
MMC snap-in
1. On MBRSVR1, open Windows Firewall with Advanced Security.
2. Examine the three panes of the Windows Firewall with Advanced Security snap-in.
• The navigation pane enables you to select from the main functional areas.
• The details pane displays information about currently selected functional area.
• The actions pane displays shortcuts to available tasks that are relevant to the
currently selected functional area.
3. In the navigation pane, select the node labeled Windows Firewall with Advanced
Security.
22
The details pane displays the basic state information for each network location profile.
Because MBRSVR1 is connected to the domain, the entry for that network location profile
in the Overview section reads Domain Profile is Active.
4. In the navigation pane, right-click Windows Firewall with Advanced Security, and then
click Properties.
5. Note that there are four tabs, one for each network location profile and one for IPsec
settings. The changes you make on each profile tab only apply to the computer when the
specified network location profile is active. The IPsec Settings tab enables you to
configure the default IPsec protocol parameters that are used when a connection security
rule does not specify otherwise.
6. Click the Private Profile tab as an example. Note that for each profile, you can enable or
disable the firewall, configure the default firewall behavior for handling unsolicited
inbound connections and outbound connections, and specify logging options.
7. Click Customize in the Settings section. Note that for each profile, you can configure
notifications and how your computer responds to incoming multicast or broadcast
network traffic.
The Rule merging section is configurable only when you are managing the settings of a
Group Policy object (GPO). The settings here indicate whether the Group Policy
administrator allows a local Administrator to apply their own locally created firewall and
connection security rules. If set to No then only GPO-supplied rules are applied to the
computer and any locally defined rules are ignored.
8. Click Cancel to return to the main Properties page.
9. Click Customize in the Logging section to examine the options available for creating a
log file to capture details about the firewall's operation. Even though a log file name is
specified, nothing is written to the file until you select Yes in one of the two lists.
10. Set the value of both lists to No to disable logging. You will use this in a later section of
the guide.
11. Click Cancel two times to return to the Windows Firewall with Advanced Security snap-in.
12. You can click the other functional areas to see the currently configured Inbound Rules,
Outbound Rules, and Connection Security Rules, but do not change any of them at
this point.
23
GPO is linked to one or more Active Directory containers, such as a site, a domain, or an
organizational unit (OU). The settings in the GPO are then applied automatically to the users and
computers whose objects are stored in those Active Directory containers. You can configure the
work environment for your users once, and then rely on Group Policy to enforce your settings.
For an overview of Group Policy, see the Group Policy technology review in this guide. For more
information about Group Policy, see Windows Server Group Policy at
http://go.microsoft.com/fwlink/?linkid=93542.
24
Organizational Unit.
3. In the Name box, type MyMemberServers, and then click OK.
4. Right-click contoso.com again, and then click New, and then click Organizational Unit.
5. In the Name box, type MyClientComputers, and then click OK.
6. In the navigation pane, click Computers.
7. In the details pane, right-click CLIENT1, and then click Move.
8. In the Move dialog box, click MyClientComputers, and then click OK.
9. In the details pane, right-click MBRSVR1, and then click Move.
10. In the Move dialog box, click MyMemberServers, and then click OK.
When you have finished, your display resembles the following figure.
25
3. In the navigation pane, right-click Group Policy Objects, and then click New.
4. In the Name box, type Firewall Settings for WS2008 Servers, and then click OK.
5. In the navigation pane, right-click Group Policy Objects, and then click New.
6. In the Name box, type Firewall Settings for Vista Clients, and then click OK.
7. Select the Group Policy Objects node, and your display resembles the following figure.
To add the GPO setting to enable the firewall on member client computers
1. On MBRSVR1, in Group Policy Management, click Group Policy Objects, right-click
Firewall Settings for Vista Clients, and then click Edit.
2. In Group Policy Management Editor, right-click the top node Firewall Settings for
Vista Clients [DC1.contoso.com] Policy, and then click Properties.
3. Select the Disable User Configuration settings check box, and then click OK.
Note
You can remove either the user or computer section whenever it is not needed.
This improves performance on the client computer when it is applying a GPO.
4. In the Confirm Disable dialog box, click Yes, and then click OK.
5. Under Computer Configuration, expand Windows Settings, expand Security
Settings, and then expand Windows Firewall with Advanced Security.
6. Click the node Windows Firewall with Advanced Security -
LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, where GUID is a
26
unique number assigned to your domain.
7. In the details pane, under Overview, notice that for each network location profile
Windows Firewall state is not configured, and then click Windows Firewall
Properties.
8. On the Domain Profile tab, click the drop-down list next to Firewall state, and then click
On (recommended).
Note
This might appear to be an unnecessary step, because the firewall is turned on
by default on the client computers. However, a local administrator can disable the
firewall if you leave this setting as Not configured. Setting it in the GPO as
shown in this step turns it on and prevents the local administrators from disabling
it.
9. Click OK to save your changes. Note in the details pane that Domain Profile now shows
Windows Firewall is on.
27
2. In the Group Policy objects list, click Firewall Settings for Vista Clients, and then click
OK.
In the next procedure, you confirm that the client computer receives and applies the new GPO
settings.
Important
Although this setting prevents a local administrator from applying a rule, it also prevents
Windows Firewall with Advanced Security from prompting the user about a new program
and creating an inbound rule when the user approves. If you enable this setting then you
must ensure that every program that requires firewall rules has the correct rules defined
in your GPOs.
28
To confirm that a local administrator can create a conflicting rule
1. On CLIENT1, at the administrator command prompt, run ping dc1.
The ping command works, which indicates that it can communicate with DC1.
2. Start the Windows Firewall with Advanced Security snap-in.
3. Under Windows Firewall with Advanced Security, right-click Outbound Rules, and
then click New Rule.
4. On the Rule Type page of the New Outbound Rule Wizard, click Custom, and then
click Next.
5. On the Program page, select All programs, and then click Next.
6. On the Protocol and Ports page, use the default settings, and then click Next.
7. On the Scope page, use the default settings, and then click Next.
8. On the Action page, use the default settings, and then click Next.
9. On the Profile page, clear the check boxes for Private and Public, but leave Domain
selected, and then click Next.
10. On the Name page, enter the name A Test Rule (use an 'A' as the first character to
ensure the rule appears at the top of the list), and then click Finish.
This creates a firewall rule that blocks all network traffic, effectively breaking
communications for the computer.
11. Return to the command prompt window, and run ping dc1 again.
The ping command fails, as shown in the following figure, because the local firewall rule
blocks outgoing communications.
29
12. In the Windows Firewall with Advanced Security snap-in, click Outbound Rules in the
navigation pane, right-click A Test Rule, and then click Disable Rule. You must disable
the rule to re-enable communication for the next steps.
13. Leave the Administrator: Command Prompt window and Windows Firewall with
Advanced Security snap-in open.
In the next procedure, you modify the GPO assigned to the client computer to prevent locally
defined rules from being merged and applied to the active firewall configuration. Also, you disable
the notification that asks the user whether to allow a program for which there are no rules.
To prevent the computer from using rules and settings defined by local administrators
1. On MBRSVR1, in Group Policy Management, click Group Policy Objects, right-click
Firewall Settings for Vista Clients, and then click Edit.
2. In Group Policy Management Editor, expand Computer Configuration, expand
Windows Settings, expand Security Settings, and then expand Windows Firewall
with Advanced Security.
3. Right-click Windows Firewall with Advanced Security -
LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, and then click
Properties.
4. On the Domain Profile tab, in the Settings section, click Customize.
5. Change the Display a notification setting to No. This prevents Windows from displaying
a notification to the user whenever a program is blocked.
6. In the Rule merging section, change the Apply local firewall rules list to No.
7. In the Rule merging section, change the Apply local connection security rules list to
No.
8. Click OK two times to return to Group Policy Management Editor.
In the next step, you refresh Group Policy on CLIENT1, and then confirm that locally defined rules
cannot block network communications.
30
the rules delivered in the GPO.
4. In the navigation pane of the Windows Firewall with Advanced Security snap-in,
expand Monitoring, and then click Firewall to see the list of rules active on the local
computer.
No rules are listed. You have not created any rules in the GPO, and no local rules are
active because of the settings that you included in the GPO.
5. Before proceeding, delete your rule. In the navigation pane, click Outbound Rules. In
the details pane, right-click A Test Rule, click Delete, and then click Yes on the
confirmation dialog box.
6. Leave both Administrator: Command Prompt and the Windows Firewall with
Advanced Security snap-in open.
To see that a local administrator can modify settings that are not enforced by a GPO
1. On CLIENT1, in the Windows Firewall with Advanced Security snap-in, in the
navigation pane, right-click the top node Windows Firewall with Advanced Security,
and then click Properties.
2. On the Domain Profile tab, change Outbound connections to Block, and then click
OK.
3. In Administrator: Command Prompt, type ping dc1, and then press ENTER.
Notice that the command fails, because all outgoing network traffic is blocked by
Windows Firewall with Advanced Security.
4. In the Windows Firewall with Advanced Security snap-in, right-click the top Windows
Firewall with Advanced Security node, and then click Properties.
5. Change Outbound connections back to Allow (default) to restore regular operation,
31
and then click OK.
In the next procedure, you configure the settings in Group Policy so that a local administrator
cannot change or disable them.
Note
The Inbound connection setting enables you to Block all connections. This is
a security feature to support a quick mitigation of a malware threat, and cannot
be blocked by Group Policy.
4. In the Settings section, click Customize, and then notice that the settings that you
configured in Group Policy cannot be locally changed.
5. Click Cancel two times to return to the Windows Firewall with Advanced Security
snap-in.
6. Close the Windows Firewall with Advanced Security snap-in.
32
Step 7: Creating WMI and Group Filters
When the network includes client computers that run a variety of Windows operating systems,
two computers in the same OU might require different settings to achieve the same configuration.
For example, a computer that is running Windows XP might require a different setting than a
computer that is running Windows Vista. Two GPOs would be required in that case, one to apply
to computers that are running Windows XP, and one to apply to computers that are running
Windows Vista. There are two frequently used techniques used to ensure that GPOs only apply
to the correct computers:
• Add a Windows Management Instrumentation (WMI) filter to the GPO. A WMI filter enables
you to specify criteria that must be matched before the linked GPO is applied to a computer.
By letting you filter the computers to which the settings apply, this reduces the need to further
subdivide your OUs in Active Directory.
• Grant or deny the Apply Policy security permission in the access control list (ACL) for the
GPO. If you put your computers in security groups, you can then deny the Apply Policy
permission to the groups that should not use the GPO.
Important
Windows XP and Windows Server 2003 use different tools and produce different firewall
and IPsec settings than the Windows Firewall with Advanced Security tool included with
Windows Vista and Windows Server 2008. Mixing the settings together on the same
computer can cause unexpected connectivity problems that are very difficult to
troubleshoot. We recommend that you use the Windows Firewall with Advanced Security
snap-in for settings to create the GPOs for computers that are running Windows Vista or
Windows Server 2008, and use the tools provided in Windows XP or
Windows Server 2003 to create the GPOs intended for those operating systems.
In this step, you apply and test a WMI filter that restricts a GPO to applying only to computers that
are running Windows Vista.
33
Windows XP from the list.
9. In the confirmation dialog box, click Yes.
The policy now only applies to computers that are running a Windows operating system
reporting a version number that starts with the characters"5.1". Because Windows Vista
is version 6.0, the policy does not apply to that operating system.
10. Leave the Group Policy Management MMC snap-in running.
In the next procedure, you deploy the GPO to see that it no longer applies to the client computer
that is running Windows Vista.
34
8. Leave the Group Policy Management snap-in running.
In the next procedure, you deploy the policy to see that it now does apply to the client computer
that is running Windows Vista.
In the next procedure, you set the permissions on the GPO to grant the apply policy permission
only to members of your new computer group.
35
/force. Wait for the command to finish.
2. Type gpresult /r /scope computer. Examine the Applied Group Policy Objects
section and verify that the only GPO listed is Default Domain Policy.
3. Look down several more lines under The following GPOs were not applied because
they were filtered out for an entry for Firewall Settings for Vista Clients.
4. If it is still open, close the Windows Firewall with Advanced Security snap-in, and then
restart it.
5. In the navigation pane, right-click Windows Firewall with Advanced Security on Local
Computer, and then click Properties.
6. Confirm that all the controls are enabled again because the GPO no longer applies.
7. Click Cancel to close the Properties page.
In the next procedure, you add the computer to the new group.
36
• HOWTO: Leverage Group Policies with WMI Filters at
http://go.microsoft.com/fwlink/?linkid=93760
• Windows Server Group Policy at http://go.microsoft.com/fwlink/?linkid=93542
37
Creating Rules that Allow Required Inbound
Network Traffic
By default, Windows Firewall with Advanced Security blocks all unsolicited inbound network
traffic. To enable programs that depend on such traffic to run correctly, you must create rules with
specified criteria.
38
the list, and then click Next.
6. On the Predefined Rules page, examine the list of rules, leave them all selected, and
then click Next.
Note
In a production environment, carefully consider which profiles you apply the rules
to. You may want to consider rules for other profiles to control how the firewall
works on computers that are away from the network, such as portable computers
which are taken home. You might want to consider applying your rules to all the
profiles to ensure that your organization's computers continue to be protected
when they are away from the organization's network. Some rule modifications
may be required to allow expected program behavior on a home or public
network that is different from the organization's network.
7. On the Action page, because we want to create an exception for traffic that would by
default be blocked, select Allow the connection, and then click Finish.
The list of enabled rules now appears in the details pane for Inbound Rules.
With the list of rules now in the GPO, deploy the GPO to the client computer.
39
To test the rules on the client computer
1. On CLIENT1, in Administrator: Command Prompt, run gpupdate /force. Wait until the
command finishes.
2. In the navigation pane of the Windows Firewall with Advanced Security snap-in,
expand Monitoring, and then click Firewall.
Note the list of rules that is now active on the local computer.
3. Click View, and then click Add/Remove columns.
4. If the Rule Source column is not displayed, click Rule Source in the Available columns
list, and then click Add.
5. Click Move Up to position Rule Source directly after Name, and then click OK.
Note
Adding the Rule Source column is useful in troubleshooting scenarios, but it can
make the listing of the rules slower. We recommend that you remove the column
from the view when you do not need it.
6. Note that all the rules identify the GPO Firewall Settings for Vista Clients as the source
of the rule. Even if you disable the locally defined Core Networking rules under Inbound
Rules, these rules from the GPO still apply to the computer.
7. Close the Group Policy Management Editor for the client GPO.
40
In this section, as a first example, you create a firewall rule that allows inbound traffic for the
Telnet service through the firewall, and then you deploy that rule to MBRSVR1 by using Group
Policy.
Note
We recommend that you create rules that are as specific as possible. That
means you may want to specify both the program, to ensure the rule only allows
traffic when that program is running, and the port, to ensure that the program can
only receive on the desired port number. To see all the options in the wizard, use
the Custom rule type.
5. In the text box for This program path, type %systemroot%\system32\tlntsvr.exe.
6. Because programs can host multiple services, we recommend that you also limit the rule
to the specific service you want. Next to Services, click Customize.
7. Click Apply to this service, select Telnet, click OK, and then click Next.
Note
The list of services includes only the services currently installed on the computer
on which you are editing the GPO. If the service you want to specify is not
installed on this computer, you can use the option Apply to service with this
service short name, and then type the service name in the text box. To discover
the service short name, use the Services MMC snap-in on a computer on which
the service is installed.
8. On the Protocols and Ports page, click Next. You restrict the rule to a specific port in
the next section.
9. On the Scope page, click Next.
10. On the Action page, click Allow the Connection, and then click Next.
11. On the Profile page, clear the Private and Public check boxes. Confirm that Domain is
selected, and then click Next.
12. On the Name page, type Allow Inbound Telnet, and then click Finish.
41
Before you deploy the GPO, configure some other settings to ensure that local rules cannot
interfere with your domain provided rule.
42
2. Close the Telnet session by typing exit, and then pressing ENTER.
In this procedure, you confirm that it is not the local Telnet rule that was created when the Telnet
Server service was installed on MBRSVR1. You disable that rule and confirm that Telnet still
works because your GPO applied rule is active.
To show that the firewall rule allows Telnet network traffic on a specified port
1. On MBRSVR1, at an Administrator: Command Prompt, type tlntadmn config
port=25, and then press ENTER. This configures your Telnet server to listen on port 25
instead of the default port 23.
2. On CLIENT1, at a command prompt, type telnet mbrsvr1 25. This instructs the client to
use port 25 for its connection instead of the default port 23.
The connection succeeds.
In the next section, you configure the rule to allow traffic only on a port number you specify.
43
In this procedure, you refine the Telnet exception rule to limit the allowed inbound network traffic
only to TCP port 23.
44
In earlier versions of Windows, dynamically assigned ports have been a challenge for firewall
administrators. Either they had to create rules to open large ranges of port numbers in the
dynamically assigned range (all ports greater than 1024), or they had to limit the program to using
a much smaller number of ports than it was designed to use. Creating rules to open many ports
that are not currently being actively used increases the surface area of a computer's vulnerability
to attack. Limiting programs to using fewer ports might compromise the programs' performance.
Neither situation is a good solution.
Note
To determine whether your program must use ports that are dynamically assigned by
RPC, see the documentation provided by your program's vendor. Alternatively, you can
examine the traffic going to and from your program by using a network protocol analyzer
such as Microsoft Network Monitor. You can download Network Monitor at
http://go.microsoft.com/fwlink/?LinkID=94770.
In Windows Vista and Windows Server 2008, this problem is solved by the introduction of rules
that can directly support RPC port requirements for programs. To configure this support for a
program you must create the following rules:
• An inbound rule that allows inbound network traffic for RPC Endpoint Mapper service. This
rule allows the computer to receive traffic sent to the port 135. The rule must also be
configured to use the allow action, and the program path of the RPC Endpoint Mapper
service.
• An inbound rule that specifies Dynamic RPC for the port number. When an incoming request
from a remote computer is received by the RPC Endpoint Mapper service on port 135 (see
the previous rule), the service assigns a dynamic port number to the request and replies to
the remote computer by using that number. The IP address of the remote computer and the
dynamic port number are stored in an internal table. When the remote computer then sends a
packet to the new port number, this rule allows Windows to match the port number and IP
address to the entries stored in the table. If a match is found, it allows the inbound traffic.
The advantage is that any port in the RPC ephemeral range can be used without having to
explicitly define a rule to open that port. The port is only usable by a program that was assigned
the use of the port by the endpoint mapper. No unused ports are left open, reducing the
vulnerability of the server.
In this section, you create rules for the Remote Event Log service that use Dynamic RPC.
Although Windows Vista and Windows Server 2008 have predefined rules that provide this
capability, you create the rules manually to see the steps involved.
To begin, confirm that the Remote Event Log service is not currently working remotely from the
client because the firewall on MBRSVR1 is blocking the traffic.
To confirm that the Remote Event Log service is not working remotely
1. On CLIENT1, click Start, type event viewer in the Start Search box, and then press
45
ENTER.
2. Click Action, and then click Connect to another computer.
3. In the Another computer text box, type MBRSVR1, and then click OK.
4. After several seconds, the connection attempt fails as shown in the following figure,
because Windows Firewall with Advanced Security on MBRSVR1 is blocking the required
network traffic. Click OK.
To allow this service to work, begin by creating a rule that supports inbound traffic to the RPC
Endpoint Mapper service.
To create a rule that allows inbound network traffic to the RPC Endpoint Mapper service
1. On MBRSVR1, in Group Policy Management Editor for your server GPO, in the
navigation pane, right-click Inbound Rules, and then click New rule.
2. On the Rule Type page, click Custom, and then click Next.
3. In the This program path text box, type %systemroot%\system32\svchost.exe.
4. Next to Services, click Customize.
5. Click Apply to this service, select Remote Procedure Call (RPC) with a short name of
RpcSs, click OK, and then click Next.
6. On the warning about conflicting with Windows service-hardening rules, click Yes.
7. On the Protocol and Ports page, for Protocol type, select TCP.
8. For Local Port, select RPC Endpoint Mapper, and then click Next.
9. On the Scope page, click Next.
10. On the Action page, click Next.
11. On the Profile page, clear the Private and Public check boxes, and then click Next.
12. On the Name page, type Allow RPC Endpoint Mapper, and then click Finish.
Next, create a rule that allows the incoming traffic from the remote Event Log client. Since the
incoming port number is assigned dynamically by the RPC Endpoint Mapper service, you specify
Dynamic RPC instead of a specific port number.
46
Note
The Event Log we are using as an example service is hosted in
%systemroot%\system32\svchost.exe. Be sure to use the path of the executable file
hosting the service that you want to create rules for when in a production environment.
To create a rule that allows inbound network traffic to your RPC-enabled service
1. On MBRSVR1, in Group Policy Management Editor, in the navigation pane, right-click
Inbound Rules, and then click New rule.
2. On the Rule Type page, click Custom, and then click Next.
3. In the This program path text box, type %systemroot%\system32\svchost.exe. The
Remote Event Log service is another service hosted by that file.
4. Next to Services, click Customize.
5. Click Apply to this service, select Windows Event Log with a short name of Eventlog,
click OK, and then click Next.
6. On the warning about conflicting with Windows service-hardening rules, click Yes.
7. On the Protocol and Ports page, for Protocol type, select TCP.
8. For Local Port, select Dynamic RPC, and then click Next.
9. On the Scope page, click Next.
10. On the Action page, click Next.
11. On the Profile page, clear the Private and Public check boxes, and then click Next.
12. On the Name page, type Allow Remote Event Log Service, and then click Finish.
Now you can apply the GPO to MBRSVR1.
13. At an Administrator: Command Prompt, run gpupdate /force. Wait for the command
to finish.
14. If it is not already open, open the Windows Firewall with Advanced Security snap-in.
15. Expand Monitoring, click Firewall, and then confirm that your new rules are now active
on the computer.
Now you can try to connect to the Remote Event Log service from the client again.
47
To confirm that the Remote Event Log service is working
1. On CLIENT1, in Event Viewer, click Action, and then click Connect to another
computer.
2. In the Another computer text box, type MBRSVR1, and then click OK.
3. The attempt succeeds, and the top node in the navigation page shows that the viewer is
connected to MBRSVR1.contoso.com.
48
was an inbound (RECEIVE) or outbound (SEND) packet.
• The following entries represent the allowed Telnet connections on ports 23 and 25:
2007-07-18 10:10:48 ALLOW TCP 192.168.0.101 192.168.0.100 52174 23
2007-07-18 10:15:54 ALLOW TCP 192.168.0.101 192.168.0.100 52175 25
• The following entry represents a blocked Telnet connection attempt on port 25:
2007-07-18 10:28:28DROP TCP 192.168.0.101 192.168.0.100 52180 25
• The following entries shows the allowed Remote Event Log connection:
2007-07-18 10:49:59 ALLOW TCP 192.168.0.101 192.168.0.100 52191 135
2007-07-18 10:50:00 ALLOW TCP 192.168.0.101 192.168.0.100 52192 49153
5. Close Notepad.
Note
In production troubleshooting scenarios, you can import your log file into Microsoft Excel
to more easily search, sort, and filter the entries. Use the space character as the
separator when you import the log file.
You should only turn on logging when you need it, such as when you are troubleshooting.
Because we are finished, turn the logging off.
49
Creating Rules that Block Unwanted Outbound
Network Traffic
By default, Windows Firewall with Advanced Security allows all outbound network traffic. If your
organization prohibits specific network programs on organization computers, you can help
enforce that prohibition by blocking the network traffic that the programs require to operate
correctly.
By default, inbound network traffic to a computer that does not match a rule is blocked, but
nothing prevents outbound traffic from leaving a computer. To block the network traffic for
prohibited programs, you must create an outbound rule that blocks traffic with specific criteria
from passing through Windows Firewall with Advanced Security.
Caution
Blocking the ports needed by a program prevents any program that uses those ports from
communicating on the network. Make sure that no program that the users require use the
same ports.
50
Windows Firewall with Advanced Security -
LDAP://{GUID},cn=policies,cn=system,DC=contoso,DC=com.
4. Click Outbound Rules, and then notice that no rules are currently defined.
5. Right-click Outbound Rules, and then click New Rule.
6. On the Rule Type page, click Custom, and then click Next.
Note
If you select the Port rule type, you can only specify the local port number to
block. We want to block remote port 23. Therefore, specify the Custom rule type.
7. On the Program page, click All programs, and then click Next.
8. On the Protocol and Ports page, change the Protocol type to TCP.
9. In the Remote ports list, click Specific Ports, type 23 in the text box, and then click
Next.
Note
Be sure to specify the Remote port, not Local. This differs from the inbound
rules you set earlier, because this rule applies to the client instead of the server.
10. On the Scope page, click Next.
11. On the Action page, click Block the connection, and then click Next.
12. On the Profile page, clear the Private and Public check boxes, and then click Next.
13. On the Name page, type Block Outbound Telnet, and then click Finish.
51
6. Type exit and the press ENTER to end the Telnet session.
52
Steps for creating connection security rules to enforce domain
isolation
In this section, you create connection security rules that specify that the computers in your
domain require authentication for inbound network traffic and request authentication for outbound
traffic.
Step 1: Creating a Connection Security Rule that Requests Authentication
Step 2: Deploying and Testing Your Connection Security Rules
Step 3: Changing the Isolation Rule to Require Authentication
Step 4: Testing Isolation with a Computer That Does Not Have the Domain Isolation Rule
Step 5: Creating Exemption Rules for Computers that are Not Domain Members
53
Caution
In a production environment, we recommend that you set request mode first and
allow the GPO to fully propagate to the network. Confirm that all your computers
are communicating successfully by using IPsec before changing the rules to
require mode. Setting the rule to require mode first can result in computers that
cannot communicate until all the computers receive and apply the GPO. In a later
step, you modify the rule to change it to require inbound authentication.
11. On the Authentication Method page, click Computer (Kerberos V5), and then click
Next.
12. On the Profile page, clear the Private and Public check boxes, and then click Next.
13. On the Name page, type Request Inbound Request Outbound, and then click Finish.
54
Now, ensure that both computers receive and apply the new GPO.
55
7. Click OK.
8. In the navigation pane, click Quick Mode, and then double-click the SA that is displayed.
9. Examine the settings, which show that any traffic between the two computers using any
protocol is protected using the Encapsulating Security Payload (ESP) integrity algorithm
Secure Hash Algorithm (SHA1). ESP integrity uses a cryptographically protected
checksum to ensure that the packets that are received have not been modified after they
are sent. Any packets that fail the integrity tests are silently dropped.
Note
SAs have a limited lifetime. Therefore, if you let the connection sit idle long
enough, the SA can expire and be removed from the list. By sending more
network traffic, the SA is renegotiated and reappears in the list.
10. Type exit at the Telnet prompt to end the Telnet session.
56
Step 3: Changing the Isolation Rule to Require Authentication
In this step, modify the rule that you created so that authentication is required instead of
requested. Clients that cannot authenticate, or that do not have a connection security rule to
authenticate the traffic, cannot communicate with computers that are domain members.
Note
Although using Require inbound and outbound would work for this guide, in a
production environment it is usually not practical to require outbound
authentication. Domain-member computers often must initiate communications
with computers that are not in the domain, such as remote Web sites.
Confirm that the computers can still communicate even though authentication is required.
57
To remove the GPO from CLIENT1
1. On MBRSVR1, switch to Group Policy Management.
2. Under MyClientComputers, right-click Domain Isolation, and then click Link Enabled
to disable the link.
In the next procedure, you refresh the GPO on CLIENT1 and try to communicate with MBRSVR1.
Note
If the computers on the network are all running Windows Vista, Windows Server 2008, or
if they can run the Simple Policy Update for Windows Server 2003 and Windows XP
(http://go.microsoft.com/fwlink/?LinkID=94767), then you probably do not need to add
exemption rules as illustrated here. Fewer exemption rules means less complexity for
your connection security and firewall rule GPOs.
58
Isolation GPO open.
2. In the navigation pane, right-click Connection Security Rules, and then click New rule.
3. On the Rule Type page, click Authentication exemption, and then click Next.
4. On the Exempt Computers page, click Add.
5. In the IP Address dialog box, click Predefined set of computers.
6. Click the list to expand it, select DNS servers, and then click OK.
7. On the Exempt Computers page, click Next.
8. On the Profile page, clear the Private and Public check boxes, and then click Next.
9. On the Name page, type Exempt DNS servers from domain isolation, and then click
Finish.
The new rule appears in your GPO.
Note
You can use a network traffic analyzer such as Microsoft Network Monitor to see
the network packets before and after you apply this rule to confirm that IPsec
attempts are not made to the DNS server after the exemption rule is applied. To
download Network Monitor, see Microsoft Network Monitor at
http://go.microsoft.com/fwlink/?LinkID=94770.
Important
Even though this guide only demonstrates how to use a computer group,
remember that you can also specify user group membership as a requirement,
as long as the authentication method that is used includes user authentication as
well as computer authentication. This enables you to specify that only users who
are members of group X can access the protected server, and only when they
are using a computer that is a member of group Y. An authorized user that uses
a non-authorized computer cannot access the protected server, nor can an
authorized computer be used by a non-authorized user to access the protected
server.
10. Click OK to close the Allow Inbound Telnet Properties page.
11. Close the Group Policy Management Editor.
61
Firewall Settings for Vista Clients, and then click Edit.
2. In the Group Policy Management Editor, expand Windows Settings, expand Security
Settings, expand Windows Firewall with Advanced Security, expand Windows
Firewall with Advanced Security -
LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, right-click
Outbound Rules, and then click New Rule.
3. On the Rule Type page, click Custom, and then click Next.
4. On the Program page, click All Programs, and then click Next.
Note
By restricting the rule to the Telnet port number (in the next step), instead of the
program name, any correctly configured Telnet client can be used. If you specify
a program by path and file name then only that specific program works, and other
Telnet client programs fail. This configuration is recommended only for outbound
rules. For inbound rules, we recommend that you use both a port restriction and
a program restriction. That way the port is only open when the program is
running. If you do not specify a program then the port remains open all the time.
5. On the Protocol and Ports page, change the Protocol type to TCP.
6. Change the Remote port list to Specific Ports, type 23 in the text box, and then click
Next.
7. On the Scope page, under Which remote IP addresses does this rule match, select
the These IP addresses check box. Make sure to select the remote option.
8. To the right of the Remote address section, click Add.
9. In the IP Address dialog box, type 192.168.0.100 (the IP address of MBRSVR1) in the
top text box, click OK, and then click Next.
10. On the Action page, click Allow the connection if it is secure, click Require the
connections to be encrypted, and then click Next.
11. On the Computers page, click Next.
12. On the Profile page, clear the Private and Public check boxes, and then click Next.
13. Name the rule Allow only encrypted Telnet to MBRSVR1, and then click Finish.
14. At an Administrator: Command Prompt, run gpupdate /force. Wait until the command
finishes.
62
Step 4: Testing the Rule When CLIENT1 Is Not a Member of the
Group
CLIENT1 has a firewall rule and a connection security rule that meet all the requirements to
communicate with MBRSVR1, but CLIENT1 has not yet been added to the computer group that is
referenced in the inbound Telnet firewall rule for MBRSVR1. In this step, you try to connect to
both the Remote Event Viewer service and the Telnet service on MBRSVR1.
Now, to see the effect of your new rules, try to connect to MBRSVR1 using Telnet.
63
6. Click OK to close the group Properties page.
64
Steps for creating rules that allow specific computers or users to
bypass the firewall
In this section of the guide, you create a firewall rule that blocks all Telnet network traffic, and
then test it with your existing Telnet allow rule you created in a previous section. Then you modify
your existing Telnet allow rule to include the Override Block Rules setting, and confirm that you
can connect from your approved computer.
Step 1: Adding and Testing a Firewall Rule that Blocks All Telnet Traffic
Step 2: Modifying Your Telnet Allow Rule to Override Block Rules
Step 1: Adding and Testing a Firewall Rule that Blocks All Telnet
Traffic
Create a rule that blocks all Telnet traffic, and then test it by using the existing Telnet allow rule to
see that the cumulative effect is to block Telnet traffic.
65
other rule says to block all Telnet traffic. In the next procedure you see what Telnet connectivity is
available when these two rules are both in place.
66
Summary
Windows Firewall with Advanced Security is an important element in a defense-in-depth security
strategy to help secure the computers in your organization, and help mitigate against threats that
either bypass your perimeter firewall or originate from within the network.
In this guide, you were introduced to the features of the new Windows Firewall with Advanced
Security included with Windows Vista and Windows Server 2008:
• You used Windows Firewall with Advanced Security to set up basic inbound and outbound
firewall rules.
• You created Group Policy objects that configure firewall settings on all the computers in a
domain, and ensured that users cannot override those settings.
• You created a set of basic domain isolation rules that restrict domain-member computers
from accepting network traffic from computers that are not members of the domain.
• You created connection security rules that isolate servers which store sensitive information,
by restricting access to only computers that are members of approved groups.
• Finally, you created rules that enabled specific trusted computers to bypass firewall
requirements.
Additional References
For more information about the technologies discussed in this guide, see the following locations.
IPsec
• IPsec (http://go.microsoft.com/fwlink/?linkid=95394)
This page contains links to the documentation currently available for Internet Protocol
security (IPsec), for both the version available on Windows XP with Service Pack 2 (SP2) and
67
Windows Server 2003 with SP2, and the version available as connection security rules in
Windows Firewall with Advanced Security on Windows Vista and Windows Server 2008.
• Simplifying IPsec Policy with the Simple Policy Update
(http://go.microsoft.com/fwlink/?linkid=94767)
This article describes a downloadable update available for Windows XP with SP2 and
Windows Server 2003 with Service Pack 1 (SP1). (The update is built into Windows
Server 2003 Service Pack 2). The update changes the behavior of IPsec negotiation so that
the IPsec policy rules can be simplified, in some cases significantly reducing the number of
required IP filters and their ongoing maintenance.
Group Policy
• Group Policy (http://go.microsoft.com/fwlink/?linkid=93542)
This page contains links to the documentation currently available for Group Policy, for both
the version available on Windows XP with SP2 and Windows Server 2003 with SP2, and the
version available on Windows Vista and Windows Server 2008.
• HOWTO: Leverage Group Policies with WMI Filters
(http://go.microsoft.com/fwlink/?linkid=93760)
This article describes how to create a WMI filter to set the scope of a GPO based on
computer attributes, such as operating system version number.
68
Using Identity Federation with Active
Directory Rights Management Services Step-
by-Step Guide
Microsoft Corporation
Published: September 2007
Author: Brian Lich
Editor: Carolyn Eller
Abstract
This step-by-step guide provides instructions for setting up a test environment to deploy and
evaluate Active Directory Rights Management Services (AD RMS) with federated identity support
in Windows Server® 2008. It includes the necessary information for installing and configuring
AD RMS and AD FS and verifying AD RMS features after configuration is complete.
1
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, MS-DOS, Windows, Windows NT, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
2
Contents
Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide
...................................................................................................................................................... 5
About This Guide.......................................................................................................................... 5
What This Guide Does Not Provide .......................................................................................... 5
Deploying AD RMS with Identity Federation Support in a Test Environment .............................. 6
3
Using Identity Federation with Active
Directory Rights Management Services Step-
by-Step Guide
5
• Guidance for setting up and configuring AD RMS in a production environment.
• Complete technical reference for AD RMS or AD FS.
• Guidance for setting up AD FS with Microsoft Office SharePoint Server 2007 and AD RMS.
For more information about using identity federation with Office SharePoint Server 2007 and
AD RMS, see Appendix A of the Deploying Active Directory Rights Management Services
with Microsoft Office SharePoint Server 2007 Step-By-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=93136).
Note
Domain controllers
running Windows 2000
Server with Service
6
Computer Name Operating System Applications and Services
Pack 4 can be used.
However, in this step-by-
step guide it is assumed
that you will be using
domain controllers running
Windows Server 2003 with
SP2.
ADRMS-DB Windows Server 2003 with SP2 Microsoft SQL Server™ 2005
Standard Edition with Service
Pack 2 (SP2)
Note
Before installing and configuring the components in this guide, you should verify that your
hardware meets the minimum requirements for AD RMS
(http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form two private intranets and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment, if desired. This step-
by-step exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named
cpandl.com is CPANDL-DC and the domain controller for the domain name treyresearch.net is
TREY-DC. The following figure shows the configuration of the test environment:
7
Step 1: Setting up the CP&L Enterprises
Domain
Before you install AD FS and the AD RMS Identity Federation Support role service, you need to
make changes to the infrastructure of the CPANDL domain. In this step, you will perform the
following tasks to install the required Active Directory Federation Services resource partner and
add it to the CP&L Enterprises infrastructure.
This section includes the following procedures:
8
• Install Windows Server 2008 Enterprise on the AD FS resource partner (ADFS-RESOURCE)
• Create the ADFSADMIN user account
• Add the ADFSADMIN user account to the local Administrators group on ADFS-RESOURCE
This step assumes that you have completed the Windows Server Active Directory Rights
Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).
Use the following table as a reference when setting up the appropriate computer names,
operating systems, and network settings that are required to complete the steps in this guide.
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47290).
Important
Windows Server 2008 Enterprise is required for the federation servers.
9
To configure TCP/IP properties on the ADFS-RESOURCE computer
1. Log on to ADFS-RESOURCE with the ADFS-RESOURCE\Administrator account or
another user account in the local Administrators group.
2. Click Start, click Control Panel, click Network and Internet, double-click Network and
Sharing Center, click Manage Network Connections, right-click Local Area
Connection, and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
4. Select the Use the following IP address option. In IP address, type 10.0.0.7, in Subnet
mask, type 255.255.255.0.
5. Select the Use the following DNS server addresses option. In Preferred DNS server,
type 10.0.0.1.
6. Click OK, and then click Close to close the Local Area Connection Properties dialog
box.
Next, join the ADFS-RESOURCE computer to the CPANDL domain:
10
To add ADFSADMIN to the CPANDL Domain
1. Log on to CPANDL-DC with the CPANDL\Administrator account or another account in
the local Administrators group.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers. This opens the Active Directory Users and Computers console.
3. In the console tree, expand cpandl.com, right-click Users, point to New, and then click
User.
4. In the New Object – User dialog box, type ADFSADMIN in Full name and User logon
name boxes, and then click Next.
5. In the New Object – User dialog box, type a password of your choice in the Password
and Confirm password boxes. Clear the User must change password at next logon
check box, click Next, and then click Finish.
11
• Configure the computer for the federation account partner (ADFS-ACCOUNT)
• Configure the AD RMS-enabled client computer (ADRMS-CLNT2)
Use the following table as reference when setting up the appropriate computer names, operating
systems, and network settings that are required to complete the steps in this guide.
Important
Before you configure your computers with static Internet Protocol (IP) addresses, it is
recommended that you first complete Windows product activation while each of your
computers still has Internet connectivity.
12
To install Windows Server 2003 Standard Edition
1. Start your computer using the Windows Server 2003 product CD. (You can use any
edition of Windows Server 2003 except the Web Edition to establish the domain)
2. Follow the instructions that appear on your computer screen, and when prompted for a
computer name, type TREY-DC.
In this step configure TCP/IP properties so that TREY-DC has a static IP address of 10.0.0.30.
Note
If you need to use fewer computers to test this scenario, you can use the Dcpromo tool to
create two new Active Directory forests on both of the federation servers rather than
configuring separate domain controllers. As a security best practice, domain controllers
should not run as both federation servers and domain controllers in a production
environment.
13
7. Select the Install and configure the DNS server on this computer and set this
computer to use this DNS server as its preferred DNS server option, and then click
Next.
8. Select the Permissions compatible only with Windows 2000 or Windows
Server 2003 operating systems option, and then click Next.
9. In the Restore Mode Password and Confirm Password boxes, type a strong password,
and then click Next.
10. Click Next.
11. When the Active Directory Installation Wizard is done, click Finish.
12. Click Restart Now.
Note
You cannot change the domain functional level once you have raised it.
5. Click OK, and then click OK again.
14
3. Right-click TREY-DC, and then click Properties.
4. Click the Forwarders tab.
5. In the Selected domain's forward IP address list section, type 10.0.0.1, and then click
Add.
6. Click OK.
Next, configure the DNS forwarder on the CPANDL-DC computer:
ADFSADMIN ADFSADMIN
15
6. In the New Object – User dialog box, type a password of your choice in the Password
and Confirm password boxes. Clear the User must change password at next logon
check box, click Next, and then click Finish.
7. Perform steps 3-6 for Terrence Philip (tphilip).
Next, add e-mail addresses to user accounts from the table above.
Important
Windows Server 2008 Enterprise is required for the federation servers.
In this step configure TCP/IP properties so that the ADFS-ACCOUNT computer has a static IP
address of 10.0.0.31.
16
Subnet mask, type 255.255.255.0.
5. Select the Use the following DNS server addresses option. In Preferred DNS server,
type 10.0.0.30.
6. Click OK, and then click Close to close the Local Area Connection Properties dialog
box.
Next, join the ADFS-ACCOUNT computer to the TREYRESEARCH domain:
17
Configure the AD RMS-enabled client computer
(ADRMS-CLNT2)
To configure the ADRMS-CLNT2 client computer in the TREYRESEARCH domain, you must
install Windows Vista, configure TCP/IP properties, and then join the computer to the
TREYRESEARCH domain. You must also install an AD RMS-enabled application. In this
example, Microsoft Office Word 2007 Enterprise Edition is installed on the client.
18
5. Click More, and in the Primary DNS suffix of this computer box, type
treyresearch.net.
6. Click OK, and click OK again.
7. When a Computer Name/Domain Changes dialog box appears prompting you for
administrative credentials, provide the credentials for treyresearch\administrator, and
then click OK.
8. When a Computer Name/Domain Changes dialog box appears welcoming you to the
treyresearch.net domain, click OK.
9. When a Computer Name/Domain Changes dialog box appears telling you that the
computer must be restarted, click OK, and then click Close.
10. In the System Settings Change dialog box, click Yes to restart the computer.
Next, we need to configure ADRMS-CLNT2 for federation support with AD RMS. This registry
entry assigns the AD FS home realm for AD RMS.
Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007
allow you to create rights-protected content. All editions will allow you to consume rights-
protected content.
19
Step 3: Installing and Configuring AD FS
Now that you have configured the computers that will be used as federation servers, you are
ready to install Active Directory Federation Services (AD FS) components on each of the
computers. This section includes the following procedures:
• Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT
• Configuring ADFS-ACCOUNT to work with AD RMS
• Configuring ADFS-RESOURCE to work with AD RMS
Note
If you choose to use self-signed certificates in your test environment, select the
Create a self-signed certificate for SSL encryption option, and then click
Next.
11. On the Choose a Token-Signing Certificate page, select the Choose an existing
20
token-signing certificate option, click the appropriate certificate, and then click Next.
Note
If you choose to use self-signed certificates in your test environment, select the
Create a self-signed token-signing certificate option, and then click Next.
12. Select the Create a new trust policy option, and then click Next.
13. Read the Introduction to Web Server (IIS) page, and then click Next.
14. Keep the Web server default check box selections, and then click Next
15. Click Install.
16. When the installation has completed, click Close.
17. Log on to ADFS-ACCOUNT as TREYRESEARCH\ADFSADMIN.
18. Repeat steps 2–13 for the ADFS-ACCOUNT computer using the
TREYRESEARCH\ADFSADMIN user account.
Note
The Federation Service URI value is case sensitive.
6. In the Federation Service endpoint URL box, confirm that https://ADFS-
ACCOUNT.treyresearch.net/adfs/ls/ is shown.
7. On the Display Name tab, in Display name for this trust policy, type Trey Research,
21
and then click OK.
Next, create a custom claim that will be used with AD RMS.
Note
The claim name value is case-sensitive.
4. Select the Custom claim option, and then click OK.
Important
Great care should be taken when allowing proxy addresses through a federated trust. If
proxy addresses through federation are allowed, it is possible for a malicious user to
spoof an authorized user's credentials and access the user's rights-protected content. If
proxy addresses through federation is a requirement of your organization, you should
implement a claims transformation module that will examine a proxy address from a
federated user and make sure that it matches the forest in which the request originated.
The option to allow a proxy address from a federated user is turned off by default in the
Active Directory Rights Management Services console.
Next, add an Active Directory account store to the Federation Service for the TREYRESEARCH
domain.
22
extraction.
9. In the Attribute box, type ProxyAddresses, and then click OK.
Finally, add a resource partner to the Federation Service in the TREYRESEARCH domain.
Note
The Federation Service URL value is case sensitive.
7. In the Federation Service endpoint URL box, type https://adfs-
resource.cpandl.com/adfs/ls/, and then click Next.
8. On the Federation Scenario page, select the Federated Web SSO option, and then
click Next.
9. Select the UPN Claim and E-mail Claim check boxes, and then click Next.
10. Select the Pass all UPN suffixes through unchanged option, and then click Next.
11. Select the Pass all E-mail suffixes through unchanged option, and then click Next.
12. Ensure that the Enable this resource partner check box is checked, and then click
Next.
13. Click Finish.
14. Right-click the new CP&L Enterprises resource partner, point to New, and then click
Outgoing Custom Claim Mapping.
15. In the Outgoing custom claim name box, type ProxyAddresses, and then click OK.
16. Close the Active Directory Federation Services console.
23
Directory Account Store, add AD RMS as a Claims-aware application, and configure a resource
partner.
First, configure the ADFS-RESOURCE computer trust policy for the federation service in the
CPANDL domain.
Note
The Federation Service URI value is case sensitive.
6. In the Federation Service endpoint URL box, confirm that https://ADFS-
RESOURCE.cpandl.com/adfs/ls/ is shown.
7. On the Display Name tab, in Display name for this trust policy, type CP&L
Enterprises, and then click OK.
Note
The claim name value is case-sensitive.
4. Select the Custom claim option, and then click OK.
Next, add an Active Directory account store to the Federation Service for the CPANDL domain.
24
2. Right-click Account Stores, point to New, and then click Account Store.
3. On the Welcome to the Add Account Store Wizard page, click Next.
4. On the Account Store Type page, select the Active Directory Domain Services
option, and then click Next.
5. On the Enable this Account Store page, select the Enable this account store check
box, and then click Next.
6. On the Completing the Add Account Store Wizard page, click Finish.
7. Double-click the E-mail organization claim, select the Enabled check box, type mail in
the LDAP attribute box, and then click OK.
8. Right-click the Active Directory account store, point to New, and then click Custom claim
extraction.
9. In the Attribute box, type ProxyAddresses, and then click OK.
10. Close the Active Directory Federation Services console.
Next, add the AD RMS certification pipeline as a claims-aware application.
Note
The application URL is case sensitive and the name of the AD RMS extranet
cluster should match the return URL value of the ADRMS-SRV computer exactly.
If the values do not match, AD FS functionality will not work.
7. On the Accepted Identity Claims page, select the User principal name (UPN) and E-
mail check boxes, and then click Next.
8. On the Enable this Application page, select the Enable this application check box,
and then click Next.
9. On the Completing the Add Application Wizard page, click Finish.
10. In the task pane, double-click ProxyAddresses, select the Enabled check box, and then
click OK.
25
Use the following procedure to add the AD RMS licensing pipeline as a claims-aware application.
Note
The application URL is case sensitive and the computer name in the URL should
match the return URL value of the ADRMS-SRV computer exactly. If the values
do not match, AD FS functionality will not work.
7. On the Accepted Identity Claims page, select the User principal name (UPN) and E-
mail check boxes, and then click Next.
8. On the Enable this Application page, click the Enable this application check box, and
then click Next.
9. On the Completing the Add Application Wizard page, click Finish.
10. In the task pane, double-click ProxyAddresses, click the Enabled check box, and then
click OK.
Next, add an account partner to ADFS-RESOURCE. This account partner receives requests from
the ADFS-ACCOUNT computer in the TREYRESEARCH domain.
26
8. On the Account Partner Verification page, type the path where the token signing
certificate is stored, and then click Next.
9. Select the Federated Web SSO option, and then click Next.
10. Select the UPN Claim and E-mail Claim check boxes, and then click Next.
11. On the Accepted UPN Suffixes page, type treyresearch.net, click Add, and then click
Next.
12. On the Accept E-mail Suffixes page, type treyresearch.net, click Add, and then click
Next.
13. Verify that the Enable this account partner check box is checked, and then click Next.
14. Click Finish.
15. Right-click the Trey Research account partner, point to New, and then click Incoming
Custom Claim Mapping.
16. In the Incoming custom claim name box, type ProxyAddresses, and then click OK.
17. Close the Active Directory Federation Services console.
27
3. Expand Local Policies, and then click User Rights Assignment.
4. Double-click Generate security audits.
5. Click Add User or Group.
6. Type cpandl\adrmssrvc, and then click OK.
7. Click OK to close the Generate security audits properties sheet.
Caution
The AD RMS cluster URLs must be added before the Identity Federation Support role
service is added by using Server Manager. If the cluster URLs are not added, you must
edit the web.config files in the certificationexternal and licensingexternal directories
manually.
28
4. In the Roles Summary box, click Active Directory Rights Management Services, and
then click Add Role Services.
5. Select the Identity Federation Support check box. Ensure that the Claims-aware
Agent role service is listed as a required role service, and then click Add Required
Role Services.
6. Click Next.
7. On the Configure Identity Federation Support page, type adfs-resource.cpandl.com,
click Validate, and then click Next.
8. On the Introduction to AD FS page, click Next.
9. On the AD FS Role Service page, confirm that Claims-aware Agent is checked, and
then click Next.
10. Click Install to add the Identity Federation Support role service to the ADRMS-SRV
computer.
11. Click Finish.
29
Step 5: Verifying AD RMS Functionality
The AD RMS client is included in the default installation of Windows Vista and Windows
Server 2008. Previous versions of the client are available for download for some earlier versions
of the Windows operating systems. For more information, see the Windows Server 2003 Rights
Management Services page in the Microsoft Windows Server TechCenter
(http://go.microsoft.com/fwlink/?LinkId=68637).
Before you can publish or consume rights-protected content on Windows Vista, you must add the
AD RMS cluster URL, the ADFS-RESOURCE URL, and the ADFS-ACCOUNT URL to the
Internet Explorer Local Intranet security zone of the ADRMS-CLNT2 computer. This is required to
ensure that your credentials are automatically passed from Microsoft Office Word to the AD RMS
Web services.
To add AD RMS cluster URL to the Internet Explorer Local Intranet security zone
1. Log on to ADRMS-CLNT2 as Terence Philip (TREYRESEARCH\tphilip).
2. Click Start, click Control Panel, click Network and Internet, and then click Internet
Options.
3. Click the Security tab, and then click Local Intranet.
4. Click Sites, and then click Advanced.
5. In the Add this website to the zone box, do the following:
a. Type https://adrms-srv.cpandl.com, and then click Add.
b. Type https://adfs-resource.cpandl.com, and then click Add.
c. Type https://adfs-account.treyresearch.net, and then click Add.
To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday, create a
Microsoft Word 2007 document, and then restrict permissions on it so that Terrence Philip is able
to read the document but is unable to change, print, or copy it. You then log on as Terence Philip,
verifying that Terence Philip can read the document but do nothing else with it.
31
What's New in Failover Clusters
Microsoft Corporation
Published: September 2007
Author: Jan Keller
Editor: Ronald Loi
Abstract
In Windows Server® 2008, the improvements to failover clusters (formerly known as server
clusters) are aimed at simplifying clusters, making them more secure, and enhancing cluster
stability. Cluster setup and management are easier. Security and networking in clusters have
been improved, as has the way a failover cluster communicates with storage. This document
describes the improvements in failover clusters.
1
This is a preliminary document and may be changed substantially prior to final commercial
release of the software described herein. The information contained in this document represents
the current view of Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be
a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, and Active Directory are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
2
Contents
What's New in Failover Clusters in Windows Server 2008 ............................................................. 5
What does a failover cluster do? .................................................................................................. 5
Who will be interested in failover clustering? ............................................................................... 5
Are there any special considerations? ......................................................................................... 5
What new functionality does failover clustering provide? ............................................................ 5
New validation wizard ............................................................................................................... 6
Support for GPT disks in cluster storage .................................................................................. 6
What existing functionality is changing? ...................................................................................... 6
Improvements to setup ............................................................................................................. 7
Improvements to management interfaces ................................................................................ 7
Improvements to stability and security to help maximize availability........................................ 8
Improvements to the way a cluster works with storage ............................................................ 8
Improvements to interfaces for working with shared folders .................................................... 8
Improvements to networking and security ................................................................................ 9
Do I need to change any existing code to work with Windows Server 2008? ........................... 10
How should I prepare to deploy this feature? ............................................................................ 10
Is this feature available in all editions of Windows Server 2008? .............................................. 10
3
What's New in Failover Clusters
Note
The failover cluster feature is not available in Windows® Web Server 2008 or
Windows Server® 2008 Standard.
5
What's New in Failover Clusters
• Support for GUID partition table (GPT) disks in cluster storage. GPT disks can have
partitions larger than two terabytes and have built-in redundancy in the way partition
information is stored, unlike master boot record (MBR) disks.
6
What's New in Failover Clusters
• Improvements to the way a cluster works with storage. With these improvements, you
can achieve better performance with your storage than was possible with server clusters in
previous releases.
• Improvements to interfaces for working with shared folders. With these improvements,
configuration of shared folders is more straightforward and misconfiguration is less likely.
• Improvements to networking and security. These improvements make it simpler to
configure and maintain the networks that the cluster uses.
Improvements to setup
The Create Cluster wizard has been simplified to make it much easier to set up a cluster. Cluster
setup is also fully scriptable so that you can automate your deployment.
The failover clustering software also includes a wizard that can help you capture certain resource
group settings from a cluster running Windows Server 2003 and apply them to a cluster running
Windows Server 2008. This can help you accomplish a migration more quickly.
7
What's New in Failover Clusters
8
What's New in Failover Clusters
misconfiguration is less likely. The improvements include the ability to configure the following for
shared folders:
• Access-based enumeration: You can use access-based enumeration to hide a specified
folder from users' view. Instead of allowing users to see the folder but not access anything on
it, you can choose to prevent them from seeing the folder at all. You can configure access-
based enumeration for a clustered shared folder in the same way as for a nonclustered
shared folder.
• Offline access: You can configure offline access (caching) for a clustered shared folder in
the same way as for a nonclustered shared folder.
• Clustered disks always recognized as part of the cluster: Whether you use the failover
cluster interface, Windows Explorer, or the Share and Storage Management snap-in,
Windows Server 2008 recognizes whether a disk has been designated as being in the cluster
storage. If such a disk has already been configured in Failover Cluster Management as part
of a clustered file server, you can then use any of the previously-mentioned interfaces to
create a share on the disk. If such a disk has not been configured as part of a clustered file
server, you cannot mistakenly create a share on it. Instead, an error indicates that the disk
must first be configured as part of a clustered file server before it can be shared.
• Integration of Services for Network File System: The File Server role in Windows
Server 2008 includes the optional role service called Services for Network File System (NFS).
By installing the role service and configuring shared folders with Services for NFS, you can
create a clustered file server that supports UNIX-based clients.
9
What's New in Failover Clusters
addition, you can use auditing to capture information about who accessed your cluster and
when.
• Place clustered servers on different subnets: You can now place clustered servers on
different IP subnets, which reduces the requirements for geographically dispersed clusters.
• Create additional security for intra-cluster communications: You now have the option
either to digitally sign or encrypt all intra-cluster communication. By default, intra-cluster
communication is digitally signed. Intra-cluster communication typically includes information
about changes to the cluster configuration or to the state of clustered resources.
Note
You cannot perform a rolling upgrade from a server cluster running Windows Server 2003
to a failover cluster running Windows Server 2008. However, after you create a failover
cluster running Windows Server 2008, you can use a wizard to migrate certain resource
settings to it from a server cluster running Windows Server 2003.
10
What's New in Terminal Services for
Windows Server 2008
Microsoft Corporation
Published: September 2007
Authors: Daniel H. Brown, Tessa Wooley, and Connie Rock
Editor: Linda Caputo
Abstract
The Terminal Services component of Microsoft® Windows Server® 2008 provides technologies
that enable users to access Windows-based programs that are installed on a terminal server, or
to access the Windows desktop itself, from almost any computing device. Users can connect to a
terminal server to run programs and to use network resources on that server.
For Microsoft Windows Server 2008, Terminal Services includes new core functionality that
enhances the end-user experience.
1
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
2
Contents
What's New in Terminal Services for Windows Server 2008 .......................................................... 7
Plug and Play Device Redirection for Media Players and Digital Cameras .................................. 13
Additional references ................................................................................................................. 15
3
What new functionality does this feature provide?..................................................................... 25
What existing functionality is changing? .................................................................................... 25
How should I prepare for this change? ............................................................................... 25
What settings have been added or changed in Windows Server 2008? ................................... 26
Group Policy settings........................................................................................................... 26
Additional references ................................................................................................................. 27
4
What does TS Licensing do? ..................................................................................................... 35
Who will be interested in TS Licensing? .................................................................................... 35
What new functionality is provided by TS Licensing? ................................................................ 36
How should I prepare to use TS Licensing? .............................................................................. 36
Are there any special considerations about TS Licensing? ....................................................... 36
Additional references ................................................................................................................. 37
5
What's New in Terminal Services for
Windows Server 2008
The Terminal Services component of Windows Server® 2008 provides technologies that enable
users to access Windows-based programs that are installed on a terminal server, or to access the
Windows desktop itself, from almost any computing device. Users can connect to a terminal
server to run programs and to use network resources on that server.
The following topics describe changes in Terminal Services functionality that are available in this
release:
• Terminal Services Core Functionality
• Remote Desktop Connection Display
• Plug and Play Device Redirection for Media Players and Digital Cameras
• Microsoft Point of Service for .NET Device Redirection
• Single Sign-On for Terminal Services
• Terminal Server Installation
• Terminal Services Printing
• Terminal Services RemoteApp (TS RemoteApp)
• Terminal Services Web Access (TS Web Access)
• Terminal Services Licensing (TS Licensing)
• Terminal Services Gateway (TS Gateway)
• Terminal Services Session Broker (TS Session Broker)
• Terminal Services and Windows System Resource Manager
7
• Font smoothing
• Display data prioritization
• Plug and Play Device Redirection for Media Players and Digital Cameras
• Microsoft Point of Service for .NET Device Redirection
• Single Sign-On for Terminal Services
8
Remote Desktop Connection 6.1
Remote Desktop Connection (RDC) 6.1 is available with Windows Server 2008. RDC 6.1
supports Remote Desktop Protocol 6.1.
Remote Desktop Connection (RDC) 6.0 is available with Windows Vista.
The RDC 6.0 software is also available for use on Windows Server® 2003 with Service Pack 1
(SP1), Windows Server 2003 with Service Pack 2 (SP2), and Windows® XP with SP2. To use
any new Terminal Services features on any of these platforms, download the installer package
from article 925876 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=79373).
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
Note
Previously, only 4:3 display resolution ratios were supported, and the maximum
resolution supported was 1600 x 1200.
You can set a custom display resolution in an .rdp file or from a command prompt.
9
For more information about .rdp file settings, see article 885187 in the Microsoft Knowledge
Base (http://go.microsoft.com/fwlink/?linkid=66168).
Monitor spanning
Monitor spanning allows you to display your remote desktop session across multiple monitors.
The monitors used for monitor spanning must meet the following requirements:
• All monitors must use the same resolution. For example, two monitors using 1024 x 768
resolution can be spanned. But one monitor at 1024 x 768 and one monitor at 800 x 600
cannot be spanned.
• All monitors must be aligned horizontally (that is, side by side). There is currently no support
for spanning multiple monitors vertically on the client system.
• The total resolution across all monitors cannot exceed 4096 x 2048.
You can enable monitor spanning in an .rdp file or from a command prompt.
Desktop Experience
Remote Desktop Connection (RDC) 6.0 and RDC 6.1 reproduce the desktop that exists on the
remote computer on the user’s client computer. To make the remote computer look and feel more
like the user's local Windows Vista desktop experience, you can install the Desktop Experience
10
feature on your Windows Server 2008 terminal server. Desktop Experience installs features of
Windows Vista, such as Windows Media® Player 11, desktop themes, and photo management.
Font smoothing
Windows Server 2008 supports ClearType®, which is a technology for displaying computer fonts
so that they appear clear and smooth, especially when you are using an LCD monitor.
A Windows Server 2008 terminal server can be configured to provide ClearType functionality
when a client computer connects to the Windows Server 2008 terminal server by using Remote
Desktop Connection. This functionality is referred to as font smoothing. Font smoothing is
available if the client computer is running any of the following:
• Windows Vista
• Windows Server 2003 with SP1 or SP2 and the Remote Desktop Connection 6.0 software
• Windows XP with SP2 and the Remote Desktop Connection 6.0 software
By default, ClearType is enabled on Windows Server 2008. To ensure that ClearType is enabled
on the Windows Server 2008 terminal server, follow this procedure.
11
To make font smoothing available for a remote desktop connection, follow this procedure on the
client computer.
When you allow font smoothing, you are specifying that the local settings on the client computer
will help determine the user experience in the remote desktop connection. Note that by allowing
font smoothing, you are not changing the settings on the Windows Server 2008 terminal server.
Using font smoothing in a remote desktop connection will increase the amount of bandwidth used
between the client computer and the Windows Server 2008 terminal server.
12
You can set the relative bandwidth priority for display (and input data) by setting the
FlowControlDisplayBandwidth value. The default value is 70; the maximum value allowed is 255.
You can set the relative bandwidth priority for other virtual channels (such as clipboard, file
transfers, or print jobs) by setting the FlowControlChannelBandwidth value. The default value is
30; the maximum value allowed is 255.
The bandwidth ratio for display data prioritization is based on the values of
FlowControlDisplayBandwidth and FlowControlChannelBandwidth. For example, if
FlowControlDisplayBandwidth is set to 150 and FlowControlChannelBandwidth is set to 50, the
ratio is 150:50, so display and input data will be allocated 75 percent of the bandwidth.
The FlowControlChargePostCompression value determines if flow control will calculate the
bandwidth allocation based on pre-compression or post-compression bytes. The default value is
0, which means that the calculation will be made on pre-compression bytes.
If you make any changes to the registry values, you need to restart the terminal server for the
changes to take effect.
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
13
the device supports MTP or PTP.
5. Choose the device that you want to redirect by selecting the check box next to the
device's name.
6. You can also redirect devices that have not been plugged in yet but will be plugged in
later when a session to a remote computer is active. To make Plug and Play devices that
you will plug in later available for redirection, select the Devices that I plug in later
check box.
Note
You can also redirect drives that will be connected after a session to a remote
computer is active. To make a drive that you will connect to later available for
redirection, expand Drives, and then select the Drives that I connect to later
check box.
7. Click OK and proceed to connect to the remote computer.
Note
The Remote Desktop Protocol (.rdp) file created by the RemoteApp Wizard automatically
enables Plug and Play device redirection. For more information about RemoteApps, see
the TS RemoteApp Step-by-Step Guide on the TS RemoteApp & TS Web Access page
on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=79609).
When the session to the remote computer is launched, you should see the Plug and Play device
that is redirected get automatically installed on the remote computer. Plug and Play notifications
will appear in the taskbar on the remote computer.
If you have selected the Devices that I plug in later check box in Remote Desktop Connection,
you should see the Plug and Play device get installed on the remote computer when you plug the
Plug and Play device into your local computer while the session to the remote computer is active.
After the redirected Plug and Play device is installed on the remote computer, the Plug and Play
device is available for use in your session with the remote computer. For example, if you are
redirecting a Windows Portable Device such as a digital camera, the device can be accessed
directly from an application such as the Scanner and Camera Wizard on the remote computer.
Note
Plug and Play device redirection is not supported over cascaded terminal server
connections. For example, if you have a Plug and Play device attached to your local
client computer, you can redirect and use that Plug and Play device when you connect to
a terminal server (Server1, for example). If from within your remote session on Server1,
you then connect to another terminal server (Server2, for example), you will not be able
to redirect and use the Plug and Play device in your remote session with Server2.
You can control Plug and Play device redirection by using either of the following Group Policy
settings:
14
• Do not allow supported Plug and Play device redirection located in Computer
Configuration\Administrative Templates\Windows Components\Terminal
Services\Terminal Server\Device and Resource Redirection
• The policy settings located in Computer Configuration\Administrative
Templates\System\Device Installation\Device Installation Restrictions
You can also control Plug and Play device redirection on the Client Settings tab in the Terminal
Services Configuration tool (tsconfig.msc) by using the Supported Plug and Play Devices
check box.
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
Important
Microsoft POS for .NET device redirection is only supported if the terminal server is
running an x86-based version of Windows Server 2008.
You can download Microsoft POS for .NET 1.11 from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?linkid=66169).
Note
Restart the Terminal Services UserMode Port Redirector service only after you have
installed the device server objects or configuration XML files for all the Microsoft POS
for .NET devices that you are supporting on the terminal server. If you later install a
new device server object or configuration XML file on your terminal server for a
Microsoft POS for .NET device, you will need to restart the Terminal Services
UserMode Port Redirector service.
Note
The .rdp file created created by the RemoteApp Wizard automatically enables Plug and
Play device redirection. For more information about RemoteApps, see the
TS RemoteApp Step-by-Step Guide on the TS RemoteApp & TS Web Access page on
the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=79609).
16
Using redirected Microsoft POS for .NET devices
After you have implemented Microsoft POS for .NET 1.11 on your terminal server and have
enabled Microsoft POS for .NET device redirection in your .rdp file, plug in your Microsoft POS for
.NET device and then connect to the remote computer by using the modified .rdp file. After you
connect to the remote computer, you should see the Microsoft POS for .NET device that is
redirected get automatically installed on the remote computer. Plug and Play notifications will
appear in the taskbar on the remote computer.
After the redirected Microsoft POS for .NET device is installed on the remote computer, any
Microsoft POS for .NET application residing on the terminal server can access the Microsoft POS
for .NET device as if the device were available locally. There is a sample application in the POS
for .NET 1.11 SDK that you can use to test access to and the functionality of the redirected
Microsoft POS for .NET device. The sample application is called ccltestapp.exe and can be
found in the \SDK\Samples\Sample Application folder in the folder where you installed POS for
.NET.
You can control Microsoft POS for .NET device redirection by using either of the following Group
Policy settings:
• Do not allow supported Plug and Play device redirection located in Computer
Configuration\Administrative Templates\Windows Components\Terminal
Services\Terminal Server\Device and Resource Redirection
• The policy settings located in Computer Configuration\Administrative
Templates\System\Device Installation\Device Installation Restrictions
You can also control Microsoft POS for .NET device redirection on the Client Settings tab in the
Terminal Services Configuration tool (tsconfig.msc) by using the Supported Plug and Play
Devices check box.
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
17
Key scenarios for single sign-on
The key scenarios for single sign-on are:
• Line-of-business (LOB) applications deployment
• Centralized application deployment
Due to lower maintenance costs, many companies prefer to install their LOB applications on a
terminal server and make these applications available through RemoteApps or Remote Desktop.
Single sign-on makes it possible to give users a better experience by eliminating the need for
users to enter credentials every time they initiate a remote session.
18
To allow default credential usage for single sign-on
1. On the Windows Vista-based computer, open the Local Group Policy Editor. To open
Local Group Policy Editor, click Start, and in the Start Search box, type gpedit.msc and
then press ENTER.
2. In the left pane, expand the following: Computer Configuration, Administrative
Templates, System, and then click Credentials Delegation.
3. Double-click Allow Delegating Default Credentials.
4. In the Properties dialog box, on the Setting tab, click Enabled, and then click Show.
5. In the Show Contents dialog box, click Add to add servers to the list.
6. In the Add Item dialog box, in the Enter the item to be added box, type the prefix
termsrv/ followed by the name of the terminal server; for example, termsrv/Server1, and
then click OK.
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
19
Services is already installed on the server, use the "To install the Terminal Server role server
when Terminal Services is already installed" procedure.
Membership in the local Administrators group, or equivalent, on the terminal server that you
plan to configure, is the minimum required to complete this procedure.
Note
If Terminal Services is already installed on the server, the Terminal Services
check box will be selected and dimmed.
5. Click Next.
6. On the Terminal Services page, click Next.
7. On the Select Role Services page, select the Terminal Server check box, and then
click Next.
If you are installing the Terminal Server role service on a domain controller, you will
receive a warning dialog box. Installing the Terminal Server role service on a domain
controller is not recommended.
8. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
9. On the Specify Authentication Method for Terminal Server page, select the
appropriate authentication method for the terminal server, and then click Next.
10. On the Specify Licensing Mode page, select the appropriate licensing mode for the
terminal server, and then click Next.
11. On the Select User Groups Allowed Access To This Terminal Server page, add the
users or user groups that you want to be able to remotely connect to this terminal server,
and then click Next.
12. On the Confirm Installation Selections page, verify that the Terminal Server role
service will be installed, and then click Install.
13. On the Installation Results page, you are prompted to restart the server to finish the
installation process. Click Close, and then click Yes to restart the server.
14. If you are prompted that other programs are still running, do either of the following:
• To close the programs manually and restart the server later, click Cancel.
20
• To automatically close the programs and restart the server, click Restart now.
15. After the server restarts and you log on to the computer, the Installation Results page
will appear. Confirm that the installation of Terminal Server succeeded.
You can also confirm that Terminal Server is installed by following these steps:
a. Start Server Manager.
b. Under Roles Summary, click Terminal Services.
c. Under System Services, confirm that Terminal Services has a status of Running.
d. Under Role Services, confirm that Terminal Server has a status of Installed.
You can use the following procedure to install the Terminal Server role service when Terminal
Services is already installed on the computer.
Membership in the local Administrators group, or equivalent, on the terminal server that you
plan to configure, is the minimum required to complete this procedure
To install the Terminal Server role service when Terminal Services is already installed
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the left pane, expand Roles.
3. Right-click Terminal Services and then click Add Role Services.
4. On the Select Role Services page, select the Terminal Server check box, and then
click Next.
If you are installing the Terminal Server role service on a domain controller, you will
receive a warning dialog box. Installing the Terminal Server role service on a domain
controller is not recommended.
5. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
6. On the Specify Authentication Method for Terminal Server page, select the
appropriate authentication method for the terminal server, and then click Next.
7. On the Specify Licensing Mode page, select the appropriate licensing mode for the
terminal server, and then click Next.
8. On the Select User Groups Allowed Access To This Terminal Server page, add the
users or user groups that you want to be able to remotely connect to this terminal server,
and then click Next.
9. On the Confirm Installation Selections page, verify that the Terminal Server role
service will be installed, and then click Install.
10. On the Installation Results page, you are prompted to restart the server to finish the
installation process. Click Close, and then click Yes to restart the server.
11. If you are prompted that other programs are still running, do either of the following:
21
• To close the programs manually and restart the server later, click Cancel.
• To automatically close the programs and restart the server, click Restart now.
12. After the server restarts and you log on to the computer, the Installation Results page
will appear. Confirm that the installation of Terminal Server succeeded.
You can also confirm that Terminal Server is installed by following these steps:
a. Start Server Manager.
b. Under Roles Summary, click Terminal Services.
c. Under SystemServices, confirm that Terminal Services has a status of Running.
d. Under Role Services, confirm that Terminal Server has a status of Installed.
Installing programs
Install programs on the terminal server after you have installed the Terminal Server role service. If
you install the Terminal Server role service on a computer that already has programs installed,
some of the existing programs may not work correctly in a multiple user environment.
Some programs may require minor setup modifications to run correctly on a terminal server.
Before you install a program on the terminal server, type change user /install at the command
prompt to place the system in install mode. After the program is installed, type change user
/execute at the command prompt to return the system to execute mode.
Note
If you install a program from an .msi package, you do not have to run these commands to
switch the system in and out of install mode. Instead, you can run the .msi package or
associated Setup file directly.
If you have programs that are related to each other or have dependencies on each other, we
recommend that you install the programs on the same terminal server. For example, we
recommend that you install Microsoft Office as a suite instead of installing individual Office
programs on separate terminal servers.
You should consider putting individual programs on separate terminal servers in the following
circumstances:
• The program has compatibility issues that may affect other programs.
• A single program and the number of associated users may fill server capacity.
22
Note
To perform this procedure, you must be a member of the Administrators group on the
terminal server.
To determine whether a computer is running a version of the RDC client that supports Network
Level Authentication, start the RDC client, click the icon in the upper-left corner of the Remote
Desktop Connection dialog box, and then click About. Look for the phrase "Network Level
Authentication supported" in the About Remote Desktop Connection dialog box.
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
23
Terminal Services Printing
Terminal Services printing has been enhanced in Windows Server® 2008 by the addition of the
Terminal Services Easy Print printer driver and a Group Policy setting that enables you to redirect
only the default client printer.
The Terminal Services Easy Print driver is a feature in Windows Server 2008 that enables users
to reliably print from a Terminal Services RemoteApp™ program or from a terminal server
desktop session to the correct printer on their client computer. It also enables users to have a
much more consistent printing experience between local and remote sessions.
The Redirect only the default client printer policy setting allows you to specify whether the
default client printer is the only printer that is redirected in Terminal Services sessions. This helps
to limit the number of printers that the spooler must enumerate, therefore improving terminal
server scalability.
Note
The RDC 6.1 client supports Remote Desktop Protocol 6.1.
• Microsoft .NET Framework 3.0 Service Pack 1 (SP1)
At the time of the Windows Server 2008 RC0 release, client support is limited to Windows
Server 2008 and Windows Vista with Service Pack 1 (SP1) Beta. Windows Server 2008 and
Windows Vista with SP1 Beta include both of the required components.
To test the Terminal Services Easy Print driver on a Windows Server 2008-based server (that is
acting as the client), you must first add .NET Framework 3.0 SP1. To do this, you can use either
of the following methods:
To add .NET Framework 3.0 SP1 by using the Server Manager user interface
1. Start Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the left pane of Server Manager, right-click Features, and then click Add Features.
3. On the Select Features page, expand .NET Framework 3.0.
4. Select the .NET Framework 3.0 Features and the XPS Viewer check boxes, and then
click Next.
5. Click Install.
24
To add .NET Framework 3.0 SP1 by using the command line
1. Start the command prompt with elevated privileges. To do this, click Start, right-click
Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following, and then press ENTER:
pkgmgr.exe /iu:NetFx3
The installation occurs silently, and may take several minutes.
25
• Ensure that client printer drivers for both local and network printers are installed on the
terminal server. If you are installing a third-party driver, make sure that the driver is a
Windows Hardware Quality Labs (WHQL) signed driver.
• Add the client printer drivers for both local and network printers to a custom printer mapping
file on the terminal server. For more information about how to create a custom printer
mapping file, see the "Resolution" section of article 239088 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=82784).
26
• Enabled: If you enable this policy setting, only the default client printer is redirected in
Terminal Services sessions.
• Disabled or Not configured: If you disable or do not configure this policy setting, all
client printers are redirected in Terminal Services sessions. By default, this policy setting
is not configured.
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
27
4. Access a link to the RemoteApp program on a Web site by using Terminal Services Web
Access (TS Web Access).
The .rdp files and Windows Installer packages contain the settings needed to run RemoteApp
programs. After opening the RemoteApp program on a local computer, the user can interact with
the program that is running on the terminal server as if it were running locally.
Note
The RDC version 6.0 software is available for use on Windows XP with SP2 and
Windows Server 2003 with SP1. You can download the installer package from article
925876 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79373).
To access RemoteApp programs through TS Web Access, the client computer must be running
RDC 6.1. RDC 6.1 is included with Windows Server 2008 and Windows Vista Service Pack 1
(SP1) Beta.
28
What new functionality does this feature provide?
Ability to run programs remotely
Users can run programs from a terminal server and have the same experience as if the programs
were running on the end user's local computer, including resizable windows, drag-and-drop
support between multiple monitors, and notification icons in the notification area.
29
Additional references
For more information about TS RemoteApp, see the TS RemoteApp Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=84895).
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
30
• TS Web Access provides a solution that works with minimal configuration. The TS Web
Access Web page includes a customizable Web Part, which can be incorporated into a
customized Web page or a Windows® SharePoint® Services site.
Note
To use TS Web Access, client computers must be running RDC 6.1. (RDC 6.1
supports Remote Desktop Protocol 6.1.) RDC 6.1 is included with Windows
Server 2008 and Windows Vista with SP1 Beta.
31
window, and can easily start multiple programs at the same time. For an administrator, TS Web
Access is easy to configure and to deploy.
32
An administrator can specify the data source that will be used to populate the list of RemoteApp
programs. The Web Part is populated with all RemoteApp programs that are configured for Web
access on that server's RemoteApp Programs list.
33
Includes Remote Desktop Web Connection
In Windows Server 2008, Remote Desktop Web Connection is available through the TS Web
Access Web page.
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
Note
Remote Desktop supports two concurrent connections to remotely administer a
computer. You do not need a license server for these connections.
35
technologies that enable access, from almost any computing device, to a server running
Windows-based programs or the full Windows desktop. Users can connect to a terminal server to
run programs and use network resources on that server.
36
Note
No updates to the Active Directory Domain Services schema are needed to
implement TS Per User CAL tracking and reporting.
• A terminal server running Windows Server 2008 cannot communicate with a license server
running Windows Server 2003. However, it is possible for a terminal server running Windows
Server 2003 to communicate with a license server running Windows Server 2008.
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
37
Prior to this release of Windows Server, security measures prevented remote users from
connecting to internal network resources across firewalls and NATs. This is because port
3389, the port used for RDP connections, is typically blocked for network security purposes at
the firewalls. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure
Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open
port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design
to provide remote access connectivity across multiple firewalls.
• The TS Gateway Manager snap-in console enables you to configure authorization policies to
define conditions that must be met for remote users to connect to internal network resources.
For example, you can specify:
• Who can connect to network resources (in other words, the user groups who can
connect).
• What network resources (computer groups) users can connect to.
• Whether client computers must be members of Active Directory security groups.
• Whether device and disk redirection is allowed.
• Whether clients need to use smart card authentication or password authentication, or
whether they can use either method.
• You can configure TS Gateway servers and Terminal Services clients to use Network Access
Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement,
and remediation technology that is included in Windows® XP Service Pack 2,
Windows Vista®, and Windows Server 2008. With NAP, system administrators can enforce
health requirements, which can include software requirements, security update requirements,
required computer configurations, and other settings.
Note
Computers running Windows Server 2008 cannot be used as NAP clients when
TS Gateway enforces NAP. Only computers running Windows XP SP2 and
Windows Vista can be used as NAP clients when TS Gateway enforces NAP.
For information about how to configure TS Gateway to use NAP for health policy enforcement
for Terminal Services clients that connect to TS Gateway servers, see the TS Gateway
Server Step-by-Step Setup Guide on the TS Gateway page on the Windows Server 2008
TechCenter (http://go.microsoft.com/fwlink/?linkid=79605).
• You can use TS Gateway server with Microsoft Internet Security and Acceleration (ISA)
Server to enhance security. In this scenario, you can host TS Gateway servers in a private
network rather than a perimeter network (also known as a DMZ, demilitarized zone, and
screened subnet), and host ISA Server in the perimeter network. The SSL connection
between the Terminal Services client and ISA Server can be terminated at the ISA Server,
which is Internet-facing.
38
For information about how to configure ISA Server as an SSL termination device for
TS Gateway server scenarios, see the TS Gateway Server Step-by-Step Setup Guide on the
TS Gateway page on the Windows Server 2008 TechCenter
(http://go.microsoft.com/fwlink/?linkid=79605).
• The TS Gateway Manager snap-in console provides tools to help you monitor TS Gateway
connection status, health, and events. By using TS Gateway Manager, you can specify
events (such as unsuccessful connection attempts to the TS Gateway server) that you want
to monitor for auditing purposes.
39
Note
You do not need a certification authority (CA) infrastructure within your organization if
you can use another method to obtain an externally trusted certificate that meets the
requirements for TS Gateway. If your company does not maintain a stand-alone CA
or an enterprise CA and you do not have a compatible certificate from a trusted
public CA, you can create and import a self-signed certificate for your TS Gateway
server for technical evaluation and testing purposes.
The certificate must meet these requirements:
• The name in the Subject line of the server certificate (certificate name, or CN) must
match the DNS name that the client uses to connect to the TS Gateway server, unless
you are using wildcard certificates or the SAN attributes of certificates. If your
organization issues certificates from an enterprise CA, a certificate template must be
configured so that the appropriate name is supplied in the certificate request. If your
organization issues certificates from a stand-alone CA, you do not need to do this.
• The certificate is a computer certificate.
• The intended purpose of the certificate is server authentication. The Extended Key Usage
(EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
• The certificate has a corresponding private key.
• The certificate has not expired. We recommend that the certificate be valid one year from
the date of installation.
• A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if
the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only
use the certificate if at least one of the following key usage values is also set:
CERT_KEY_ENCIPHERMENT_KEY_USAGE,
CERT_KEY_AGREEMENT_KEY_USAGE, and
CERT_DATA_ENCIPHERMENT_KEY_USAGE.
For more information about these values, see Advanced Certificate Enrollment and
Management (http://go.microsoft.com/fwlink/?LinkID=74577).
• The certificate must be trusted on clients. That is, the public certificate of the CA that
signed the TS Gateway server certificate must be located in the Trusted Root
Certification Authorities store on the client computer.
For more information about certificate requirements for TS Gateway and how to obtain and install
a certificate if you do not have one already, see the TS Gateway Step-by-Step Setup Guide on
the TS Gateway page on the Windows Server 2008 TechCenter
(http://go.microsoft.com/fwlink/?linkid=79605).
Additionally, keep in mind the following considerations:
40
• TS Gateway transmits all RDP traffic (that typically would have been sent over port 3389) to
port 443 by using an HTTPS tunnel. This also means that all traffic between the client and
TS Gateway is encrypted while in transit over the Internet.
• To function correctly, TS Gateway requires several role services and features to be installed
and running. When you use Server Manager to install the TS Gateway role service, the
following additional role services and features are automatically installed and started, if they
are not already installed:
• Remote procedure call (RPC) over HTTP Proxy
• Web Server (IIS) [Internet Information Services 7.0].
IIS 7.0 must be installed and running for the RPC over HTTP Proxy service to function.
• Network Policy and Access Services.
You can also configure TS Gateway to use Terminal Services connection authorization
policies that are stored on another server that runs the Network Policy Server (NPS)
service. By doing this, you are using the NPS server—formerly known as a Remote
Authentication Dial-In User Service (RADIUS) server—to centralize the storage,
management, and validation of TS CAPs. If you have already deployed an NPS server
for remote access scenarios such as VPN and dial-up networking, using the existing NPS
server for TS Gateway scenarios as well can enhance your deployment.
TS CAPs
Terminal Services connection authorization policies (TS CAPs) allow you to specify user groups,
and optionally client computer groups, that can access a TS Gateway server. You can create a
TS CAP by using TS Gateway Manager.
41
Why are TS CAPs important?
TS CAPs simplify administration and enhance security by providing a greater level of control over
access to computers on your internal network.
TS CAPs allow you to specify who can connect to a TS Gateway server. You can specify a user
group that exists on the local TS Gateway server or in Active Directory Domain Services. You can
also specify other conditions that users must meet to access a TS Gateway server. You can list
specific conditions in each TS CAP. For example, you might require a user to use a smart card to
connect through TS Gateway.
Users are granted access to a TS Gateway server if they meet the conditions specified in the
TS CAP.
Important
Users are granted access to a TS Gateway server if they meet the conditions specified in
the TS CAP. You must also create a Terminal Services resource authorization policy
(TS RAP). A TS RAP allows you to specify the internal network resources that users can
connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users
cannot connect to internal network resources through this TS Gateway server.
TS RAPs
TS RAPs allow you to specify the internal corporate network resources that remote users can
connect to through a TS Gateway server. When you create a TS RAP, you can create a computer
group (a list of computers on the internal network to which you want the remote users to connect)
and associate it with the TS RAP.
Remote users connecting to an internal network through a TS Gateway server are granted
access to computers on the network if they meet the conditions specified in at least one TS CAP
and one TS RAP.
Note
When you associate a TS Gateway-managed computer group with a TS RAP, you can
support both fully qualified domain names (FQDNs) and NetBIOS names by adding both
names to the TS Gateway-managed computer group separately. When you associate an
Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are
supported automatically if the internal network computer that the client is connecting to
belongs to the same domain as the TS Gateway server. If the internal network computer
belongs to a different domain than the TS Gateway server, users must specify the FQDN
of the internal network computer.
Together, TS CAPs and TS RAPs provide two different levels of authorization to provide you with
the ability to configure a more specific level of access control to computers on an internal
network.
42
Security groups and TS Gateway-managed computer groups
associated with TS RAPs
Remote users can connect through TS Gateway to internal network resources in a security group
or a TS Gateway-managed computer group. The group can be any one of the following:
• Members of an existing security group. The security group can exist in Local Users and
Groups on the TS Gateway server, or it can exist in Active Directory Domain Services.
• Members of an existing TS Gateway-managed computer group or a new TS Gateway-
managed computer group. You can configure a TS Gateway–managed computer group by
using TS Gateway Manager after installation.
A TS Gateway-managed computer group will not appear in Local Users and Groups on the
TS Gateway server, nor can it be configured by using Local Users and Groups.
When you add an internal network computer to the list of TS Gateway-managed computers,
keep in mind that if you want to allow remote users to connect to the computer by specifying
either its computer name or its IP address, you must add the computer to the computer group
twice (by specifying the computer name of the computer and adding it to the computer group
and then specifying the IP address of the computer and adding it to the computer group
again). If you specify only an IP address for a computer when you add it to a computer group,
users must also specify the IP address of that computer when they connect to that computer
through TS Gateway.
Important
To ensure that remote users connect to the internal corporate network computers
that you intend, we recommend that you do not specify IP addresses for the
computers, if the computers are not configured to use static IP addresses. For
example, you should not specify IP addresses if your organization uses DHCP to
dynamically reconfigure IP addresses for the computers. To ensure that remote users
connect to the internal corporate network computers that you intend, we recommend
that you do not specify IP addresses for the computers, if the computers are not
configured to use static IP addresses. For example, you should not specify IP
addresses if your organization uses DHCP to dynamically reconfigure IP addresses
for the computers.
• Any network resource. In this case, users can connect to any computer on the internal
network that they could connect to when they use Remote Desktop Connection.
To ensure that the appropriate users have access to the appropriate network resources, plan and
create security groups and TS Gateway-managed computer groups carefully. Evaluate the users
who should have access to each group, and then associate the groups with TS RAPs to grant
users access as needed.
43
Monitoring capabilities
You can use TS Gateway Manager to view information about active connections from Terminal
Services clients to internal corporate network resources through TS Gateway. This information
includes:
• The connection ID. The connection ID is displayed in the format <a:b>, where "a" is the
tunnel ID that uniquely identifies a specific connection to the TS Gateway server and "b" is
the channel ID. The tunnel ID represents the number of connections that the TS Gateway
server has received since the Terminal Services Gateway service has been running. Each
time the TS Gateway server receives a new connection, the tunnel ID is incremented by 1.
• The domain and user ID of the user logged on to the client.
• The full name of the user logged on to the client.
• The date and time when the connection was initiated.
• The length of time the connection was active.
• The length of time that the connection is idle, if applicable.
• The name of the internal network computer to which the client is connected
• The IP address of the client
Note
If your network configuration includes proxy servers, the IP address that appears in
the Client IP Address column (in the Monitoring details pane) might reflect the IP
address of the proxy server, rather than the IP address of the Terminal Services
client.
• The port on the internal network computer to which the client is connected
You can also specify the types of events that you want to monitor, such as unsuccessful or
successful connection attempts to internal network computers through a TS Gateway server.
When these events occur, you can monitor the corresponding events by using Windows Event
Viewer. TS Gateway events are stored in Event Viewer under Application and Services
Logs\Microsoft\Windows\Terminal Services-Gateway\.
Important
If you disable or do not configure this policy setting, but enable the Enable connections
through TS Gateway policy setting, client connection attempts to any internal network
resource will fail if the client cannot connect directly to the network resource.
Note
TS Gateway can route connections to any Terminal Services–based session, including
those on Windows Server 2008, Windows Server 2003, Windows Vista, and
Windows XP–based computers.
If the internal corporate network computer is using new Terminal Services features, you will need
to use the Remote Desktop Connection version 6.0 or later software, which is included with
Windows Server 2008 and Windows Vista.
Note
The Remote Desktop Connection version 6.0 or later software is available for use on
Windows XP with Service Pack 2 and Windows Server 2003 with Service Pack 1 or later.
To use any new Terminal Services features on either of these platforms, download the
installer package for RDC. For information about how to download the installer package
for RDC 6.0 or later, see article 925876 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=79373).
45
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
Note
In Windows Server 2008, the name of the Terminal Services Session Directory (TS
Session Directory) feature was changed to Terminal Services Session Broker
(TS Session Broker).
46
In the second phase, the terminal server where the initial connection was made redirects the user
to the terminal server that was specified by TS Session Broker. The redirection behavior is as
follows:
• A user with an existing session will connect to the server where their session exists.
• A user without an existing session will connect to the terminal server that has the fewest
sessions.
TS Session Broker Load Balancing sets a limit of 16 for the maximum number of pending logon
requests to a particular terminal server. This helps to prevent the scenario where a single server
is overwhelmed by new logon requests; for example, if you add a new server to the farm, or if you
enable user logons on a server where they were previously denied.
The TS Session Broker Load Balancing feature also enables you to assign a relative weight value
to each server. By assigning a server weight value, you can help to distribute the load between
more powerful and less powerful servers in the farm.
Note
To configure a server to participate in TS Session Broker Load Balancing, and to assign
a server weight value, you can use the Terminal Services Configuration tool.
Additionally, a user logon mode setting is provided that enables you to prevent new users from
logging on to a terminal server that is scheduled to be taken down for maintenance. This
mechanism provides for the ability to take a server offline without disrupting the user experience.
If new logons are denied on a terminal server in the farm, TS Session Broker will allow users with
existing sessions to reconnect, but will redirect new users to terminal servers that are configured
to allow new logons.
Note
The User logon mode setting is located under General in the Edit settings area of the
Terminal Services Configuration tool.
While any load-balancing mechanism can be used to distribute the initial connections, DNS round
robin is the easiest mechanism to deploy. Deploying TS Session Broker Load Balancing with a
network level load-balancing solution such as NLB or a hardware load balancer avoids the
limitations of DNS, while still taking advantage of TS Session Broker session-based load
balancing, the per server limit on the number of pending logon requests, and the user logon mode
setting. The limitations of DNS round robin include the caching of DNS requests on the client,
which can result in clients using the same IP address for each initial connection request, and the
potential for a 30-second timeout delay if a user is redirected to a terminal server that is offline,
but still listed in DNS.
Note
If you prefer, you can use a hardware load balancer to spread the initial connection and
authentication load between multiple terminal servers in the farm.
Additional references
For more information, see the TS Session Broker Load Balancing Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=92670).
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
48
Terminal Services and Windows System
Resource Manager
Windows® System Resource Manager (WSRM) on Windows Server® 2008 allows you to control
how CPU and memory resources are allocated to applications, services, and processes on the
computer. Managing resources in this way improves system performance and reduces the
chance that applications, services, or processes will take CPU or memory resources away from
one another and slow down the performance of the computer. Managing resources also creates a
more consistent and predictable experience for users of applications and services running on the
computer.
You can use WSRM to manage multiple applications on a single computer or users on a
computer on which Terminal Services is installed.
For more information about WSRM, see the following documentation:
• Windows Server 2008 Windows System Resource Manager Step-by-Step Guide on the
Windows Server 2008 Technical Library Web site
(http://go.microsoft.com/fwlink/?LinkId=83376).
• Windows Server 2003 Help for Windows System Resource Manager on the Microsoft
Download Center (http://go.microsoft.com/fwlink/?LinkId=49774).
Installing WSRM
To install WSRM
1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server
Manager.
2. Under Features Summary, click Add features.
3. On the Select Features page, select the Windows System Resource Manager check
box.
4. A dialog box will appear informing you that Windows Internal Database also needs to be
49
installed for WSRM to work properly. Click Add Required Features, and then click Next.
5. On the Confirm Installation Selections page, verify that Windows Internal Database
and Windows Server Resource Manager will be installed, and then click Install.
6. On the Installation Results page, confirm that the installation of Windows Internal
Database and Windows Server Resource Manager succeeded, and then click Close.
After you install WSRM, you need to start the Windows System Resource Manager service.
Resource-Allocation Policies
WSRM uses resource-allocation policies to determine how computer resources, such as CPU
and memory, are allocated to processes running on the computer. There are two resource-
allocation policies that are specifically designed for computers running Terminal Services. The
two Terminal Services-specific resource-allocation policies are:
• Equal_Per_User
• Equal_Per_Session
Note
The Equal_Per_Session resource-allocation policy is new for Windows Server 2008.
50
If you implement the Equal_Per_Session resource-allocation policy, each user session (and its
associated processes) gets an equal share of the CPU resources on the computer.
Monitoring Performance
You should collect data about the performance of your terminal server before and after
implementing the Equal_Per_Session resource-allocation policy (or making any other WSRM-
related configuration change). You can use Resource Monitor in the Windows System Resource
Manager snap-in to collect and view data about the usage of hardware resources and the activity
of system services on the computer.
Additional references
For information about other new features in Terminal Services, see What's New in Terminal
Services for Windows Server 2008.
51
Windows Server 2008 Active Directory
Certificate Services Step-By-Step Guide
Microsoft Corporation
Published: April 2007
Author: Roland Winkler
Editor: Debbie Swanson
Abstract
This step-by-step guide describes the steps needed to set up a basic configuration of Active
Directory® Certificate Services (AD CS) in a lab environment.
AD CS in Windows Server® 2008 provides customizable services for creating and managing
public key certificates used in software security systems employing public key technologies.
1
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
2
Contents
Windows Server Active Directory Certificate Services Step-by-Step Guide ................................... 5
AD CS Technology Review .......................................................................................................... 5
Requirements for Using AD CS ................................................................................................... 6
AD CS Basic Lab Scenario .......................................................................................................... 7
Steps for Setting up a Basic Lab .................................................................................................. 7
Step 1: Setting Up an Enterprise Root CA ............................................................................... 8
Step 2: Installing the Online Responder ................................................................................... 9
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates............................. 9
Step 4: Creating a Revocation Configuration ......................................................................... 11
Step 5: Verifying that the AD CS Lab Setup Functions Properly ............................................ 12
AD CS Advanced Lab Scenario ................................................................................................. 13
Steps for Setting Up an Advanced Lab ...................................................................................... 14
Step 1: Setting Up the Stand-Alone Root CA ......................................................................... 15
Step 2: Setting Up the Enterprise Subordinate Issuing CA .................................................... 15
Step 3: Installing and Configuring the Online Responder ...................................................... 16
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates .............. 17
Step 5: Configuring the Authority Information Access Extension to Support the Online
Responder ........................................................................................................................... 17
Step 6: Assigning the OCSP Response Signing Template to a CA ....................................... 18
Step 7: Enrolling for an OCSP Response Signing Certificate ................................................ 18
Step 8: Creating a Revocation Configuration ......................................................................... 19
Step 9: Setting Up and Configuring the Network Device Enrollment Service ........................ 20
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly ....................... 21
3
Windows Server Active Directory Certificate
Services Step-by-Step Guide
This step-by-step guide describes the steps needed to set up a basic configuration of Active
Directory® Certificate Services (AD CS) in a lab environment.
AD CS in Windows Server® 2008 provides customizable services for creating and managing
public key certificates used in software security systems that employ public key technologies.
This document includes:
• A review of AD CS features
• Requirements for using AD CS
• Procedures for a basic lab setup to test AD CS on a minimum number of computers
• Procedures for an advanced lab setup to test AD CS on a larger number of computers to
more realistically simulate real-world configurations
AD CS Technology Review
Using the Active Directory Certificate Services option of the Add Roles Wizard, you can set up
the following components of AD CS:
• Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to
users, computers, and services, and to manage their validity.
• CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web
browser in order to:
• Request certificates and review certificate requests.
• Retrieve certificate revocation lists (CRLs).
• Perform smart card certificate enrollment.
• Online Responder service. The Online Responder service implements the Online
Certificate Status Protocol (OCSP) by decoding revocation status requests for specific
certificates, evaluating the status of these certificates, and sending back a signed response
containing the requested certificate status information.
Important
Online Responders can be used as an alternative to or an extension of CRLs to
provide certificate revocation data to clients. Microsoft Online Responders are based
on and comply with RFC 2560 for OCSP. For more information about RFC 2560, see
the Internet Engineering Task Force Web site
(http://go.microsoft.com/fwlink/?LinkID=67082).
5
• Network Device Enrollment Service. The Network Device Enrollment Service allows
routers and other network devices to obtain certificates based on the Simple Certificate
Enrollment Protocol (SCEP) from Cisco Systems Inc.
Note
SCEP was developed to support the secure, scalable issuance of certificates to
network devices by using existing CAs. The protocol supports CA and registration
authority public key distribution, certificate enrollment, certificate revocation,
certificate queries, and certificate revocation queries.
Note
A limited set of server roles is available for a Server Core installation of Windows
Server 2008 and for Windows Server 2008 for Itanium-based Systems.
The following table lists the AD CS components that can be configured on different editions of
Windows Server 2008.
The following features are available on servers running Windows Server 2008 that have been
configured as CAs.
6
AD CS features Web Standard Enterprise Datacenter
templates
Note
Enterprise CAs and Online Responders can only be installed on servers running
Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
• LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from
LH_PKI1 and verify certificate status from LH_ PKI1.
To configure the basic lab setup for AD CS, you need to complete the following prerequisite
steps:
• Set up a domain controller on LH_DC1 for contoso.com, including some organizational units
(OUs) to contain one or more users for the client computer, client computers in the domain,
and for the servers hosting CAs and Online Responders.
7
• Install Windows Server 2008 on LH_PKI1, and join LH_PKI1 to the domain.
• Install Windows Vista on LH_CLI1, and join LH_CLI1 to contoso.com.
After you have completed these preliminary setup procedures, you can begin to complete the
following steps:
Step 1: Setting Up an Enterprise Root CA
Step 2: Installing the Online Responder
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Step 4: Creating a Revocation Configuration
Step 5: Verifying that the AD CS Lab Setup Functions Properly
Note
Enterprise CAs and Online Responders can only be installed on servers running
Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
8
storage locations for the certificate database and the certificate database log, and then
click Next.
12. After verifying the information on the Confirm Installation Options page, click Install.
13. Review the information on the confirmation screen to verify that the installation was
successful.
Note
IIS must also be installed on this computer before the Online Responder can be installed.
Note
These certificate template and autoenrollment steps can also be used to configure
certificates that you want to issue to a client computer or client computer users.
9
To configure certificate templates for your test environment
1. Log on to LH_PKI1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click
Properties.
6. Click the Security tab. Under Group or user name, click Add, and then type the name
or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH_PKI1, and in the Permissions dialog box, select the Read
and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate
templates for users and computers by substituting the desired templates in step 3, and
repeating steps 4 through 7 to configure permissions for LH_CLI1 and your test user
accounts.
To configure the CA to support Online Responders, you need to use the Certification Authority
snap-in to complete two key steps:
• Add the location of the Online Responder to the authority information access extension of
issued certificates.
• Enable the certificate templates that you configured in the previous procedure for the CA.
10
the list.
Important
Before you create a revocation configuration, ensure that certificate enrollment has taken
place so that a signing certificate exists on the computer and adjust the permissions on
the signing certificate to allow the Online Responder to use it.
11
configuration, such as LH_RC1, and then click Next.
4. On the Select CA certificate Location page, click Select a certificate from an existing
enterprise CA, and then click Next.
5. On the following page, the name of the CA, LH_PKI1, should appear in the Browse CA
certificates published in Active Directory box.
• If it appears, click the name of the CA that you want to associate with your revocation
configuration, and then click Next.
• If it does not appear, click Browse for CA Computer and type the name of the
computer hosting LH_PKI1 or click Browse to locate this computer. When you have
located the computer, click Next.
Note
You might also be able to link to the CA certificate from the local certificate
store, or by importing it from removable media in step 4.
6. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1.
To do this:
a. Open the Certificate Services snap-in. Select an issued certificate.
b. Double-click the certificate, and then click the Details tab.
c. Scroll down and select the CRL Distribution Points field.
d. Select and copy the URL for the CRL distribution point that you want to use.
e. Click OK.
7. On the Select Signing Certificate page, accept the default option, Automatically select
signing certificate, and then click Next.
8. On the Revocation Provider page, click Provider.
9. On the Revocation Provider Properties page, click Add, enter the URL of the CRL
distribution point, and then click OK.
10. Click Finish.
11. Using the Online Responder snap-in, select the revocation configuration, and then
examine the status information to verify that it is functioning properly. You should also be
able to examine the properties of the signing certificate to verify that the Online
Responder is configured properly.
12
To verify that the AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH_CLI1
and users on this computer.
2. When information about the new certificates has been published to AD DS, open a
command prompt on the client computer and enter the following command to start
certificate autoenrollment:
certutil -pulse
3. On LH_CLI1, use the Certificates snap-in to verify that the certificates have been issued
to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the
issued certificates by clicking Certification Authority (Computer)/CA name/Issued
Certificates and selecting the certificate you want to revoke. On the Action menu, point
to All Tasks, and then click Revoke Certificate. Select the reason for revoking the
certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification
Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the
Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the
Certification Authority snap-in and then selecting the CA. On the Action menu, click
Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point
(CDP).
8. Click any CRL distribution points that are listed, click Remove, and then click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data.
To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a
command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP
and compare the results.
13
Steps for Setting Up an Advanced Lab
To test additional features of AD CS in a lab environment, you will need five computers running
Windows Server 2008 and one client computer running Windows Vista. The computers for this
guide are named as follows:
• LH_DC1: This computer will be the domain controller for your test environment.
• LH_CA_ROOT1: This computer will host a stand-alone root CA for the test environment.
• LH_CA_ISSUE1: This enterprise CA will be subordinate to LH_CA_ROOT1 and issue client
certificates for the Online Responder and client computers.
Note
Enterprise CAs and Online Responders can only be installed on servers running
Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
• LH_ORS1. This server will host the Online Responder.
• LH_NDES. This server will host the Network Device Enrollment Servicethat makes it possible
to issue and manage certificates for routers and other network devices.
• LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from
LH_CA_ISSUE1 and verify certificate status from LH_ORS1.
To configure the advanced lab setup for AD CS, you need to complete the following prerequisite
steps:
1. Set up a domain controller on LH_DC1 for contoso.com, including some OUs to contain one
or more users for LH_CLI1, client computers in the domain, and for the servers hosting CAs
and Online Responders.
2. Install Windows Server 2008 on the other servers in the test configuration and join them to
the domain.
3. Install Windows Vista on LH_CLI1, and join LH_CLI1 to contoso.com.
After you have completed these preliminary setup procedures, you can begin to complete the
following steps:
Step 1: Setting Up the Stand-Alone Root CA
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Step 3: Installing and Configuring the Online Responder
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
Step 6: Assigning the OCSP Response Signing Template to a CA
Step 7: Enrolling for an OCSP Response Signing Certificate
Step 8: Creating a Revocation Configuration
Step 9: Setting Up and Configuring the Network Device Enrollment Service
14
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
15
3. On the Select Role Services page, select the Certification Authority check box, and
then click Next.
4. On the Specify Setup Type page, click Enterprise, and then click Next.
5. On the Specify CA Type page, click Subordinate CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can
configure optional settings, including cryptographic service providers. However, for basic
testing purposes, accept the default values by clicking Next twice.
7. On the Request Certificate page, browse to locate LH_CA_ROOT1, or if, the root CA is
not connected to the network, save the certificate request to a file so that it can be
processed later. Click Next.
The subordinate CA setup will not be usable until it has been issued a root CA certificate
and this certificate has been used to complete the installation of the subordinate CA.
8. In the Common name for this CA box, type the common name of the CA,
LH_CA_ISSUE1.
9. On the Set the Certificate Validity Period page, accept the default validity duration for
the CA, and then click Next.
10. On the Configure Certificate Database page, accept the default values or specify other
storage locations for the certificate database and the certificate database log, and then
click Next.
11. After verifying the information on the Confirm Installation Options page, click Install.
Note
IIS must also be installed on this computer before the Online Responder can be installed.
As part of the setup process a virtual directory named OCSP is created in IIS and the
Web proxy is registered as an Internet Server Application Programming Interface (ISAPI)
extension.
16
3. On the Select Role Services page, clear the Certification Authority check box, select
the Online Responder check box, and then click Next.
You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation
was successful.
17
To configure the authority information access extension to support the Online
Responder
1. Log on to LH_CA_ISSUE1 as a CA administrator.
2. Open the Certification Authority snap-in.
3. In the console tree, click the name of the CA.
4. On the Action menu, click Properties.
5. On the Extensions tab, click Select extension, and then click Authority Information
Access (AIA).
6. Select the Include in the AIA extension of issue certificates and Include in the
online certificate status protocol (OCSP) extension check boxes.
7. Specify the locations from which users can obtain certificate revocation data; for this
setup, the location is http://LH_ORS1/ocsp.
8. In the console tree of the Certification Authority snap-in, right-click Certificate
Templates, and then click New Certificate Templates to Issue.
9. In Enable Certificate Templates, select the OCSP Response Signing template and
any other certificate templates that you configured previously, and then click OK.
10. Open Certificate Templates, and verify that the modified certificate templates appear in
the list.
To configure the CA to issue certificates based on the newly created OCSP Response
Signing template
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates, and then click Certificate Template to Issue.
3. Select the OCSP Response Signing_2 template from the list of available templates, and
then click OK.
18
To verify that the signing certificate is properly configured
1. Start or restart LH_ORS1 to enroll for the certificates.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer. Open the Personal certificate store for the
computer, and then verify that it contains a certificate titled OCSP Response Signing_2.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. In the User Group or user name dialog box, click Add to type in
and add Network Service to the Group or user name list, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control
check box. Click OK twice.
Note
19
You might also be able to link to the CA certificate from the local certificate
store, or by importing it from removable media in step 5.
7. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1.
To do this:
a. Open the Certificate Services snap-in, and then select an issued certificate.
b. Double-click the certificate, and then click the Details tab.
c. Scroll down and select the CRL Distribution Points field.
d. Select and copy the URL for the CRL distribution point that you want to use.
e. Click OK.
8. On the Select Signing Certificate page, accept the default, Automatically select
signing certificate, and then click Next.
9. On the Revocation Provider page, click Provider.
10. On the Revocation Provider Properties page, click Add, enter the URL of the CRL
distribution point, and then click OK.
11. Click Finish.
12. Using the Online Responder snap-in, select the revocation configuration, and then
examine the status information to verify that it is functioning properly. You should also be
able to examine the properties of the signing certificate to verify that the Online
Responder is configured properly.
20
To set up and configure the Network Device Enrollment Service
1. Log on to LH_NDES as an enterprise administrator.
2. Start the Add RolesWizard. On the Select Server Roles page, select the Active
Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, and
then select Network Device Enrollment Service.
You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation
was successful.
7. Because this is a new installation and there are no pending SCEP certificate requests,
click Replace existing Registration Authority (RA) certificates, and then click Next.
When the Network Device Enrollment Service is installed on a computer where a
registration authority already exists, the existing registration authority and any pending
certificate requests are deleted.
8. On the Specify User Account page, click Select User, and type the user name
ndes_user1 and password for this account, which the Network Device Enrollment
Service will use to authorize certificate requests. Click OK, and then click Next.
9. On the Specify CA page, select either the CA name or Computer name check box,
click Browse to locate the CA that will issue the Network Device Enrollment Service
certificates, LH_CA_ISSUE1, and then click Next.
10. On the Specify Registry Authority Information page, type ndes_1 in the RA name
box. Under Country/region,select the check box for the country/region you are in, and
then click Next.
11. On the Configure Cryptography page, accept the default values for the signature and
encryption keys, and then click Next.
12. Review the summary of configuration options, and then click Install.
21
To verify that the advanced AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH_CLI1
and users on this computer.
2. When information about the new certificates has been published to AD DS, open a
command prompt on the client computer and enter the following command to start
certificate autoenrollment:
certutil -pulse
3. On the client computer, use the Certificates snap-in to verify that the certificates have
been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the
issued certificates by clicking Certification Authority (Computer)/CA name/Issued
Certificates and selecting the certificate you want to revoke. On the Action menu, point
to All Tasks, and then click Revoke Certificate. Select the reason for revoking the
certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification
Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the
Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the
Certification Authority snap-in and then selecting the CA. On the Action menu, click
Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point
(CDP).
8. Click any CRL distribution points that are listed, click Remove, and click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data.
To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a
command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP
and compare the results.
22
Windows Server 2008 RC0 Terminal Services
RemoteApp Step-by-Step Guide
Microsoft Corporation
Published: September 2007
Writer: Tessa Wooley
Editor: Linda Caputo
Abstract
Terminal Services RemoteApp™ (TS RemoteApp) is a feature that enables users to access
programs remotely through Terminal Services. The remote programs appear as if they are
running on the user's local computer. Users can run RemoteApp programs side-by-side with their
local programs. If a user is running more than one RemoteApp program on the same terminal
server, the RemoteApp programs will share the same Terminal Services session. You can use
Terminal Services Web Access (TS Web Access) to make RemoteApp programs available
through a Web site.
1
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, MS-DOS, RemoteApp, Visual Basic, Visual Studio, Windows,
Windows NT, and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
2
Contents
Windows Server 2008 RC0 Terminal Services RemoteApp Step-by-Step Guide .......................... 5
What are RemoteApp programs? ................................................................................................ 5
Who should use TS RemoteApp? ................................................................................................ 6
Key scenarios for TS RemoteApp ............................................................................................ 6
How should I deploy RemoteApp programs? .............................................................................. 7
About deploying RemoteApp programs through TS Web Access............................................ 8
About deploying RemoteApp programs through a file share or other distribution mechanism 9
Configure the server that will host RemoteApp programs ......................................................... 10
Install the Terminal Server role service .................................................................................. 11
Install programs on the terminal server .................................................................................. 11
Verify remote connection settings........................................................................................... 12
Add RemoteApp programs and configure global deployment settings ...................................... 13
Add programs to the RemoteApp Programs list ..................................................................... 13
Configure global deployment settings..................................................................................... 14
Configure terminal server settings....................................................................................... 15
Configure TS Gateway settings........................................................................................... 16
Configure common RDP settings (optional) ........................................................................ 17
Configure custom RDP settings (optional) .......................................................................... 18
Configure digital signature settings (optional) ..................................................................... 19
Manage RemoteApp programs and settings .......................................................................... 21
Change or delete a RemoteApp program ........................................................................... 21
Export or import RemoteApp programs and settings .......................................................... 22
Deploy RemoteApp programs to users ...................................................................................... 23
Deploy RemoteApp programs through TS Web Access ........................................................ 23
Install the TS Web Access role service ............................................................................... 23
Populate the TS Web Access Computers security group ................................................... 24
Configure the data source for TS Web Access ................................................................... 25
Connect to TS Web Access ................................................................................................ 26
Deploy RemoteApp programs through file sharing or other distribution methods.................. 27
Create an .rdp file from a RemoteApp program .................................................................. 27
Create a Windows Installer package from a RemoteApp program ..................................... 28
Make RemoteApp programs available from the Internet ........................................................... 30
Configure the TS Web Access server to allow access from the Internet ............................... 31
Additional information ................................................................................................................. 32
Upgrading from Windows Server 2008 Beta 3 to Windows Server 2008 RC0 ...................... 32
Configure Server Manager and Initial Tasks not to run in administrator's RemoteApp session
............................................................................................................................................. 33
3
Configure Remote Desktop Web Connection behavior .......................................................... 33
4
Windows Server 2008 RC0 Terminal Services
RemoteApp Step-by-Step Guide
With Terminal Services, organizations can provide access to Windows®-based programs from
almost any location to almost any computing device. Terminal Services in
Windows Server® 2008 includes Terminal Services RemoteApp™ (TS RemoteApp). You can use
several different methods to deploy RemoteApp programs, such as Terminal Services Web
Access (TS Web Access). With TS Web Access, you can provide access to RemoteApp
programs through a Web page over the Internet or over an intranet. TS Web Access is also
included in Windows Server 2008.
Important
To access RemoteApp programs that are deployed as .rdp files or as Windows Installer
packages, the client computer must be running Remote Desktop Connection (RDC) 6.0
or RDC 6.1. (RDC 6.1 supports Remote Desktop Protocol 6.1.) To access RemoteApp
programs through TS Web Access, the client computer must be running RDC 6.1.
5
RDC 6.1 is included with Windows Server 2008 and Windows Vista Service Pack 1 (SP1)
Beta. To download RDC 6.0 for Windows Server 2003 with Service Pack 1 (SP1) or
Windows XP with Service Pack 2 (SP2), see article 925876 in the Microsoft® Knowledge
Base (http://go.microsoft.com/fwlink/?LinkId=79373).
6
How should I deploy RemoteApp programs?
Before you configure TS RemoteApp, you should decide how you want to distribute RemoteApp
programs to users. You can use either of the following deployment methods:
• You can make RemoteApp programs available on a Web site by distributing the RemoteApp
programs through TS Web Access.
• You can distribute RemoteApp programs as .rdp files or Windows Installer packages through
a file share, or through other distribution mechanisms such as Microsoft Systems
Management Server or Active Directory software distribution.
7
RemoteApp deployment components
8
Note
Additionally, TS Web Access includes the Remote Desktop Web Connection feature,
which allows users to connect from a Web browser to the remote desktop of any server
or client computer where they have Remote Desktop access. You can determine whether
you want this feature to be available to users. For more information, see Configure
Remote Desktop Web Connection Behavior.
To deploy RemoteApp programs by using TS Web Access, you must complete the following
tasks.
Task Reference
1. Configure the server that will host Configure the server that will host RemoteApp
RemoteApp programs. This includes installing programs
Terminal Server, installing programs, and
verifying remote connection settings.
2. Use TS RemoteApp Manager to add Add RemoteApp programs and configure global
RemoteApp programs that are enabled for deployment settings
TS Web Access, and to configure global
deployment settings.
3. Install TS Web Access on the server that you Install the TS Web Access role service
want users to connect to over the Web to
access RemoteApp programs.
4. Add the computer account of the TS Web Populate the TS Web Access Computers
Access server to the TS Web Access security group
Computers group on the terminal server.
5. Configure the TS Web Access server to Configure the data source for TS Web Access
populate its list of RemoteApp programs from a
single terminal server or single farm.
9
Note
If you distribute RemoteApp programs through Windows Installer packages, you can also
configure whether the terminal server will take over client file name extensions for the
RemoteApp programs. If this is the case, a user can double-click a file where the file
name extension is associated with a RemoteApp program.
You must complete the following tasks to prepare RemoteApp programs for distribution through a
file share or some other distribution mechanism.
Task Reference
1. Configure the server that will host Configure the server that will host RemoteApp
RemoteApp programs. This includes installing programs
Terminal Server, installing programs, and
verifying remote connection settings.
2. Use TS RemoteApp Manager to add Add RemoteApp programs and configure global
RemoteApp programs and to configure global deployment settings
deployment settings.
3. Use TS RemoteApp Manager to create .rdp • Create an .rdp file from a RemoteApp
files or Windows Installer packages from program
RemoteApp programs. • Create a Windows Installer package from a
RemoteApp program
After you create .rdp files or Windows Installer packages, you can distribute them to users.
Note
These procedures apply to an environment where you are using a single terminal server
to host RemoteApp programs.
To perform these procedures, you must be a member of the Administrators group on the
terminal server.
10
Install the Terminal Server role service
To install the Terminal Server role service
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. Under Roles Summary, click Add Roles.
3. On the Before You Begin page of the Add Roles Wizard, click Next.
4. On the Select Server Roles page, select the Terminal Services check box, and then
click Next.
5. On the Terminal Services page, click Next.
6. On the Select Role Services page, select the Terminal Server check box, and then
click Next.
7. On the Uninstall and Reinstall Applications for Compatibility page, review the
information, and then click Next.
8. On the Specify Authentication Method for Terminal Server page, select the desired
authentication method, and then click Next.
Note
If you select Require Network Level Authentication, at the time of the
Windows Server 2008 RC0 release, only clients that are running Windows
Server 2008 or Windows Vista with RDC 6.0 or a later version of the RDC client
can connect to the terminal server.
9. On the Specify Licensing Mode page, select the licensing mode that applies to your
Terminal Services environment, and then click Next.
10. On the Select User Groups Allowed Access To This Terminal Server page, add any
users or groups that you want to add to the Remote Desktop Users group, and then click
Next.
11. On the Confirm Installation Selections page, verify that the Terminal Server role
service will be installed, and then click Install.
12. On the Installation Results page, you are prompted to restart the server to finish the
installation process. Click Close, and then click Yes to restart the server.
13. After the server restarts, the Resume Configuration Wizard completes the installation.
When you see an Installation succeeded status message on the Installation Results
page, click Close.
12
The users and groups that you add are added to the Remote Desktop Users group.
Note
Members of the local Administrators group can connect even if they are not
listed.
5. When you are finished, click OK to close the System Properties dialog box.
Note
The programs that are shown on the Choose programs to add to the
RemoteApp Programs list page are the programs that are found on the All
Users Start menu on the terminal server. If the program that you want to add to
the RemoteApp Programs list is not in the list, click Browse, and then specify
the location of the program's .exe file.
13
5. To configure the properties for a RemoteApp program, click the program name, and then
click Properties. You can configure the following:
• The program name that will appear to users. To change the name, type a new name
in the RemoteApp program name box.
• The path of the program executable file. To change the path, type the new path in the
Location box, or click Browse to locate the .exe file.
Note
You can use system environment variables in the path name. For example,
you can substitute %windir% for the explicit path of the Windows folder (such
as C:\Windows). You cannot use per user environment variables.
• The alias for the RemoteApp program. The alias is a unique identifier for the program
that defaults to the program's file name (without the extension). We recommend that
you do not change this name.
• Whether the RemoteApp program is available through TS Web Access. By default,
the RemoteApp program is available through TS Web Access setting is enabled.
To change the setting, select or clear the check box.
• Whether command-line arguments are allowed, not allowed, or whether to always
use the same command-line arguments.
• The program icon that will be used. To change the icon, click Change Icon.
6. When you are finished configuring program properties, click OK, and then click Next.
7. On the Review Settings page, review the settings, and then click Finish.
The programs that you selected should appear in the RemoteApp Programs list.
Note
Any changes to deployment settings that you make when you use TS RemoteApp
Manager to create .rdp files or Windows Installer packages will override the global
settings.
These global deployment settings include:
• Terminal server settings
• TS Gateway settings
14
• Common Remote Desktop Protocol (RDP) settings
• Custom RDP settings
• Digital signature settings
Important
If the Require server authentication check box is selected, consider the
following:
• If any client computers are running Windows Server 2003 with SP1 or Windows XP
with SP2, you must configure the terminal server to use a Secure Sockets Layer
(SSL) certificate. (You cannot use a self-signed certificate.)
• If the RemoteApp program is for intranet use, and all client computers are running
either Windows Server 2008 or Windows Vista, you do not have to configure the
terminal server to use an SSL certificate. In this case, Network Level Authentication
is used.
3. To provide a link to the full terminal server desktop through TS Web Access, under
Remote desktop access, select the Show a remote desktop connection to this
terminal server in TS Web Access check box.
4. Under Access to unlisted programs, choose either of the following:
• Do not allow users to start unlisted program on initial connection
(Recommended)
To help protect against malicious users, or a user unintentionally starting a program
from an .rdp file on initial connection, we recommended that you select this setting.
Important
This setting does not prevent users from starting unlisted programs remotely
after they connect to the terminal server by using the RemoteApp program.
For example, if Microsoft Word is in the RemoteApp Programs list and
Microsoft Internet Explorer is not, if a user starts a remote Word session, and
then clicks a hyperlink in a Word document, they can start Internet Explorer.
15
• Allow users to start both listed and unlisted programs on initial connection
Caution
If you choose this option, users can start any program remotely from an .rdp
file on initial connection, not just those programs in the RemoteApp
Programs list. To help protect against malicious users, or a user
unintentionally starting a program from an .rdp file, we recommend that you
do not select this setting.
5. When you are finished, click OK.
Note
For more information about client Group Policy settings, see the Help topic
"Using Group Policy to Manage Client Connections Through TS Gateway." (To
open TS Gateway Help on a Windows Server 2008-based server, click Start,
click Run, type hh ts_gateway.chm, and then click OK.)
If you select Use these TS Gateway server settings, do the following:
a. Configure the TS Gateway server name and the logon method.
Important
The server name must match what is specified in the SSL certificate for the
TS Gateway server.
b. If you want the connection to try to use the same user credentials to access both the
TS Gateway server and the terminal server, select the Use the same user
credentials for TS Gateway and terminal server check box. However, users may
still receive two prompts for credentials if conflicting credentials exist from any source
such as Group Policy settings, and those credentials do not work. They may also
16
receive two prompts for credentials if default credentials are used for the connection
and those credentials do not work.
c. If you want the client computer to automatically detect when TS Gateway is required,
select the Bypass TS Gateway server for local addresses check box. (Selecting
this option optimizes client performance.)
To always use a TS Gateway server for client connections, clear the Bypass TS
Gateway server for local addresses check box.
3. When you are finished, click OK.
Note
To configure additional RDP settings, such as audio redirection, click the
Custom RDP Settings tab. For more information, see Configure Custom RDP
Settings.
5. To close the RemoteApp Deployment Settings dialog box, click OK.
Note
If you do not sign .rdp files with a digital signature, or if you sign .rdp files with a digital
signature that clients do not recognize (such as a certificate from a private certification
authority), some redirection settings that you specify in TS RemoteApp Manager may be
overridden by the client. For example, if you enable all redirection settings on the
Common RDP Settings tab, and a user connects to an .rdp file that is not signed, disk
drives, and supported Plug and Play devices will not be redirected automatically. These
devices and resources will only be redirected if the user enables these redirection
settings in the RemoteApp warning dialog box that appears when they try to connect.
This default behavior helps to reduce potential security vulnerabilities. (Note that the
17
same behavior occurs if you enable serial port redirection on the Custom RDP Settings
tab.)
Note
You can use custom RDP settings to configure the working directory for RemoteApp
programs. By default, the working directory for a RemoteApp program is the same
location as the program executable file. If you configure the working directory as a
custom RDP setting, the setting will apply to all RemoteApp programs that are available
through TS Web Access, and to any .rdp files or Windows Installer packages that you
create from a RemoteApp program. If you want to customize the working directory for
RemoteApp programs that you plan to distribute as .rdp files or Windows Installer
packages, you can add the working directory as a custom RDP setting, create the files
from the RemoteApp programs, and then clear the working directory custom RDP setting.
Important
You cannot override settings that are available in the global deployment settings
in TS RemoteApp Manager. If you do so, you will be prompted to remove those
settings when you click Apply.
To create an .rdp file to copy the settings from, follow these steps:
a. Open the RDC client, and then click Options.
b. Configure the settings that you want, such as audio redirection.
c. When you are finished, on the General tab, click Save As, and then save the .rdp
file.
d. Open the .rdp file in Notepad, and then copy the desired settings into the Custom
RDP settings box on the Custom RDP Settings tab.
3. When you have finished adding the settings that you want, click Apply.
18
4. If the Error with Custom RDP Settings dialog box appears, do the following:
a. Click Remove to automatically remove the settings that are either not valid or cannot
be overridden, or click OK to remove the settings manually.
b. After the settings are removed, click Apply again.
5. To close the RemoteApp Deployment Settings dialog box, click OK.
Important
To connect to a RemoteApp program by using a digitally signed .rdp file, the client must
be running RDC 6.1. (The RDC 6.1 client supports Remote Desktop Protocol 6.1.)
If you use a digital certificate, the cryptographic signature on the connection file provides
verifiable information about your identity as its publisher. This enables clients to recognize your
organization as the source of the RemoteApp program or the remote desktop connection, and
allows them to make more informed trust decisions about whether to start the connection. This
helps protect against the use of .rdp files that were altered by a malicious user.
You can sign .rdp files that are used for RemoteApp connections by using a Server
Authentication certificate (SSL certificate) or a Code Signing certificate. You can obtain SSL and
Code Signing certificates from public certification authorities (CAs), or from an enterprise CA in
your public key infrastructure hierarchy.
If you are already using an SSL certificate for terminal server or TS Gateway connections, you
can use the same certificate to sign .rdp files. However, if users will connect to RemoteApp
programs from public or home computers, you must use either of the following:
• A certificate from a public certification authority (CA) that participates in the Microsoft Root
Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547).
• If you are using an enterprise CA, your enterprise CA-issued certificate must be co-signed by
a public CA that participates in the Microsoft Root Certification Program Members program.
19
Note
The Select Certificate dialog box is populated by certificates that are located in
the local computer's certificates store or in your personal certificate store. The
certificate that you want to use must be located in one of these stores.
Group Policy settings to control client behavior when opening a digitally signed .rdp file
You can use Group Policy to configure clients to always recognize RemoteApp programs from a
particular publisher as trusted. You can also configure whether clients will block RemoteApp
programs and remote desktop connections from external or unknown sources. By using these
policy settings, you can reduce the number and complexity of security decisions that users face.
This reduces the chances of inadvertent user actions that may lead to security vulnerabilities.
The relevant Group Policy settings are located in the Local Group Policy Editor at the following
location, in both the Computer Configuration and in the User Configuration node:
Administrative Templates\Windows Components\Terminal Services\Remote Desktop
Connection Client
The available policy settings are:
• Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate
thumbprints that represent trusted .rdp file publishers. If you enable this policy setting, any
certificate with an SHA1 thumbprint that matches a thumbprint on the list will be considered
trusted.
• Allow .rdp files from valid publishers and user’s default .rdp settings
This policy setting allows you to specify whether users can run .rdp files from a publisher that
signed the file with a valid certificate. This policy setting also controls whether the user can
start an RDP session by using default .rdp settings, such as when a user directly opens the
RDC client without specifying an .rdp file.
• Allow .rdp files from unknown publishers
This policy setting allows you to specify whether users can run unsigned .rdp files and .rdp
files from unknown publishers on the client computer.
Important
To use these Group Policy settings, the client computer must be running RDC 6.1.
For more information about these policy settings, view the Group Policy Explain text in the Local
Group Policy Editor.
20
Manage RemoteApp programs and settings
In TS RemoteApp Manager, you can make changes to an existing RemoteApp program, or you
can remove the program from the list. Additionally, you can export or import the RemoteApp
Programs list and the global deployment settings to or from another terminal server.
• Change or delete a RemoteApp program
• Export or import RemoteApp programs and settings
Important
If you make any changes, the changes will not affect .rdp files or Windows Installer
packages that you already created by using TS RemoteApp Manager.
• To change the properties of a single RemoteApp program, click the program in the
RemoteApp Programs list, and then in the Actions pane for the program, click Properties.
Note
You cannot change the properties of an existing .rdp file or Windows Installer
package by using TS RemoteApp Manager. Instead, you must click Create .rdp File
or Create Windows Installer Package in the Actions pane to create a new .rdp file
or Windows Installer package that has the desired properties.
• To change whether the RemoteApp program will be available from TS Web Access, click the
program, and then click Show in TS Web Access or Hide in TS Web Access in the
Actions pane.
• To delete a program in the RemoteApp Programs list, click the RemoteApp program, and
then in the Actions pane for the program, click Remove. Click Yes to confirm the deletion.
Note
When you delete a program in the RemoteApp Programs list, any .rdp files or
Windows Installer packages that you created from the RemoteApp program are not
deleted.
21
Export or import RemoteApp programs and settings
You can copy the RemoteApp Programs list and deployment settings from one terminal server
to another terminal server. You might want to do this if you want to configure multiple terminal
servers identically to host RemoteApp programs, such as in a terminal server farm.
Important
When you click OK, the RemoteApp Programs list and deployment settings
will be automatically overwritten on the target terminal server.
• Export the RemoteApp Programs list and settings to a file
If you select this option, click OK. In the Save As dialog box, specify a location to
save the .tspub file, and then click Save.
If you import a configuration, and the target terminal server does not have a program in the
RemoteApp Programs list installed or the program is installed in a different folder, the program
22
will appear in the RemoteApp Programs list. However, the name will be displayed with
strikethrough text.
Note
Only the RemoteApp Programs list and deployment settings are exported or imported.
Any .rdp files or Windows Installer packages that were created from the programs will not
be exported or imported. You must create new .rdp files or Windows Installer packages
on each terminal server unless the server is a member of a terminal server farm. If you
specified a farm name when you created the .rdp files or Windows Installer packages,
and the server where you want to copy the files to is a member of the same terminal
server farm, you can manually copy the files.
Note
For information about client requirements, see Client requirements and configuration.
To use TS Web Access to deploy RemoteApp programs, you must do the following:
1. Install the TS Web Access role service.
2. Populate the TS Web Access Computers security group.
3. Specify the terminal server from which to populate the list of RemoteApp programs that will
appear in the TS Web Access Web Part.
23
Membership in the local Administrators group is the minimum required to complete this
procedure.
To add the computer account of the TS Web Access server to the security group
1. On the terminal server, click Start, point to Administrative Tools, and then click
Computer Management.
2. In the left pane, expand Local Users and Groups, and then click Groups.
24
3. In the right pane, double-click TS Web Access Computers.
4. In the TS Web Access Computers Properties dialog box, click Add.
5. In the Select Users, Computers, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select the Computers check box, and then click OK.
7. In the Enter the object names to select box, specify the computer account of the
TS Web Access server, and then click OK.
8. Click OK to close the TS Web Access Computers Properties dialog box.
Note
If you access the TS Web Access Web site by using the TS Web Access
Administration option, the page automatically opens to the Configuration tab.
4. In the Editor Zone area, in the Terminal server name box, enter the name of the
terminal server that you want to use as the data source.
25
5. Click Apply to apply the changes.
To test TS Web Access, see Connect to TS Web Access.
Note
If the Internet Explorer Information bar does not appear, and you cannot connect to
TS Web Access, you can enable the Terminal Services ActiveX control by using the
Manage Add-ons tool on the Tools menu of Internet Explorer.
• The TS Web Access server must be added to the Local intranet zone or the Trusted sites
zone in Internet Explorer. To do this, use the following procedure.
To add site to Local intranet or Trusted sites zone by using Internet Options
1. Start Internet Explorer.
26
2. On the Tools menu, click Internet Options.
3. Click the Security tab.
4. If the TS Web Access server is on your intranet, click Local intranet. Otherwise, click
Trusted sites.
5. Click Sites.
6. Use one of the following procedures, depending on the zone that you selected:
• If you are adding the site to the Local intranet zone, click Advanced. In the Add
this website to the zone box, type the URL of the Web server (for example,
type http://server_name), and then click Add. If the site does not require server
verification, clear the Require server verification (https:) for all sites in this
zone box. Click Close to apply the settings.
• If you are adding the site to the Trusted sites zone, in the Add this website to
the zone box, type the URL of the Web server (for example, type
http://server_name.domain_name.com), and then click Add. If the site does not
require server verification, clear the Require server verification (https:) for all
sites in this zone box. Click Close to apply the settings.
Note
If you selected multiple programs, the settings described in the rest of this
27
procedure apply to all of the selected programs. A separate .rdp file is created for
each program.
4. On the Welcome to the Remote App Wizard page, click Next.
5. On the Specify Package Settings page, do the following:
a. In the Enter the location to save the packages box, accept the default location or
click Browse to specify a new location to save the .rdp file.
b. In the Terminal server settings area, click Change to modify the terminal server or
farm name, the RDP port number, and the Require server authentication setting.
(For more information about these settings, see Configure terminal server settings.)
When you are finished, click OK.
c. In the TS Gateway settings area, click Change to modify or to configure whether
clients will use a TS Gateway server to connect to the target terminal server across a
firewall. (For more information about these settings, see Configure TS Gateway
settings.) When you are finished, click OK.
Note
For more information about TS Gateway, see the TS Gateway Step-by-Step
Guide (http://go.microsoft.com/fwlink/?LinkId=85872).
d. To digitally sign the .rdp file, in the Certificate Settings section, click Change to
select or to change the certificate to use. Select the certificate that you want to use,
and then click OK. (For more information about these settings, see Configure digital
signature settings (optional).)
6. When you are finished, click Next.
7. On the Review Settings page, click Finish.
When the wizard is finished, the folder where the .rdp file was saved opens in a new
window. You can confirm that the .rdp file was created.
28
Installer package.
Note
If you selected multiple programs, the settings described in the rest of this
procedure apply to all of the selected programs. A separate Windows Installer
package is created for each program.
4. On the Welcome to the RemoteApp Wizard page, click Next.
5. On the Specify Package Settings page, do the following:
a. In the Enter the location to save the packages box, accept the default location or
click Browse to specify a new location to save the Windows Installer package.
b. In the Terminal server settings area, click Change to modify the terminal server or
farm name, the RDP port number, and the Require server authentication setting.
(For more information about these settings, see Configure terminal server settings.)
When you are finished, click OK.
c. In the TS Gateway settings area, click Change to modify or to configure whether
clients will use a TS Gateway server to connect to the target terminal server across a
firewall. (For more information about these settings, see Configure TS Gateway
settings.) When you are finished, click OK.
Note
For more information about TS Gateway, see the TS Gateway Step-by-Step
Guide (http://go.microsoft.com/fwlink/?LinkId=85872).
d. To digitally sign the file, in the Certificate Settings section, click Change to select or
to change the certificate to use. Select the certificate that you want to use, and then
click OK. (For more information about these settings, see Configure digital signature
settings (optional).)
6. When you are finished, click Next.
7. On the Configure Distribution Package page, do the following:
a. In the Shortcut icons area, specify where the shortcut icon for the program will
appear on client computers.
b. In the Take over client extensions area, configure whether to take over client file
name extensions for the program.
If you associate the file name extensions on the client computer with the RemoteApp
program, all file name extensions that are handled by the program on the terminal
server will also be associated on the client computer with the RemoteApp program.
For example, if you add Microsoft Word as a RemoteApp program, and you configure
the option to take over client file name extensions, any file name extensions on the
client computer that Word takes over will be associated with Remote Word. This
means that any existing program on the client computer will no longer handle file
29
name extensions such as .doc and .dot. Note that users are not prompted whether
the terminal server should take over file extensions for the program.
To view what file name extensions are associated with a program on the terminal
server, click Start, click Control Panel, and then double-click Default Programs.
Click Associate a file type or protocol with a program to view the file name
extensions and their default associated program.
Caution
Do not install Windows Installer packages that were created with this setting
enabled on the terminal server itself. If you do, clients that use the Windows
Installer package may not be able to start the associated RemoteApp
program.
8. After you have configured the properties of the distribution package, click Next.
9. On the Review Settings page, click Finish.
When the wizard is finished, the folder where the Windows Installer package was saved
opens in a new window. You can confirm that the Windows Installer package was
created.
30
a. Create a Terminal Services connection authorization policy (TS CAP) to define the list of
user groups that can connect to the terminal servers that host the RemoteApp programs.
For more information, see the "Create a TS CAP for the TS Gateway server" section of
the TS Gateway Step-by-Step guide.
b. Create a Terminal Services resource authorization policy (TS RAP) that provides access
to the terminal servers that host the RemoteApp programs.
When you create the TS RAP, add the user groups that you defined in the TS CAP. Also,
create a new TS Gateway-managed computer group that contains both the NetBIOS
names and the fully qualified domain names (FQDNs) of the terminal servers that host
the RemoteApp programs.
Note
If you are using a terminal server farm, specify the name of the farm, and not the
individual farm members.
For more information, see the "Create a TS RAP and specify computers that users can
connect to through the TS Gateway server" section of the TS Gateway Step-by-Step
Guide.
4. Configure TS Gateway settings in TS RemoteApp Manager (either in the global deployment
settings or when you create an .rdp file or Windows Installer package). When you do so,
make sure that you specify the FQDN of the TS Gateway server.
When you configure global deployment settings, the changes will be reflected immediately on
the TS Web Access Web site.
Note
If you have previously created .rdp files and Windows Installer packages, the new
settings will not be reflected in those packages. You must create new packages with
the correct settings, and then distribute them to users.
5. To allow Internet access to RemoteApp programs through TS Web Access, configure firewall
and authentication settings. For more information, see Configure the TS Web Access server
to allow access from the Internet in the following section.
31
information about Web publishing through ISA Server 2006, visit the "Publishing Concepts in ISA
Server 2006" Web site (http://go.microsoft.com/fwlink/?LinkId=86359).
If you deploy TS Web Access in the perimeter network, you must configure your firewall to allow
Windows Management Instrumentation (WMI) traffic from the TS Web Access server to the
terminal server.
Additionally, the TS Web Access Web site must be configured to use Windows authentication. By
default, Windows authentication is enabled for the TS Web Access Web site.
Note
If you placed TS Web Access in a custom Web site, you must ensure that the
authentication method that is used for the Web site can map to the user's Windows
account. You can do this by using integrated Windows authentication on the custom Web
site.
Additional information
Upgrading from Windows Server 2008 Beta 3 to Windows
Server 2008 RC0
If you are using TS RemoteApp and have made RemoteApp programs available by using the
Beta 3 release of Windows Server 2008, the list of RemoteApp programs and settings in
TS RemoteApp Manager is not preserved when you upgrade to the RC0 release.
To preserve the settings, use the Export RemoteApp Settings option in TS RemoteApp
Manager to export the RemoteApp programs and settings to a file. After you upgrade the server
to RC0, use the Import RemoteApp Settings option to import the file and to restore the settings.
(For more information, see Export or import RemoteApp programs and settings.)
If you upgraded the server before exporting the settings to a file, you will have to add the list of
RemoteApp programs and configure the deployment settings manually in TS RemoteApp
Manager.
32
Configure Server Manager and Initial Tasks not to run in
administrator's RemoteApp session
If a user has administrative access to the terminal server where the RemoteApp programs are
installed, when the user starts a RemoteApp program, the Server Manager tool and Initial
Configuration Tasks also start in the RemoteApp session.
You can control this behavior by using the following Group Policy settings in the Computer
Configuration\Administrative Templates\System\Server Manager node of the Local Group
Policy Editor on the terminal server:
• Do not display Initial Configuration Tasks window automatically at logon
You must enable this policy setting to prevent the Initial Configuration Tasks window from
opening when a user with administrative access starts a RemoteApp session.
• Do not display Server Manager automatically at logon
You must enable this policy setting to prevent Server Manager from opening when a user
with administrative access starts a RemoteApp session.
33
• To configure a default TS Gateway server, double-click DefaultTSGateway, enter
the fully qualified domain name of the server in the Value box (for example,
server1.contoso.com), and then click OK.
• To specify the TS Gateway authentication method, double-click
GatewayCredentialsSource, type the number that corresponds to the desired
authentication method in the Value box, and then click OK. The possible values
include:
0 = Ask for password (NTLM)
1 = Smart card
4 = Allow user to select later
• To configure whether the Remote Desktop tab appears on the TS Web Access
page, double-click ShowDesktops. In the Value box, type true to show the Remote
Desktop tab, or type false to hide the Remote Desktop tab. When you are finished,
click OK.
• To configure default device and resource redirection settings, double-click the setting
that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection,
xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable
the redirection setting by default, or type false to disable the redirection setting by
default, and then click OK.
5. When you are finished, close IIS Manager.
Your changes should take effect immediately on the TS Web Access Web site. If the
Web page is open, refresh the page to view the changes.
Note
You can also configure these settings by modifying the %windir%\Web\ts\Web.config file
directly by using a text editor such as Notepad.
34
Windows Server 2008 RC0 TS Session
Broker Load Balancing Step-By-Step Guide
Microsoft Corporation
Published: September 2007
Author: Tessa Wooley
Editor: Linda Caputo
Abstract
Terminal Services Session Broker (TS Session Broker) is a role service in
Windows Server® 2008 that enables you to load balance sessions in a terminal server farm, and
allows a user to reconnect to an existing session in a load-balanced terminal server farm. The
new TS Session Broker Load Balancing feature enables you to easily distribute the session load
between servers in a load-balanced terminal server farm.
1
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
2
Contents
Windows Server 2008 RC0 TS Session Broker Load Balancing Step-by-Step Guide ................... 5
What new functionality does this feature provide?....................................................................... 5
About using DNS round robin ...................................................................................................... 6
TS Session Broker Load Balancing system requirements ........................................................... 7
Checklist: Deploying TS Session Broker Load Balancing ........................................................... 7
Install the TS Session Broker role service ................................................................................... 8
Installation prerequisites ........................................................................................................... 8
Installation procedure ............................................................................................................... 8
Add each terminal server in the farm to the Session Directory Computers local group .............. 9
Configure TS Session Broker settings for terminal servers in the farm ..................................... 10
Configure TS Session Broker settings by using Group Policy ............................................... 10
Configure TS Session Broker settings by using Terminal Services Configuration ................. 12
Configure DNS for TS Session Broker Load Balancing ............................................................. 14
Additional information ................................................................................................................. 15
Configure dedicated redirectors (optional) ............................................................................. 15
Deny logons to a terminal server in a load-balanced farm ..................................................... 15
Additional references ........................................................................................................... 16
3
Windows Server 2008 RC0 TS Session
Broker Load Balancing Step-by-Step Guide
Terminal Services Session Broker (TS Session Broker) is a role service in
Windows Server® 2008 that enables you to load balance sessions between terminal servers in a
farm, and allows a user to reconnect to an existing session in a load-balanced terminal server
farm. TS Session Broker stores session state information that includes session IDs, their
associated user names, and the name of the server where each session resides.
This step-by-step guide describes how to configure the new TS Session Broker Load Balancing
feature.
Note
In Windows Server 2008, the name of the Terminal Services Session Directory feature
was changed to TS Session Broker.
5
more powerful and less powerful servers in the farm. For more information, see Configure TS
Session Broker settings by using Terminal Services Configuration.
Additionally, a new "server draining" mechanism is provided that enables you to prevent new
users from logging on to a terminal server that is scheduled to be taken down for maintenance.
This mechanism provides for the ability to take a server offline without disrupting the user
experience. If new logons are denied on a terminal server in the farm, TS Session Broker will
allow users with existing sessions to reconnect, but will redirect new users to terminal servers that
are configured to allow new logons. For more information, see Deny logons to a terminal server in
a load-balanced farm.
You can enable TS Session Broker Load Balancing through Terminal Services Configuration,
Group Policy, or Windows Management Instrumentation (WMI). If you are using DNS round robin
to distribute initial connections, you must also configure DNS entries for each terminal server in
the farm.
Note
While any load-balancing mechanism can be used to distribute the initial connections,
DNS round robin is the easiest mechanism to deploy. Deploying TS Session Broker Load
Balancing with a network level load-balancing solution such as Network Load Balancing
(NLB) or a hardware load balancer avoids the limitations of DNS, while still taking
advantage of TS Session Broker session-based load balancing, the per server limit on
the number of pending logon requests, and the new "server draining" feature. The
limitations of DNS round robin include the caching of DNS requests on the client, which
can result in clients using the same IP address for each initial connection request, and
the potential for a 30-second timeout delay if a user is redirected to a terminal server that
is offline, but still listed in DNS.
6
Note
For information about how to configure dedicated redirectors that redirect user sessions
but do not accept user logons, see Configure dedicated redirectors (optional).
Note
Windows Server 2003-based terminal servers cannot use the TS Session Broker
Load Balancing feature.
• You must configure all terminal servers in the load-balanced farm identically, with the same
available programs.
• For clients to use TS Session Broker Load Balancing, they must be running Remote Desktop
Connection (RDC) version 5.2 or later.
Note
This step-by-step guide describes how to configure TS Session Broker Load Balancing
by using DNS round robin to distribute the initial connections. If you prefer, you can use
NLB or a hardware load balancer to spread the initial connection and authentication load
between multiple terminal servers in the farm.
Task Reference
Install the TS Session Broker role service on Install the TS Session Broker role service
the server that you want to use to track user
sessions for a farm.
Add the terminal servers in the farm to the Add each terminal server in the farm to the
Session Directory Computers local group on Session Directory Computers local group
the TS Session Broker server.
Configure the terminal servers in the farm to Configure TS Session Broker settings for
7
Task Reference
join a farm in TS Session Broker, and to terminal servers in the farm
participate in TS Session Broker Load
Balancing.
Configure DNS round robin entries for terminal Configure DNS for TS Session Broker Load
servers in the farm. Balancing
Installation prerequisites
The server where you install TS Session Broker must be a member of a domain.
Note
If you install the TS Session Broker role service on a domain controller, the Session
Directory Computers group will be a domain local group and will be available on all
domain controllers.
Installation procedure
Membership in the local Administrators group is the minimum required to complete this
procedure.
8
To install TS Session Broker
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. If the Terminal Services role is already installed:
a. Under Roles Summary, click Terminal Services.
b. Under Role Services, click Add Role Services.
c. On the Select Role Services page, select the TS Session Broker check box, and
then click Next.
If the Terminal Services role is not already installed:
a. Under Roles Summary, click Add Roles.
b. On the Before You Begin page of the Add Roles Wizard, click Next.
c. On the Select Server Roles page, select the Terminal Services check box, and
then click Next.
d. Review the Terminal Services page, and then click Next.
e. On the Select Role Services page, select the TS Session Broker check box, and
then click Next.
3. On the Confirm Installation Selections page, click Install.
4. On the Installation Results page, confirm that the installation succeeded, and then click
Close.
Important
You must perform this procedure on the server where you installed the TS Session
Broker role service.
9
2. In the left pane, expand Local Users and Groups, and then click Groups.
3. In the right pane, right-click the Session Directory Computers group, and then click
Properties.
4. Click Add.
5. In the Select Users, Computers or Groups dialog box, click Object Types.
6. Select the Computers check box, and then click OK.
7. Locate and then add the computer account for each terminal server that you want to add.
8. When you are finished, click OK.
Important
Group Policy settings take precedence over configuration settings in the Terminal
Services Configuration snap-in and those that are made by using the Terminal Services
WMI provider.
Note
For the TS Session Broker settings to be effective on a server, the server must have the
Terminal Server role service installed.
10
The following procedure describes how to configure TS Session Broker Group Policy settings by
using the Group Policy Management Console (GPMC) on a Windows Server 2008-based domain
controller.
To change Group Policy settings for a domain or an OU, you must be logged on as a member of
the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have
been delegated the appropriate control over Group Policy to complete this procedure.
Important
TS Session Broker uses a farm name to determine which servers are in the
same terminal server farm. You must use the same farm name for all servers
that are in the same load-balanced terminal server farm. Although the farm
name in TS Session Broker does not have to be registered in AD DS, it is
recommended that you use the same name that you will use in DNS for the
terminal server farm. (The terminal server farm name in DNS represents the
virtual name that clients will use to connect to the terminal server farm.) If
you type a new farm name, a new farm is created in TS Session Broker and
11
the server is joined to the farm. If you type an existing farm name, the server
joins the existing farm in TS Session Broker.
9. Double-click the Configure TS Session Broker server name policy setting, and then do
the following:
a. Click Enabled.
b. In the TS Session Broker server name box, type the name of the server where you
installed the TS Session Broker role service, and then click OK.
10. Double-click the Use TS Session Broker load balancing policy setting, click Enabled,
and then click OK.
11. Optionally, if you are using a hardware load balancer that supports token redirection,
double-click Use IP Address Redirection and configure the setting. See the Group
Policy Explain text for more information.
Note
To configure TS Session Broker settings by using local Group Policy, use the Local
Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type
gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a
member of the Administrators group on the local computer or you must have been
delegated the appropriate authority.
Note
The following steps are only applicable if the Terminal Server role service is installed.
Membership in the local Administrators group is the minimum required to complete this
procedure.
12
address of the TS Session Broker server.
Note
The TS Session Broker server is the server where you installed the TS Session
Broker role service.
5. In the Farm name in TS Session Broker box, type the name of the farm that you want
to join in TS Session Broker.
Important
TS Session Broker uses a farm name to determine which servers are in the
same terminal server farm. You must use the same farm name for all servers that
are in the same load-balanced terminal server farm. Although the farm name in
TS Session Broker does not have to be registered in AD DS, it is recommended
that you use the same name that you will use in DNS for the terminal server
farm. (The terminal server farm name in DNS represents the virtual name that
clients will use to connect to the terminal server farm.) If you type a new farm
name, a new farm is created in TS Session Broker and the server is joined to the
farm. If you type an existing farm name, the server joins the existing farm in
TS Session Broker.
6. To participate in TS Session Broker Load Balancing, select the Participate in Session
Broker Load-Balancing check box.
7. Optionally, in the Relative weight of this server in the farm box, modify the server
weight. By default, the value is 100. The server weight is relative. Therefore, if you assign
one server a value of 100, and one a value of 200, the server with a relative weight of
200 will receive twice the number of sessions.
8. Verify that you want to use IP address redirection. By default, the Use IP address
redirection (recommended) setting is enabled. If you clear the check box, the server
switches to token redirection mode.
9. In the Select IP addresses to be used for reconnection box, click to select the check
box next to each IP address that you want to use. When you select the IP addresses to
use, consider the following:
• Only the first selected IPv4 address will be used by clients that are running RDC 5.2
and earlier.
• Using IPv6 addresses is not recommended if the terminal server farm contains
servers that are running Windows Server 2003.
10. When you are finished, click OK.
13
Configure DNS for TS Session Broker Load
Balancing
To configure DNS round robin for TS Session Broker Load Balancing, you must map the IP
address of each terminal server in the farm to the terminal server farm name in DNS.
The following procedure provides the steps to configure DNS on a Windows Server 2008-based
domain controller.
You must be a member of the Domain Admins, Enterprise Admins, or the DnsAdmins group
to complete this procedure.
Important
Do not use the name of an existing server for the farm name.
5. In the IP address box, type the IP address of a terminal server in the farm.
6. Click Add Host, and then click OK when you receive the message that the host record
was successfully created.
7. Repeat steps four through six for each terminal server in the farm. For each DNS entry,
ensure that you specify the same farm name in the Name (uses parent domain name if
blank) box. For example, if you have three terminal servers in a farm named FARM1,
with IP addresses of 192.168.1.20, 192.168.1.21, and 192.168.1.22, the entries would
look similar to the following:
Farm1 Host(A) 192.168.1.20
Farm1 Host(A) 192.168.1.21
Farm1 Host(A) 192.168.1.22
8. When you are finished, click Done.
14
Additional information
Configure dedicated redirectors (optional)
When you register the IP address of each terminal server in the farm to a single terminal server
farm name in DNS, incoming Terminal Services clients will try to connect to the first IP address
for the farm name that is returned by DNS. The terminal server that receives this initial connection
request acts as the redirector.
To increase session redirection performance in a large terminal server farm, you can configure
terminal servers to be dedicated redirectors. These servers will process incoming requests, but
will not accept user sessions. To configure dedicated redirectors, you must do the following:
1. Create DNS round robin entries for the terminal servers that you want to use as dedicated
redirectors. When you do so, you must map the IP address of each terminal server that you
are using as a dedicated redirector to the terminal server farm name in DNS. (The farm name
is the virtual name that clients will use to connect to the terminal server farm.) The farm name
must not match an existing server name in AD DS.
2. Configure the servers to deny new user logons. For more information about how to deny new
user logons, see Deny logons to a terminal server in a load-balanced farm.
Because these dedicated redirectors have no user sessions, they do not require roaming profiles
or any installed programs. This enables a faster logon experience, and makes the server easier
to manage and more reliable.
Note
An administrator can also connect remotely by starting the RDC client from the
command line with the /admin option (mstsc /admin).
• If you are using TS Session Broker Load Balancing, TS Session Broker will redirect new
users to other servers in the farm, where new user logons are enabled.
Before you take a server down for maintenance, you can notify users with existing sessions to log
off from the server by using Terminal Services Manager to send a message.
15
To deny new user logons
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click
Terminal Services Configuration.
2. In the Edit settings area, double-click User logon mode under General.
3. On the General tab, click either of the following:
• Allow reconnections, but prevent new logons
• Allow reconnections, but prevent new logons until the server is restarted
4. Click OK.
When you are finished doing maintenance, ensure that Allow all connections is
selected.
Additional references
• For information about how to configure a load-balanced terminal server farm by using
TS Session Broker and NLB, see the Step-by-Step Guide for Configuring Network Load
Balancing with Terminal Services: Windows Server 2008
(http://go.microsoft.com/fwlink/?LinkID=80406).
• For information about Terminal Services Session Directory in Windows Server 2003, see
Session Directory and Load Balancing Using Terminal Server
(http://go.microsoft.com/fwlink/?LinkID=80740).
16
Windows Server Active Directory Rights
Management Services Step-by-Step Guide
Microsoft Corporation
Published: September 2007
Author: Brian Lich
Editor: Carolyn Eller
Abstract
This step-by-step guide provides instructions for setting up a test environment to deploy and
evaluate Active Directory Rights Management Services (AD RMS) in Windows Server® 2008. It
includes the necessary information for preparing the AD RMS infrastructure, installing and
configuring AD RMS, and verifying AD RMS features after configuration is complete.
1
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Windows Vista, and Active
Directory are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
2
Contents
Windows Server Active Directory Rights Management Services Step-by-Step Guide ................... 5
About This Guide.......................................................................................................................... 5
What This Guide Does Not Provide .......................................................................................... 5
Deploying AD RMS in a Test Environment .................................................................................. 6
3
Windows Server Active Directory Rights
Management Services Step-by-Step Guide
Note
This guide is considered the basic AD RMS step-by-step guide. All other step-by-step
guides developed for AD RMS will assume that this guide has been completed first.
5
Deploying AD RMS in a Test Environment
We recommend that you first use the steps provided in this guide in a test lab environment. Step-
by-step guides are not necessarily meant to be used to deploy Windows Server features without
additional deployment documentation and should be used with discretion as a stand-alone
document.
Upon completion of this step-by-step guide, you will have a working AD RMS infrastructure. You
can then test and verify AD RMS functionality as follows:
• Restrict permissions on a Microsoft Office Word 2007 document
• Have an authorized user open and work with the document.
• Have an unauthorized user attempt to open and work with the document.
The test environment described in this guide includes four computers connected to a private
network and using the following operating systems, applications, and services:
Note
Service Pack 2 for
Windows Server 2003 is
not required but will be
used for the purposes of
this guide.
ADRMS-DB Windows Server 2003 with SP2 Microsoft SQL Server™ 2005
Standard Edition with Service
Note
Pack 2 (SP2)
Service Pack 2 for
Windows Server 2003 is Note
not required but will be Service Pack 2 for SQL
used for the purposes of Server 2005 Standard
this guide. Edition is not required
but will be used for the
purposes of this guide.
6
Computer Name Operating System Applications and Services
Note
For more information about the system requirements for installing AD RMS, see
http://go.microsoft.com/fwlink/?LinkId=84733.
The computers form a private intranet and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment if desired. This step-
by-step exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for
the domain named cpandl.com. The following figure shows the configuration of the test
environment:
7
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
8
For each user account and group that you configure with AD RMS, you need to add an e-mail
address and then assign the users to groups.
First, install Windows Server 2003 with SP2 on a stand-alone server.
9
10. Click Next again.
11. When the Active Directory Installation Wizard is done, click Finish.
12. Click Restart Now.
Note
You must restart the computer after you complete this procedure.
Next, you must raise the domain functional level to Windows Server 2003 so that Active Directory
Universal groups can be used.
Note
You cannot change the domain functional level once you have raised it.
6. Close the Active Directory Users and Computers console.
Next, add the user accounts shown in the following table to Active Directory. Use the procedure
following the table to create the user accounts.
ADRMSSRVC ADRMSSRVC
10
To add new user accounts
1. Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
2. In the console tree, expand cpandl.com.
3. Right-click Users, point to New, and then click User.
4. In the New Object – User dialog box, type ADRMSSRVC in the Full name and User
logon name boxes, and then click Next.
5. In the New Object – User dialog box, type a password of your choice in the Password
and Confirm password boxes. Clear the User must change password at next logon
check box, click Next, and then click Finish.
6. Perform steps 3-6 for each of the following users: ADRMSADMIN, Nicole Holliday, Limor
Henig, and Stuart Railson.
Finance finance@cpandl.com
Marketing marketing@cpandl.com
Engineering engineering@cpandl.com
Employees employees@cpandl.com
11
Universal option for the Group Scope, and then click OK.
3. Perform the above steps 1-2 for each of the remaining groups: Marketing, Engineering,
and Employees.
12
2. Follow the instructions that appear on your computer screen, and when prompted for a
computer name, type ADRMS-DB.
In this step, configure TCP/IP properties so that ADRMS-DB has a static IP address of 10.0.0.3.
13
2. Insert the Microsoft SQL Server 2005 product CD. The installation will start automatically.
3. Click the I accept the licensing terms and conditions check box, and then click Next.
4. On the Installing Prerequisites page, click Install.
5. Click Next.
6. On the Welcome to the Microsoft SQL Server Installation Wizard page, click Next, and
then click Next again.
7. In the Name box, type your name. In the Company box, type the name of your
organization, and then type in the appropriate product key. Click Next.
8. Select the SQL Server Database Services, Workstation components, and Books
Online and development tools check boxes, and then click Next.
9. Select the Default instance option, and then click Next.
10. Select the Use the built-in System account option, and then click Next.
11. Click the Windows Authentication Mode option, and then click Next.
12. Click Next, accepting the default Collation Settings, and then click Next again.
13. Click Install. When the status of all the selected components is finished, click Next.
14. Click Finish.
Next, add ADRMSADMIN to the local Administrators group on ADRMS-DB. The AD RMS
installing user account needs this membership in order to create the AD RMS databases. After
AD RMS installed, ADRMSADMIN can be removed from this group.
14
6. Click Permissions.
7. Select the Full Control check box in the Allow column of the Permissions for
Everyone box.
8. Click OK two times.
Next, configure TCP/IP properties so that ADRMS-SRV has a static IP address of 10.0.0.2. In
addition, configure the DNS server by using the IP address of CPANDL-DC (10.0.0.1).
15
box.
Next, join ADRMS-SRV to the cpandl.com domain.
After the computer has restarted, add ADRMSADMIN to the local administrators group on
ADRMS-SRV.
16
To install Windows Vista
1. Start your computer by using the Windows Vista product CD.
2. Follow the instructions that appear on your screen, and when prompted for a computer
name, type ADRMS-CLNT.
Next, configure TCP/IP properties so that ADRMS-CLNT has a static IP address of 10.0.0.4. In
addition, configure the DNS server of CPANDL-DC (10.0.0.1).
17
8. When a Computer Name/Domain Changes dialog box appears prompting you for
administrative credentials, provide the credentials, and then click OK.
9. When a Computer Name/Domain Changes dialog box appears welcoming you to the
cpandl.com domain, click OK.
10. When a Computer Name/Domain Changes dialog box appears telling you that the
computer must be restarted, click OK, and then click Close.
11. In the System Settings Change dialog box, click Yes to restart the computer.
Finally, install Microsoft Office Word 2007 Enterprise.
Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007
allow you to create rights-protected content. All editions will allow you to consume rights-
protected content.
18
Important
Access to the Enterprise Admins group should be granted only while AD RMS is being
installed. After installation is complete, the installing user account should be removed
from this group.
19
14. Click Next.
15. Click Specify, type CPANDL\ADRMSSRVC, type the password for the account, click
OK, and then click Next.
16. Ensure that the Use AD RMS centrally managed key storage option is selected, and
then click Next.
17. Type a strong password in the Password box and in the Confirm password box, and
then click Next.
18. Choose the Web site where AD RMS will be installed, and then click Next. In an
installation that uses default settings, the name of the only available Web site should be
Default Web Site.
19. Select the Use an SSL-encrypted connection (https://) option.
20. In the Fully-Qualified Domain Name box, type adrms-srv.cpandl.com, and then click
Validate. If validation succeeds, the Next button becomes available. Click Next.
21. Select the Choose an existing certificate for SSL encryption option, click the
certificate that has been imported for this AD RMS cluster, and then click Next.
22. Type a name that will help you identify the AD RMS cluster in the Friendly name box,
and then click Next.
23. Ensure that the Register the AD RMS service connection point now option is
selected, and then click Next to register the AD RMS service connection point (SCP) in
Active Directory during installation.
24. Read the Introduction to Web Server (IIS) page, and then click Next.
25. Keep the Web server default check box selections, and then click Next.
26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes to
complete the installation.
27. Click Finish.
28. Log off the server, and then log on again to update the security token of the logged-on
user account. The user account that is logged on when the AD RMS server role is
installed is automatically made a member of the AD RMS Enterprise Administrators local
group. A user must be a member of that group to administer AD RMS.
Note
At this point in the guide, you can remove cpandl\ADRMSADMIN from the local
Administrators group on ADRMS-DB.
Your AD RMS root cluster is now installed and configured.
Further management of AD RMS is done by using the Active Directory Rights Management
Services console.
20
To open the Active Directory Rights Management Services console
1. Click Start, point to Administrative Tools, and then click Active Directory Rights
Management Services.
2. If the User Account Control dialog box appears, confirm that the action it displays is
what you want, and then click Continue.
From the console, you can configure trust policies, configure exclusion policies, and create rights
policy templates.
21
granted, and nothing else. Then, you will log on as Limor Henig. Since Limor is not a member of
the Engineering group, he should not be able to consume the rights-protected file.
22
8. Log off as Stuart Railson.
Finally, log on as Limor Henig and verify that he is not able to consume the rights-protected file.
23
Windows Server “Longhorn” Beta 3
Release TS Gateway Server Step-By-Step
Setup Guide
Microsoft Corporation
Abstract
Terminal Services Gateway (TS Gateway) is a new role service available to users of the
Microsoft Windows Server® Code Name "Longhorn" operating system. TS Gateway
enables authorized remote users to connect to resources on an internal corporate or
private network, from any Internet-connected device. The network resources can be
either terminal servers running RemoteApp™ programs [hosting line-of-business (LOB)
applications] or computers with Remote Desktop enabled. TS Gateway encapsulates
Remote Desktop Protocol (RDP) within HTTPS to help form a secure, encrypted remote
connection between users on the Internet and the internal network resources on which
their productivity applications run.
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary
information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure
agreement between the recipient and Microsoft. This document is provided for
informational purposes only and Microsoft makes no warranties, either express or
implied, in this document. Information in this document, including URL and other Internet
Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the
example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious, and no association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is
the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Active Directory, Terminal Services, Microsoft, MS-DOS, Visual Basic, Visual Studio,
Windows, Windows NT, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
What is TS Gateway?
Windows Server® Code Name "Longhorn" Terminal Services Gateway (TS Gateway) is
a role service that enables authorized remote users to connect to resources on an
internal corporate or private network, from any Internet-connected device. The network
resources can be either terminal servers running RemoteApp™ programs [hosting line-
of-business (LOB) applications] or computers with Remote Desktop enabled.
TS Gateway uses Remote Desktop Protocol (RDP) over HTTPS to help form a secure,
encrypted connection between remote users on the Internet and the internal network
resources on which their productivity applications run.
This guide describes functionality for the Windows Server "Longhorn" Beta 3 release of
TS Gateway.
The procedures in this guide will help you set up a TS Gateway server, enabling remote
users to access terminal servers or computers with Remote Desktop enabled on your
internal corporate or private network.
Note
After you use the procedures in this guide to set up a TS Gateway server, you
must also set up clients to use a TS Gateway server and verify that the end-to-
end connections can be successfully established through TS Gateway. For client
setup and end-to-end connectivity testing instructions, see the Terminal Services
Client Step-by-Step Setup Guide for TS Gateway.
• IT administrators, planners, and analysts who are evaluating remote access and
mobile solution products
• Enterprise IT architects and designers
8
• Early adopters
• Security architects who are responsible for implementing trustworthy computing
• IT professionals who are responsible for terminal servers or remote access to
desktops
Benefits of TS Gateway
TS Gateway provides these benefits:
• TS Gateway enables remote users to connect to internal network resources over the
Internet by using an encrypted connection, without needing to configure virtual
private network (VPN) connections.
In this guide
• Prerequisites for configuring a TS Gateway server
• Special considerations for TS Gateway
• Key scenarios for TS Gateway
• Overview of the TS Gateway NAP scenario: Enabling NAP health policy checking
for remote access to internal corporate network resources
• Steps for configuring TS Gateway for the NAP scenario
• Overview of the TS Gateway ISA Server scenario: Enabling SSL bridging for
remote access to internal corporate network resources
• Steps for configuring TS Gateway for the ISA Server scenario
10
• Appendix A: Example script for verifying that the TS Gateway server configuration is
correct
• Additional references
Note
You do not need a certification authority (CA) infrastructure within your
organization if you can use another method to obtain an externally trusted
certificate that meets the requirements for TS Gateway.
• Active Directory Domain Services is only required if you configure a TS Gateway
authorization policy that requires that clients be members of an Active Directory
security group to connect to the TS Gateway server.
Administrative credentials
• You must be a member of the Administrators group on the computer that you want to
configure as a TS Gateway server.
Client considerations
For information about client prerequisites and configuration steps, see the Terminal
Services Client Step-by-Step Setup Guide for TS Gateway.
Because the User ID and User Name columns display the correct data, you can
successfully disconnect all connections for a user or disconnect a selected connection.
To avoid this issue, when you install the TS Gateway role service in Server Manager, do
not install any other role service at the same time. If you plan to install other role services,
install them separately.
If you have already installed the TS Gateway role service with other role services at the
same time and you have encountered this issue, you can resolve this issue by
configuring the computer group for the TS RAP manually, in TS Gateway Manager. For
more information, see Create a TS RAP and specify computers that users can connect to
through the TS Gateway server.
14
Warning
Incorrectly editing the registry can severely damage your system. Before making
changes to the registry, you should back up any valued data on the computer.
and then click Modify. In the Edit DWORD (32-bit) Value dialog box, in Value Data,
type 0, and then click OK.
3. Recycle the default application pool in IIS manually by doing the following:
• In the Connections pane, expand the server node, and then click Application Pools.
• In the Application Pools pane, click DefaultAppPool.
• In the Actions pane, under Application Pool Tasks, click Recycle.
3. Configure the Terminal Services client by following the instructions in "Steps for
configuring a Terminal Services client for the TS Gateway core scenario" in the
Terminal Services Client Step-by-Step Setup Guide for TS Gateway.
Terminal Services client (TSCLIENT) • Windows Vista RTM. The installation can
be an upgrade from Windows XP with
Service Pack 2 (SP2).
• Windows XP with SP2 and Remote
Desktop Connection (RDC) 6.0 or later. To
download the installer package for RDC, go
to Microsoft Help and Support
(http://go.microsoft.com/fwlink/?LinkID=793
73).
• Windows Server "Longhorn" Beta 3. The
installation must be a clean installation, not
an upgrade.
• Microsoft Windows Server® 2003 with
Service Pack 1 (SP1) or later and RDC 6.0
or later.
Note
The steps in this setup guide describe how to set up the core TS Gateway
scenario for remote access from a Terminal Services client through a TS
Gateway server to an internal corporate network resource. The guide does not
describe how to set up the firewalls illustrated in the diagram, terminal servers
running RemoteApp programs (hosting LOB applications), or the Active Directory
infrastructure. The diagram is provided to suggest one of many ways in which the
TS Gateway core remote access scenario might be implemented in a production
environment.
For information about how to set up a terminal server, see the Help topic "Terminal
Server" (http://go.microsoft.com/fwlink/?LinkId=72052).
For information about setting up RemoteApp programs, see the Windows Server
"Longhorn" Terminal Services RemoteApp Step-by-Step Guide
(http://go.microsoft.com/fwlink/?linkId=84895).
For information about how to enable Remote Desktop, see the topic "Using Remote
Desktop" in the Windows Server "Longhorn" Help.
19
1. The user on the Terminal Services client, TSCLIENT, might initiate the connection by
doing one of the following:
• Clicking an RDP file that the administrator has configured, to access his or her
full desktop.
• Clicking a RemoteApp program icon. RemoteApp programs are represented in
an RDP file that the administrator has configured.
• Visiting a Web site (either from the Internet or from an intranet) to access a list of
RemoteApp programs that the administrator has made available by using
Terminal Services Web Access (TS Web Access), and then clicking a
RemoteApp program icon.
2. An SSL tunnel is established between TSCLIENT and TSGSERVER by using the TS
Gateway server's SSL certificate. Before a connection between TSCLIENT and
TSGSERVER is established, TSGSERVER must authenticate and authorize the user
according to TS CAPs that the administrator has configured on TSGSERVER.
3. After authentication and authorization succeed, TSGSERVER signals TSCLIENT to
continue with the connection sequence.
4. TSCLIENT requests a connection from TSGSERVER to CORPORATERESOURCE.
Before authorizing the request, TSGSERVER verifies that both of the following
conditions are met simultaneously, for at least one Terminal Services resource
authorization policy (TS RAP) that is configured on TSGSERVER:
• CORPORATERESOURCE is a member of a computer group that is specified in
the TS RAP; and
• The user is a member of a user group that is specified in the TS RAP.
If both requirements are met, TSGSERVER authorizes the request.
From this point, any packets that TSCLIENT sends to TSGSERVER are forwarded to
CORPORATERESOURCE, and any packets that CORPORATERESOURCE sends
to TSGSERVER are forwarded to TSCLIENT.
20
1. Install the TS Gateway role service. Install the TS Gateway role service
2. Obtain a certificate for the TS Gateway Obtain a certificate for the TS Gateway
server. server
7. Monitor the TS Gateway server for Monitor the TS Gateway server for
connection status and reporting. connection status and reporting
• On the Create a TS RAP for TS Gateway page, accept the default name for
the TS RAP (TS_RAP_01) or specify a new name, and then do one of the
following: Specify whether to allow users to connect only to computers in one
or more computer groups, and then specify the computer groups; or specify
that users can connect to any computer on the network. Click Next. If you do
not want to create a TS RAP during the role service installation process,
follow the procedure in Create a TS RAP.
11. On the Network Policy and Access Services page (which appears if this role
service is not already installed), review the summary information, and then click
Next.
12. On Select Role Services, verify that Network Policy Server is selected, and
then click Next.
13. On the Web Server (IIS) page (which appears if this role service is not already
installed), review the summary information, and then click Next.
14. On the Select Role Services page, accept the default selections for Web Server
(IIS), and then click Next.
15. On the Confirm Installation Options page, verify that the following roles, role
services, and features will be installed:
• Terminal Services\TS Gateway
• Network Policy and Access Services
• Web Server (IIS)
For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the
TS Gateway server.
If you already have a certificate, you can reuse it for the TS Gateway server if the
certificate:
• Is issued by one of the trusted public certification authorities (CAs) that participate in
the Microsoft Root Certificate Program Members program [as listed in article 931125
in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547)];
and
• Meets the certificate requirements for TS Gateway server.
If the certificate is not trusted by the Microsoft Root Certificate Program Members
program (for example, if you create and install a self-signed certificate on the TS
Gateway server and you do not manually configure the certificate to trust the Terminal
Services client computer), a warning stating that you do not have a trusted certificate
appears when the client attempts to connect through the TS Gateway server, and the
connection will not succeed. To prevent this error from occurring, install the certificate
onto the computer certificate store on the client computer before the client attempts to
connect through the TS Gateway server.
Note
The Certificate Request Wizard is not supported for obtaining certificates
for TS Gateway.
Your enterprise CA-issued certificate must be co-signed by a trusted public CA that
participates in the Microsoft Root Certification Program Members program. Otherwise,
users connecting from home computers or kiosks might not be able to connect to TS
Gateway servers. These connections might fail because the enterprise CA-issued root
might not be trusted by computers that are not members of domains, such as home
computers or kiosks.
• If your company does not maintain an enterprise CA that is configured to issue
SSL-compatible X.509 certificates, you can purchase a certificate from a trusted
public CA that participates in the Microsoft Root Certificate Program Members
program (http://go.microsoft.com/fwlink/?LinkID=59547). Some of these vendors
might offer certificates at no cost on a trial basis.
• Alternatively, if your company does not maintain an enterprise CA and you do not
have a compatible certificate from a trusted public CA, you can create and import
a self-signed certificate for your TS Gateway server for technical evaluation and
testing purposes. For step-by-step instructions, see Create a self-signed
certificate for TS Gateway.
Important
If you use either of the first two methods to obtain a certificate (that is, if
you obtain a certificate from a PKI or a public vendor), you must also
install the certificate on the TS Gateway server and map the certificate.
However, if you create a self-signed certificate by using the Add Roles
Wizard during installation of the TS Gateway role service or by using TS
Gateway Manager after installation (as described in Create a self-signed
certificate for TS Gateway), you do not need to install or map the
certificate to the TS Gateway server. In this case, the certificate is
automatically created, installed in the correct location on the TS Gateway
server, and mapped to the TS Gateway server.
Note that Terminal Services clients must have the certificate of the certification
authority (CA) that issued the server certificate in their Trusted Root Certification
Authorities store. Therefore, if you create a self-signed certificate by following the
procedure in this guide, you must install the root certificate in the client computer
certificate store. For step-by-step instructions, see "Install the TS Gateway server
26
root certificate on the client" in the Terminal Services Client Step-by-Step Setup
Guide for TS Gateway.
If you used one of the first two methods to obtain a certificate and the Terminal
Services client computer trusts the certificate, you do not need to install the certificate
of the CA that issued the server certificate in the client computer certificate store. For
example, you do not need to install the certificate of the issuing CA in the client
computer certificate store if a VeriSign or other public, trusted PKI certificate is
installed on the TS Gateway server and the Terminal Services client computer trusts
the TS Gateway server certificate.
2. Install a certificate on the TS Gateway server. Use this procedure, described later in
this guide, to install the certificate on your TS Gateway server.
3. Map the TS Gateway certificate. This procedure, described later in this guide, allows
you to map the existing certificate to the TS Gateway server.
For information about PKI configuration in Windows Server 2003, see Public Key
Infrastructure (http://go.microsoft.com/fwlink/?LinkId=66539) and Deploying a Public Key
Infrastructure (http://go.microsoft.com/fwlink/?LinkId=66541). For information about
requesting certificates in Windows Server 2003, see Requesting Certificates
(http://go.microsoft.com/fwlink/?LinkId=66543).
For more information about these values, see Advanced Certificate Enrollment and
Management (http://go.microsoft.com/fwlink/?LinkID=74577).
• The certificate must be trusted on clients. That is, the public certificate of the CA that
signed the TS Gateway server certificate must be located in the client's Trusted Root
Certification Authorities store.
Note
As mentioned, if you create a self-signed certificate by using the Add Roles
Wizard during installation of the TS Gateway role service, or by using TS
Gateway Manager after installation (as described in this procedure), you do not
need to install or map the certificate to the TS Gateway server. In this case, the
certificate is automatically created, installed in the correct location on the TS
Gateway server, and mapped to the TS Gateway server.
successfully created the self-signed certificate, and confirming the location of the
stored certificate. Click OK to close the message.
7. Click OK again to close the TS Gateway server Properties dialog box.
Note
This procedure is not required if you created a self-signed certificate by using the
Add Remove Roles Wizard during installation of the TS Gateway role service, or
by using TS Gateway Manager after installation, as described in Create a self-
signed certificate for TS Gateway. In either case, a certificate is automatically
created, installed in the correct location on the TS Gateway server, and mapped
to the TS Gateway server.
• In the Certificates snap-in dialog box, click Computer account, and then
click Next.
• In the Select Computer dialog box, click Local computer: (the computer
this console is running on), and then click Finish.
• In the Add or Remove snap-ins dialog box, click OK.
29
6. On the Password page, if you specified a password for the private key
associated with the certificate earlier, type the password.
7. On the Certificate Store page, accept the default option, and then click Next.
8. On the Completing the Certificate Import Wizard page, confirm that the correct
certificate has been selected.
9. Click Finish.
10. After the certificate import has successfully completed, a message appears
confirming that the import was successful. Click OK.
11. With Certificates selected in the console tree, in the details pane, verify that the
correct certificate appears in the list of certificates on the TS Gateway server.
The certificate must be under the Personal store of the local computer.
Note
This procedure is not required if you created a self-signed certificate by using the
Add Remove Roles Wizard during installation of the TS Gateway role service, or
by using TS Gateway Manager after installation, as described in Create a self-
signed certificate for TS Gateway. In either case, a certificate is automatically
created, installed in the correct location on the TS Gateway server, and mapped
to the TS Gateway server.
5. Click OK to close the Properties dialog box for the TS Gateway server.
6. If this is the first time that you have mapped the TS Gateway certificate, after the
certificate mapping is completed, you can verify that the mapping was successful
by viewing the TS Gateway Server Status area in TS Gateway Manager. Under
Configuration Status and Configuration Tasks, the warning stating that a
server certificate is not yet installed or selected and the View or modify
certificate properties hyperlink are no longer displayed.
TS CAPs
TS CAPs allow you to specify who can connect to a TS Gateway server. You can specify
a user group that exists on the local TS Gateway server or in Active Directory Domain
Services. You can also specify other conditions that users must meet to access a TS
Gateway server. For example, you can specify that all users who connect to a specific
terminal server that is hosting a human resources (HR) database through a TS Gateway
server must be members of the "HR Users" security group. You can also specify that the
client computer that is initiating the connection must be a member of an Active Directory
security group in the corporate network to connect to the TS Gateway server. By
requiring that the computer be a member of a specific Active Directory security group in
the corporate network, you can exclude users who are attempting to connect to the
corporate network from kiosks, airport computers, or home computers that are not
trusted.
For enhanced security when clients are connecting to the internal corporate network
through TS Gateway, you can also specify whether to disable client device redirection for
31
all devices supported by the Terminal Services client, or just for a specific type of device
such as a disk drive or Plug and Play devices. If you disable client device redirection for
all devices supported by the client, all Clipboard and file device redirection are disabled,
except for audio and smart card redirection.
Additionally, you can specify whether clients must use smart card authentication or
password authentication to access computers remotely on your corporate network
through a TS Gateway server. When both of these options are selected, clients that use
either authentication method are allowed to connect.
Finally, if your organization has deployed Network Access Protection (NAP), you can
specify that the client must send a statement of health (SoH). For information about how
to configure TS Gateway for NAP, see Overview of the TS Gateway NAP scenario:
Enabling NAP health policy checking for remote access to internal corporate network
resources.
Important
Users are granted access to a TS Gateway server if they meet the conditions
specified in the TS CAP. You must also create a TS RAP. A TS RAP allows you
to specify the network resources that users can connect to through TS Gateway.
Until you create both a TS CAP and a TS RAP, users cannot connect to network
resources through this TS Gateway server.
TS RAPs
TS RAPs allow you to specify the internal corporate network resources that remote users
can connect to through a TS Gateway server. When you create a TS RAP, you can
create a computer group and associate it with the TS RAP. For example, you can specify
that users who are members of the “HR Users” user group be allowed to connect only to
computers that are members of the “HR Computers” computer group, and that users who
are members of the “Finance Users” user group be allowed to connect only to computers
that are members of the "Finance Computers" computer group.
Remote users connecting to an internal corporate network through a TS Gateway server
are granted access to computers on the network if they meet the conditions specified in
at least one TS CAP and one TS RAP.
Note
Client users can specify a NetBIOS name or a fully qualified domain name
(FQDN) for the internal corporate network computer that they want to access
through the TS Gateway server. To support either NetBIOS or FQDN names,
create a TS RAP for each possible computer name.
32
Together, TS CAPs and TS RAPs provide two different levels of authorization to provide
you with the ability to configure a more specific level of access control to computers on
the internal corporate network.
• Members of an existing Windows group. The Windows group can exist in Local Users
and Groups on the TS Gateway server, or it can exist in Active Directory Domain
Services.
• Any network resource. In this case, users can connect to any computer on the
internal corporate network that they could connect to when they use Remote
Desktop.
Important
If you configure more than one TS CAP, keep in mind that TS Gateway uses the
following policy lookup behavior: policies are applied in the numerical order
shown in the TS Gateway Manager results pane, and access to the TS Gateway
server is granted by the first matching policy. That is, if a client does not meet the
requirements of the first TS CAP in the list, TS Gateway will evaluate the second
policy in the list, and so forth, until it locates a TS CAP whose requirements are
met. If a client does not meet the requirements of any TS CAP in the list,
TS Gateway denies access to the client.
33
5. On the General tab, type a name for the policy, and then verify that the Enable
this policy check box is selected.
6. On the Requirements tab, under Supported Windows authentication
methods, select one or both of the following check boxes:
• Password
• Smart card
When both of these options are selected, clients that use either authentication
method are allowed to connect.
7. Under User group membership (required), click Add Group to select the user
groups to which you want this TS CAP to apply.
8. In the Select Groups dialog box, specify the user group location and name, and
then click OK. To specify more than one user group, do either of the following:
• Type the name of each user group, separating the name of each group with
a semi-colon.
• Add additional groups from different domains by repeating Step 8 for each
group.
9. To specify computer domain membership criteria that client computers should
meet (optional), on the Requirements tab, under Client computer group
membership (optional), click Add Group, and then specify the computer
groups. In the example configurations, no computer group is specified.
To specify computer groups, you can use the same steps that you used to
specify user groups.
10. On the Device Redirection tab, select one of the following options to enable or
disable redirection for remote client devices:
34
Important
If users are connecting to members of a terminal server farm, you must select the
Select an existing TS Gateway-managed computer group or create a new
one option on the Computer Group tab. In the computer group, you must
specify the name of the farm rather than the name of each member must be
specified in the computer group.
To create a TS RAP and specify computers that users can connect to through
the TS Gateway server
1. Open TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway
server, which is named for the computer on which the TS Gateway server is
35
running.
3. In the console tree, expand Policies, and then click Resource Authorization
Policies.
• Type the name of each user group, separating the name of each group with
a semi-colon.
• Add additional groups from different domains by repeating Step 7 for each
group.
9. On the Computer Group tab, specify the computer group that users can connect
to through TS Gateway. Then, do one of the following:
click the name of the new computer group, and then click OK to close the
dialog box.
Important
When you add an internal corporate network computer to the list of
TS Gateway-managed computers, keep in mind that if you want to
allow remote users to connect to the computer by specifying either
its computer name or its IP address, you must add the computer to
the computer group twice (by specifying the computer name of the
computer and adding it to the computer group and then specifying
the IP address of the computer and adding it to the computer group
again). If you specify only an IP address for a computer when you
add it to a computer group, users must also specify the IP address of
that computer when they connect to that computer through TS
Gateway. To ensure that remote users connect to the internal
corporate network computers that you intend, we recommend that
you do not specify IP addresses for the computers, if the computers
are not configured to use static IP addresses. For example, you
should not specify IP addresses if your organization uses DHCP to
dynamically reconfigure IP addresses for the computers.
server, which is named for the computer on which the TS Gateway server is
running.
3. In the console tree, expand Monitoring.
4. With the Monitoring folder selected, right-click the Monitoring folder, and then
click Edit Connection Limit.
5. On the General tab, under Maximum Connections, do one of the following:
• To set a limit for the maximum number of simultaneous connections that
Terminal Services clients can make to network resources through TS
Gateway, click Limit maximum allowed simultaneous connections to,
and then specify the number of allowable connections.
• To set no limit on the number of allowable connections between clients and
network resources through TS Gateway, click Allow the maximum
supported simultaneous connections. This is the default option.
• To prevent new connections from being made between clients and network
resources through TS Gateway, click Disable new connections. If you
select this option, only new connection attempts will be rejected. Current
connections will not be ended.
6. Click OK.
Note
New Remote Desktop Connection (RDC) software is available for use on
Windows Server 2003 with Service Pack 1 or later and Windows XP with Service
Pack 2. To use any new Terminal Services features (including TS Gateway) on
either of these platforms, download the installer package for RDC 6.0 or later. To
download this package, go to Microsoft Help and Support
(http://go.microsoft.com/fwlink/?LinkID=79373). Clients must have RDC 6.0 or
later installed to connect to TS Gateway servers.
4. On the Auditing tab, select or clear the appropriate check boxes to specify the
events that you want to monitor for TS Gateway.
The following table lists and describes the TS Gateway event types that you can monitor.
39
• The domain and user ID of the user logged onto the client
• The IP address of the client
Note
If your network configuration includes proxy servers, the IP address that appears
in the Client IP Address column (in the Monitoring details pane) will reflect the
IP address of the proxy server, rather than the IP address of the Terminal
Services client.
2. In the console tree, click to select the node that represents your TS Gateway
server, which is named for the computer on which the TS Gateway server is
running.
42
4. To refresh the display of connection status, in the Actions pane, click Refresh.
Note
TS Gateway currently does not support remediation.
This section describes how to configure NAP with the TS Gateway server. By using NAP,
you can help ensure that clients meet the health policy requirements of your organization
before they are allowed to connect to internal corporate network resources through TS
Gateway servers.
The following steps are required for the successful setup and demonstration of the TS
Gateway NAP scenario described as an example in this guide.
1. We recommend that you set up three computers to evaluate this scenario. These
computers are:
• The TS Gateway server/Network Policy Server (NPS server) (known as
"TSGSERVER" in this example)
Internal corporate network resource • Windows Vista RTM. The installation can
(CORPORATERESOURCE) be an upgrade from Windows XP with SP2.
Note
The steps in this setup guide describe how to set up remote access from a
Terminal Services client through a TS Gateway server to an internal corporate
network resource, with health policy checking for Terminal Services (the NPS
server is used to perform the health policy checking). The guide does not
describe how to set up the firewalls illustrated in the diagram, the terminal
servers running RemoteApp programs, or the perimeter network or Active
Directory infrastructure. The diagram is provided to suggest one way in which
this scenario might be implemented in a production environment.
1. Enable NAP health policy checking on Enable NAP health policy checking on the
the TS Gateway server. TS Gateway server
2. Delete existing TS CAPs and create Delete existing TS CAPs and create three
three new TS CAPs on the TS Gateway new TS CAPs on the TS Gateway server
server.
4. Create two health policies on the TS Create two health policies on the TS
Gateway server. Gateway server
5. Create three network policies on the TS Create three network policies on the TS
Gateway server. Gateway server
Warning
Failure to delete existing TS CAPs might result in security vulnerabilities for your
internal corporate network because these TS CAPs might bypass the NAP
authorization policies that you will create for the TS Gateway NAP scenario. If the
NAP authorization policies are bypassed, Terminal Services clients that don't
meet NAP authorization policy requirements will be allowed access to the TS
Gateway server.
and their configuration does not match the WSHV, their network connection is blocked
until the clients meet the conditions of the WSHV.
In this example, the WSHV only requires that automatic updating be enabled.
3. In the details pane, right-click Windows Security Health Validator, and then
click Properties.
4. In the Windows Security Health Validator Properties dialog box, on the
Settings tab, click Configure.
5. On the Windows Vista and/or the Windows XP SP2 tab (depending on the
operating system that the Terminal Services client is running), clear every check
box except for Automatic updating is enabled and Windows Update.
6. Click OK to close the Windows Security Health Validator Properties dialog
box (with the Windows Vista and Windows XP tabs, and then click OK again to
close the Windows Security Health Validator Properties dialog box with the
Settings tab.
4. In the Create New Health Policy dialog box, on the Settings tab, under Policy
49
Important
When you select the Network Policies folder in the console tree, a default
policy, TSG Marker Policy <GUID>, appears in the console tree. Do not
delete or modify this policy. Additionally, any TS CAPs that you have
50
3. With Network Policies selected in the console tree, right-click TSCAP1, and
then click Properties.
4. In the TSCAP1 Properties dialog box, on the Overview tab, change the name of
the TS CAP to TSCAP FAIL, and accept the default values, where:
• The Policy enabled check box is selected
• Access Permission: Grant access
9. On the Constraints tab, verify that only the Allow clients to connect without
negotiating an authentication method check box is selected.
10. On the Settings tab, browse to Network Access Protection\NAP
Enforcement. With NAP Enforcement selected in the navigational tree, select
Allow limited access.
11. Verify that the following check boxes are not selected:
22. On the Overview tab, change the name to NONNAPCAP, and accept the default
settings.
23. On the Conditions tab, click Add.
24. In the Select condition dialog box, click NAP-Capable Computers, and then
click Add.
25. In the NAP-Capable Computers dialog box, click Only computers that are not
NAP-Capable, and then click OK.
26. On the Conditions tab, verify that the value of the NAP-Capable condition is
Computer is not NAP-Capable.
27. On the Constraints tab, verify that only the Allow clients to connect without
negotiating an authentication method check box is selected.
28. On the Settings tab, browse to Network Access Protection\NAP
52
Following are three scenarios in which ISA Server and TS Gateway server can be used
together to enhance security for remote connections to internal corporate network
resources:
• ISA Server as an SSL bridging device. In this scenario, ISA Server is hosted in a
perimeter network with SSL bridging. The TS Gateway server is hosted in the
corporate/private network.
53
Note
The steps in this setup guide provide detailed configuration information only for
the first scenario (ISA Server as an SSL bridging device). The other two
scenarios are mentioned as alternate ways in which ISA Server can be used with
TS Gateway to enhance security for remote connections to internal corporate
network resources.
Terminal Services client (TSCLIENT) • Windows Vista RTM. The installation can
be an upgrade from Windows XP with
Service Pack 2.
• Windows XP with SP2 and the Terminal
Services client, Remote Desktop
Connection (RDC) 6.0 or later. To
download the installer package for RDC, go
to Microsoft Help and Support
(http://go.microsoft.com/fwlink/?LinkID=793
73).
Internal corporate network resource • Windows Vista RTM. The installation can
(CORPORATERESOURCE) be an upgrade from Windows XP with SP2.
Note
The steps in this setup guide describe how to set up remote access from a
Terminal Services client through a TS Gateway server, where SSL traffic from
the client is first sent to the ISA Server, which is used for SSL bridging. The guide
does not describe how to install ISA Server 2004, nor does it describe how to
configure the firewalls illustrated in the diagram, the terminal servers running
RemoteApp programs (hosting LOB applications), or the perimeter network or
Active Directory infrastructure. The diagram is provided to suggest one way in
which this scenario might be implemented in a production environment.
56
1. Create a firewall policy on the ISA "Firewall Policy" topic in the ISA Server 2004
Server to allow the RDP protocol Enterprise and Standard Edition Help
access from anywhere to anywhere (http://go.microsoft.com/fwlink/?LinkID=89125)
(optional).
Note
This firewall policy is needed only if you
plan to administer the ISA Server
remotely.
2. Export the SSL certificate for the TS Export the certificate for the TS Gateway server
Gateway server and copy it to the ISA and copy it to the ISA Server
Server.
3. Install the SSL certificate for the TS Install the SSL certificate for the TS Gateway
Gateway server on the ISA Server. server on the ISA Server
4. Copy and install the TS Gateway Copy and install the TS Gateway server root
server root certificate on the ISA certificate on the ISA Server
Server.
Note
This step is required only if you are
using a self-signed certificate or
another SSL certificate type that is not
trusted.
5. Create a new Web publishing rule on Create a new Web publishing rule on the ISA
the ISA Server. Server
7. Create access policies on the ISA Create access policies on the ISA Server
Server.
57
8. Verify client configuration and test Verify client configuration and test end-to-end
end-to-end connectivity. connectivity
To export the SSL certificate for the TS Gateway server and copy it to the ISA
Server
1. On the TS Gateway server, open Internet Information Services (IIS) Manager. To
open IIS Manager, click Start, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In the console tree, browse to <Local TS Gateway Server>.
3. In the details pane, under IIS, double-click Server Certificates.
4. Right-click the SSL certificate for the TS Gateway server (the SSL certificate that
is mapped to the TS Gateway server), and then click Export.
If the Export command does not appear on the shortcut menu, this means that
the certificate that you selected was not marked as exportable when it was
originally created. If this is the case, you can create a new self-signed certificate
by using TS Gateway Manager, as described in Create a self-signed certificate
for TS Gateway.
5. In the Export Certificate dialog box, under Export to, click the browse button to
browse to the location where you want to export the certificate file (for example,
your Desktop).
6. In the Specify file to save as dialog box, in the File name box, specify a name
for the certificate file that you want to export (for example, TSGSERVER), and
58
To install the SSL certificate for the TS Gateway server on the ISA Server
1. On the ISA Server, open the Certificates snap-in console. If you have not already
added the Certificates snap-in console, you can do so by doing the following:
• Click Start, click Run, type mmc, and then click OK.
5. On the File to Import page, in the File name box, click Browse, and then
browse to the location where you copied the SSL certificate for the TS Gateway
server. Select the certificate (Certificate_Name.pfx), click Open, and then click
59
Next.
6. On the Password page, if earlier you specified a password for the private key
associated with the certificate, type the password.
7. On the Certificate Store page, accept the default option, and then click Next.
8. On the Completing the Certificate Import Wizard page, confirm that the correct
certificate has been selected.
9. On the Completing the Certificate Import Wizard page, confirm that the
following certificate settings appear:
• Certificate Store Selected by User: Trusted Root Certification Authorities
• Content: PFX
• File Name: FilePath\<Certificate_Name.pfx>, where <Certificate_Name> is
the name of the TS Gateway server SSL certificate.
12. With Certificates selected in the console tree, in the details pane, verify that the
correct certificate appears in the list of certificates on the ISA Server. The
certificate must be under the Personal store of the local computer.
To copy and install the TS Gateway server root certificate on the ISA Server
1. On the ISA Server, open the Certificates snap-in console. If you have not already
added the Certificates snap-in console, you can do so by doing the following:
• Click Start, click Run, type mmc, and then click OK.
• In the Certificates snap-in dialog box, click Computer account, and then
60
click Next.
• In the Select Computer dialog box, click Local computer: (the computer
this console is running on), and then click Finish.
Note
If you created a self-signed certificate by using the Add Remove Roles
Wizard during installation of the TS Gateway role service, or by using TS
Gateway Manager after installation, as described in Create a self-signed
certificate for TS Gateway, note that the self-signed certificate is also the
root certificate.
5. On the Password page, if earlier you specified a password for the private key
associated with the certificate, type the password.
6. On the Certificate Store page, accept the default option (Place all certificates
in the following store - Trusted Root Certification Authorities), and then click
Next.
7. On the Completing the Certificate Import Wizard page, confirm that the
following certificate settings appear:
10. With Certificates selected in the console tree, in the details pane, verify that the
root certificate of the TS Gateway server appears in the list of certificates on the
ISA Server. Ensure that the certificate appears under the Trusted Root
Certification Authorities store on the local computer.
4. On the Welcome To The SSL Publishing Rule Wizard page, in the SSL Web
Publishing Rule Name box, type a name for the new server publishing rule, and
then click Next.
5. On the Publishing Mode page, click SSL Bridging, and then click Next.
6. On the Select Rule Action page, click Allow, and then click Next.
7. On the Bridging Mode page, do one of the following:
• To enable HTTPS-HTTP bridging, click Secure connections to clients, and
then click Next.
• To enable HTTPS-HTTPS bridging, click Secure connection to clients and
Web server, and then click Next.
8. On the Define Website to Publish page, do the following:
• In the Computer name or IP address box, type the name of the TS
Gateway server. The specified name must match the name of the TS
Gateway server through which users will connect in this scenario.
• Select the Forward the original host header instead of the actual one
(specified above) check box.
62
• In the Public name box, type the name of the TS Gateway server. The
specified name must match the name of the TS Gateway server through
which users will connect in this scenario.
Click OK to close the Select Certificate dialog box, and then click Next.
• On the Completing the New Web Listener Wizard page, click Finish.
• On the Select Web Listener page, confirm that the correct Web listener
properties appear, and then click Next.
11. On the User Sets page, click All Users, and then click Next.
12. On the Completing the New SSL Web Publishing Rule Wizard page, click
Finish.
13. To save the changes and update the ISA Server firewall policy, in the details
pane of the ISA Server Management console, click Apply.
14. In the Apply New Configuration dialog box, click OK after the changes are
applied (a progress bar appears while the changes are being applied).
63
Important
As mentioned earlier in this guide, in the Beta 3 release of TS Gateway, selecting
or clearing the Use HTTPS-HTTP bridging check box does not create or update
the AllowAnonymous registry key value. Therefore, you must create or update
this registry key value manually. For more information and step by step
instructions, see Special considerations for TS Gateway earlier in this guide.
Important
If you enable HTTPS-HTTP bridging, the TS Gateway server will depend on ISA
Server 2004 to perform user authentication. If you no longer want to use ISA
Server for SSL bridging in this scenario, we strongly recommend that you roll
back the configuration changes described in this procedure by disabling HTTPS-
HTTP bridging on the TS Gateway server. If you do not roll back the
configuration changes in this scenario, TS Gateway will allow access to
everyone.
TS Gateway server address and the IP address of the ISA Server will be published in
DNS. As a result, clients will resolve the TS Gateway server address to the ISA Server.
The secure Web publishing rule that you create for the ISA Server ensures that all
incoming requests to the TS Gateway server from the external network will be forwarded
to the TS Gateway server, which is located in the internal network.
If you cannot publish entries to DNS, for testing purposes, you can add an entry to the
hosts file of the client that maps the TS Gateway server address to the IP address of the
ISA Server. The hosts file on the client is located at:
%windir%\system32\drivers\etc\hosts.
Next, ensure that the client is correctly configured as a TS Gateway client as described in
"Steps for configuring a Terminal Services client for the TS Gateway core scenario." To
ensure that connectivity is successful in this scenario, follow the steps in "Verify that end-
to-end connectivity through TS Gateway is functioning correctly" in the Terminal Services
Client Step-by-Step Setup Guide for TS Gateway.
6. Type the password for RPC/http proxy (the password for the TS Gateway
server).
Echo *******************************************************************
Echo * The first RPCPing will authenticate to the RPC over HTTP
Echo * Proxy service. If this ping fails, then the certificate
66
Echo *******************************************************************
Echo * The second RPCPing will attempt to authenticate to the TS
Echo * Gateway service. If this ping fails, then the TS Gateway
Echo * service is probably not running.
Echo *******************************************************************
goto endall
:DO_USAGE
Echo ******************************************************************
Usage: *
Echo * testclient.cmd [gateway] [user] [domain/machine] *
Echo * *
Echo ******************************************************************
goto endall
:ENDALL
Endlocal
Disclaimer
The sample script is not supported under any Microsoft standard support program or
service. The sample script is provided AS IS without warranty of any kind. Microsoft
further disclaims all implied warranties including, without limitation, any implied warranties
of merchantability or of fitness for a particular purpose. The entire risk arising out of the
use or performance of the sample script and documentation remains with you. In no
event shall Microsoft, its authors, or anyone else involved in the creation, production, or
delivery of the script be liable for any damages whatsoever (including, without limitation,
damages for loss of business profits, business interruption, loss of business information,
or other pecuniary loss) arising out of the use of or inability to use the sample scripts or
documentation, even if Microsoft has been advised of the possibility of such damages.
67
Additional references
The following references provide additional information about TS Gateway:
• For product support, see the Terminal Services page on the Windows Server
"Longhorn" TechCenter (http://go.mi).
• To access newsgroups for Terminal Services, see the Terminal Services Community
page on the Microsoft TechNet Web site (http://go.mi).
• If you are a beta tester and part of the special Technology Adoption Program (TAP)
beta program, you can also contact your appointed Microsoft development team
member for assistance.
Important
Before you follow the steps in this guide to set up a Terminal Services client,
verify that you have correctly configured the TS Gateway server, as
described in the Windows Server “Longhorn” Beta 3 Release TS Gateway
Server Step-by-Step Setup Guide.
68
Known issues
The following are known issues for Terminal Services clients connecting through a TS
Gateway server in the Windows Server "Longhorn" Beta 3 release.
2. End the session, leaving the smart card in the smart card reader.
3. Start another connection while leaving the smart card in the smart card reader.
To resolve this problem, remove the smart card, reinsert it, and then try to connect to the
remote computer again.
1. Verify that system requirements are met "System requirements for the TS Gateway
for the Terminal Services client. core scenario" in the Windows Server
“Longhorn” Beta 3 Release TS Gateway
Server Step-by-Step Setup Guide
2. Install the TS Gateway server root Install the TS Gateway server root
certificate on the Terminal Services client certificate on the Terminal Services client
(optional).
Note
This procedure is not required if a
certificate that is issued by one of
the trusted public CAs that
participate in the Microsoft Root
Certificate Program Members
program is installed on the TS
Gateway server, and the Terminal
Services client computer trusts the
certificate.
As mentioned, you can also configure the Terminal Services client as a NAP enforcement
client. For more information, see Steps for configuring a Terminal Services client as a
NAP enforcement client later in this guide.
70
• A certificate that is issued by one of the trusted public CAs that participate in the
Microsoft Root Certificate Program Members program [as listed in article 931125 in
the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547)] is
installed on the TS Gateway server; and
• The Terminal Services client computer trusts the certificate.
For more information, see "Obtain a certificate for the TS Gateway server" in the
Windows Server “Longhorn” Beta 3 Release TS Gateway Server Step-by-Step Setup
Guide.
If the TS Gateway server is using a non-Microsoft, trusted PKI certificate that is
recognized and trusted by your client computer, proceed to the Configure remote desktop
connection settings section.
Important
Do not install certificates from any untrusted sources or individuals.
To install the TS Gateway server root certificate, do the following on the Terminal
Services client.
To install the TS Gateway server root certificate on the Terminal Services client
1. Open the Certificates snap-in console. If you have not already added the
Certificates snap-in console, you can do so by doing the following:
• Click Start, click Run, type mmc, and then click OK.
• In the Certificates snap-in dialog box, click Computer account, and then
click Next.
71
• In the Select Computer dialog box, click Local computer: (the computer
this console is running on), and then click Finish.
• In the Add or Remove snap-ins dialog box, click OK.
5. On the Password page, if earlier you specified a password for the private key
associated with the certificate, type the password.
6. On the Certificate Store page, accept the default option (Place all certificates
in the following store - Trusted Root Certification Authorities), and then click
Next.
7. On the Completing the Certificate Import Wizard page, confirm that the
following certificate settings appear:
• Certificate Store Selected by User: Trusted Root Certification Authorities
• Content: Certificate
• File Name: FilePath\<Root_Certificate_Name.cer>, where
<Root_Certificate_Name> is the name of the TS Gateway server root
certificate.
8. Click Finish.
9. After the certificate import has successfully completed, a message appears
confirming that the import was successful. Click OK.
10. With Certificates selected in the console tree, in the details pane, verify that the
root certificate of the TS Gateway server appears in the list of certificates on the
client. Ensure that the certificate appears under the Personal store.
3. On the Advanced tab, in the Connect from anywhere area, click Settings.
4. In the Gateway Server Settings dialog box, select the appropriate options:
• Automatically detect TS Gateway server settings (default). If you select
this option, the Terminal Services client attempts to use Group Policy
settings that determine the behavior of client connections to TS Gateway
servers, if these settings have been configured and enabled. Group Policy
settings for Terminal Services client connections can be applied in one of two
ways. These settings can either be suggested (that is, they can be enabled,
but not enforced) or they can be enabled and enforced. When Group Policy
settings are suggested, if you click Use these TS Gateway server settings,
you can modify settings and specify the name of the TS Gateway server or
TS Gateway server farm that you want to connect to and the logon method to
use for the connection. When Group Policy settings are enabled and
enforced, when you click Use these TS Gateway server settings, you
cannot modify the settings.
will not connect through the TS Gateway server or TS Gateway server farm
in this case.
• Do not use a TS Gateway server. Select this option if your computer is
always connected to the LAN or if it is hosted inside the corporate firewall.
This option is appropriate if you know that you do not need to use TS
Gateway to traverse a firewall.
6. Click Submit.
7. Review the security warning, and then click Yes.
8. On the Gateway server credentials page, select the user name that you want to
use to log on to the TS Gateway server, and then enter the required credentials.
9. Click Submit.
10. After a few moments, the connection completes and a connection will be
established through the TS Gateway server to the computer.
Verify that system requirements are met for "System requirements for the TS Gateway
the Terminal Services client. NAP scenario" in the Windows Server
“Longhorn” Beta 3 Release TS Gateway
Server Step-by-Step Setup Guide
Download and run the Terminal Services Download and run the Terminal Services
NAP client configuration command. NAP client configuration command
Test to confirm that the NAP health policy Test to confirm that the NAP health policy is
is successfully applied to the Terminal successfully applied to the Terminal
Services client. Services client
75
• Starts the Network Access Protection Agent service and sets the service startup type
to Automatic.
The NAP agent collects and manages health information. The NAP agent processes
statements of health (SoH) from the various system health agents (SHAs) and
reports client health to the NAP administration server. For NAP to function correctly,
you must start the Network Access Protection Agent service on the client, and then
set the service startup type to Automatic. By default, this service does not start
automatically.
• Enables the TS Gateway Quarantine Enforcement client.
To run this example script, use the following procedure. Note that you must run the
script as a member of the local Administrators group on the TS Gateway server.
To download and run the Terminal Services NAP client configuration command
1. To download the Terminal Services NAP client configuration command, go to the
TS Gateway page on the Windows Server "Longhorn" TechCenter
(http://go.microsoft.com/fwlink/?LinkId=79605). When you open the command
prompt, right-click the command prompt, and then click Run as Administrator.
You must run this command with elevated privileges for the command to
succeed. For information about how to run this command with elevated privileges
in Windows XP, see article 294676 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=87531). For information about how to do
this in Windows Server 2003, see Run a program with administrative credentials
(http://go.microsoft.com/fwlink/?LinkId=87533).
2. At the command prompt, type:
tsgqecclientconfig TS_GATEWAY_SERVER_NAME
The name that you specify for the server must match the name in the Issued to
76
where TrustedGateways lists the FQDN of the TS Gateway servers that you
specified in Step 2, in the Data field.
Recall that the Windows Security Health Validator (WSHV) policy that you created on the
TS Gateway server (by following the steps in the Windows Server “Longhorn” Beta 3
Release TS Gateway Server Step-by-Step Setup Guide) requires that you enable
automatic updating for the connection to succeed.
77
To test whether the health policy is correctly applied to the Terminal Services client,
perform the following tasks:
• Test for successful blocked connection for NAP-capable client. If the health policy is
correctly applied to the Terminal Services NAP-capable client, the client connection
attempt will be blocked by the server when automatic updating is disabled on the
client.
• Test for successful allowed connection for NAP-capable client. If the health policy is
correctly applied to the Terminal Services NAP-capable client, the client connection
attempt will be allowed by the server when automatic updating is enabled on the
client.
• Test for successful blocked connection for non-NAP capable client. If the health
policy is correctly applied to the Terminal Services non-NAP capable client, the client
connection attempt will be blocked by the server, because the client cannot send a
statement of health (SoH).
5. Open the Remote Desktop Connection client. To open the Remote Desktop
Connection client, click Start, point to All Programs, point to Accessories, and
then click Remote Desktop Connection.
6. In the Remote Desktop Connection dialog box, click Options to expand the
dialog box and view settings.
7. On the General tab, type the name of the computer (terminal server or computer
with Remote Desktop enabled) to which you want to connect remotely through
78
TS Gateway.
8. Click Connect.
9. On the Enter your credentials page, select the user account that you want to
use to log on remotely to the computer, and then enter the required credentials.
10. Click Submit.
11. Review the security warning, and then click Yes.
12. On the Gateway server credentials page, select the user name that you want to
use to log on to the TS Gateway server, and then enter the required credentials.
13. Click Submit.
3. With System selected in the console tree, search for event IDs 1 and 5.
79
5. Open the Remote Desktop Connection client. To open the Remote Desktop
Connection client, click Start, point to All Programs, point to Accessories, and
then click Remote Desktop Connection.
6. In the Remote Desktop Connection dialog box, click Options to expand the
dialog box and view settings.
7. On the General tab, type the name of the computer (terminal server or remote
desktop) to which you want to connect remotely through TS Gateway.
8. Click Connect.
9. On the Enter your credentials page, select the user account that you want to
use to log on remotely to the computer, and then enter the required credentials.
10. Click Submit.
11. Review the security warning, and then click Yes.
12. On the Gateway server credentials page, select the user name that you want to
use to log on to the TS Gateway server, and then enter the required credentials.
80
• Event ID 7: This event, which appears in the global System log, indicates that the
client was granted access to the TS Gateway server because the health policy was
successfully applied.
• Event ID 200: This event, which appears in the TS Gateway server log, indicates that
the client is healthy and therefore can access the TS Gateway server.
6. Open the Remote Desktop Connection client. To open the Remote Desktop
Connection client, click Start, point to All Programs, point to Accessories, and
then click Remote Desktop Connection.
7. In the Remote Desktop Connection dialog box, click Options to expand the
dialog box and view settings.
8. On the General tab, type the name of the computer (terminal server or computer
with Remote Desktop enabled) to which you want to connect remotely through
TS Gateway.
9. Click Connect.
10. On the Enter your credentials page, select the user account that you want to
use to log on remotely to the computer, and then enter the required credentials.
11. Click Submit.
12. Review the security warning, and then click Yes.
13. On the Gateway server credentials page, select the user name that you want to
use to log on to the TS Gateway server, and then enter the required credentials.
Additional references
Network Access Protection (http://go.microsoft.com/fwlink/?LinkID=70047)
Abstract
Windows Server® Code Name "Longhorn" provides a license management system for
Terminal Services known as Terminal Services Licensing (TS Licensing). This system
allows terminal servers to obtain and manage Terminal Services client access licenses
(TS CALs) for devices and users that are connecting to a terminal server. TS Licensing
supports terminal servers that run Windows Server "Longhorn" as well as terminal
servers running Microsoft Windows Server® 2003 or Microsoft Windows® 2000 Server.
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary
information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure
agreement between the recipient and Microsoft. This document is provided for
informational purposes only and Microsoft makes no warranties, either express or
implied, in this document. Information in this document, including URL and other Internet
Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the
example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious, and no association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is
the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Active Directory, Terminal Services, Microsoft, MS-DOS, Visual Basic, Visual Studio,
Windows, Windows NT, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
Installing Terminal Services Client Access Licenses by Using a Web Browser ............... 21
Overview of TS Licensing
Terminal Services Licensing (TS Licensing) manages the Terminal Services client access
licenses (TS CALs) that are required for each device or user to connect to a terminal
6
server. You use TS Licensing to install, issue, and monitor the availability of TS CALs
on a Terminal Services license server.
For more information about TS CALs, see Terminal Services Client Access Licenses (TS
CALs).
When a client—either a user or a device—connects to a terminal server, the terminal
server determines if a TS CAL is needed. The terminal server then requests a TS CAL
from the Terminal Services license server, and then the TS CAL is issued to the client by
the license server. Although there is a licensing grace period during which no license
server is required, after the grace period ends, clients must receive a valid TS CAL
issued by a license server before they can log on to a terminal server.
Important
Remote Desktop supports two concurrent connections to remotely administer a
computer. You do not need a license server for these connections.
To use Terminal Services, you must also have at least one license server. For small
deployments, it is acceptable to install both the Terminal Server role service and the
TS Licensing role service on the same computer. For larger deployments, it is
recommended that the TS Licensing role service be installed on a separate computer
from the Terminal Server role service.
You must configure TS Licensing correctly in order for your terminal server to continue to
accept connections from clients. To allow ample time for you to deploy a license server,
Terminal Services provides a licensing grace period during which no license server is
required. During this grace period, a terminal server can accept connections from
unlicensed clients without contacting a license server. The grace period begins the first
time the terminal server accepts a client connection. The grace period ends after you
deploy a license server and that license server issues its first permanent TS CAL, or after
120 days, whichever comes first.
After the TS Licensing grace period ends, you must purchase and install the appropriate
number of TS CALs for each device or user that needs to connect to a terminal server. In
addition, you must verify that the TS Licensing mode that you specify on the terminal
server matches the type of TS CAL available on the license server. TS Licensing modes
determine the type of TS CAL that a license server issues to a client.
7
Task Reference
Verify that the license server supports the TS Licensing in Windows Server
operating system of the terminal servers. "Longhorn" supports terminal servers that
run:
• Windows Server "Longhorn"
Determine which type of TS CALs to use. Terminal Services Client Access Licenses
(TS CALs)
8
Task Reference
Purchase the appropriate type and number For the Windows Server "Longhorn" Beta 3
of TS CALs. release, you do not have to purchase TS
CALs from Microsoft. Instead, you can use
a test license code from Microsoft so that
you can install Windows Server "Longhorn"
beta TS CALs on a Windows Server
"Longhorn" Beta 3 license server. For more
information, see Obtaining Beta Terminal
Services Client Access Licenses.
To ensure that you are in compliance with the license terms, make sure that you track
the number of TS Per User CALs being used in your organization and that you have a
sufficient number of TS Per User CALs installed on the license server to provide a TS Per
User CAL for each user that needs to connect to the terminal server.
In Windows Server "Longhorn", you can use the TS Licensing Manager tool to track and
generate reports on the issuance of TS Per User CALs. For more information, see
Tracking the Issuance of Terminal Services Client Access Licenses.
• Domain
• Forest
Workgroup scope is only available when the computer that you are installing the
TS Licensing role service on is not a member of a domain. If you configure workgroup
scope, terminal servers, without any additional configuration, can automatically discover
a license server in the same workgroup.
Domain scope and forest scope are only available when the computer that you are
installing the TS Licensing role service on is a member of a domain.
If you configure domain scope, terminal servers, without any additional configuration, can
automatically discover a license server in the same domain if the license server is
installed on a domain controller. To configure domain scope, you must be logged on as a
domain administrator to the domain in which the license server is a member.
If you configure forest scope, terminal servers, without any additional configuration, can
automatically discover a license server in the same forest. To configure forest scope, you
must be logged on as an enterprise administrator to the forest in which the license server
is a member.
10
Note
In Windows Server 2003, "forest scope" was known as "enterprise scope."
Task Reference
Install Terminal Services client access Installing Terminal Services Client Access
licenses (TS CALs) on the Terminal Licenses
Services license server.
Installing TS Licensing
Use the following procedure to install the TS Licensing role service if Terminal Services is
not already installed on the server. If Terminal Services is already installed on the server,
use the "To install the TS Licensing role service when Terminal Services is already
installed" procedure.
Note
If Terminal Services is already installed on the server, the Terminal
Services check box will be selected and dimmed.
5. Click Next.
6. On the Terminal Services page, click Next.
7. On the Select Role Services page, select the TS Licensing check box.
8. On the Configure Scope for TS Licensing page, specify the scope for
TS Licensing. For more information about TS Licensing scopes, see Terminal
Services License Server Discovery.
9. On the Configure Scope for TS Licensing page, specify the location where the
TS Licensing database will be stored. If you want to specify a database location
other than the default location provided, click Browse. Note that the database
location must be a local folder on the computer on which TS Licensing is being
installed.
10. Click Next.
11. On the Confirm Installation Selections page, verify that the TS Licensing role
service will be installed, and then click Install.
12. On the Installation Progress page, installation progress will be noted.
13. On the Installation Results page, confirm that installation for the role service
was successful, and then click Close.
Use the following procedure to install the TS Licensing role service when Terminal
Services is already installed on the server.
When TS Licensing Manager opens, it automatically tries to find all license servers in the
workgroup or domain.
2. In the left pane, right-click Features, and then click Add Features.
3. On the Select Features page, expand Remote Server Administration Tools,
expand Role Administration Tools, and then expand Terminal Services.
4. Select the TS Licensing Manager check box, and then click Next.
5. On the Confirm Installation Selections page, click Next.
6. On the Installation Results page, confirm that installation of TS Licensing
Manager was successful, and then click Close.
7. To run TS Licensing Manager, click Start, point to Administrative Tools, point
to Terminal Services, and then click TS Licensing Manager.
14
• Web You can use the Web method when the computer running TS Licensing
Manager does not have Internet connectivity, but you have access to the Web by
means of a Web browser from another computer. The URL for the Web method is
displayed in the Activate Server Wizard.
• Telephone The telephone method allows you to talk to a Microsoft customer
service representative to complete the activation process. The appropriate telephone
number is displayed in the Activate Server Wizard and is determined by the
country/region that you choose in the wizard.
When you activate the license server, Microsoft provides the server with a limited-use
digital certificate that validates server ownership and identity. Microsoft uses an X.509
industry standard certificate for this purpose. By using this certificate, a license server
can make subsequent transactions with Microsoft.
You only need to activate a license server once. While waiting to complete the activation
or TS CAL installation processes, your license server can issue temporary TS CALs that
allow clients to use terminal servers for up to 90 days.
Additional references
• Activating a Terminal Services License Server Automatically
• Activating a Terminal Services License Server by Using a Web Browser
• Activating a Terminal Services License Server by Using the Telephone
15
2. Right-click the license server that you want to activate, and then click Activate
Server. The Activate Server Wizard starts.
3. Click Next.
2. Right-click the license server that you want to activate, and then click Activate
Server. The Activate Server Wizard starts.
3. Click Next.
4. On the Connection method page, in the Connection method list, select Web
Browser, and then click Next.
5. On the License Server Activation page, click the hyperlink to connect to the
Terminal Server Licensing Web site.
6. Under Select Option, click Activate a license server, and then click Next.
7. In the Product ID boxes, type your Product ID. Your Product ID is displayed on
the License Server Activation page of the Activate Server Wizard. Complete
the name, company, and country/region fields, and then click Next.
8. Confirm your entries, and then click Next. Your license server ID is displayed.
Write down the license server ID or print the Web page.
9. On the License Server Activation page of the Activate Server Wizard, type the
license server ID that you received in the previous step, and then click Next.
Your license server is activated.
10. On the Completing the Activate Server Wizard page, do one of the following:
• To install Terminal Services client access licenses (TS CALs) onto your
license server, ensure that the Start Install Licenses Wizard now check
box is selected, click Next, and then follow the instructions.
17
• To install TS CALs later, clear the Start Install Licenses Wizard now check
box, and then click Finish.
2. Right-click the license server that you want to activate, and then click Activate
Server. The Activate Server Wizard starts.
3. Click Next.
Note
For the Windows Server "Longhorn" Beta 3 release, you do not have to
purchase TS CALs from Microsoft. Instead, you can use a test license code
from Microsoft so that you can install Windows Server "Longhorn" beta
TS CALs on a Windows Server "Longhorn" Beta 3 license server. For more
information, see Obtaining Beta Terminal Services Client Access Licenses.
Additional references
• Installing Terminal Services Client Access Licenses Automatically
• Installing Terminal Services Client Access Licenses by Using a Web Browser
• Installing Terminal Services Client Access Licenses by Using the Telephone
Note
The test license code should only be used for beta testing and evaluation
purposes.
• Country
• Source Select Technical Beta (download site).
20
• License Type Select Windows Server "Longhorn" Per Device or Per User
CALs.
• E-Mail Address Enter the e-mail address to which you want the test license
code delivered.
4. Click Next.
5. On the Confirm License Code Request page, re-enter your e-mail address,
verify that all the other information you entered is correct, and then click Submit.
6. On the License Code Request Successfully Processed page, click Finish.
7. You will receive an e-mail message with the subject line "Terminal Server
License Management" that contains your test license code.
8. Copy the test license code into a safe location and do not delete the e-mail. This
test code is important and will be required when installing Windows Server
"Longhorn" beta TS CALs.
Note
For the Windows Server "Longhorn" Beta 3 release, you do not have to purchase
TS CALs from Microsoft. Instead, you can use a test license code from Microsoft
so that you can install Windows Server "Longhorn" beta TS CALs on a
Windows Server "Longhorn" Beta 3 license server. For more information, see
Obtaining Beta Terminal Services Client Access Licenses.
2. Verify that the installation method for the Terminal Services license server is set
to Automatic connection (recommended) by right-clicking the license server
on which you want to install TS CALs, and then clicking Properties. On the
Connection Method tab, change the connection method if necessary.
3. In the console tree, right-click the Terminal Services license server on which you
want to install the TS CALs, click Install Licenses to open the Install Licenses
Wizard, and then click Next.
4. On the License Program page, select License Pack (Retail Purchase). Other
programs are not supported for the Windows Server "Longhorn" Beta 3 release.
Click Next.
5. On the License Code page, type the test license code that you received in e-
mail into the boxes provided, and then click Add. If you have more than one test
license code, type each additional code and click Add until all the codes are
entered.
6. Click Next. The TS CALs are installed on your Terminal Services license server.
7. On the Completing the Install Licenses Wizard page, click Finish. The
Terminal Services license server can now issue TS CALs to clients that connect
to a terminal server.
Note
For the Windows Server "Longhorn" Beta 3 release, you do not have to purchase
TS CALs from Microsoft. Instead, you can use a test license code from Microsoft
so that you can install Windows Server "Longhorn" beta TS CALs on a
Windows Server "Longhorn" Beta 3 license server. For more information, see
Obtaining Beta Terminal Services Client Access Licenses.
Membership in the Administrators group, or equivalent, is the minimum required to
complete this procedure.
• Company name
• Country/region
23
You can also provide the optional information requested, such as company
address, e-mail address, and phone number. In the organizational unit field, you
can describe the unit within your organization that this license server will serve.
7. Click Next.
8. In the License Codes boxes, type the test license code that you received in e-
mail, and then click Add. If you have more than one test license code, type each
additional code and click Add until all the codes are entered, and then click Next.
9. Verify that all of the information you have entered is correct. To submit your
request to the Microsoft Clearinghouse, click Next. The Web page then displays
a TS CAL ID generated by the Microsoft Clearinghouse. Write down the TS CAL
ID or print the Web page.
10. In the Install Licenses Wizard, on the Obtain Client License Key Pack page,
enter the TS CAL ID that you received in the previous step, and then click Next.
The TS CALs are installed on your Terminal Services license server.
11. On the Completing the Install Licenses Wizard page, click Finish. The
Terminal Services license server can now issue TS CALs to clients that connect
to a terminal server.
Note
For the Windows Server "Longhorn" Beta 3 release, you do not have to purchase
TS CALs from Microsoft. Instead, you can use a test license code from Microsoft
so that you can install Windows Server "Longhorn" beta TS CALs on a
Windows Server "Longhorn" Beta 3 license server. For more information, see
Obtaining Beta Terminal Services Client Access Licenses.
2. Verify that the installation method for the Terminal Services license server is set
to Telephone by right-clicking the license server on which you want to install
TS CALs, and then clicking Properties. On the Connection Method tab, change
the connection method if necessary. On the Required Information tab, change
the country/region if necessary.
3. In the console tree, right-click the Terminal Services license server on which you
want to install the TS CALs, click Install Licenses to open the Install Licenses
Wizard, and then click Next.
4. On the Obtain client license key pack page, use the telephone number that is
displayed to call the Customer Support Center, and give the representative your
Terminal Services license server ID and the test license code that you received
in e-mail. The representative then processes your request to install TS CALs,
and gives you a unique ID for the TS CALs.
5. On the Obtain client license key pack page, type the TS CALs ID provided by
the representative into the boxes, and then click Next. The TS CALs are installed
on your Terminal Services license server.
6. On the Completing the Install Licenses Wizard page, click Finish. The
Terminal Services license server can now issue TS CALs to clients that connect
to a terminal server.
Important
The Terminal Services licensing mode must match the type of TS CALs available
on the license server.
The Terminal Services licensing mode can be set in the following ways:
• During the installation of the Terminal Server role service in Server Manager
• By configuring Terminal Server licensing mode in the Terminal Services
Configuration tool
• By applying the Set the Terminal Services licensing mode Group Policy setting
The license server discovery mode can be set in the following ways:
• By configuring License Server discovery mode in the Terminal Services
Configuration tool
• By applying the Use the specified Terminal Services license servers Group Policy
setting
In the automatic license server discovery process, a terminal server in a Windows
Server-based domain attempts to contact a license server in the following order:
• License servers that are specified in the Terminal Services Configuration tool
• License servers that are published in Active Directory® Domain Services
• License servers that are installed on domain controllers in the same domain as the
terminal server
26
Important
TS Per User CAL tracking and reporting is supported only in domain-joined
scenarios; that is, the terminal server and the Terminal Services license server
must be members of a domain. TS Per User CAL tracking and reporting is not
supported in workgroup mode. Active Directory Domain Services is used for
license tracking in Per User mode. Active Directory Domain Services can be
Windows Server "Longhorn"-based or Windows Server 2003-based. Also, the
computer account for the license server must be a member of the Terminal
Server License Servers group in the domain.
Membership in the Administrators group, or equivalent, is the minimum required to
complete this procedure.
3. Select the scope of the report, and then click Create Report.
4. The report will appear in the Reports node under the license server.
Troubleshooting TS Licensing
Installation
You can check the configuration of your Terminal Services license server and identify
common licensing problems for a terminal server by using the following:
• Review Configuration in the TS Licensing Manager tool
27
• Issuing Terminal Services client access licenses (TS CALs) to users or devices
connecting to a terminal server.
• Tracking and reporting the issuance of TS CALs.
4. The dialog box will provide you with information about the configuration of the
license server. If a configuration problem is identified, you can correct the
problem from within the dialog box.
server—that would prevent users from connecting to the terminal server because of
licensing issues.
Note
For more information about license settings, see Configuring License Settings on
a Terminal Server.
Membership in the Administrators group, or equivalent, is the minimum required to
complete this procedure.
Subkey:
HKLM\Software\Microsoft\TermServLicensing
Entry name: RunAsRTM
Entry type: DWORD
Value: 1