Sie sind auf Seite 1von 485

Overview of Windows Server 2008

OS Responsibilities
Process Management
Memory Management I/O Management File Management Object Management

Windows Architecture

Windows Architecture

System Processes
Executive, Kernel, HAL Architectural Details Subsystems and Layers User Mode & Kernel mode Kernel Objects Sharing kernel objects

OS classifications

Based on Functionality
Single user single tasking

Single user multi tasking


Multi user multi tasking

Based on architecture
Monolithic OS Microkernel OS

OS classifications

What is Single tasking? The execution of a single task as against multiple tasks (programs) by the operating system. The practice or capability of handling only one task at a time.

What is Multi tasking?


The simultaneous execution of multiple tasks (programs) under the control of an interrupt-driven operating system; The practice or capability of handling more than one task at the same time.

Kernel

What is a Kernel?

The kernel is the indispensable and therefore most important part of an operating system.
Roughly, an operating system itself consist of two parts:

The kernel space (privileged mode) The user space (unprivileged mode)

There are two different concepts of kernels:


Monolithic kernel Microkernel

Monolithic Kernel

What is Monolithic Kernel?

The older approach is the monolithic kernel, of which Unix, MS-DOS and the early Mac OS are typical examples.
It runs every basic system service like process and memory management, interrupt handling and I/O communication, file system, etc. in kernel space

Monolithic Kernel

Application Program

Application Program

User Mode

Kernel Mode

System Services
Operating System Services

Hardware
8

Monolithic Kernel

The inclusion of all basic services in kernel space has the following drawbacks:

The kernel size Lack of extensibility The bad maintainability Bug fixing or the addition of new features means a recompilation of the whole kernel.

Microkernel

What is Microkernel?

The idea of Microkernels appeared at the end of the 1980's.

The concept was to reduce the kernel to basic process communication and I/O control, and let the other system services reside in user space in form of normal processes (as so called services), there by providing protection between the processes.
There is a service for managing memory issues, one service does process management, another one manages drivers, and so on. Because the services do not run in kernel space anymore, so called "context switches" are needed, to allow user processes to enter privileged mode (and to exit again).

Microkernel OS

Client Application
Process Server

Memory Server File Server

Network Server Display Server User Mode

Microkernel Hardware

Kernel Mode

11

Multithreading

Process : Program in execution. Thread : A thread is basically a path of execution through a program. Also defined as a set of instructions Process owns one or more threads of program execution. The actual agent of execution is always a thread within a process.

12

Process
A Process comprises of:

Executable program comprising of initial code and data. A Private virtual address space, which is a set of virtual memory addresses that the process can use. System Resources : semaphores and files that the OS allocates to the process when threads open them. Process ID. At least one thread of execution.

Process is thus a container of resources.

13

Threads
A thread includes following components:

The contents of a set of volatile registers representing the state of the processor.
Two Stacks, one for the thread to use while executing in kernel mode and the other for executing in the user mode. Private Storage are for use by DLLs, runtime libraries and subsystems. Thread ID. All these constitute a thread context which is platform specific.
14

Multiprocessing

Only symmetric multiprocessing systems are supported. All systems share the same main memory and each system has equal access to peripheral devices. Thread scheduling and interrupt handling can be equally distributed among all the processors. Basic architecture supports up to 32 processors.

15

NT Features

32-bit, pre-emptive, re-entrant, virtual memory support

Hardware support - runs on Intel and Alpha processors


SMP support by default 4 processors are supported Run most existing 16-bit MS-DOS and Windows applications More reliable than Win 95/98 Complies to a very limited extent with the POSIX standard

16

Virtual Memory Support


32-bit address space, provides 4 GB of addresses. Lower half (0x00000000 thru 0x7fffffff) is allocated to the

process and the upper half (0x80000000 thru 0xffffffff) is used by OS itself.
Lower half addresses (0x00000000 thru 0x7fffffff) contain data

used by the current process, including program instructions, stack space, variables and constants.
Upper half addresses (0x80000000 thru 0xffffffff) contain data

used by the operating system itself, including kernel, executive, HAL, device drivers, cache memory and paged/nonpaged memory pools.
17

SMP Support

By default, every NT Server supports Symmetric Multiprocessing on up to 4 processors. NT Server is designed to support SMP configuration of up to 32 processors. However, you must have license to use additional (more than 4) processor support.

18

NT O/S Components

System Processes

Simplified NT Architecture
Server Processes Environment Subsystems User Applications
User Mode Components Kernel Mode Components

Sub-systems DLLs NT Executive Device Drivers Kernel Windowing and Graphics

Hardware Abstraction Layer

19

NT O/S Components

NT contains two types of components:


User mode components Kernel mode components

In user mode, the CPU only grants access to the memory of the current process and limited set of instructions. In kernel mode, the CPU grants access to all memory and all the instructions.

20

System support processes Service processes


Service Control Manager Lsass Winlogon Session manager Svchost.exe Winmgmt.exe Spooler Service.exe

Applications
Task manager Windows Explorer
User Application Subsystem DLLs

Environment Subsystem OS/2 POSIX Win32

System Threads

Ntdll.dll
USER MODE KERNEL MODE

System service dispatcher (Kernel mode callable interfaces)


Security Reference monitor Virtual memory File system cache Object manager manager Plug and play Power manager Process & Thread Config Manager Local Procedure calls

Win32
USER GDI

I/O manager

Device & File sys drivers

KERNEL

Graphic drivers

Hardware Abstraction Layer ( HAL)

21

NT User Mode Components


System processes [logon process & session manager] are

processes that do not classify as services


The Services are processes such as the Task Scheduler

and Spooler started by the Service Control Manager.


Environment subsystems are specialized processes that

expose native NT services to user applications through a set of APIs.


User applications are processes that can be one of five

types: Win32, Windows 3.1, MS-DOS, POSIX, or OS/2.

22

NT Kernel Mode Components

NT kernel-mode components are:

NT Executive NT Kernel Device Drivers Hardware Abstraction Layer

Windowing and Graphics Sub-system

23

NT Kernel Mode Components

The executive contains the base operating system services The kernel consists of low-level operating system functions

Thread scheduling Interrupt and exception dispatching multiprocessor synchronization.

The device drivers include both hardware device drivers that

translate user I/O function calls into specific hardware device I/O requests as well as file system and network drivers.

24

NT Kernel Mode Components


The hardware abstraction layer (HAL) is a layer of code

that isolates the kernel, device drivers, and the rest of the executive from platform-specific differences (such as differences between motherboards).
The windowing and graphics system implements the

graphical user interface (GUI) functions (Win32 USER and GDI functions), such as dealing with windows, user interface controls, and drawing.

25

Services Overview
Windows Services are like Unix daemons.
Service processes can be configured to start with the OS and

continue to run as long as OS is running. Examples of NT server processes are:


Event Logger process Schedule (not NT Scheduler) process

RPC
Alerter Process

Windows also uses services to implement device drivers,

filters, and other system processes.


26

Services
Services are controlled by the Service Control Manager (SCM),

which starts, stops and pauses a service.


The SCM maintains two databases: a dynamic database that

tracks all running services and a static database under key HKEY_LOCAL_MACHINE \SYSTEM\ CurrentControlSet\Services.
Each service has its own key under Services key in the registry

that contains parameters (Error Control, Service Type, and Startup Order) to control the service.

27

Services
The overall service loading process occurs in three phases:

Boot, System, and Auto.


The Boot and System phases load device drivers and filters.

The Auto phase loads Win32 services.


Every service has a start value that determines which phase

starts the service.


The operating system loader executes the Boot phase. During

this phase, all drivers required to boot the operating system load.

28

Memory Management
Topics

Overview

Physical Memory Random Access Memory


Virtual Memory Part of hard disk space used as memory Paging swapping of applications between physical and virtual memory

Physical Memory Management


Virtual Address Space Management

29

Memory Management Overview


Windows uses a linear memory architecture that uses virtual memory. In linear addressing, addresses form a single, continuous address space. Windows uses a total of 4GB address space (32-bit Operating System) An address space is a set of address. The addresses start from 0x00000000 and run through 0xFFFFFFFF. Every process gets a 2GB/3GB address space

30

Open Source Vs. Licensed Software

Open Source (Free Software)

Linux

Licensed Software

Windows etc.

End-User License Agreement

Client Access License License required by the client to access the server

Per Server Per connection license Per Seat Per client license

File Systems

What is a File System? File System is a Method of storing files. Types of File Systems:

FAT-16 (File Allocation Table) FAT-32 (File Allocation Table) NTFS (New Technology File System) HPFS (High Performance File System) CDFS (Compact Disk File System) NFS (Network File System)etc

Shells & Scripting overview

What is a Shell?
Shell is a UNIX term for the interactive user interface with an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems, the shell is called a command interpreter. A shell usually implies an interface with a command syntax (think of the DOS operating system and its "C:>" prompts and user commands such as "dir" and "edit"). As the outer layer of an operating system, a shell can be contrasted with the kernel, the operating system's inmost layer or core of services.

What is a Script? In computer programming, a script is a program or sequence of instructions that is interpreted or carried out by another program rather than by the computer processor (as a compiled program is). Some languages have been conceived expressly as script languages. Among the most popular are Perl, REXX (on IBM mainframes), JavaScript, and VB Script

File Types

.DLL (Dynamic Link Libraries)


.SYS (System Files) .EXE (Executable Files)

.BAT (Batch Files)


.VBS (Visual Basic Script Files) etc

Hardware Devices

Devices Hardware viz. Hard Disk Drive, Floppy Disk Drive, Memory Chip, Display Card, NIC etc.
Drivers Software interface between the OS and a specific hardware device

Driver Software Supplied by the hardware vendor along with the device

Boot Process

What is Booting? Pre-Windows Vista Boot Process Windows Vista/Windows 7/Windows 2008 Boot Process

Boot Process

What is Booting? The process of starting the Operating System.

Types of Booting:

Cold Boot - When you start from off state or power off and than on by using the power button. POST is performed. Warm Boot - Restarting the computer without turning power off. When you restart the computer using Ctrl+Alt+Del combination or restart command from the startup menu. POST is not performed during this process which decreases the boot up time and the PC boots faster.

Introducing Remote Desktop Services Remote Desktop Architecture


Remote Desktop Session Host (RDSH) Remote Desktop Virtualization Host (RDVH) RD Connection Broker

What's New for Windows Server 2008 R2 RDS Key Features


RD Web Access / RemoteApp & Desktop Connections RD Gateway Full-fidelity User Experience

App-V for RDS RDS - Better Together with Windows 7 and Citrix Summary

From the Datacenter to the Desktop


User State Virtualization
Folder Redirection Roaming Profiles

Server Virtualization

Presentation Virtualization

Management
Desktop Virtualization Application Virtualization

TS RemoteApp TS Gateway TS Session Broker TS Web Access TS Easy Print Terminal Server

RemoteApp RD Gateway RD Connection Broker RD Web Access RD Easy Print RD Session Host RD Virtual Host RemoteApp & Desktop Connections

Accelerate Desktop and Application Deployment

Install and maintain applications once in the datacenter, not on every desktop Enable flexible work scenarios such as hot-desking and work from home Deploy applications to devices that cant run them natively, or that require hardware upgrades to run them

Help Secure Data and Applications

Keep data safe in the datacenter to help eliminate the risk of laptop data theft Help simplify the burden of regulatory compliance with centralized tracking

Increase Remote Worker Efficiency

Quickly connect remote workers with the critical applications they need from a Web page Provide users with secure access to remote applications from outside the corporate network (without using VPN infrastructure)

RD Web Access RD Client

RD Session Host

RD Gateway

RD Connection Broker

RD Virtualization Host

Active Directory Licensing Server

RD Session Host Server Farm (RemoteApp)

RD Connection Broker

RD Session Host Server Farm (Session-based desktops)

RD Client

App-V Management Server

RD Session Host

RD Client

RD Virtualization Host

Personal Virtual Desktops

RD Connection Broker

Pooled Virtual Desktops

RD Client

Active Directory

Personal Virtual Desktops


One OS image per user Administrator access, desktop customizable User state typically part of the image

Personal Virtual Desktops

Pooled Virtual Desktops


Shared OS images, identically configured No administrator access User state temporary (discarded at session end)

Pooled Virtual Desktops

Role
RemoteApp

Function
Publishes applications with just the application UI, and not a full desktop UI Hosts centralized, session-based applications and remote desktops Hosts centralized, virtual-machine-based (virtual) desktops on top of Hyper-V for VDI environment Creates unified administrator experience for session-based and virtual-machine based remote desktops Allows connection from clients outside the firewall, using SSL, and proxies those to internal resources RD Web Access provides Web-based connection to resources published by RD Connection Broker. Supports traditional web page, as well as new RemoteApp & Desktop Connections Simplifies printing to a local printer, and supports legacy and new print drivers without the need to install those on the host

RD Session Host

RD Virtualization Host RD Connection Broker RD Gateway RD Web Access / RemoteApp & Desktop Connections (Windows 7)

RD EasyPrint

RDS & VDI An Integrated Solution


Hyper-V support for virtual desktops Basic inbox connection broker Single discovery and publishing infrastructure

Remote Application Access


RemoteApp & Desktop Connection RemoteApp & Desktop Web Access RD Gateway security improvements

Full-Fidelity User Experience


True multiple monitor support Multimedia support & bidirectional audio Enhanced bitmap acceleration for 3D and rich media content

Platform & Management


New API, Connection Broker Extensibility, Windows PowerShell Support, Best Practices Analyzer

Introduction to Windows Server 2008

Active Directory

Installing Windows Server 2008

Hardware Pre-Requisites

RAM

The following are the RAM requirements for Windows

Server 2008:
Minimum: 512 MB (for both the Server Core installation

and full installation options of Windows Server 2008)


Recommended: 1 GB (full installation option)
Optimal: 2 GB or more (full installation option) or 1 GB or

more (Server Core installation option)


Note: Optimal RAM configuration is highly workload-

dependent.

Hardware Pre-Requisites

Processor

The following are the processor requirements for

Windows Server 2008:


Minimum: 1 GHz (full installation option)

Recommended: 2 GHz (full installation option)


Optimal: 3 GHz or faster (full installation option) Note: Optimal Processor configuration is highly

workload-dependent.

Hardware Pre-Requisites

Disk
The following are the approximate disk space requirements for the

system partition. Itanium-based and x64-based operating systems will vary from these estimates.
Minimum: 8 GB (for both the Server Core installation and full

installation options)
Recommended: 40 GB (full installation option) or 8 GB (Server Core

installation option)
Optimal: 80 GB (full installation option) or 40 GB or more (Server

Core installation option)


Note: Computers with more than 16 GB of RAM will require more

disk space for the paging file, hibernation, and dump files.

Server Core

Benefits of Server Core

Server Core requires less software maintenance, such as installing updates. Server Core has fewer attack vectors by default (services with listening ports) exposed to the network, and therefore less of an attack surface. Server Core is easier to manage Server Core uses less disk space for installation.

Configuring Windows Server 2008

Server Management Tools

Initial Configuration Tasks

Opens right after the servers installation is complete


Server Manager

Allows a daily, one-stop-shop management point for the server


Unifies the functionality of multiple earlier tools in a single, simple, MMC-based user interface Servermanagercmd.exe

PowerShell Revolutionary interactive shell and scripting language


Based on .NET
New set of built-in tools (~130) New language to take advantage of .NET
An object-based pipeline view

Can continue to use current tools

Can continue to use current instrumentation (COM, ADSI, WMI, ADO, XML, Text, )

PowerShell Commands are built with logic


Verb-noun

Some good starters


Get-Help Get-Command | more Get-Command | sort-object noun | formattable -group noun Get-Alias | more Get-Help stop-service -detailed | more

Server Roles and Features

Adding/Removing Server Roles

AD DS

DNS
WINS WDS

DHCP etc.

Adding/Removing Server Features

Windows Backup

.NET Framework
Failover Clustering etc.

Configuring Disks and Device Drivers

Module Overview
Partitioning Disks in Windows 7 Managing Disk Volumes

Maintaining Disks in Windows 7


Installing and Configuring Device Drivers

Partitioning Disks in Windows 7


What Is an MBR Disk? What Is a GPT Disk?

Disk Management Tools


Demonstration: Converting an MBR Partition to a GPT

Partition

What Is an MBR Disk?


The MBR contains the partition table for the disk and a small amount of executable code called the master boot code.

Master Boot Record (MBR) Disk

Is created when the disk is partitioned


Contains a four partition entry table

Is on the first sector of the hard disk


Limits the number & size of partitions

What Is a GPT Disk?


Contains an array of partition entries describing the start and end LBA of each partition on disk

GUID Partition Table(GPT)

Supports more partitions

Supports larger partitions

Enhances reliability

Supports boot disks on 64-bit Windows

operating systems, UEFI systems

Disk Management Tools

Use diskpart.exe to convert partition styles Disk Management Snap-in Diskpart.exe

dynamic, Manage disks and volumes, bothlocally basic andor


or Always runs locally dynamic, locally on remote computers
Simple partition creation

Scriptable Graphical user interface command line utility Disk Management Snap-in interface Manage disks and volumes, both basic and Graphical user Create scripts to automate disk-related tasks

MBR

GPT on remote computers

Simple partition creation

Use diskpart.exe to convert partition styles

Diskpart.exe
Scriptable command line utility Create scripts to automate disk-related

MBR

GPT

tasks

Always runs locally

Demonstration: Converting an MBR Partition to a GPT Partition


In this demonstration, you will see how to:

Convert a Disk to GPT by using Diskpart.exe Convert Disk 3 to GPT by using Disk Management Verify the Disk Type

10 min

Managing Disk Volumes


What Is a Simple Volume? Demonstration: Creating a Simple Volume

What Are Spanned and Striped Volumes?


Demonstration: Creating Spanned and Striped Volumes Purpose of Resizing a Volume

Demonstration: Resizing a Volume

What Is a Simple Volume?


Dynamic volume that encompasses available free-space from a single, dynamic, hard disk drive

Simple Volume

Can be extended on same disk Not fault tolerant Volume I/O performance the same as Disk I/O performance Can be extended across disks creating a spanned volume

Demonstration: Creating a Simple Volume

In this demonstration, you will see how to create a simple volume by using Disk Management and Diskpart.exe.

10 min

What Are Spanned and Striped Volumes? Spanned


Requires dynamic disks Space allocated from multiple

Striped

Spanned

Requires multiple dynamic disks Allocated space from each disk must

dynamic disks A spanned

be of identical volume joins areas unallocated space disks into a single logical disk.
single striped volume

Up to 32 disks can be combined

into single spanned volume

Up to 32 disks can be combined into

No fault tolerance No performance improvement

Striped

No fault tolerance

Well suited for isolating the paging A striped volume maps stripes of data compared to simple volumes file cyclically across the disks. Provides for faster throughput

Can shrink or extend

Demonstration: Creating Spanned and Striped Volumes In this demonstration, you will see how to:

Create a spanned volume Create a striped volume

10 min

Purpose of Resizing a Volume


Resize a volume to create additional, unallocated space to use for data or programs on a new volume.

Shrink simple and spanned dynamic disks to:


Extend the simple volume on the same disk

Extend a simple volume to include unallocated space

on other disks on the same computer

Before shrinking:
Defragment the disk

Reduce shadow copy disk space consumption


Ensure that no page files are stored on the volume to

be shrunk

Demonstration: Resizing a Volume In this demonstration, you will see how to:

Shrink a volume by using Diskpart.exe Extend a volume by Disk Management

5 min

Maintaining Disks in Windows 7


What Is Disk Fragmentation? Defragmenting a Disk

What Are Disk Quotas?


Demonstration: Configuring Disk Quotas (Optional)

What Is Disk Fragmentation?


Disk fragmentation is the non-contiguous storage of data on a volume
Disk fragmentation can:
Consist of both fragmented files and fragmented free space Lead to poor performance of the disk subsystem

Defragmenting a Disk
Rearrange data and reunite fragmented files

Scheduled to run automatically by default

C:>

Can be run from the command-line

What Are Disk Quotas?


A disk quota is a way for you to limit use of disk space on a volume for each user to conserve disk space.

Disk quotas help you:


Track and restrict disk

consumption

Proactively monitor

available space

Determine who is

consuming available space increases

Plan for storage capacity

Installing and Configuring Device Drivers


Overview of Device Drivers in Windows 7 Installing Devices and Drivers

Device Driver Management Tools


Options for Updating Drivers Managing Signed Drivers

Discussion: Options for Recovering from a Driver Problem


Demonstration: Managing Drivers

Overview of Device Drivers in Windows 7


A driver is a small software program that allows a hardware device to communicate with a computer.
Drivers developed for the 32-bit versions do not work with

the 64-bit versions, and vice versa.

Device drivers that ship with Windows have a Microsoft

digital signature.

The driver store is the driver repository. Device metadata packages contain device experience XML

documents that represent:


The device functions

The properties of the device Applications and services that support the device.

Installing Devices and Drivers


Improve end-user device driver installation by:

Staging driver packages in the protected driver store

Add to the Driver Store by using the Plug-andPlay utility (Pnputil.exe) at a Command Prompt

client computers to automatically search Configuring a specified list of folders

Search folders specified by the DevicePath registry entry

Device Driver Management Tools


Devices and Printers Device Stage Device ManagerDevices Device Manager
and Printers

Provides a place to with Provides users Helps install and a way

Device Stage

manage devices to access devices update drivers and for advanced options for hardware devices, managing them change the hardware Devices that display in settings for those this are usually location Devices in use are shown devices, and external devices that on the taskbar with a troubleshoot problems you connect or photo-realistic icon disconnect theManager Usefrom Device computer to through manage a devices port or network only on a local connection computer

Options for Updating Drivers


Dynamic Update
Works with Windows Update to download critical fixes

and device drivers required for the setup process

Windows Update Delivers software updates and drivers, and provides automatic updating options Manufacturers media or Web site
Use the media or browse to the device manufacturers

Web site to obtain an updated driver

Device Manager
Updates the driver software for the device manually

Compatibility Report Use this report to load a new or updated driver during an upgrade

Managing Signed Drivers


Benefits of signing and staging driver packages
Improved security Reduced support costs

Better user experience

Maintaining signed drivers


Use Sigverif.exe to check for unsigned device drivers Use a Command Prompt to run the driverquery

command with the /si switch to obtain a basic list of signed and unsigned device drivers computers

Use Group Policy to deploy certificates to client

Demonstration: Managing Drivers In this demonstration, you will see how to:

Update a device driver Roll back a device driver Install a driver into the driver store

12 min

Managing Printing
Printing Components in Windows Server 2008 Demonstration: Installing and Sharing a Printer

Managing Client-Side Printing


Configuring Location-Aware Printing

Printing Components in Windows Server 2008

Demonstration: Installing and Sharing a Printer


In this demonstration, you will see how to:
Create and share a local printer Set permissions on the printer

Managing Client-Side/Server-Side Printing


Print Management Tasks Devices and Printers

Configuring Location-Aware Printing

Event Logs

What are Event Logs? Types of Event Logs

Application Log
Security Log System Log

Event Logs

What are Event Logs? Event logs contain the information about the various events related to applications, operating system, and security, which can later be used for monitoring and troubleshooting.

Event Logs
Types of Event Logs

Application Log Contains information specific to Applications Security Log - Contains information specific to Security Viz. Authentication, Authorization etc. System Log - Contains information specific to Operating System

Updating and Patching

Windows Update Service Packs and Patches Software Update Service

Windows Update

What is Windows Update?

Contain the latest debugged and updated Windows OS related files, which are downloadable from Microsoft web site.

Service Packs and Patches

What are Service Packs and Patches?

Service Packs and Patches contain a set of updated and debugged Windows OS files, to stabilize the OS.

Software Update Service


What is Software Update Service?

Software Update Service is a centralized software from Microsoft to securely apply Windows Update from a central location to all the client and server operating systems in the network.

Browser

What is a Browser?

A program that lets you look through a collection of data.


Browser Configuration Network Discovery Resolving Browser Configuration Issues

Implement a Volume Licensing Strategy using KMS and MAK


Microsoft Volume Activation 2.0 Multiple Activation Keys

Key Management Service


Planning Volume Activation Deployment Example for MAK independent activation and

KMS activation

Deployment example for MAK proxy activation

Microsoft Volume Activation 2.0

Automates activation of Volume Licensed Vista and Windows Server 2008 Systems Uses either Multiple Activation Keys or Key Management Service Offers central management for Volume License keys

Is invisible to end user


Offers monitoring and reporting Uses Volume Edition Product groups to simplify administration

Multiple Activation Keys

MAK Proxy

MS Activation Clearinghouse

Key Management Service


KMS Server

Planning Volume Activation

Key considerations:
Number of computers in the target network Network and Internet connectivity

DNS servers support for DDNS and SRV records Centralized KMS recommended if bandwidth is sufficient
MAK recommended for remote computers with limited connectivity

Deployment Example for MAK Independent Activation and KMS Activation

Deployment Example for MAK Proxy Activation

Discussion: Choosing a Volume Activation Approach

1
2

Read the discussion questions Discuss your answers with the class

Install Windows Server 2008

Exercise 1: Install Windows Server

2008
Core

Exercise 2: Install Windows Server

Server Core Configuration

Module Overview

Server Core basic configuration

Configuring Server Core roles

Server Core Basic Configuration

Configuring Server Core


Configuring networking and security on Server Core Configuring system settings on Server Core

Configuring Server Core

Set admin password


Set static IP address Join existing domain Activate the Server Configure the firewall

Configuring Networking and Security on Server Core

> net user Administrator > netsh interface ipv4 set address > netsh interface ipv4 add dnsserver

Configuring System Settings on Server Core

> Slmgr.vbs ato > Control timedate.cpl > Control intl.cpl

Configuring Server Core Roles


Add and remove server roles and features Configuring Active Directory Domain Service role on Server Core Configuring Network Infrastructure roles on Server Core Configuring File and Print Services on Server Core Configuring IIS7 on Server Core

Add and Remove Server Roles and Features

> start /w Ocsetup <role or feature name>

Configuring Active Directory Domain Services Role on Server Core

> Dcpromo /unattend:Unattendfile

Configuring Network Infrastructure Roles on Server Core

> start /w ocsetup DHCPServerCore > Netsh dhcp add server dhcpsrv1.example.microsoft.com 10.2.2.2 > start /w ocsetup DNS-Server-CoreRole

Configuring File and Print Services on Server Core

> Start /w ocsetup PrintingServerCore-Role > start /w ocsetup FRSInfrastructure > start /w ocsetup DFSN-Server

Configuring IIS7 on Server Core

> start /w pkgmgr /iu:IISWebServerRole;WASWindowsActivationService;WASProcessModel

Lab : Perform Server Core Configuration Tasks


Exercise 1: Configure Server Core

Exercise 2: Add and Configure Server Roles


Exercise 3: Managing Server Core

Windows Server 2008 Security


Creating and Managing AD Domain Objects Creating and Managing User and Group Accounts AD Domain Groups Group Types

Security Groups Distribution Groups

Group Scopes

Domain Local Group Global Group Universal Group

Group Strategies and Best Practices

Security Policies

Domain Policies

Accounts Policy

User Rights Assignment

Local Policies

Accounts Policy

User Rights Assignment

Authentication Kerberos Authentication

NTLM Authentication

Windows Server 2008 Active Directory

Agenda
Active Directory Roles DCPromo Improvements

Read Only Domain Controllers


Restartable Directory Services Directory Services Auditing

Fine-Grained Password Settings


Group Policy Enhancements Active Directory Snapshots

Active Directory Roles


On Windows Server 2008, Active Directory-related roles have

been separated into distinct functions:


Active Active Active Active

Directory Domain Services (AD DS)

Directory Certificate Services (AD CS) Directory Federation Services (AD FS) Directory Lightweight Directory Services (AD LDS) Directory Rights Management Services (AD RMS)

Active

DCPromo Improvements

DCPromo contains a new option to enable

advanced mode, that provides experienced users with more control over the operation:

Using backup media (IFM) from an existing DC in the same domain to reduce network traffic that is associated with initial replication. Selecting the source DC for the installation. Modifying the NetBIOS name that the wizard generates by default. Defining the Password Replication Policy for an RODC.

Active Directory

Introduction to Active Directory


What Is Active Directory? Active Directory Objects Active Directory Schema

Lightweight Directory Access Protocol (LDAP)

Active Directory

What Is Active Directory?

Active Directory is a central repository which stores information about various network resources viz. users, computers, groups, printers, contacts etc. in a meaningful hierarchy.

Active Directory

What Is Active Directory?

Directory Service Functionality


Centralized Management

Organize Manage
Resources

Single point of administration Full user access to directory resources by a single logon

Control

Active Directory Objects

Active Directory Objects


Active Directory
Attributes Printers Printer1 Printer2 Printer3 Attributes First Name Last Name Logon Name Users Don Hall Suzan Fine

Objects

Printers

Printer Name Printer Location

Attribute Value

Users

Objects Represent Network Resources Attributes Store Information About an Object

Active Directory Schema


Objects Class Examples
Active Directory Schema Is: Dynamically Available Dynamically Updateable Protected by DACLs Attribute Examples
Attributes of Users Might Contain:
accountExpires department distinguishedName middleName

Computers

List of Attributes
accountExpires department distinguishedName directReports dNSHostName operatingSystem repsFrom repsTo middleName

Users

Printers

Lightweight Directory Access Protocol (LDAP)

LDAP Provides a Way to Communicate with Active

Directory by Specifying Unique Naming Paths for Each Object in the Directory

LDAP Naming Paths Include:

Distinguished

names

CN=Suzan Suzan Fine Fine,OU=Sales,DC=contoso,DC=msft

Relative

distinguished names

Active Directory Structure


Logical Structure Physical Structure

Active Directory Logical Structure

Forest Collection of one or more trees which share common schema and configuration information, but do not share a common name space.

Tree
Collection of one or more domains which share common schema, common configuration information, as well as a common name space.

Domain Collection of various network resources viz. users, computers, groups, printers etc. defined by a security boundary.

Organizational Unit

Container object in a domain

Global Catalog A comprehensive Index

Domains
A Domain Is a Security Boundary A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
A Domain Is a Unit of Replication

Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain

Replication

Windows 2000 Domain

Organizational Units

Network Administrative Model Sales Users Computers

Organizational Structure Vancouver Sales Repair

Use OUs to Group Objects into a Logical Hierarchy

That Best Suits the Needs of Your Organization

Delegate Administrative Control over the Objects

Within an OU by Assigning Specific Permissions to Users and Groups

Trees and Forests

Two-Way Transitive Trust


contoso.msft

Forest Tree
nwtraders.msft asia. contoso.msft au. contoso.msft

Tree
asia. nwtraders.msft au. nwtraders.msft

Two-Way Transitive Trusts

Global Catalog

Subset of the Attributes of All Objects

Domain Domain

Domain

Domain
Domain Domain

Global Catalog

Queries Group membership when user logs on


Global Catalog Server

Active Directory Physical Structure

Domain Controllers Sites

Domain Controllers
Domain Controllers:

Participate in Active Directory replication

Perform single master operations roles in a domain

Replication
Domain Controller Domain Controller

Domain = A Writeable Copy of the Active Directory Database

Sites

Seattle Chicago Los Angeles New York

IP subnet Sites:

Site

IP subnet

Optimize replication traffic Enable users to log on to a domain controller by using a reliable, highspeed connection

Methods for Administering a Windows 2008 Network


Using Active Directory for Centralized Management Managing the User Environment

Delegating Administrative Control

Using Active Directory for Centralized Management


Domain

Search
OU1 Domain OU2

OU1 Computers Computer1 Users User1 OU2

User1 Computer1 User2 Printer1

Users User2 Printers Printer1

Active Directory:

Enables a single administrator to centrally manage resources Allows administrators to easily locate information Allows administrators to group objects into OUs Uses Group Policy to specify policy-based settings

Managing the User Environment

12 3
Apply Group Policy Once Windows 2000 Enforces Continually

Domain OU1

1 2 3

OU2

OU3

Use Group Policy to:


Control and lock down what users can do Centrally manage software installation, repairs, updates, and removal Configure user data to follow users whether they are online or offline

Delegating Administrative Control

Domain OU1 Admin1

Assign Permissions:

OU2 Admin2 OU3 Admin3

For specific OUs to other administrators To modify specific attributes of an object in a single OU To perform the same task in all OUs

Customize Administrative Tools to:

Map to delegated administrative tasks Simplify interface design

Installing Active Directory

Adding the AD DS Role in the Server Manager

Then running the command:


DCPROMO.EXE

DCPromo Improvements
New options in DCPromo:

Choose to install DNS on the server Choose to configure the new DC as a GC Create a new RODC Join to a Site Postpone replication Auto-reboot the server after the DCPromo process is finished Save an answer/unattend file using the options configured during DCPromo

ADUC and GUI improvements


New features in ADUC and other tools:

Delete protection for objects in Active Directory Users and

Computers
Search in Sites and

Services
ADSIEdit integration

with ADUC
NTDS Objects

exposed in ADUC
Support tools

integration

Read Only Domain Controllers

Overview New Domain Controller Deployment Option Typically Deployed at Perimeter / Branch Office Ideal for Sites Lacking Deep IT Knowledge Logic

Increase End User Productivity Mitigate Poor Physical Server Security Lower Impact of Compromise, Theft , or Error Meet Requirements of Specific LOB Applications

RODC features

Read-only Active Directory database


Except for account passwords, an RODC holds all the

Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds.
Clients are not able to write changes directly to the

RODC.
Local applications that request Read access to the

directory obtain access.


Lightweight Directory Access Protocol (LDAP)

applications that perform a Write operation are referred to a writable domain controller in a hub site.

RODC features
RODC filtered attribute set

Some

applications that use AD DS as a data store may have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is stolen or compromised.

RODC features
Unidirectional replication

Writable

DCs that are replication partners do not have to pull changes from the RODC. changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. also reduces the workload of bridgehead servers in the hub site and the effort required to monitor replication.

Any

This

RODC features
Credential caching

By default, an RODC does not store user/computer

credentials except for its own computer account and a special krbtgt account for that RODC.
You must explicitly allow

any other credentials to be cached on that RODC.


The RODC attempts to

contact and pull the credentials from a writable domain controller that is running Windows Server 2008 at the hub site.

RODC features
Password Replication Policy (PRP)
The PRP that is enforced at the writable DC determines if the

credentials can be replicated from the writable DC to the RODC.


If the PRP allows it, the RODC replicates the credentials from

the writable DC, and the RODC caches them.


In the event that the

RODC is stolen, only those credentials that are cached can potentially be compromised.

RODC features

Administrator role separation


Any

domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. delegated administrator can log on to an RODC to perform maintenance work on the server such as upgrading a driver. But the delegated administrator would not be able to log on to any other domain controller or perform any other administrative task in the domain.

RODC features

Read-only Domain Name System


You An

can install the DNS Server service on an RODC. RODC is able to replicate all application directory partitions that are used by DNS, including ForestDNSZones and DomainDNSZones. the DNS server is installed on an RODC, clients can query it for name resolution as they would query any other DNS server.

If

The

DNS server on an RODC does not support client updates directly, and instead, the server returns a referral.

RODC Upgrade Plan

Deployment steps:
1.

ADPREP /ForestPrep

2.
3. 4.

ADPREP /DomainPrep

Not RODC specific

Promote a Windows Server 2008 DC Verify Forest Functional Mode is Windows RODC 2003 ADPREP /RodcPrep

Specific task

5. 6.

Promote RODC

Test RODCs for application compatibility in your environment

RODC Install From Media (IFM)

NTDSUTIL > IFM > Create RODC <path> Secrets are removed, so if IFM is lost, no harm is done DIT is defragged to remove free space Take the IFM to the remote site, then use DCPROMO with the advanced checkbox to use it

DFSR for Sysvol

Windows Server 2008 SYSVOL replication uses the new

Distributed File System Replication (DFSR) service.


DFSR is a new multi-master replication engine that is

used to keep folders synchronized on multiple servers.


DFSR uses a new compression algorithm called Remote

Differential Compression (RDC).


DFSR requires Windows Server 2008 Domain Mode. The DFSR service uses RPC to communicate between

servers.

Restartable Directory Services

Used to perform routine maintenance tasks on a domain

controller, such as applying updates or performing offline defragmentation, without restarting the server.
While AD DS is running, a domain controller running

Windows Server 2008 behaves the same way as a domain controller running Microsoft Windows 2000/2003 Server.
While AD DS is stopped, other domain controllers can

service new domain logon requests.


Allows for faster maintenance tasks that would

otherwise require a reboot.

Restartable Directory Services

To stop the Active Directory service, use one

of the following methods:


Services Net SC

snap-in

stop/start command

command

Powershell WinRS

Directory Services Auditing

In Windows 2000/2003, Active Directory

audit logs can show you who made changes to what object attributes, but the events do not display the old and new values. there was one audit policy - Audit directory service access - that controlled whether auditing for directory service events was enabled or disabled.

In Windows 2000/2003,

Directory Services Auditing


In Windows Server 2008, this policy is divided into four subcategories:

Directory Service Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication

The new audit policy subcategory adds the following capabilities to auditing in

AD DS:

Modifications to an attribute Creation of a new object

Moving of an object
Undeleting an object

Directory Services Auditing

The ability to audit changes to objects in AD DS is

enabled with a new audit policy subcategory called Directory Service Changes.
There is no GUI tool available in Windows Server 2008

to view or set audit policy subcategories. Use Auditpol.exe from the command prompt.

Directory Services Auditing

A new event (5136) is generated when the action is performed on the object This event lists the previous value of the changed attribute, and the new value

Fine-Grained Passwords

Before Windows Server 2008 One password policy per domain In Windows Server 2008

Still set only one password policy at domain level Additional settings for users needing different policy available in ADSIEdit These settings are called Password Settings objects (PSOs) Does NOT apply to:

Computer objects Organizational Units

Requires Windows Server 2008 Domain Functional Mode

Fine-Grained Passwords
PSO settings include attributes for the following password and account

settings:
Enforce password history Maximum password age Minimum password age Minimum password length Passwords must meet complexity requirements Store passwords using reversible encryption

Account lockout duration


Account lockout threshold Reset account lockout after

Fine-Grained Passwords

RSOP
A user or group object can have multiple PSOs linked to it, either because of membership in multiple groups that each have different PSOs applied to them or because multiple PSOs are applied to the object directly.

However, only one PSO can be applied as the effective password policy.
Only the settings from that PSO can affect the user or group. The settings from other PSOs that are linked to the user or group cannot be merged in any way.

Fine-Grained Passwords

To create and manage use one of the following tools:


ADSIEdit
LDIF

Fine-Grained Passwords

LDIF file sample:

dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=contoso,DC=com changetype: add objectClass: msDS-PasswordSettings

msDS-MaximumPasswordAge:-1728000000000
msDS-MinimumPasswordAge:-864000000000 msDS-MinimumPasswordLength:8 msDS-PasswordHistoryLength:24 msDS-PasswordComplexityEnabled:TRUE msDS-PasswordReversibleEncryptionEnabled:FALSE msDS-LockoutObservationWindow:-18000000000 msDS-LockoutDuration:-18000000000 msDS-LockoutThreshold:0 msDS-PasswordSettingsPrecedence:20 msDS-PSOAppliesTo:CN=user1,CN=Users,DC=contoso,DC=com

To import:

Ldifde i f c:\pso.ldf

Active Directory Snapshots

In Windows Server 2008, you can use the NTDSUTIL to create snapshots of the current Active Directory database (NTDS.DIT) By using the Active Directory database mounting tool, you can examine any changes that are made to data that is stored in Active Directory Domain Services. You can use the AD snapshot to export objects and settings, and import them to the live AD instance Users cannot be fully restored in this manner because of SID issues

Active Directory Snapshots

The snapshot creation process can be automated Use the DSAMAIN tool to mount the AD snapshot to a specific LDAP port You can connect to that AD instance by using any management tool:
DSA.msc
LDP.exe ADSIEDIT.msc CSVDE and LDIFDE

Windows Server 2008 Unattended Installation

Module Overview
Unattended Windows Server 2008 installation Unattended Domain Controller installation

Unattended Windows Server 2008 Installation


Unattend.xml format Unattended.xml syntax

Unattended deployment scenarios

Unattend.xml Format

Unattend.xml

Used to automate setup


Located on install media or on the network

UI elements can be hidden or shown but pre-configured by Unattend.xml Uses a hierarchical XML format

Unattend.xml Syntax <unattend> <userdata>

<ProductKey value="****-*****-**********-*****" showui="no" />


;Setup will prompt for Product Key value if this entry is not filled

</userdata>
<setupdata> <skipeula value ="yes"/>

Unattended Deployment Scenarios

Elements required for unattended upgrade:


<ProductKey value="****-*****-*****-**********" showui="no" /> <skipeula value ="yes"/> <Upgrade value="Yes" showui=no/>

Lesson 2: Unattended Domain Controller Installation


Unattended Dcpromo Syntax Example Unattended Dcpromo Procedure

Installing a Read Only Domain Controller Using an

Unattend File

Unattended Dcpromo Syntax New Options dcpromo /?:unattend shows all options

INI Format for Dcpromo Answer File


Example: [DCINSTALL] UserName=Jsmith Password=* SiteName=NorthRegion

Example Unattended Dcpromo Procedure dcpromo.exe /unattend:<path_to_unattend_file>\<unatt end_file_name>


[DCInstall] ; New forest promotion ReplicaOrNewDomain=Domain NewDomain=Child NewDomainDNSName=research.cont oso.local DomainNetbiosName=RESEARCH DomainLevel=3 InstallDNS=Yes ConfirmGc=Yes DNSDelegation=Yes DatabasePath=C:\Windows\NTDS LogPath=D:\NTDS

Installing a Read Only Domain Controller Using an Unattend File


Run adprep /rodcprep if necessary Create RODC account:

dcpromo.exe /CreateDCAccount /unattend:"Path to answer file


Attach server to RODC account: dcpromo.exe /UseExistingAccount:Attach /unattend:"Path to answer file"

Lab 1: Install Active Directory on Server Core using an Unattend file


Exercise 1: Create and Use an Answer

File to Automate Dcpromo

Lab 2: Deploy an RODC in a Branch Office Using an Unattend file


Exercise 1: Create an Unattend File to

Automate the Installation of an RODC


Answer File

Exercise 2: Deploy an RODC Using an

Module 4: Using Windows Deployment Services

Module Overview
Windows Deployment Services Working with the WIM format

Lesson 1: Windows Deployment Services


History of deployment Introducing the Windows Deployment Services Benefits of WDS WDS environment and components Relationship between WDS server and client Windows Pre-Installation environment Enhancements for Windows Vista and Windows

Server 2008

History of Deployment
Previous Solutions: RIS, ADS Single solution for entire enterprise Windows Vista and Windows Server 2008 shipped in

WIM format

Designed for deployment reduces cost and risk

Windows Deployment Services Introduction

RIS
WDS

Windows Deployment Services Microsoft Management Console Native support for Windows PE as a boot operating system New client menu for selecting boot operating systems

Benefits of WDS

WDS
Lower TCO

Extensibility Support of Mixed Environments

WDS Environment

Server Components

Management Components

Client Components

WDS Server and Client

WDS Server Service TFTPD

Client Setup Application Special IBS Mode Language Selection Automation

File Share
DNS and DHCP Load balancing capable

Windows Pre-Installation Environment with WDS

WDS Server

Diskpart

WDS and Componentized Operating Systems


Windows Vista and Windows Server 2008 Features turned on and off Drivers treated as components Language independent MUIs: Multilingual User Interface packs

Upgrading and Interoperability RIS Windows 2000 Server and Server 2003 Boot capability (PXE) Remote
Wizard based-installation

WDS for Server 2003 (Service Pack 2)


Utilizes WIM

Can run RISSETUP images backward compatibility

WDS for Server 2008


No longer RIS compatible Multicast capable

Multicasting

Scheduled-Cast

Auto-Cast

After Clients are connected, transmission starts Efficient, but labor intensive

Client can join at anytime Server repeats transmission until all clients are completed

WDS Management

Single set of management tools


Remote administration

Other WDS management utilities

Lesson 2: Working with the WIM Format


Storage capabilities of WIM Advantages of WIM as an installation medium Creating and editing WIM files

WIM Storage Capabilities

Multiple images in one file Compression Single Instance Storage

WIM Installation Advantages


Hardware Application Layer (HAL) independent Non-destructive deployment Smaller file for over-the-wire installations

A Single Image file has Greater Flexibility

WIM Creation and Editing


Capture image on existing computer

WDS Server

Golden Image

Edit image using ImageX


No need to reload and reimage a computer

Demonstration: ImageX
Use ImageX to mount an image Viewing and editing WIM files

Merging and creating WIM files with ImageX

Working with Windows Deployment Services

Exercise 1: Configure WDS Exercise 2: Create Images with

WDS

Exercise 3: Associate Language

Pack with Image with WDS Naming

Exercise 4: Using Unattend files Exercise 5: Custom Computer

Exercise 6: Deploy Image with WDS

Introduction to the WSD Solution Accelerator

Microsoft Deployment Toolkit

Module Overview
Introduction to the Microsoft Deployment Toolkit Using the Microsoft Deployment Toolkit

Introduction to the Microsoft Deployment Toolkit


The Microsoft Deployment Toolkit Choosing an Image Strategy

MDT Components
Preparing for Lite Touch Installation Preparing for Zero Touch Installation

The Microsoft Deployment Toolkit

Deployment Challenges

More complex hardware More complex configurations

MDT Advantages MDT Approaches

Automation Built-in Tools Light Touch Zero Touch

Choosing an Image Strategy

Thin Images

Contain few if any core applications or language packs

Thick Images Hybrid Images

Contain core applications, language packs, and other files


Mix thin and thick image strategies

MDT Components

Task Sequences Answer File

Binds operating system source files with a configuration

Contains settings to perform an unattended installation of Windows


Defines a subset of install and configuration files and how to connect to them

Deployment Points

Light Touch Installation (LTI) vs. Zero Touch Installation (ZTI)

What is Light Touch Deployment? Originally LTI was the installation of the OS without SMS (Systems Management Service)/SCCM (System Center Configuration Manager) using BDD (Business Desktop Deployment) or MDT (Microsoft Deployment Toolkit). In this technology we can PXE boot or execute a VBScript to initiate the OS deployment. This would require a technical person to interact with the machine to initiate the build, but would then be unattended, hence Light Touch.

What is Zero Touch Deployment? If you're deploying with SCCM (System Center Configuration Manager) the endpoint machine requires no interaction in the REFRESH COMPUTER scenario (i.e. when wiping the existing OS and replacing with new) hence Zero Touch.

Preparing for Light Touch Installation

1 Install Microsoft Deployment 2 Start Deployment Workbench

3 Install additional components


4 Populate the Distribution Share 5 Create a Task Sequence 6 Create a Deployment Point

Preparing for Zero Touch Installation

1 Perform Deployment Workbench 2


configuration

3
4 5 6 7

Perform SMS configuration


Prepare and build a reference image Capture a reference image Add the image and create a task sequence Configure SMS to deploy the OS image

Test

Lesson 2: Using the Microsoft Deployment Toolkit


System Image Manager Maintaining Images

Injecting Device Drivers


Slipstreaming Language Packs

System Image Manager

Launch SIM directly or use Task Sequence properties Open a Windows image or catalog file Customize a setting in an answer file Create an answer file

Maintaining Images

Maintenance Procedure 1 Use ImageX to mount an Windows image 2 add/remove drivers, language packs, 3
Windows features
Use ImageX to unmount the Windows image Use Pkgmgr.exe or OCSetup to

Injecting Device Drivers

Device Drivers 1 Start Deployment Workbench 2 Add driver to Distribution Share

3 Add a New Driver Group


4 New Driver Wizard finishes 5 Repeat this procedure for each set of
drivers

Slipstreaming Language Packs

Language Packs 1 Start Deployment Workbench. 2 Start the Add New Package wizard

3 Define package source directory


4 The New Package Wizard finishes 5 Repeat this procedure for each package to
be added

Lab 1: Installing, Configuring, and Using MDT

Exercise 1: Installing Microsoft

Deployment Toolkit
Deployment Toolkit

Exercise 2: Configuring Microsoft Exercise 3: Creating an MDT Build

Exercise 4: Creating Deployment Points


Exercise 5: Lite Touch Installation

Upgrading and Migrating Active Directory

Windows Server 2008 Upgrade Overview

Upgrading Windows Server 2003 Domain Controllers to Windows Server 2008


Active Directory Upgrade Sequence

Methods of Upgradation and Migration


In-Place Upgradation

Domain Restructuring
Tools for Migration- ADMT Precautions before Migration

Upgrade Sequence
Migrating GPOs Migrating Roaming Profiles

Upgrading File and Print, Web, and Remote Infrastructure Servers

Module Overview
Upgrading File and Print Servers Upgrading Web and Application Servers Upgrading Remote Infrastructure Servers

Lesson 1: Upgrading File and Print Servers

Changes in File Service Functionality File Server Storage Changes Migrating EFS Files Changes to Print Services in Windows Server 2008

Changes in File Service Functionality

Self Healing NTFS

Transactional NTFS

File Server Resource Manager

File Server Storage Changes

Services for NFS Storage Manager for SANs

Migrating EFS Files

Can now use smart cards Migrate using Robocopy

or the new Backup


migration!

Preserve keys during

Changes to Print Services in Windows Server 2008

XPS Print Path


XML Paper Specification
More accurate and efficient printing Conversion paths available

Client Side Rendering


Reduces print server load Automatic with Windows Vista clients Reduces driver mismatch problems

Upgrading Web and Application Servers


Application Server in Windows Server 2008 New Features in IIS 7.0 Changes from IIS 6.0 New in .NET Framework 3.0 Application Pools Taking Advantage of Integrated Mode Application Server on Server Core Metabase Compatibility Migrating ASP.NET Applications Compatibility with ASP.NET 1.1 Upgrade Path

Application Server in Windows Server 2008

Application Server Role

Web Server Role Developer Framework

Operating System Infrastructure

New Features in IIS 7.0

Shared configuration

Application Pool isolation

Componentized installation

Simpler management

Changes from IIS 6.0 Configuration Architecture


Metabase replaced Web.config and applicationHost.config

Authentication
IIS and ASP.NET authentication united
Anonymous authentication under worker process

SSL

Moved from Metabase to HTTP.SYS Change transparent to user and administrator

New in .NET Framework 3.0

Windows Communication Foundation

Windows Workflow Foundation

Unifies Microsoft programming model Create SOA applications across platforms

Workflow enabled scenarios Design and implement graphically

Application Pools
Classic Mode Integrated Mode

Taking Advantage of Integrated Mode

Identify and alter any instances of:


The application web.config file defines

<httpModules> configuration

The application web.config file defines

<httpHandlers> configuration

The application web.config file defines

<identity impersonate="true" /> configuration

Application Server on Server Core

Small footprint installation of Server 2008 that can run:


Active Directory DHCP Server File Services Streaming Media Hyper-V AD LDS DNS Server Print Services Web Services (IIS)

Limited attack surface, high performance Different migration path

Metabase Compatibility

Enable in Management Console

Not installed by Default

Develop new scripts in new interfaces

Some limitations to legacy mappings

Migrating ASP.NET Applications


ASP 1.0 no longer supported ASP 1.1 SP1 can be installed and used Upgrade to at least .NET 2.0 strongly recommended

Compatibility with ASP.NET 1.1


Ensure that "IIS Metabase Compatibility" is installed Install .NET Framework v1.1 and .NET Framework

v1.1 SP1

Enable the ASP.NET v1.1 ISAPI Extension Add the IgnoreSection Handler to Framework v1.1

machine.config to system.webServer application pool

Move your site or application to a Framework v1.1

Upgrade Path

Windows 2000 Server and Prior


No direct upgrade to Server 2008 supported
Backup, wipe, and reload

Windows Server 2008 Server Core


No direct upgrade

Backup, wipe, and reload

Windows Server 2003 to Windows Server 2008


OS upgrade supported IIS not upgraded. Add role and restore applications

Upgrading Remote Infrastructure Servers


Remote Infrastructure Challenges Read-Only Domain Controller (RODC)

RODC Functionality
RODC Requirements and Special Considerations RODC Replication, Promotion and Deployment

Windows BitLocker Drive Encryption (BDE)


Distributed File System (DFS) in the Remote Infrastructure

Remote Infrastructure Challenges

Communication
Management Security

Read-Only Domain Controller (RODC)

Reasons for deployment


Benefits of deployment Functionality Requirements and considerations

Replication

Promotion in the Windows Server 2003 environment


Administrator role separation

RODC Functionality

Read-only Active Directory database


Unidirectional replication Credential caching Administrator role separation Read-only domain name system

RODC Requirements and Special Considerations


Operations master role must be Windows Server 2008 Microsoft Office Outlook requires the global catalog server role Universal group membership caching Domain functional level Forest functional level

Must forward authorization requirements


Must update forest with ADPrep Cant have multiple domain controllers in the same domain

RODC Replication, Promotion and Deployment

Can only replicate with other Windows Server 2008 machines


Deployment prerequisites Promotion to RODC in a Windows Server 2003 environment Deploying a Read-Only Domain Controller

Windows BitLocker Drive Encryption (BDE)

Integral security feature in Windows Server 2008


Data encryption Tight integration with Active Directory

Functionality requirements
Full-disk encryption Integrity checking

Recovery options
Installation Remote Management Group Policy settings

Distributed File System (DFS) in the Remote Infrastructure


DFS Replication (DFS-R)
DFS Namespaces Sharing files across branch offices Differential replication of changes to files Reduction of bandwidth used for replicating new files Efficient and scalable replication SYSVOL replication using DFS-R Migrating SYSVOL from FRS to DFS

Upgrading a Windows Server 2003 File and Print Server


Exercise 1: Adding the File and Print

Server Roles to Windows Server 2008

Exercise 2: Create DFS Namespaces Exercise 3: Schedule a Backup Exercise 4: Migrate a Printer

Upgrading a Windows Server 2003 Web Server to Windows Server 2008 and IIS 7.0
Exercise 1: Export Application and

Configuration Data from IIS 6.0 Server 2008 Server 2008

Exercise 2: Configure IIS 7.0 on


Exercise 3: Import Configuration to

Best Practices for Performing an Upgrade


Step Check system requirements. Read Relnotes.htm and hardware compatibility information. Determine whether your current operating system is one from which you can upgrade to Windows Server 2003. If you have server clusters, review the choices for upgrading on cluster nodes. Reference System Requirements and Hardware Compatibility Important files to review Hardware compatibility Upgrading or Installing

For upgrades in any domain where all domain controllers run Windows NT 4.0, review the upgrade plan. Decide whether to upgrade any FAT or FAT32 partitions to NTFS. Check the system log for errors that could cause problems during the upgrade.

Upgrading to Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition on Cluster Nodes Checklist: Preparation for upgrading a cluster Upgrades in a Windows NT 4.0 Domain

Choosing a File System for the Installation Partition Preparing your system for an upgrade

Best Practices for Performing an Upgrade


Step Reference

Back up files. If upgrading from Windows NT 4.0, prepare mirror sets or other disk sets for upgrade. Disconnect UPS devices.

Preparing your system for an upgrade Working with volume, mirror, or stripe sets or stripe sets with parity Preparing your system for an upgrade

Review hardware and software.

Preparing your system for an upgrade

Start Setup, and follow the instructions provided.

Start Setup on an x86-based computer Start Setup on an Itanium architecture-based computer Start Setup on an x64-based computer Domain and forest functionality Upgrading from a Windows NT domain

If domain controller upgrades are complete, review concepts about domain functional levels and, if appropriate, raise the functional level.

Troubleshooting Upgradation errors

Troubleshooting ADPrep Errors

Troubleshooting ForestPrep Errors


Troubleshooting DomainPrep Errors Troubleshooting RODCPrep Errors

Prepare a Windows Server 2008 Server Core Installation for Use as a Remote Infrastructure Server
Exercise 1: Enable Remote Desktop

and Remote Administration of Windows Firewall


Encryption (BDE) and BDE Remote Admin Tool Separation on a Read-Only Domain Controller System Replication

Exercise 2: Install BitLocker Drive

Exercise 3: Configure Admin Role

Exercise 4: Configure Distributed File

Supporting Windows Server 2008 for Networking

Module 4

DNS Domain Name System


This module discusses Domain Name System features implemented in Windows Server 2008.

Module Overview
This module contains the following Parts: Part 1 DNS Overview

Part 2 - Adding and Configuring DNS the DNS Server Role


Part 3 - IPv6 Features Part 4 Global Names Zone (GNZ)

Part 5 DNS Security Features


Part 6 - DNS Client Part 7 - Support and Troubleshooting

Part 1: DNS Overview


Part 1 Consists of the following Lessons:

Lesson Lesson

1 DNS Functional Description (Review) 2 - New DNS Functionality in Windows Server 2008

Lesson 1 DNS Functional Description (Review)


Lesson 1 DNS Functional Description (Review)

What does DNS Do?

Name resolution service for TCP/IP Networks

Summary of Existing Features 2003 and 2008 (new features are covered in Lesson 2):

Active Directory Support

Stub Zones
Integration with other MS nets services Ease of Administration

Dynamic Update (RFC 2136(


Incremental Zone x-Fer Conditional Forwarders

Lesson 2: New DNS Functionality in Windows Server 2008


DNS Server Role Background Zone Loading

DNS IPv6 Support


Read-only domain controller support GlobalNames zone DNS Client-side Changes

LLMNR

Additional Detail on Following Slides

Complete coverage in following Parts of this Module as noted

DNS Server Role


DNS is now a Windows Server 2008 Server Role

Installed No

from Server Manager via the Add Roles Wizard longer installed via Add/Remove Windows Components

Detailed coverage of DNS installation and configuration is

provided in Part 2 of this Module.

Background Zone Loading


Windows Server 2008 DNS loads zone data from Active Directory in the background

during restart

Enables DNS to respond to requests from other zones. When the DNS server starts, it:

Background Zone Loading Process:

Enumerates all zones to be loaded Loads root hints from files or AD DS storage Loads all file-backed zones, that is, zones that are stored in files rather than in AD DS Begins responding to queries and remote procedure calls (RPCs) Spawns one or more threads to load the zones that are stored in AD DS

Allows DNS to begin responding almost immediately on restart:

Instead of waiting until its zones are fully loaded.

Zone Loading Behavior Windows Version Comparison

OS and SP Level

Background Zone Loading Support

Behavior when zone not fully loaded

2003 2003 SP1 2008

No No Yes

Gives bad response No Response Query AD for the data and respond

IPv6 Support
Windows Server 2008 DNS fully supports IPv6 address format in UI, Zone Data, DNS

queries:

Zone Data:

AAAA Records for IPv6 hosts


GUI and dnscmd tool Accept/display IPv6 addresses Can resolve names for IPv4 or IPv6 clients Can send recursive queries to IPv6-only servers Server forwarder list can contain both IPv4 and IPv6 addresses DHCP clients can also register IPv6 addresses

UI:

DNS Queries

Supports the ip6.arpa domain namespace for reverse mapping

Detailed coverage of IPv6 support in DNS is provided in Part 3 of this Module.

Read-only Domain Controller (RODC) Support


New zone type to support RODC:

Primary read-only zone

AKA branch office zone

Behavior:

RODCreplicates a full read-only copy of all application directory partitions used by DNS:

Domain partition ForestDNSZones

DomainDNSZones.

Ensures that DNS server running on RODC has a full read-only copy of any DNS zones stored on a centrally located domain controller in those directory partitions.

RODC administrator can view contents of a primary read-only zone Changes only allowed on the centrally located domain controller. These changes to the DNS Server service are required to support Active Directory on an RODC.

GlobalNames Zone
New DNS Zone type:

Holds static, single-label network names

Purpose/Benefits:

Enables organizations with critical reliance on single-label network names can move away from WINS to an all-DNS environment
Provides the benefits of static, global, single-label names to all-DNS networks Ensures that single-label names are unique across the entire forest. WINS may still be needed where dynamic registrations of single-label names is required.

Replication scope is forest-wide:

Does not support dynamic updates:

GlobalNames Zone functionality and configuration is covered in detail in Part 4 of this Module.

DNS Client-side Changes


DNS Client-side Changes in Windows Server 2008 include:

New GPO Settings

15 total, 2 new in WS-08

LLMNR

Link-local multicast name resolution Multi-cast DNS (mDNS) Resolves names on a local network segment when a DNS server is not available IPv6 enabled by default DNS Client service performs name registration Auto-generation of IPv6 DNS server addresses

Miscellaneous Client-side Changes

Client-side Changes are listed in this Lesson, and covered in detail in Part 6 of the Module

Part 2: Adding and Configuring the DNS Server Role


This Part of the Module consists of the following two

Lessons:

Lesson Lesson

1: Adding (Installing) DNS Server Role 2: Configuring DNS Server Role

Lesson 1: Installing DNS Server Role


Demo:

Instructor Student

will demo installation and configuration of DNS Server Role

shots

workbook contains screen-

Lesson 2: Configuring DNS Server Role


DNSCmd.exe Best Practices

Wherever possible, point DCs to common DNS


Preferred (common enterprise wide) Alternate (may be local)

Not bandwidth intensive

All other hosts including clients and member servers should point to local DNS Servers

Part 3: DNS IPv6 Support


This Part of the Course examines IPv6-specific

considerations in DNS, and includes the following Lessons:

Lesson Lesson

1: DNS IPv6 Support Details 2: IPv6 Addresses in the Hosts

File

280

Lesson 1: DNS IPv6 Support Details


This lesson discusses the topics listed below (detail on following slides): DNS Record types for IPv6

AAAA Record

IPv6 Support in DNS UI and Tools DNS Functional Changes:

Forward Lookups Reverse Lookups

IPv6 support in DNS on Server 2008

Forward lookups Reverse lookups

Hosts file

DNS Record Types for IPv6


AAAA (quad A) record

Provides

name to IPv6 resolution

Comparable

to host address (A) records used for IPv4 name resolution.

The

only new record type needed to support name resolution for IPv6 hosts

IPv6 Support in DNS UI and Tools


DNS MMC Snap-in

UI

accepts IPv6 addresses


example, in Server Forwarder list

For

DNSCMD.exe

Command-line

addresses

syntax accepts IPv6

DNS Functional Changes Forward Lookups


Slight differences in DNS functional behavior during name

resolution with IPv6 addresses:


Clients can send recursive queries to IPv6 only servers

(server-to-server)
Servers can accept IPv6 addresses in addition to (or

instead of) IPv4 addresses


No change to forward lookup zone structure:
Forward Lookup zones are assigned friendly names

Support for AAAA record type is only change to

accommodate IPv6

DNS Functional Changes Reverse Lookups


Since name assigned to reverse lookup zone is a partial IP address:

Reverse lookup zones for IPv6 addresses require much longer names

However, PTR record structure (for host name) remains unchanged.


Ip6.arpa supported in WS-08 DNS (RFC3152)

Reverse lookup domain names in IPv6:

IP6.INT deprecated in favor of IP6.ARPA


New reverse lookup namespace (RFC 1886) Each hexadecimal digit in fully expressed 32-digit IPv6 address becomes a separate level in the reverse domain hierarchy, in inverse order

.IP6.ARPA. is appended to the record

Sample IP6.ARPA Record


IPv6 Address:

FEC0::1:2AA:FF:FE3F:2A1C
Fully expressed as:

FEC0:0000:0000:0001:02AA:00FF:FE3F:2A1C

IP6.ARPA Reverse lookup domain name is


C.1.A.2.F.3.E.F.F.F.0.0.A.A.2.0.1.0.0.0.0.0.0.0.0.0.0.0.0.C.E.F.IP6.ARPA.

Example IP6.ARPA PTR record (folded for readability):


C.1.A.2.F.3.E.F.F.F.0.0.A.A.2.0.1.0.0.0.0.0.0.0.0.0.0.0.0.C.E.F.IP6.ARPA. IN PTR host1.microsoft.com

Lesson 2: IPv6 Addresses in the Hosts File


Hosts File now supports static entries for IPv6 Format is:

Address
Example:

Name

3ffe:ffff:6c2b:f282:204:5aff:fe56:f62 ipv6test

As in previous versions, Hosts file is checked before name

resolution using DNS is attempted.

Part 4: GlobalNames Zone (GNZ)


Lesson 1 GlobalNames Zone Functional Description Lesson 2 GlobalNames Zone Configuration

Lesson 3 Demo: Creating and Enabling the GlobalNames

Zone

Lesson 1: Global Names Zone Functional Description


What is the GlobalNames Zone (GNZ)?

New feature in Windows Server 2008 DNS New use of a Forward Lookup Zone

Enables resolution of static single-label network names using DNS rather than WINs

GNZ Records

Static records only

No dynamic update
Not intended to provide same level of functionality as WINS

GNZ versus WINS

Transition technology to allow migration from WINS to DNS

289

How GlobalNames Zone Works


GNZ is a standard forward lookup zone named

GlobalNames (with no quotes, and not case-sensitive)

1.DNS client makes request using a single-label name 2.Suffix is appended to name based on suffixes configured

at the client

3.If DNS Server is authoritative for the appended suffix, and

if the DNS Server hosts a GNZ

4.DNS Server checks GNZ first, before checking other

zones, resolves name if record exists.

5.Name registration requests matching names in the GNZ

are rejected, preserving global uniqueness of the GNZ records

GNZ Lookup Process (Slide 1 of 2)

3
GlobalNamesZone

2
1
DNS Client Joe Shmoe

DNS Server e.g. Name Server for redmond

Forward Lookup Zone (e.g. redmond.corp.microsoft.com)

NOTE: Steps describing this diagram are on provided in the

Student workbook and on the following slide.

291

GNZ Lookup Process (Slide 2 of 2)


1.Query/Update from a client to an authoritative DNS Server. 2.DNS Server looks in GNZ for the name first. 3.If the GNZ is configured for the name:

a)Lookups: b)Updates

from GNZ.

it is able to respond with the name

are rejected.

4.If the name is not found in the GNZ then the authoritative zone for

the name on the DNS Server is checked for queries or updates as normal.

5.The appropriate response for names not found in the GNZ for

queries or updates from the authoritative zone is passed on.


steps, to the client.

6.The DNS Server sends the response, as ascertained in the previous

292

The Value of GNZ


Greatest benefit is to large organizations with many

domain names (too many to include in suffix search list):

Requests
Benefits:

normally would time-out before all suffixes can be tried

GNZ

reduces response time

Eliminates
IPv6 support

overhead of having to maintain long suffix search list is only current solution for resolving a single label names to an IPv6 address

GNZ
293

Limitations of GNZ
Server 2008 required throughout in order to guarantee:

Desired Global

responses to queries

uniqueness

Forest wide replication to all DNS Servers required

No dynamic registration supported.

Records

are designed for widely known, static server names.

Client query must still be for an FQDN

294

Lesson 2: GlobalNames Zone Configuration


GNZ is just a forward lookup zone, specifically named GlobalNames.

No

special tools or configuration requirements

To create

Add

a new forward lookup zone, named GlobalNames (no spaces and no quotes and not case-sensitive).

Two requirements to trigger GNZ behavior in DNS:

The
The

existence a forward lookup zone called GlobalNames.


DNS configuration parameter enableglobalnamessupport is turned on.

GNZ is enabled using the dnscmd.exe utility:

dnscmd /config /enableglobalnamessupport 1

295

Default Order of Use of Client DNS Suffixes


Primary DNS Suffix

Domain client is joined to

Group Policy configured DNS Suffix Search List. Further processing

using DNS Suffixes stops here.


If there is no Group Policy:

Then the Connection Specific DNS Suffix for each adapter is used. (For Vista only, for IPv6 adapters using DHCPv6 servers Only) If there is a Connection Specific Suffix Search List configured via DHCPv6 Servers for an adapter, this is appended in order of the list.

If the name cannot be resolved via DNS using various Suffixes then the

query fails-over to WINS.

Additional GNZ Considerations


Availability and Uniqueness:

In

order to guarantee that names are globally unique and globally resolvable:

All the DNS Servers in the forest must host the GNZ.

Recommendations:

Create

GNZ as AD integrated zone

Configure All

for Forest-Wide replication

Windows Server 2008 Required:

authoritative DNS Servers for the domains must be WS-08 servers

All

servers hosting the GNZ must be Windows Server 2008 servers

Lesson 3: Demo: Creating and Enabling the GNZ


Demo:

Instructor

will Demo:

Installation Enabling

and configuration of the GlobalNames Zone GNZ behavior with DNSCMD.EXE

Student

shots

workbook contains screen-

Part 5: DNS Security Features


This Part of the Module describes DNS Security features

provided in Windows Server 2008:

Lesson Lesson Lesson Lesson

1: What are DNS Security Extensions (DNSSEC)? 2: DNSSec Support in Windows Server 2008 3: DNS Server Global Block List 4: Configuring DNS Global Block

List

Lesson 1: What is DNSSec?


DNS Security Extensions (DNSSec)

DNS

Client Protection from forged records Authentication based on RFC 2535 server only

Server

Loosely

Windows Server 2008 Support for DNSSec:

Secondary No

tools provided for creating the DNSSec specific records.

DNSSec Authentication
Each zone has its own public and private key to encrypt

and decrypt digital signatures. a private and public key.

An encrypted, or secure, zone is a DNS zone that has both When a RRset in a zone is signed using a private key,

resolvers containing the zone's public key can authenticate whether a RRset received from the zone is properly authorized. received from a secure zone actually came from the correct zone.

DNSSEC verifies to a resolver that the records it has

Lesson 2: DNSSec Support in Windows Server 2008


DNSSec in Windows Server 2008:

Provides

basic support of the DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535. DNS currently can only function as secondary DNS server for existing DNSSEC-compliant, secure zones. not capable of signing zones and resource records (creating cryptographic digital signatures) or validating the SIG RRs.

WS-08

Currently

Windows Server 2008 DNSSec Behavior


Server-side:

Loads DNSSec records along with other RR types DNSSec records written to zone data file during zone transfer

Does not verify the digital signatures

Caches the response and uses it for ensuing queries

When a WS-08 DNS server receives a request for a resource record in a zone also containing DNSSEC resource records:

Attaches the appropriate DNSSEC records to the response.

Client-side:

Essentially, DNSSec aware only Does not read/store key for the trusted zone Does not perform any cryptography, authentication, or verification. Returns and Caches DNSSec records same as any other RR

Application (other than WS-08 DNS Client) must perform the necessary cryptography to authenticate resource records.

Why deploy DNS Sec?


Application requirement Organizational or Political requirement

Other specific requirement or compliance reason

Important: RFC 2535 on which current DNSSec support

is based has been superseded by RFC 4033, RFC 4034, and RFC 4035

Enabling DNSSec in Windows Server 2008


Disabled by default Enable via Registry Editor

Add subkey:

HKLM\SYSTEM\CCS\Services\DNS\Parameters
Add DWORD Entry

EnableDnsSec = 1

Lesson 3: DNS Server Global Block List


Prevents use of DNS dynamic updates for hijacking of DNS

protocol/service names, such as:


WPAD ISATAP

Global Block List Behavior:


DNS maintains list of blocked names Server does not resolve queries for names in list Replies to the query as though no resource record exists List applies only to zones for which server is authoritative Does not apply to forwarded or stub zone queries Query blocking only, not update blocking

Lesson 4: Configuring DNS Global Block List


Initial Configuration and List Contents:

The DNS Server service configures the block list on initial startup following installation/upgrade to WS-08 DNS

Initial contents of list depend on whether WPAD and ISATAP are already present when WS-08 DNS is deployed
If ISATAP or WPAD is present in any zone, it is omitted from the block list

Installation Scenarios and Considerations:

If ISATAP or WPAD is NOT present in any zone, it is included in the block list and blocking is enabled
DNS only checks for these protocols on initial startup:

Admin must manually disable blocking if WPAD or ISATAP are introduced AFTER deploying WS-08 DNS

See Student Workbook for Additional Scenarios and Considerations

Configuration Commands and Settings


Sample command produces default behavior, includes both words on the block list:

dnscmd /config /globalqueryblocklist wpad isatap


Custom words may be added by issuing command with complete list of words to be blocked Remove a word by re-issuing command with only desired words to be blocked.

Registry:

HKLM\SYSTEM\CCS\Services\DNS\Parameters\

DWORD: EnableGlobaQueryBlockList = 1 (default) MultiString: GlobalQueryBlockList

Default list depends on existence of wpad and/or isatap at first install/upgrade

Part 6: DNS Client


This Part of the Course examines various DNS client-side

changes and considerations for Windows Server 2008 DNS, and includes the following Lessons:

Lesson
Lesson Lesson

1: GPO Settings

2: Link-local Multicast Resolution (LLMNR) 3: Miscellaneous DNS Client-side Changes

Lesson

4: Auto Generation of DNS server IP addresses

Lesson 1: GPO Settings


15 total GP settings for DNS client in WS-08 Two are new:

Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries (Unqualified = no dot at end)

Default is 1 in XP Default is 0 in Vista Default is 0 in Vista = LLMNR enabled by default

Turn off Multicast Name Resolution

Viewing DNS Client Local Policy Settings (Vista/2008):

gpedit.msc / Computer Configuration /Administrative Templates / Network / Client

Viewing DNS Client Group Policy Settings (2008 schema):

Group Policy Object Editor

Lesson 2: Link-Local Multicast Name Resolution (LLMNR)


Link-Local Multicast Name Resolution (LLMNR):

Can provide Peer-to-Peer name resolution for both IPv4 and IPv6 Currently the only solution for IPv6 P2P name resolution

Not a substitute for DNS or WINs:


Provides an option when DNS not available Local link only

How LLMNR works?

Uses link-scope multicast addresses

Client tries DNS first, proceeds with LLMNR only if DNS resolution fails
Querying host sends multicast query over UDP for target name LLMNR-enabled receiving host sends unicast reply containing responders host name to sender.

RFC 4795 is informational only

LLMNR queries are sent to and received on UDP port 5355

Disabling LLMNR
LLMNR is enabled by default in Vista/WS-08 Can be disabled for all or specific interfaces Create/set registry entries Disabling LLMNR on all interfaces:

HKLM/SYSTEM/CCS/Services/DnsCache/Parameters/EnableMulticast = 0
Disabling LLMNR on a specific interface:

HKLM/SYSTEM/CurrentControl

Replace <adapterGUID> with the GUID of interface to be disabled. Setting these values to 1 enables LLMNR for the respective interface or interfaces. Use Group Policy to disable LLMNR on managed computers.

Lesson 3: Miscellaneous DNS Client-side Changes


IPv6 behavior
IPv6 is Installed and Enabled by Default

IPv6 preferred over IPv4:


WS-08/Vista TCP/IP stack attempts to use IPv6 first May cause problems if connecting to misconfigured public

DNS
Does not impair IPv4 connectivity

DHCP Client no longer performs DNS registrations:


DNS client service now performs name registration

Lesson 4: Auto Generation of DNS server IP addresses


WS-08 or Vista DNS Client with no DNS Server addresses configured will

automatically populate configuration with the following well-known IPv6 DNS Server addresses:

fec0:0:0:ffff::1 fec0:0:0:ffff::2 fec0:0:0:ffff::3 Site-local addresses are formally deprecated in RFC 3879 for future IPv6 implementations Manually configure DNS servers with these addresses Add host routes to routing infrastructure so that the DNS servers are reachable from WS-08 and downlevel IPv6 hosts

These are site-local addresses

Recommendation:

Part 7: Support and Troubleshooting


This Part of the Module examines expected common

support issues with Windows Server 2008 DNS.

It consists of one Lesson:

Lesson

1: DNS Support Issues

Lesson 1: DNS Support Considerations


This Lesson will examine the following potential areas for

DNS support issues in Windows Server 2008:

IPv6-specific

Considerations for DNS on a Domain

Considerations

Controller

New

DNS Record Types

IPv6-specific Considerations
IPCONFIG Behavior (v4 versus v6)

Windows

Server 2008 includes both v4 and v6 versions of IPConfig.


Behavior

is version-specific for /renew and /release options:


- IPv4 only: /renew and /release - IPv6 only: /renew6 and /release6

/registerdns

option:

- Registers both v4 and v6 addresses.

DNS Registration Overwrite Scenarios

Considerations for DNS on a Domain Controller


DCPROMO and the DNS Server List

When promoting a server to Domain Controller, the dcpromo utility invokes autoconfiguration of the DNS client settings.

Differences in W2003 and WS-08 Behavior:

In Windows Server 2003:

Loopback adapter is added to the top of the DNS server list in all cases. The loopback adapter is added at top of the list for the first DC in a new domain The loopback adapter is added to the bottom of the list for any replica DC

In Windows Server 2008:


DC Points only to itself for DNS

DNS Event 4013


May appear on new DC after reboot if the DC points only to itself for DNS name resolution. May cause authentication delays of 15 minutes, or greater, following reboot after DCPOROMO.

New DNS Record Types


NAPTR for DDDS (Dynamic Delegation Discovery Service)

Will likely be used for performing a lookup of a phone number to SIP URI.

DNAME

Like a CNAME but for an entire domain. Can only be created with dnscmd
Improves the level of support for DNAME records from Windows 2003:

Windows 2003 RTM didnt recognize the DNAME record Windows 2003 SP1 recognized DNAME, but could not host it.

Please seek KB920162 :


http://support.microsoft.com/default.aspx?scid=kb;EN-US;920162

Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record Available via WS-08 DNS GUI, but crypto operations are not performed by WS-08 DNS. WS-08 DNS will only host the DNSSec records.

DNSSec record types:

Lesson 3: Other new DNS records


New DNS records not mentioned elsewhere:
NAPTR for DDDS (Dynamic Delegation Discovery Service)

for constructing a URI will likely be used for performing a lookup of a phone number to SIP URI.

DNAME like a CNAME but for an entire domain. Only

available through dnscmd

Supporting Windows Server 2008 - Networking

Module 3

DHCP and IPv6


This Module provides information about DHCP and IPv6 in Windows Server 2008.

In this Module
Part 1 DHCP in Windows Server 2008 Part 2 DHCP Client and Server Implementation Details

Part 3 IPv6 and DHCPv6


Part 4 Support and Troubleshooting

Part 1: DHCP in Windows Server 2008


This Part of the Module provides an overview of the purpose, features,

and configuration of DHCP in Windows Server 2008.


Lessons in this Part of the Module

Lesson 1 Whats Changed in DHCP? Lesson 2 - Adding the DHCP Server Role in Windows Server 2008

What You Will Learn

Explain the purpose and basic functionality of DHCP in Windows Server 2008. List and describe new and changed features in Windows Server 2008 DHCP. Add/Install the DHCP Server Role on Windows Server 2008.

Lesson 1 Whats Changed in DHCPv4?


Whats changed in DHCP?

Not

much has changed

Similar

to the W2003 DHCP interface with the addition of NAP integration. now supports IPv6 address configuration
Stateful
Detailed

Whats New: DHCPv6

DHCP

and Stateless Addressing


discussion later in Module

Lesson 2: Adding and Configuring the DHCP Server Role


Demo:

Walk-Through

of using Add Roles Wizard to add and configure the DHCP Role
Screen

Module

shots and descriptive text are in

Part 3: DHCP Client and Server Implementation Details


Lesson 1 DHCP Client Lesson 2 DHCP Server

Lesson 3 DHCP Backup and Restore

Lesson 1: DHCP Client


DHCP Client Registry Locations DHCP Client Service Information

DHCP Client WFAS Rules


Using the Netsh Dhcpclient context

Lesson 2: DHCP Server


DHCP Server Registry Locations DHCP Server Service Information

DHCP Server Database Location


DHCP Server WFAS Rules Using the Netsh Dhcp context

Lesson 3: DHCP Server Backup and Restore


DHCP Server Backup and Restore through the UI

What is backed up?

All scopes, including superscopes and multicast scopes


Reservations Leases

All options, including server options, scope options, reservation options, and class options
All registry keys and other configuration settings (for example, audit log settings and folder location settings) set in DHCP server properties

Where is the backup stored?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\D HCPServer\Parameters

Restoring DHCP
Reasons for Restoring

Disk Failure

Database corruption
Moving Role to another Server (Including 2003 to 2008)

How to Restore?

Acquire backed up files from DHCP server


In DHCP MMC

Right-click server

Selecting restore
Select location for the backup files Stop and Restart DHCP service

Files Needed to Restore


Entire directory created during backup must be available Backup folder created at root of drive, for example:

c:\DhcpBackup
c:\DhcpBackup\DHCPcfg

with no extension)

(this is a file

c:\DhcpBackup\New\Dhcp.mdb c:\DhcpBackup\New\Dhcp.pat c:\DhcpBackup\New\Jxxx.txt

Part 4: IPv6 and DHCPv6


Lessons in this Part of the Module:

Lesson 1 IPv6 Overview Lesson 2 Core Networking WFAS Rules

Lesson 3 Network Interfaces


Lesson 4 Address Space and Address Types Lesson 5 Configuring Static IPv6 Addresses Lesson 6 Automatic Addressing Methods Lesson 7 IPv6 Parameter Overview Lesson 8 Server 2008 as a IPv6 Router Lesson 9 IPv6 routers and the M and O Flags Lesson 10 IPv6 Common Configurations Lesson 11 Disabling IPv6

Lesson 12 DHCPv6

Part 4: IPv6 and DHCPv6


What You Will Learn:

Explain the purpose of IPv6 in Windows Server 2008. Identify and explain the IPv6 Interfaces present on Windows Server 2008. Explain IPv6 addressing and routing concepts; identify and explain IPv6 address types. Configure IPv6 addresses and routing options on Windows Server 2008.

Explain the purpose of DHCPv6, and describe how it differs from DHCPv4.
Install and configure DHCPv6 on Windows Server 2008. Discuss likely DHCPv6 implementation scenarios.

Identify likely DHCPv6 support issues, and perform basic troubleshooting steps.

Lesson 1: IPv6 Overview


Why IPv6?

Overcomes historic IPv4 limitations, via:


Large address space Efficient routing Ease of configuration Enhanced security New Optimized Header Format Stateless and Stateful Address Configuration Built-in Security - Full Support for IPSec Improved Support for QoS Neighbor Discovery

Other Features/Benefits

Lesson 2: Core Networking WFAS Rules


Windows Firewall is enabled by default in Windows Server

2008

Be

aware of how default Firewall configuration affects connectivity

Core Networking WFAS Rules rules enable basic IPv6

connectivity and functionality

See

Table of Inbound and Outbound Rules in Student Guide

Lesson 3: Network Interfaces


Interface Types

IPv4 IPv6 Ethernet Tunnel


:

View existing Interfaces

C:\>netsh int show int C:\>netsh int ipv4 show int C:\>netsh int ipv6 show int Shows details for Ethernet adapter and IPv6 interfaces.

Viewing the IPv4 Interfaces:

Viewing the IPv6 Interfaces:

Viewing Interfaces using ipconfig /all:

Lesson 4: Address Space and Address Types


IPv6 Address space is 128bits as compared to IPv4s 32 IPv6 Address:

2001:0db8:0000:0001:0000:0000:0000

:0001

Suppressed Leading Zeros

2001:db8:0:1:0:0:0:1
Compressed Zeros

2001:db8:0:1::1

IPv6 Addresses Structure


Ipv6 Address Notation IPv6 Address with suppressed leading zeros

IPv6 Address with both suppressed and compressed zeros


IPv6 Address Network Identification

IPv6 Prefixes

IPv6 Address Types (Commonly seen) Link-Local Site-Local Multicast Global Unicast Address Teredo: Global Teredo IPv6 Service Prefix Global (for documentation)

IPv6 Prefix FE80:: (non-routable) FEC0:: FF00:: - FFFF:: 2000::/3 (RFC3587) 2001:0000:/3 (RFC4380) 2001:DB8::/32 (RFC3849)

6to4
ISATAP

2002::
[64-bit prefix]:0:5EFE:w.x.y.z

Lesson 5: Configuring Static IPv6 Addresses and DNS Client Settings


Using the Network Connections UI to Configure IPv6

Addresses and DNS Servers

Using Netsh to Configure IPv6 addresses and DNS Servers

IPv6 DNS

Addresses Servers

Lesson 6: Automatic Addressing Methods


Automatic Addressing Methods in IPv6

Stateless

Stateful

Stateless Addressing

Unmanaged

Client auto-generates address based on prefix obtained from router

Stateful Addressing

Managed

Client obtains address from DHCP server

Lesson 7: IPv6 Parameter Configuration Overview


IPv6 Common Parameters

Forwarding Advertising Router

Discovery Address

Managed Other

Stateful

Lesson 8: Windows Server 2008 as an IPv6 Router


This Lesson discusses:

Configure Publish

IPv6 Routing

IPv6 routes IPv6 Forwarding IPv6 Advertising

Configure Configure Inspect

the default IPv6 client parameter configuration.

Configuring IPv6 Routing


Enable Forwarding

Configured per interface netsh command :

Netsh int ipv6 set int interface_name (or idx number) forwarding=enabled
When Forwarding is enabled, server is now an IPv6 router, but the IPv6 clients are not aware of the router until Advertising is enabled

Enable Advertising

Causes the system to send Router Advertisement messages Allows IPv6 clients to be aware of the IPv6 router. netsh command:

netsh int ipv6 set int Local Area Connection (or idx number) Advertise=enabled

Publish Routes

netsh int ipv6 set route 2001:db8:0:1::/64 Local Area Connection publish=yes

netsh int ipv6 set route 2001:db8:0:2::/64 Local Area Connection 2 publish=yes

Router Discovery
IPv6 parameter that allows clients to:

Listen and Send Router Solicitation messages

Listen to Router Advertisement messages

Router Discovery is enabled by default netsh commands:

To show that RouterDiscovery is enabled by default:

netsh int ipv6 show int Local Area Connection

To enable RouterDiscovery:
netsh int ipv6 set int Local Area Connection (or idx

number) RouterDiscovery=enabled

IPv6 Auto-configuration of Stateless Addresses


With Forwarding, Advertising, and Publish Routes enabled on IPv6

router:

IPv6 clients with default IPv6 parameter config

will honor the Router Advertisement messages.


IPv6 client then receives the published routes and adds

them to its routing table


IPv6 client will auto-configure an IPv6 Address on the

same subnet prefix as the IPv6 Router.


Enables

automatic addressing in an IPv6 environment without a DHCPv6 server

This is known as Stateless address configuration

Lesson 9: IPv6 Routers and the M and O flags


M and O Flags

The
M O

IPv6 parameters that control Stateful Addressing


= Managed Address = Other Stateful

Managed Address Configuration


ManagedAddress Parameter (M flag):

Determines if the client will request a DHCPv6 lease

With ManagedAddress enabled:

Client sends a DHCP Solicit packet to initiate DHCPv6 process with DHCPv6 server

DHCPv6 process is discussed in Lesson 12 of this Module

To enable ManagedAddress via netsh:

Netsh int ipv6 set int interface_name (or idx number) ManagedAddress=enabled

Setting this parameter has no effect on an interface with router

discovery enabled and advertising disabled

In that case, behavior is controlled by router discovery.

Other Stateful Configuration


OtherStateful Parameter (O flag)

Determines if client will request DHCPv6 options (in addition to address) from DHCPv6 server

This setting functions only when ManagedAddress is disabled:

ManagedAddress enabled assumes DHCP will provide both address and options

With OtherStateful enabled and MagagedAddress disabled:

Client requests only DHCP options from DHCPv6 server

Netsh Command:

Netsh int ipv6 set int interface_name (or idx number)

Otherstateful=enabled

Lesson 10: IPv6 Common Configurations


IPv6 client honors Router config: (Vista default)

Default IPv6

configuration with no IPv6 Router present Router present and Managed Address and Other Stateful Enabled at the Router configuration with IPv6 Router present and Other Stateful Enabled

Default

IPv6 client forced DHCPv6 client IPv6 client Manual IPv6 addr + DHCPv6 options

Lesson 11: Disabling IPv6


UI

Network Connections > Connection Properties

Clear check box next to Internet Protocol version 6 (TCP/IPv6) component


Disables IPv6 on LAN interfaces and connections, but not on tunnel or IPv6 loopback interface

Registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\ Parameters\DisabledComponents Bit mask values used to disable various interface types See Lesson text for specific bit mask values

Lesson 12: DHCPv6


Whats covered in this Lesson:

Overview
Review

of M and O flag behaviors

DHCPv6

Support in Windows

DHCPv6

Message Exchanges

DHCPv6 Support in Windows Vista and Windows Server 2008


In both OS versions:

Dual IPv4/IPv6 IP stack with DHCPv4/DHCPv6 client functionality DHCPv6 client is present by default, but only attempts DHCPv6-based communication when:

Local parameter config has ManagedAddress or OtherStateful enabled, or When indicated by the M and O flags in received Router Advertisement messages.

To configure multiple clients to use DHCPv6, the IPv6 router(s) in the environment can be configured with:

ManagedAddress=enable OtherStateful=enable DHCPv6 servers and relay agents in the environment must be configured to service each IPv6 subnet. Support stateful and stateless DHCPv6 configuration DHCPv6 relay agent included in the NPAS role and RRAS role service.

Windows Server 2008

DHCPv6 Message Exchanges


No Broadcast Message exchange initiated by client to obtain:

IPv6

addresses and configuration information


information only

Configuration

To Obtain IPv6 Addresses and Config Info


Client initiates discovery via Solicit message sent to locate the DHCPv6 servers:

All_DHCP_Relay_Agents_and_Servers address - FF02::1:2. Similar to DHCPDiscover message in DHCP for IPv4. Indicate that it can provide address and configuration services. Similar to DHCPOffer message in DHCP for IPv4.

Server responds with Advertise message:

Client responds with Request message:

Requests address and configuration settings from a specific DHCPv6 server.


Similar to DHCPRequest message in DHCP for IPv4. Contains address and configuration settings. Similar to the DHCPAck message in DHCP for IPv4.

Server sends Reply message:

To Obtain Config Info Only


Client sends Information-request message to request config settings

from DHCPv6 servers:

Similar

to the DHCPInform message in DHCP for IPv4. server sends Reply message with requested configuration settings. servers domain names

DHCPv6

With IPv6 routers configured to assign stateless address prefixes to

IPv6 hosts, this 2-message DHCPv6 exchange can be used to assign:

DNS DNS

Other

configuration settings not set through stateless address autoconfiguration.

Part 5: Support and Troubleshooting


Lessons in this Part of the Module

Lesson 1 Ipv6 Troubleshooting Tools Lesson 2 DHCP Logging Lesson 3 IPv6 FAQ Demonstrate and explain IPv6-specific options available for the ipconfig and ping commands. Enable logging for both DHCPv4 and DHCPv6 Use ipconfig, ping, and DHCP logging to gather useful troubleshooting information Answer common customer questions about IPv6 in Windows Server 2008.

What You Will Learn

Lesson 1: IPv6 Troubleshooting Tools


Ipconfig.exe Ping.exe

Route Print

Windows File and Print Services in Windows Server 2008

Objectives
Describe features of the major Windows file systems Secure access to files with permissions

Share folders with Windows file sharing


Use Windows storage management tools Work with Windows printers

Windows File Systems

A file system defines the method and format that an OS uses to store, locate, and retrieve files from electronic storage media

Modern file systems are composed of some or all of the following components:
Filenaming convention

Hierarchical organization
Data storage method Metadata Attributes Access control lists

(ACLs)

The FAT File System


FAT (File Allocation Table) consists of two variations: FAT16 and FAT32 FAT16 is limited to 2 GB partitions (Windows NT extends this to 4 GB) with a maximum file size of 2 GB FAT32 allows partitions up to 2 TB in size, but Windows 2000 and later limit the size of FAT32 partitions at creation to 32 GB due to performance; FAT32 supports files up to 4 GB in size

The NTFS File System


First introduced in Windows NT Supports file and folder permissions, an advantage over

FAT

Features added with the release of Windows 2000

Disk

quotas

Volume
Shadow

mount points
copies

File

compression
File System (EFS)

Encrypting

Disk Quotas
Disk quotas help administrators control how disk space is

used on a server

Options for setting quotas

Enable quota management Deny disk space to users exceeding quota limit

Do not limit disk usage


Limit disk space to Log event when a user exceeds their quota limit Log event when a user exceeds their warning level Quota Entries

Volume Mount Points

Volume mount points enable you to access a volume as a folder in another volume instead of by using a drive letter

Volume holding the folder to serve as the mount point must be an NTFS volume
Reasons for using mount points

Extend the apparent amount of free space on an existing volume


Consolidate frequently accessed volumes

Consolidate several shared volumes under a single network share

Shadow Copies

Allows access to previous versions of files and the ability to restore files that were deleted or corrupted Upon enabling Shadow Copies, Windows will warn that default settings are not ideal for heavily used servers The following can be configured in the Settings dialog box for Shadow Copies:
Located on this volume Details Maximum size Schedule

File Compression and Encryption


Both file compression and encryption are

implemented as attributes

Mutually exclusive; both compression and encryption

cannot be enabled on a file or on a folder

File compression can be enabled on an entire volume

Rules for compression behavior

Files copied to a new location inherit the compression attribute from the parent container Files moved to a new location on the same volume retain their current compression attributes Files moved to a new location on a different volume inherit the compression attribute from the parent container

File Compression and Encryption (cont.)


File encryption on NTFS made possible by Encrypting

File System (EFS) volume

Can be set on a file or a folder, but not an entire Rules for encryption behavior

Encrypted files that are copied or moved always stay encrypted, regardless of the destinations encryption attribute Unencrypted files that are moved or copied to a folder with the encryption attribute set are always encrypted

The user who initially encrypted the file can add

additional users who can decrypt the file; however, a user must have a valid EFS certificate in order to be added

File Compression and Encryption (cont.)

Securing Access to Files with Permissions


Two ways to secure files

Share NTFS

permissions permissions

Share permissions apply when using a network to access

shared files, while NTFS permissions apply whether accessing network shares or local files

If accessing a network share, the effective permissions will

always be the most restrictive permissions between Share and NTFS permissions

Share Permissions
Share permissions apply to folders and files accessed

across the network

Cant be configured on individual files Three share permissions

Read

Change
Full

Control

Generally, the default share permission is Read for

Everyone

NTFS Permissions

NTFS permissions can be configured on folders and files 6 permissions and 14 special permissions for folders

5 permissions and 13 special permissions for files


NTFS standard permissions

Read Read & Execute List folder contents

Write
Modify Full

NTFS Permissions (cont.)

File and Folder Ownership


Owner of an object is granted certain implicit permissions A user can become the owner of a file system object in

three ways

Create Take

the file or folder

ownership of a file or folder ownership

Assigned

NTFS Permission Inheritance

By default, initial permissions are set at the root of a volume, and then new folders and files inherit these settings unless configured otherwise
Permission inheritance can be disabled in the Advanced Security Settings dialog box, by clearing the Include inheritable permissions from this objects parent option

NTFS Permission Inheritance (cont.)

Windows File Sharing


File services role required to share folders Folders in Windows Server 2008 can only be shared by members of the Administrators or Server Operators groups Methods to configure folder sharing in Windows Server 2008

File Sharing Wizard Advanced Sharing dialog box

Shared Folders snap-in


Share and Storage Management

Windows File Sharing (cont.)

Windows File Sharing (cont.)

Default and Administrative Shares


Administrative shares are hidden shares available

only to members of the Administrators group shares:


Computers that arent domain controllers have these


Admin$ Drive$ IPC$

Domain controllers have the previous three shares,

plus these shares:

NETLOGON
Sysvol

Dollar sign at the end of a share name makes it

hidden

Managing Shares with the Shared Folders Snap-in

Shared Folders snap-in can be used to create, delete, and monitor shares, as well as view open files or monitor and manage user connections or sessions

Accessing File Shares from Client Computers


Shares are most commonly accessed via the following

methods:

UNC

Path Directory search the network a drive

Example syntax: \\server\share[\subfolder][\file]

Active

Browsing Mapping

Windows Storage Management


File Services role installs the File Services role service but

can also install the following additional services:

File

Server File System

Distributed File

Server Resource Manager (FSRM) for Network File System Search Service Server 2003 File Services

Services Windows Windows

Share and Storage Management


Share and Storage Management snap-in includes all

functions present in Shared Folders snap-in

Can also:

Provision Share

storage

files with NFS shares to DFS volumes

Publish Manage

Protocol column under the Shares tab will display whether

a share is using the Server Message Block (SMB) protocol or NFS

Share and Storage Management (cont.)

The Disk Management snap-in provides more advanced features than the Share and Storage Management snapin in relation to disk administration and can perform the following tasks:

Bring new disks online Initialize new disks

Import foreign disks


Create, format, and delete volumes Extend and shrink volumes Convert disks from basic to dynamic Create RAID volumes

Share and Storage Management (cont.)

MCTS Windows Server 2008 Active Directory

386

Distributed File System


Distributed File System (DFS) groups shared folders from

multiple servers into a single folder hierarchy, with replication for fault tolerance

A DFS hierarchy is referred to as a namespace


Entire namespaces can be replicated DFS load-balances the servers involved in replication

Does not require AD; however, load balancing and fault

tolerance are only available on a domain-based namespace

MCTS Windows Server 2008 Active Directory

387

Distributed File System (cont.)

388

File Server Resource Manager

File Server Resource Manager (FSRM) is a suite of services and management tools for monitoring storage space, managing quotas, controlling the types of files that users can store on a server, and creating storage reports Contains three tools

Quota Management File Screening Management Storage Reports Management

File Server Resource Manager (cont.)

File Server Resource Manager (cont.)

File Server Resource Manager (cont.)

Windows Printing
Print device

Physical print device, two basic types

Local print device


Network print device

Printer

The icon in the Printers folder that represents print devices

Print Server

A Windows computer thats sharing a printer

Print queue

A storage location for print jobs awaiting printing

Configuring a Print Server

A print server can provide additional printing functions Access control Printer pooling

Printer priority
Print job management Availability control In order to configure a Windows 2008 Server system as a print server, a printer must be shared

Configuring a Print Server (cont.)

The Sharing tab in a printers Properties dialog box provides the following options:

Share this printer


Share name Render print jobs on client computers List in the directory Additional Drivers

Configuring a Print Server (cont.)

Configuring a Print Server (cont.)


The Advanced tab of a print servers Properties dialog box

provides more options for controlling the print server


Always available / Available from Priority Driver Spooling options Hold mismatched documents Print spooled documents first Keep printed documents

Enable advanced printing features


Printing Defaults Print Processor Separator Page

Configuring a Print Server (cont.)

Printer Permissions

Provides similar control to Share and NTFS permissions

No permission inheritance for printers


Three standard permissions

Print
Manage printers

Manage documents
In addition, there are six special permissions

Print Management from the Print Services Role


Print Services role is not necessary to create printer shares or to manage the print server Provides the Print Management snap-in, which can be used to manage multiple printers and print servers Allows the installation of two other role services: Line Printer Daemon (LPD) and Internet Printing

Print Management from the Print Services Role (cont.)


Print Management MMC is made available Using Print Management, you can view status information and

manage all printers and print servers on the network


Tasks you can perform
Install a new printer

Share a printer
Migrate printers Deploy printers by using group policies List or remove printers from Active Directory Display printers based on a filter

Chapter Summary

File systems define the method and format that an OS uses to store, locate, and retrieve files from storage media; Windows supports two file systems: FAT and NTFS FAT file system consists of two variations: FAT16 and FAT32 FAT16 is limited to 2 GB partitions, and FAT32 supports up to 2 TB; FAT file systems lack encryption, file compression, and file and folder security

Chapter Summary (cont.)

NTFS is the ideal file system on Windows systems; features include file and folder security, disk quotas, mount points, shadow copies, file compression, and EFS

Files can be accessed interactively (locally) or across the network (remotely)


Share permissions are applied only to network access, and NTFS permissions are applied to interactive and network access; the most restrictive permission of the two is enforced

Chapter Summary (cont.)

There are three share permissions: Read, Change, and Full control; NTFS permissions have 6 standard permissions and 13 special permissions

Files can be shared by using the File Sharing Wizard, the Advanced Sharing dialog box, the Shared Folders snapin, and the Share and Storage Management snap-in
Windows includes administrative shares automatically, which are hidden and accessible only by members of the Administrators group

Chapter Summary (cont.)


The File Services role adds tools to manage all aspects of storage and can install several additional role services Windows printing consists of these components: print device, printer, print server, and print queue The Print Services role provides printer sharing, the Print Management snap-in, and optionally the LPD Service and Internet Printing role services

Introduction to IIS 7.0 Architecture

Introduction to IIS 7.0 Architecture


A new service, Windows Process Activation Service (WAS), which enables sites to use protocols other than HTTP and HTTPS A Web server engine that can be customized by adding or removing modules A new approach to processing requests, integrating the request-processing pipelines from IIS and ASP.NET

IIS 7.0 Components Protocol Listeners Hypertext Transfer Protocol Stack (HTTP.sys) World Wide Web Publishing Service (WWW service) Windows Process Activation Service (WAS) IIS 7.0 Modules Native Modules Managed Modules IIS 7.0 Request Processing IIS 7.0 Application Pools HTTP Request Processing in IIS 7.0

IIS 7.0 Components


HTTP.sys World Wide Web Publishing Service (WWW service) Windows Process Activation Service (WAS)

Protocol Listeners - HTTP.sys


Picks up the client request from the web browser and sends it to IIS for processing. Once IIS processes the request, HTTP.sys returns a response to the client browser. IIS 7.0 provides HTTP.sys as the protocol listener that listens for HTTP and HTTPS requests.

Hypertext Transfer Protocol Stack (HTTP.sys) {Since IIS 6.0 replacing Windows Sockets API (Winsock) used in IIS 5.0}
The HTTP listener is part of the networking subsystem of Windows operating systems, and it is implemented as a kernel-mode device driver called the HTTP protocol stack (HTTP.sys). HTTP.sys listens for HTTP requests from the network, passes the requests onto IIS for processing, and then returns processed responses to client browsers.

HTTP.sys provides the following benefits: Kernel-mode caching. Requests for cached responses are served without switching to user mode. Kernel-mode request queuing. Requests cause less overhead in context switching because the kernel forwards requests directly to the correct worker process. If no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up. Request pre-processing and security filtering.

World Wide Web Publishing Service (WWW service) In IIS 7.0, functionality that was previously handled by the World Wide Web Publishing Service (WWW Service) alone is now split between two services:
WWW Service Windows Process Activation Service (WAS)

How WWW Service works in IIS 6.0

In IIS 6.0, WWW Service manages the following main areas in IIS: HTTP administration and configuration WWW Service reads configuration information from the IIS metabase and uses that information to configure and update the HTTP listener, HTTP.sys. In addition, WWW service starts, stops monitors, and manages worker processes that process HTTP requests. Process management WWW Service monitors performance and provides performance counters for Web sites and for the IIS cache. Performance monitoring WWW Service manages application pools and worker processes, such as starting, stopping, and recycling worker processes. Additionally, WWW Service monitors health of the worker processes, and invokes rapid fail detection to stop new processes from starting when several worker processes fail in a configurable amount of time.

How WWW Service works in IIS 7.0


In IIS 7.0, WWW service no longer manages worker processes. Instead, WWW Service is the listener adapter for the HTTP listener, HTTP.sys. As the listener adapter, WWW Service is primarily responsible for configuring HTTP.sys, updating HTTP.sys when configuration changes, and notifying WAS when a request enters the request queue. Additionally, WWW Service continues to collect the counters for Web sites. Because performance counters remain part of the WWW Service, they are HTTP specific and do not apply to WAS.

Windows Process Activation Service (WAS)


In IIS 7.0, Windows Process Activation Service (WAS) manages application pool configuration and worker processes instead of WWW Service. This enables you to use the same configuration and process model for HTTP and non-HTTP sites.

Configuration Management in WAS


On startup, WAS reads certain information from the ApplicationHost.config file, and passes that information to listener adapters on the server. Listener adapters are components that establish communication between WAS and protocol listeners, such as HTTP.sys. The following list describes the type of information that WAS reads from configuration: Global configuration information Protocol configuration information for both HTTP and non-HTTP protocols Application pool configuration, such as the process account information Site configuration, such as bindings and applications Application configuration, such as the enabled protocols and the application pools to which the applications belong

Process Management
WAS manages application pools and worker processes for both HTTP and non-HTTP requests.

IIS 7.0 Modules


Native Modules - Native modules are native code DLLs that perform feature-specific work for processing requests. For example, WindowsAuthModule performs Windows Integrated authentication using NTLM, and HttpLoggingModule passes information and processing status to HTTP.sys for logging. Managed Modules - Managed modules can perform request work alongside native modules. By including managed modules, you can take advantage of managed features, such as Forms authentication, for requests to all types of content, not just ASP.NET content.

Handler Mappings
In IIS 7, handlers generate responses for requests made to sites and applications. Like modules, handlers are implemented as either native or managed code. When you have a certain type of content in your site or application, you must have a handler that can process requests for that type of content and you must map that handler to the content type. For example, there is a handler (Asp.dll) that processes requests for ASP pages, and, by default, IIS 7 maps the handler to all requests for ASP files.

ISAPI Filters
Internet Server Application Programming Interface (ISAPI) filters are programs that you can add to IIS to enhance Web server behavior.

IIS 7.0 Request Processing


In IIS 7.0, the IIS and ASP.NET request pipelines combine to process requests with an integrated approach. The new request-processing architecture consists of an ordered list of native and managed modules that perform specific tasks in response to requests.

Benefits include: All file types can use features that were originally available only to managed code. Second, this design eliminates the duplication of several features in IIS and ASP.NET. (In IIS 6.0 IIS and ASP.NET used separate pipelines) You can manage all of the modules in one location, instead of managing some features in IIS and some in the ASP.NET configuration.

IIS 7.0 Application Pools


Integrated application pool mode (Combined pipeline) Classic application pool mode (Separate pipeline)

HTTP Request Processing in IIS 7.0


IIS 7.0 has a similar HTTP request-processing flow as IIS 6.0. The diagrams in this section provide an overview of an HTTP request in process. The following list describes the request-processing flow that is shown in figure 1: 1. When a client browser initiates an HTTP request for a resource on the Web server, HTTP.sys intercepts the request. 2. HTTP.sys contacts WAS to obtain information from the configuration store. 3. WAS requests configuration information from the configuration store, applicationHost.config. 4. WWW Service receives configuration information, such as application pool and site configuration. 5. WWW Service uses the configuration information to configure HTTP.sys. 6. WAS starts a worker process for the application pool to which the request was made. 7. The worker process processes the request and returns a response to HTTP.sys. 8. The client receives a response.

In a worker process, an HTTP request passes through several ordered steps, called events, in the Web Server Core.

Figure : Detail of a HTTP request inside the Worker Process

Upgrading IIS 6.0 to IIS 7.0/7.5


Upgradation Steps Upgradation Paths

Implementing FTP Configuring FTP Sites Securing FTP Sites Implementing SMTP Configuring SMTP

Upgrading Branch Office Servers

Migrating or Upgrading a Windows Server 2003 Branch Office Server to Windows Server 2008 Low-Touch Branch Office Server Deployment

LAB

Prepare a Windows Server 2008 Server Core Installation for use as a Branch Office Server

Windows Server 2008: Virtualization

Clinic Outline
Overview of Microsoft Hyper-V Technical Background and Architecture

Managing Microsoft Hyper-V


Implementation Scenarios Recommendations

More Control

Increased Protection

Greater Flexibility

Spend Less Time on Everyday Tasks


Enhanced Scripting and Task Automation Role Based Installation and Management

Hardens the OS and Protects Your Environment


Better Security and Compliance Network Access Protection

Quickly Respond to Changing Business Needs


Centralized Application and Remote Access Solutions Integrated Server Virtualization

Microsoft Hyper-V Overview


Hypervisor and Standards based Runs on Windows Server 2008 x64 as a Role CPU must support hardware-assisted virtualization

and DEP

Microsoft Hyper-V Core Design Scenarios Production Server Consolidation


Replace many physical servers with virtual machines

Business Continuity Management


Move workloads to different physical locations

Dynamic Data Center


Dynamically allocate resources to respond to needs

Test and Development


Repeatable, customizable environments

Technical Background

Architecture Management SCVMM Technical Features

High Availability

Architecture Child partition


Provided by Windows Win Virtualizaton Others

Parent partition
Virtualization Stack WMI VM Service VM Worker

Guest Applications

VSP Windows (core) s Kernel VMBus Windows Hypervisor Hardware

VSCs

Windo ws

Kernel

Enlightments

Installing Microsoft Hyper-V

Server Manager

OCSetup Command

Managing Microsoft Hyper-V


Managing Virtualization Settings Managing Virtual Hard Disks (VHDs)

Modifying Virtual Hard Disks


Managing Virtual Networking Using the Virtual Switch

Managing Virtualization Settings

Creating Virtual Hard Disks

Modifying Virtual Hard Disks

Editing disks

Compact
Convert Expand Inspecting disks View Information Merge with Parent

Demonstration: Working with Virtual Hard Disks

Creating a dynamically expanding disk Creating a fixed disk Creating a differencing disk Editing an existing disk Inspecting an existing disk

Managing Virtual Networking

Default Network Switches

Internal
External None

Creating New Network Switches

Demonstration: Working with Virtual Switches

Default Virtual Switches Adding a new Virtual Switch VLAN Settings

Managing Virtual Machines


Creating Virtual Machines Managing Virtual Machine Settings

Managing Running Virtual Machines

Creating Virtual Machines


New Virtual Machine Wizard Setting Name Description Used to refer to the Virtual Machine

Location:
Memory: Network: Virtual Hard Disk: OS Installation:

Folder in which the VM files are stored


Amount of physical RAM to allocate to the VM The virtual switch that the virtual network adapter is attached to Allows you to create a new disk or select an existing disk The method for installing the operating system into the VM

Managing Virtual Machines

Managing Running Virtual Machines


Connecting to Running VMs

Virtual Machine Connection (VMC)

Uses an implementation of Remote Desktop Protocol (RDP) Allows interaction with VM before it is started
Using Snapshots

Point-in-time Allows for rollback when VM is offline Replaces previous undo disks functionality
Saved State

Records the running state of the VM

Microsoft Hyper-V Features and Capabilities

Migrate to Microsoft Hyper-V Secure Virtualization Platform Manage with Group Policy

Snapshots
Automation via WMI CPU Utilization Control Utilization Counters Offline VHD Manipulation

Support nonMicrosoft Guests


Dynamic Secure Storage

High Availability in Microsoft Hyper-V


Failover Clustering Multiple Servers working together as

a single system.

Live Migration Backup

Failover Clustering

Automatic Failover Host

Host

Cluster

Virtual Machine Live Migration

Virtual Machines

HOST1

HOST2

SCVMM

Backing up Virtual Machines


Volume shadow copy No need to power down virtual machines

VSS ensures a consistent state in the virtual machine


Must have backup integration component enabled

System Center Virtual Machine Manager

Maximize Data Center Rapid Provisioning Leverage Expertise Manage Virtual Machines

Implementation/Usage Scenarios

Server Consolidation Dynamic Data Center Branch Office Operations Testing and Development

Server Consolidation

Operational Efficiency Reduced Cost Uniform Platform Simplified Management

Dynamic Data Center

Flexible Resource Management


Hot-add resources Live Virtual Machine Migration Group Policy Guest Support

Branch Office Management

Server Core Server Consolidation Deployment

Testing and Development

Production System Management Virtual Machine Snapshots

Live Migration
Cloning

Application and Systems Development


Virtual Machine Snapshots System Center Virtual Machine Manager Cloning

Recommendations

Verify hardware supports virtualization

Place virtual hard disk files on dedicated disks


Implement a uniform hardware base to ensure maximum portability Install virtual machine enhancements

Lab: Microsoft Hyper-V

In this lab, you will:


Configure Microsoft Hyper-V Create and Manage a Virtual Machine Explore Microsoft Hyper-V Using

Windows PowerShell

Best Practices for Windows Common Dos and Donts

Hosted by

Best Practices for Windows Security Common Dos and Donts

Hosted by

1. Keep Systems up to date


CERT, and others: 90 95% of successful attacks could be prevented with up-to-date systems Every single attack in Hacking Exposed is balanced with a configuration or patch already in existence Many world-wide security attacks would not have been successful if systems were updated

Hosted by

How to Keep Systems UP-to-Date


Apply Service Packs

Apply Hotfixes
Use automated patch distribution

0 50 users use Windows Update

Apply service pack three Windows 2000 and configure Configure XP


50- 500 users user Software Update Services Download free from Microsoft, install and configure

Configure Clients
500 + Use Software Update Services Feature pack and SMS Download Feature Pack (free to licensed SMS users) Configure for automated update and auditing

Hosted by

2. Follow Microsoft advice for hardening systems Checklists, security templates, instructions abound!

Use them!
Many successful attacks could have been

prevented by using these instructions.

Hosted by

What Microsoft Advice?


Windows Security Checklists: www.microsoft.com/security

Hosted by

3. Use Native Security Tools


For deploying security settings

Security Templates secedit Security Configuration and Analysis Group Policy

To secure systems
Software Restriction policies

Password reset disks


Authorization manager

Hosted by

4. Design a BaseLine Policy


Auditing Services

Accounts
Security Options User Rights Then design incremental policies for computer and user roles in your network

Hosted by

Strengthen passwords
Teach users how to make strong passwords Audit password strength periodically

Hosted by

Hosted by

Turn on Auditing Review Logs


Monitor for attack indicators

643 domain policy changed 644 user account locked 675 pre-authentication failed 681 domain logon filature 529, 530, 531, 532, 533, 535,534, 539, 548, 549 logon failure

Monitor for attack patterns

Large number of failed logons, then success

Hosted by

Adjust User Rights


Restrict to Administrators, NETWORK SERVICE, LOCAL SERVICE Adjust memory quotas

Hosted by

Use deny rights to restrict access


Use deny rights to restrict access Deny logon rights

Deny access from network


Deny local logon Logon as a batch job Logon using terminal services

Hosted by

Do not grant to anyone:


Act as part of the operating system Debug

Hosted by

Restrict to Administrators
Right to Restore files and folders Change System Time Allow logon to Terminal Services (on non

terminal services boxes)

Hosted by

Deny access
To SUPPORT_388945a0 account To computer from network Logon as a batch Logon through terminal services To non-operating systems service accounts Logons from terminal services To compute from network

Hosted by

Adjust Security Options


Rename administrator, guest account
Restrict CD-ROM, floppy to local user Digitally sign network communications Restrict anonymous connections Tighten accessible named pipes/shares Do not store LAN Manager password Use NTLMv2 session security

Use NTLMv2 only, refuse LM and NTLM


Shutdown clear memory page file

Hosted by

Manage Event Logs


Enlarge all Especially security log Archive and clear frequently Monitor for sudden increase in size

Examine contents looking for attack patterns

Hosted by

Manage Services
Set permissions: who can start , stop, disable?

Dont use domain accounts for services


Disable unnecessary services Will vary for each computer role Create a baseline which disables most; enable those
needed only as necessary

Hosted by

Unnecessary services?
Baseline:

Application Layer Gateway Service Application Management ASP .NET State Service Automatic Updates Background Intelligent Transfer Service. Certificate Services Client Service for Netware Clustering Service*COM+_System Application DHCP Server

Distributed Link Tracking


Client. Distributed Link Tracking Server. Distributed Transaction Coordinator DNS Server Error Reporting Service Fax Service File Replication File Server for Macintosh FTP Publishing Service

Hosted by

More services you dont need


Help and Support HTTP SSL Human Interface Device
Access

IP Version 6 Helper Service


Kerberos Key Distribution Center License Logging Service Message Queuing Message Queuing Down Level Clients Message Queuing Triggers

IIS Admin Service IMAPI CD Infrared Internet Authentication


Service

Internet Connection Firewall Intersite Messaging

Messenger
Microsoft POP3 Service MSSQL$UDDI

Hosted by

And More
MSSQLServerADHelper
.NET Framework Support Service NetMeeting Remote Desktop Sharing

Remote Access Connection Manager


Remote Desktop Help Session Manager Remote Installation Remote Procedure Call Locator

Network DDE
Network DDE DSDM NNTP Portable Media Serial Number

Remote Server Manager


Remove Server monitor Remote Storage Notification Remote Storage Manger Removable Storage Resultant Set of Policy Provider Routing and Remote Access SAP Agent Secondary Logon

Print Server for Macintosh


Print Spooler Remote Access Auto Connection Manager

Hosted by

And More

Shell Hardware Detection


SMTP Simple TCP/IP Services Single Instance Storage Groveler Smart Card SNMP Service SNMP Trap Service Special Administration Console Helper SQLAgent$ Task Scheduler TCP/IP Print Server Telephony

Telnet
Terminal Services Licensing Terminal Services Session Directory Themes Trivial FTP Daemon UPS Upload manager Virtual Disk Service Web Client Web Element Manager Windows Audio Windows Image Acquisition (WIA)

Hosted by

And more
WINS Windows Media Services Windows System Resource Manger WinHTTP Web Proxy Auto Discovery service Wireless Configuration World Wide Web Publishing Service

Hosted by

Set Restricted Groups Add group Enter authorized members Users added in normal GUI will be removed if not also added here

Hosted by

Set Object ACLs, SACLs


Use NTFS Set common settings in templates, policies

Hosted by

5. Use IPSec Policies


File Server Example Block access from all to any port Allow access from Any source address to the file server for
ports 445, 137, 138 and 139

Restrict access to terminal services (port 3389) by


allowing access from specific computers. (this helps to compensate for the blocking of RPC traffic used by many management services.)

Allow all traffic to and from the file server and domain
controllers

Allow traffic between the file server and Microsoft


Operations Manager (MOM)

Hosted by

6. Use Constrained Delegation


Only where delegation is required No blanket rights Only for specific services Not for administrator accounts

Hosted by

7. Ensure Correct Time


NTLMv2 authentication requires client and server clocks to be within 30 minutes of each other. Kerberos only allows a 5 minute difference. Event correlations between computers will not be possible if there are time differences. Evidence must be correctly identified or it is not valid evidence.

Hosted by

8. Set account restrictions


Logon hours Logon to Restrict delegation others

Hosted by

Accounts have unique SIDS; policy that might impact these accounts cannot be centrally set Guest the group Guests Support 388045a0

Hosted by

9. Use Administrative Templates

Hosted by

10. Use Certificate Services


Key archival for EFS Certificates for smart cards, authentication, IPSec, email etc. SSL

Hosted by

Bonus -

Dont use EFS

Unless properly managed Archived keys Recovery policy in place