English, 492 pages [661], 2008
Windows Server 2008: The Definitive Guide, by Jonathan Hassell. Publisher: O'Reilly. Pub Date: March 15, 2008. Print ISBN-13: 978-0-596-51411-2. Pages: 492.

Overview

This practical guide has exactly what you need to work with Windows Server 2008. Inside, you'll find step-by-step procedures for using all of the major components, along with discussions of complex concepts such as Active Directory replication, DFS namespaces and replication, Network Access Protection, the Server Core edition, Windows PowerShell, server clustering, and more. All of this comes with a more compact presentation and a tighter focus on tasks than you'll find in bulkier references. Windows Server 2008: The Definitive Guide takes a refreshing approach. You won't find the history of Windows NT, or discussions of the way things used to work. Instead, you get only the information you need to use this server. If you're a beginning or intermediate system administrator, you learn how the system works and how to administer machines running it. The expert administrators among you discover new concepts and components outside your realm of expertise. Simply put, this is the most thorough reference available for Windows Server 2008, with complete guides to:

Installing the server in a variety of different environments
File services and the Windows permission structure
How the Domain Name System (DNS) works
Active Directory, including its logical and physical structure, hierarchical components, scalability, and replication
Group Policy's structure and operation
Managing security policy with predefined templates and customized policy plans
Architectural improvements, new features, and daily administration of IIS 7
Terminal Services from both the administrator's and the user's points of view
Networking architecture, including DNS, DHCP, VPN, RADIUS server, IAS, and IPSec
Windows clustering services: applications, grouping machines, capacity and network planning, user account management
Windows PowerShell scripting and command-line technology

With Windows Server 2008: The Definitive Guide, you come away with a firm understanding of what's happening under the hood, but without the sense that you're taking a graduate course in OS theory. If you intend to work with this server, this is the only book you need.
Table of Contents

Preface
Chapter 1. Introducing Windows Server 2008
  1.1. The Biggest Changes
  1.2. Networking Improvements
  1.3. Security Improvements
  1.4. Manageability Improvements
  1.5. Performance and Reliability Upgrades
  1.6. Windows Server 2008 Editions
  1.7. Hardware Requirements
  1.8. The Last Word
Chapter 2. Installation and Deployment
  2.1. Installing Windows Server 2008
  2.2. Initial Configuration Tasks
  2.3. Deployment
  2.4. The Last Word
Chapter 3. File Services
  3.1. File and Print Server Features
  3.2. Setting Up File Sharing Services
  3.3. NTFS File and Folder Permissions
  3.4. The File Server Resource Manager
  3.5. Disk-Based Quotas
  3.6. Using Offline Files and Folders
  3.7. Using Previous Versions
  3.8. The Distributed File System
  3.9. Command-Line Utilities
  3.10. The Last Word
Chapter 4. Domain Name System
  4.1. Nuts and Bolts
  4.2. Zones Versus Domains
  4.3. Resource Records
  4.4. Using Primary and Secondary Nameservers
  4.5. Building a Nameserver
  4.6. Subdomains and Delegation
  4.7. Dynamic DNS
  4.8. Active Directory-Integrated Zones
  4.9. Forwarding
  4.10. The Split DNS Architecture
  4.11. Backup and Recovery
  4.12. Command-Line Utilities
  4.13. The Last Word
Chapter 5. Active Directory
  5.1. Active Directory Domain Services Objects and Concepts
  5.2. Building an AD DS Structure
  5.3. Understanding Operations Master Roles
  5.4. Understanding Directory Replication
  5.5. Active Directory Troubleshooting and Maintenance
  5.6. The Last Word
Chapter 6. Group Policy and IntelliMirror
  6.1. An Introduction to Group Policy
  6.2. Group Policy Implementation
  6.3. Local Group Policy
  6.4. Domain Group Policy
  6.5. Deployment Considerations
  6.6. Troubleshooting Group Policy
  6.7. Other Group Policy Management Tools
  6.8. Command-Line Utilities
  6.9. The Last Word
Chapter 7. Windows Security and Patch Management
  7.1. Understanding Security Considerations
  7.2. Locking Down Windows
  7.3. Using Auditing and the Event Log
  7.4. The Last Word
Chapter 8. Internet Information Services 7
  8.1. Major Improvements
  8.2. The New Architecture
  8.3. Roles
  8.4. Managing IIS Graphically
  8.5. Managing IIS from the Command Line
  8.6. The Last Word
Chapter 9. Windows Server 2008 Server Core
  9.1. The Lack of a Shell
  9.2. Realistic Deployment Scenarios
  9.3. No Managed Code
  9.4. Few Third-Party Software Applications
  9.5. Installation
  9.6. Initial Configuration
  9.7. Administering Windows Server 2008 Server Core Machines
  9.8. The Last Word
Chapter 10. Terminal Services
  10.1. The Remote Desktop Protocol
  10.2. Adding the Terminal Server Role
  10.3. Enabling Remote Desktop
  10.4. On the User's Side
  10.5. Terminal Services Administration
  10.6. Terminal Services RemoteApp
  10.7. Terminal Services Web Access
  10.8. Terminal Services Gateway
  10.9. Command-Line Utilities
  10.10. The Last Word
Chapter 11. DHCP and Network Access Protection
  11.1. Dynamic Host Configuration Protocol
  11.2. Network Access Protection
  11.3. The Last Word
Chapter 12. An Introduction to Clustering Technologies
  12.1. Network Load-Balancing Clusters
  12.2. Server Clustering
  12.3. Command-Line Utilities
  12.4. The Last Word
Chapter 13. PowerShell
  13.1. Why PowerShell?
  13.2. Installing PowerShell
  13.3. PowerShell and Security
  13.4. Starting Up PowerShell
  13.5. Cmdlets: The Heart of PowerShell
  13.6. Getting Help with PowerShell
  13.7. Using Data Stores and PowerShell Providers
  13.8. The Pipeline
  13.9. Formatting Basics
  13.10. Variables
  13.11. Writing Scripts
  13.12. Objects: .NET, WMI, and COM
  13.13. Advanced PowerShell
  13.14. Learning More About PowerShell
  13.15. The Last Word
Chapter 14. Hyper-V
  14.1. How It Works
  14.2. Getting Started with Hyper-V
  14.3. Virtualization Strategy
  14.4. The Last Word
Colophon
Index
Windows Server 2008: The Definitive Guide, by Jonathan Hassell. Copyright © 2008 Jonathan Hassell. All rights reserved. Printed in the United States of America. Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Editor: John Osborn
Production Editor: Rachel Monaghan
Copyeditor: Colleen Gorman
Proofreader: Rachel Monaghan
Indexer: Lucie Haskins
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Jessamyn Read

Printing History:
March 2008: First Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Windows Server 2008: The Definitive Guide, the image of an albatross, and related trade dress are trademarks of O'Reilly Media, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. This book uses RepKover™, a durable and flexible lay-flat binding. ISBN: 978-0-596-51411-2 [M]
Preface

Microsoft's server-oriented Windows operating systems have grown by leaps and bounds in capabilities, complexities, and sheer number of features since the release of Windows NT Server in the early 1990s. With each release, system administrators have found themselves grappling with new concepts, from domains, directory services, and virtual private networks, to client quarantining, disk quotas, and universal groups. Just when you've mastered one set of changes, another comes along and suddenly you're scrambling once again to get up to speed. A vicious cycle this IT business is.

One source of help for the beleaguered administrator has always been the technical book market and its communities of authors, publishers, and user groups. Major releases of popular operating systems have always been accompanied by the publication of books written to support them, often encouraged by the software manufacturers. Some tout themselves as complete guides to their software compadres, while others approach their subject gingerly, as though their readers were of questionable intellectual capacity. But over the years, many of these books have become as complex, and have accumulated as much detritus, as the operating systems they explain. You now see on the shelves of your friendly local bookstores 1,200-plus-page monstrosities that you might find useful, but only if you enjoy dealing with 30 pounds of paper in your lap or on your desk, and only if you find it productive to wade through references to "how things worked" four versions of Windows NT ago. After all, there's a limit to how many times you can revise something before it's best to simply start from scratch. Do you need all of that obsolete information to do your job efficiently?

I'm wagering that you don't (my luck in Las Vegas notwithstanding), and it was in that spirit that I set out to write Windows Server 2008: The Definitive Guide. I have trimmed the content of this volume to include just enough background on a subject for you to understand how different features and systems work in this version of Windows. I want you to come away from reading sections with a firm understanding of what's happening under the hood of the system, but without the sense that you're taking a graduate course in OS theory. Most of all, I want this book to be a practical guide that helps you get your work done: "here's how it works; here's how to do it." The book you're either holding in your hands right now or reading online provides a more compact presentation, a lower price, and a tighter focus on tasks than other books on the market. I hope that this work meets your expectations, and I hope you turn to it again and again when you need to understand the massive product that is Windows Server 2008.

P.1. Audience

Beginning-to-intermediate system administrators will find this book a very helpful reference for learning how Windows Server 2008 works and the different ways to administer machines running that operating system. This book has step-by-step procedures and discussions of complex concepts such as Active Directory replication, DFS namespaces and replication, Network Access Protection, the Server Core edition, Windows PowerShell, and server clustering. Although I've eliminated material that isn't relevant to day-to-day administration, you will still find the chapters full of useful information.

Advanced system administrators will also find this book useful for discovering new concepts and components outside of their realm of expertise. I've found that senior system administrators often focus on one or two specific areas of a product and are less familiar with other areas of the OS. This book provides a stepping-stone for further exploration and study of secondary parts of the operating system.

One other item to mention: throughout the book I've tried to highlight the use of the command line in addition to (or in some cases, as opposed to) graphical ways to accomplish tasks. Command lines, in my opinion, are fabulous for quickly and efficiently getting things done, and they provide a great basis for launching into scripting repetitive tasks. Microsoft has done an excellent job of integrating command-line functions into this revision of Windows, and I've attempted to do the effort justice within the text. But none of this should make you shy away from this book if you are a GUI aficionado: you'll still find everything you're accustomed to within this volume.
P.2. Organization and Structure

In structuring the contents of this book I have tried to make a logical progression through the product, from a high-level overview through complete discussions and treatments of all its major components. Here's how this book is organized:

Chapter 1
Covers the product on a very general basis, from Microsoft's philosophy behind the product itself and the different versions of the product that are available, to an overview of the features in this release that are new or otherwise improved and a complete overview of the system design. This chapter is designed to give the administrator a complete and systematic overview of the product.

Chapter 2
Provides a detailed guide to installing the product in a variety of environments. I also include information on mass deployments using Windows Deployment Services, a vast improvement over previous image installation options offered in the box.

Chapter 3
Discusses the file services built into Windows Server 2008. The chapter begins with an overview of sharing and a guide to creating shares, publishing them to Active Directory, mapping drives, using the My Network Places applet, and accessing shares from the Start → Run command and from within Internet Explorer. Then I dive into a detailed discussion of the Windows permission structure, including permission levels, "special" permissions, inheritance, and ownership. Here, you'll also find a guide to setting permissions. Also covered in this chapter is an overview of the Distributed File System (DFS), and how to set it up and manage it.
Chapter 4
Covers the Domain Name System, or DNS. Because DNS is such a fundamental component of Active Directory, I wanted to include a separate treatment of how it works, including a discussion of the different types of resource records and zone files supported, integration with Active Directory, the split DNS architecture, and backup and recovery of DNS data.

Chapter 5
Most installations of Windows Server 2008 will include installation of the Active Directory technology because so many products that require the server OS are tightly integrated with Active Directory. Chapter 5 provides a complete guide to the technical portion of Active Directory, including its logical and physical structure, hierarchical components (domains, trees, forests, and organizational units), scalability, and replication. Coverage of the LDAP standards is included, as well as a discussion of migration and security considerations. Then I move into planning strategies, installing Active Directory onto Windows Server, and the day-to-day administrative tools.

Chapter 6
Discusses Group Policy (GP), one of the most underappreciated management technologies in any server product. Chapter 6 is dedicated to introducing GP and its structure and operation. I begin with a survey of GP and Active Directory interaction, objects, and inheritance. Then I provide a practical guide to implementing GP through user and computer policies and administrative templates, installing software through GP, administration through scripting, and redirecting folders and other user interface elements. I also discuss IntelliMirror, a cool technology for application distribution (similar to ZENworks from Novell).

Chapter 7
Helps ensure that you are well versed in locking down your systems to protect both your own computers and the Internet community as a whole. I cover security policy, including ways to manage it using predefined templates and customized policy plans, and an overview of the Security Configuration and Analysis Tool, or SCAT. Then I provide a complete procedural guide to locking down both a Windows network server and a standard Windows client system (despite the fact that this is a server book, administrators often are responsible for the entire network, and client and server security go hand in hand).

Chapter 8
Covers the details of the major IIS revamp in this release. In version 7, IIS is arguably the best web server software available. I cover the architectural improvements and new features in this release, and then move on to a practical discussion of daily IIS administration.

Chapter 9
Covers the new Server Core editions of Windows Server 2008, including deployment, activation, and using these new GUI-less versions of the operating system.

Chapter 10
Provides a guide to Terminal Services, including an overview from the server administrator's perspective and a similar overview from a typical user's point of view. Then I cover how to install both Terminal Services itself and applications such as Microsoft Office and other tools inside the Terminal Services environment. A guide to configuring Terminal Services follows, including procedures for general configuration, remote control options, environment settings, logons, sessions, and permission control. Concluding the chapter is a guide to daily administration using Terminal Services Manager, the Active Directory user tools, Task Manager, and command-line utilities.

Chapter 11
Covers the standard networking architecture of the operating system, including addressing and routing issues. Then I move into a discussion of the various network subsystems: the Domain Name System (DNS), the Dynamic Host Configuration Protocol (DHCP), and a discussion of VPN connectivity, the different phases of VPN, tunneling and encryption, and the RADIUS server bundled with Windows Server, the Internet Authentication Service (IAS). Finishing up the chapter, I discuss IPSec, its support from within the OS, and how to install, configure, use, and administer it. Coverage of client quarantining is also included.
Chapter 12
Covers Windows clustering services. First, a discussion of the different types of clustering services is provided, and then I cover successfully planning a basic cluster and its different elements: the applications, how to group the machines, capacity and network planning, user account management, and the possible points of failure. A treatment of Network Load Balancing clusters follows, and I round out the chapter with a guide to creating and managing server clusters, as well as an overview of the administrative tools bundled with the OS.

Chapter 13
Discusses Windows PowerShell, the powerful object-based scripting and command-line technology now bundled with Windows Server 2008.

Chapter 14
Covers the fundamentals of Microsoft's currently prerelease virtualization solution called Hyper-V, including its structure, operation, and setup on Windows Server 2008. We'll also look at creating virtual machines, and we'll wrap up with what to expect upon Hyper-V's official release.
P.3. Conventions Used in This Book

The following typographical conventions are used in this book.

Plain text
    Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).

Italic
    Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and command-line utilities.

Constant width
    Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands.

Constant width bold
    Shows commands or other text that should be typed literally by the user.

Constant width italic
    Shows text that should be replaced with user-supplied values.

The tip icon signifies a tip, suggestion, or general note.

The warning icon indicates a warning or caution.
P.4. Using Code Examples

This book is here to help you get your job done. In general, you can use the code in this book in your programs and documentation. You do not need to contact O'Reilly for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission.

O'Reilly appreciates, but does not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: "Windows Server 2008: The Definitive Guide by Jonathan Hassell. Copyright 2008 Jonathan Hassell, 978-0-596-51411-2."

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact O'Reilly at permissions@oreilly.com.

P.5. We'd Like to Hear from You

Please address comments and questions concerning this book to the publisher:

O'Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

O'Reilly has a web page for this book, where it lists errata, examples, and any additional information. You can access this page at:
http://www.oreilly.com/catalog/9780596514112

To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com

For more information about our books, conferences, Resource Centers, and the O'Reilly Network, see the O'Reilly web site at:
http://www.oreilly.com

P.6. Safari® Books Online

When you see a Safari® Books Online icon on the cover of your favorite technology book, that means the book is available online through the O'Reilly Network Safari Bookshelf. Safari offers a solution that's better than e-books. It's a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

P.7. Acknowledgments

I've always liked the fact that the acknowledgments in technical books are typically in the front. That way, when you read the remainder of the book, you already know who to thank for it, unlike in a movie. So, without further ado:

John Osborn at O'Reilly was instrumental in getting this process organized and off the ground and provided very welcome guidance and feedback during the initial stages of writing this book. Errors and shortcomings were dutifully found by the technical review team, which consisted of IT professionals Dan Green, Eric Rezabek, and Debbie Timmons. Special thanks to the many folks at Microsoft and Waggener-Edstrom with whom I worked during the development of the book; their assistance and timely information was quite helpful in putting together this project. Of course, my family is also to thank: particularly my wife, Lisa, who patiently accepted the insufficient answer of "not yet" repeatedly to her reasonable question of "Aren't you done with that book?"
Chapter 1. Introducing Windows Server 2008

It all started with Windows NT, Microsoft's first serious entry into the network server market. Versions 3.1 and 3.5 of Windows NT didn't garner very much attention in a NetWare-dominated world because they were sluggish and refused to play well with others. Along came Windows NT 4.0, which used the new Windows 95 interface (revolutionary only to those who didn't recognize Apple's Macintosh OS user interface) to put a friendlier face on some simple yet fundamental architectural improvements. With version 4.0, larger organizations saw that Microsoft was serious about entering the enterprise computing market, even if the product currently being offered was still limited in scalability and availability. For one, Microsoft made concessions to NetWare users, giving them an easy way to integrate with a new NT network. The company also included a revised security feature set, including finely grained permissions and domains, which signified that Microsoft considered enterprise computing an important part of Windows.

After a record six and one-half service packs, NT 4.0 is considered by some to be the most stable operating system ever to come out of Redmond. However, despite that, most administrators with Unix experience required an OS more credible in an enterprise environment, one that could compare to the enormous Unix machines that penetrated that market long ago and had unquestionably occupied it ever since. It wasn't until February 2000, when Windows 2000 Server was released, that these calls were answered. Windows 2000 was a complete revision of NT 4.0 and was designed with stability and scalability as first priorities. However, something was still lacking.

Sun and IBM included application server software and developer-centric capabilities with their industrial-strength operating systems, Solaris and AIX. Windows 2000 lacked this functionality. In addition, the infamous security problems associated with the bundled Windows 2000 web server, Internet Information Services (IIS), cast an ominous cloud over the thought that Windows could ever be a viable Internet-facing enterprise OS. Given that many saw Microsoft as "betting the company" on a web services initiative called .NET, it was critical that Microsoft save face and do it right the next time. It wasn't too late, but customers were very concerned about the numerous security vulnerabilities and the lack of a convenient patch management system to apply corrections to those vulnerabilities. Things had to change.

From stage left, enter Windows Server 2003. What distinguished the release other than a longer name and a three-year difference in release dates? Security, primarily. Windows Server 2003 came more secure out of the box and was heavily influenced by the month-long halt of new development in March 2002, referred to by Microsoft as the beginning of the Trustworthy Computing Initiative, wherein all developers and product managers did nothing but review existing source code for security flaws and attend training on new best practices for writing secure code. Performance was also improved in the Windows Server 2003 release, focus was put on making the operating system scalable, and in general enterprise administration was made more efficient and easier to automate.

Microsoft also updated some bundled software via the Windows Server 2003 R2 release, making it more straightforward to manage identities over different directory services and security boundaries, distribute files and replicate directory structures among many servers, and more. But as always, no software is perfect, and there's always room for improvement. As business requirements have changed, Microsoft developers worked in tandem on Windows Vista and the next release of Windows on the server. When Windows Vista was released to manufacturing, the teams split again, and the Windows Server 2008 group added a few new features and then focused on performance and reliability until the release.
1.1. The Biggest Changes

Unlike the transition from Windows 2000 Server to Windows Server 2003, which was a fairly minor "point"-style update, Windows Server 2008 is a radical revision to the core code base that makes up the Windows Server product. Windows Server 2008 shares quite a bit of fundamental code with Windows Vista, which was a product derived directly from the techniques of the secure development model (SDM), a sea change in programming methodologies at Microsoft that puts secure code at the forefront of all activity. Thus, a lot of the new features and enhancements you will see in the product are a result of a more secure code base and an increased focus on system integrity and reliability.

The most radical changes to Windows Server 2008 include Server Core and the new Internet Information Services 7.0.

1.1.1. Server Core

Server Core is a minimal installation option for Windows Server 2008 that contains only a subset of executable files and server roles. Management is done through the command line or through an unattended configuration file. According to Microsoft:

    Server Core is designed for use in organizations that either have many servers, some of which need only to perform dedicated tasks but with outstanding stability, or in environments where high security requirements require a minimal attack surface on the server.
Accordingly, there are limited roles that Core servers can perform. They are:

Dynamic Host Configuration Protocol (DHCP) server
Domain Name System (DNS) server
File server, including the File Replication Service, the Distributed File System (DFS), Distributed File System Replication (DFSR), the Network File System (NFS), and Single Instance Storage (SIS)
Print services
Domain controller, including a read-only domain controller
Active Directory Lightweight Directory Services (AD LDS) server
Windows Server Virtualization
IIS, although only with a portion of its normal abilities, namely static HTML hosting, with no dynamic web application support
Windows Media Services (WMS)

Additionally, Server Core machines can participate in Microsoft clusters, use network load balancing, host Unix applications, encrypt their drives with BitLocker, be remotely managed using Windows PowerShell on a client machine, and be monitored through the Simple Network Management Protocol, or SNMP. Most administrators will find that placing Server Core machines in branch offices to perform domain controller functions is an excellent use of slightly older hardware that might otherwise be discarded. The smaller footprint of Server Core allows the OS to do more with fewer system resources, and the reduced attack surface and stability make it an excellent choice for an appliance-like machine. Plus, in a branch office you can combine Server Core with the ability to deploy a read-only domain controller and encrypt everything with BitLocker, giving you a great, lightweight, and secure solution.

1.1.2. IIS Improvements

The venerable Microsoft web server has undergone quite a bit of revision in Windows Server 2008. IIS 7 is, for the first time, fully extensible and fully componentized: you only install what you want, so the service is lighter, more responsive, and less vulnerable to attack. The administrative interface for IIS has also been completely redesigned. Key improvements include:
Newly rearchit ect ed com ponent ized st ruct ure
For t he first t im e in I I S hist ory, adm inist rat ors exercise com plet e cont rol over exact ly what pieces of I I S are inst alled and running at any given t im e. You can run t he exact services you require—no m ore, no less. This is of course m ore secure, not t o m ent ion easier t o m anage and bet t er perform ing.
Flexible ext ensibilit y m odel
I I S 7 allows developers t o access a brand- new set of API s t hat can int eract wit h t he I I S core direct ly, m aking m odule developm ent and cust om izat ion m uch easier t han it ever has been. Developers can even hook int o t he configurat ion, script ing, event logging, and adm inist rat ion areas of I I S, which opens a lot of doors for ent erprising adm inist rat ors and t hird- part y soft ware vendors t o ext end I I S' capabilit ies sooner rat her t han lat er.
Sim plified configurat ion and applicat ion deploym ent
Configurat ion can be accom plished ent irely t hrough XML files. Cent ral I I S configurat ion can be spread across m ult iple files, allowing m any sit es and applicat ions host ed by t he sam e server t o have independent but st ill easily m anaged configurat ions. One of Microsoft 's favorit e dem os of I I S 7 is set t ing up a web farm wit h ident ically configured m achines; as new m em bers of t he farm are brought online, t he adm inist rat or sim ply uses XCOPY and m oves exist ing configurat ion files over t o t he new server, and in a m at t er of seconds, t he I I S set up on t he new m achine is ident ical t o t hat on t he exist ing m achines. This is perhaps t he m ost m eaningful, and m ost welcom e, change in I I S 7.
Delegat ed m anagem ent
Much like Act ive Direct ory allows adm inist rat ors t o assign perm issions t o perform cert ain adm inist rat ive funct ions t o ot her users, I I S adm inist rat ors can delegat e cont rol of som e funct ions t o ot her people, like sit e owners.
Efficient adm inist rat ion
I I S Manager has been com plet ely redesigned and is j oined by a new com m and- line adm inist rat ion ut ilit y, appcm d.exe.
Chapter 1. Introducing Windows Server 2008

It all started with Windows NT, Microsoft's first serious entry into the network server market. Versions 3.1 and 3.5 of Windows NT didn't garner much attention in a NetWare-dominated world because they were sluggish and refused to play well with others. Along came Windows NT 4.0, which used the new Windows 95 interface (revolutionary only to those who didn't recognize Apple's Macintosh OS user interface) to put a friendlier face on some simple yet fundamental architectural improvements. With version 4.0, larger organizations saw that Microsoft was serious about entering the enterprise computing market, even if the product then on offer was still limited in scalability and availability. For one, Microsoft made concessions to NetWare users, giving them an easy way to integrate with a new NT network. The company also included a revised security feature set, including finely grained permissions and domains, which signified that Microsoft considered enterprise computing an important part of Windows. After a record six and one-half service packs, NT 4.0 is considered by some to be the most stable operating system ever to come out of Redmond. Despite that, most administrators with Unix experience required an OS more credible in an enterprise environment, one that could compare to the large Unix machines that had penetrated that market long ago and occupied it unquestionably ever since. It wasn't until February 2000, when Windows 2000 Server was released, that these calls were answered. Windows 2000 was a complete revision of NT 4.0 and was designed with stability and scalability as first priorities. However, something was still lacking.
Sun and IBM included application server software and developer-centric capabilities with their industrial-strength operating systems, Solaris and AIX. Windows 2000 lacked this functionality. In addition, the infamous security problems associated with the bundled Windows 2000 web server, Internet Information Services (IIS), cast an ominous cloud over the thought that Windows could ever be a viable Internet-facing enterprise OS. Given that many saw Microsoft as "betting the company" on a web services initiative called .NET, it was critical that Microsoft save face and do it right the next time. It wasn't too late, but customers were very concerned about the numerous security vulnerabilities and the lack of a convenient patch management system to apply corrections to those vulnerabilities. Things had to change. From stage left, enter Windows Server 2003. What distinguished the release other than a longer name and a three-year difference in release dates? Security, primarily. Windows Server 2003 came more secure out of the box and was heavily influenced by the month-long halt of new development in March 2002, referred to by Microsoft as the beginning of the Trustworthy Computing Initiative, wherein all developers and product managers did nothing but review existing source code for security flaws and attend training on new best practices for writing secure code. Performance was also improved in the Windows Server 2003 release, focus was put on making the operating system scalable, and in general enterprise administration was made more efficient and easier to automate.
Microsoft also updated some bundled software via the Windows Server 2003 R2 release, making it more straightforward to manage identities across different directory services and security boundaries, distribute files and replicate directory structures among many servers, and more. But as always, no software is perfect, and there is always room for improvement. As business requirements changed, Microsoft developers worked in tandem on Windows Vista and the next release of Windows on the server. When Windows Vista was released to manufacturing, the teams split again, and the Windows Server 2008 group added a few new features and then focused on performance and reliability until the release.
1.1. The Biggest Changes

Unlike the transition from Windows 2000 Server to Windows Server 2003, which was a fairly minor "point"-style update, Windows Server 2008 is a radical revision of the core code base that makes up the Windows Server product. Windows Server 2008 shares a great deal of fundamental code with Windows Vista, a product built under Microsoft's Security Development Lifecycle (SDL), a sea change in programming methodology at Microsoft that puts secure code at the forefront of all activity: threat modeling during design, banned unsafe APIs, static analysis, and a final security review before release. Thus, many of the new features and enhancements you will see in the product are the result of a more secure code base and an increased focus on system integrity and reliability.
The most radical changes in Windows Server 2008 are Server Core and the new Internet Information Services 7.0.
1.1.1. Server Core

Server Core is a minimal installation option for Windows Server 2008 that contains only a subset of the executable files and server roles. There is no Explorer shell: management is done from the command line, through an unattended configuration file, or remotely from another machine. According to Microsoft:

Server Core is designed for use in organizations that either have many servers, some of which need only to perform dedicated tasks but with outstanding stability, or in environments where high security requirements require a minimal attack surface on the server.

Accordingly, there is a limited set of roles that Core servers can perform. They are:

Dynamic Host Configuration Protocol (DHCP) server
Domain Name System (DNS) server
File server, including the File Replication Service, the Distributed File System (DFS), Distributed File System Replication (DFSR), the network filesystem (NFS), and Single Instance Storage (SIS)
Print services
Domain controller, including a read-only domain controller
Active Directory Lightweight Directory Services (AD LDS) server
Windows Server Virtualization (the role that shipped as Hyper-V)
IIS, although with only a portion of its normal abilities: static content hosting, with no dynamic web application support such as ASP.NET, because the .NET Framework is not available on Server Core
Windows Media Services (WMS)

Additionally, Server Core machines can participate in Microsoft clusters, use Network Load Balancing, host Unix applications through the Subsystem for UNIX-based Applications, encrypt their drives with BitLocker, be managed remotely using Windows PowerShell from a client machine (PowerShell itself cannot run on Server Core, since it depends on the same missing .NET Framework), and be monitored through the Simple Network Management Protocol (SNMP). Most administrators will find that placing Server Core machines in branch offices to perform domain controller functions is an excellent use of slightly older hardware that might otherwise be discarded. The smaller footprint of Server Core allows the OS to do more with fewer system resources, and the reduced attack surface (fewer binaries, fewer services listening, and far fewer patches that apply) and stability make it an excellent choice for an appliance-like machine. In a branch office you can combine Server Core with a read-only domain controller and BitLocker encryption of the system volume, giving you a lightweight and well-protected solution.
1.1.2. IIS Improvements

The venerable Microsoft web server has undergone quite a bit of revision in Windows Server 2008. IIS 7 is, for the first time, fully extensible and fully componentized: you install only what you want, so the service is lighter, more responsive, and exposes less code to attack. The administrative interface for IIS has also been completely redesigned. Key improvements include:

Newly rearchitected componentized structure
For the first time in IIS history, administrators exercise complete control over exactly which pieces of IIS are installed and running at any given time. You can run the exact services you require, no more and no less. This is of course more secure, not to mention easier to manage and better performing.

Flexible extensibility model
IIS 7 gives developers a brand-new set of APIs that interact with the IIS core directly, making module development and customization much easier than it has ever been. Developers can even hook into the configuration, scripting, event logging, and administration areas of IIS, which opens a lot of doors for enterprising administrators and third-party software vendors to extend IIS' capabilities sooner rather than later.

Simplified configuration and application deployment
Configuration is accomplished entirely through XML files. The central IIS configuration (applicationHost.config) can be spread across multiple files, allowing the many sites and applications hosted by the same server to have independent but still easily managed configurations, down to per-site and per-application web.config files. One of Microsoft's favorite demos of IIS 7 is setting up a web farm of identically configured machines; as new members of the farm are brought online, the administrator simply uses XCOPY to move the existing configuration files over to the new server, and in a matter of seconds the IIS setup on the new machine is identical to that on the existing machines. (One caveat: any passwords stored in applicationHost.config, such as application pool identities, are encrypted with machine-specific keys, so a plain copy is only usable on another host if those keys are exported as well; the Shared Configuration feature in IIS Manager does that for you.) This is perhaps the most meaningful, and most welcome, change in IIS 7.

Delegated management
Much as Active Directory allows administrators to assign permissions to perform certain administrative functions to other users, IIS administrators can delegate control of some functions to other people, such as site owners, while locking the configuration sections those people must not change.

Efficient administration
IIS Manager has been completely redesigned and is joined by a new command-line administration utility, appcmd.exe.
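The points above (componentized install, XML configuration in applicationHost.config, delegation with locked sections, and appcmd.exe) can be exercised together from a script. The following PowerShell is an added example written for this edition, not code from the book or from Microsoft; the site name, physical path, port, file extensions and the remote host web02 are hypothetical, and it assumes appcmd.exe is present in its default location on a Windows Server 2008 machine with the Web Server role installed.

```powershell
# Added example (not from the book): stand up a single-purpose IIS 7 site with appcmd.exe,
# tighten server-wide request filtering, lock the sections a delegated site owner must not
# override, and leave the committed configuration ready to copy to a farm member.
# Site name, path, port, extensions and the host "web02" are hypothetical.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$cfgDir = Join-Path $env:windir 'System32\inetsrv\config'

# 1. Take a backup first; 'appcmd restore backup "<name>"' reverts everything below.
& $appcmd add backup "pre-hardening-$(Get-Date -Format 'yyyyMMdd-HHmm')"

# 2. A dedicated application pool, so this site's worker process has its own identity and
#    a compromise of another site's code does not land inside this one's process.
& $appcmd add apppool /name:IntranetPool /managedPipelineMode:Integrated
& $appcmd add site /name:Intranet /physicalPath:C:\inetpub\intranet /bindings:http/*:8080:
& $appcmd set app Intranet/ /applicationPool:IntranetPool

# 3. Server-wide settings, committed to applicationHost.config (the file a farm shares).
& $appcmd set config /section:directoryBrowse /enabled:false /commit:apphost
& $appcmd set config /section:requestFiltering /requestLimits.maxAllowedContentLength:1048576 /commit:apphost
# '/+' appends an element to a collection; the inner quotes are for appcmd, so the whole
# argument is single-quoted for PowerShell with the embedded quotes doubled.
& $appcmd set config /section:requestFiltering '/+fileExtensions.[fileExtension=''.bak'',allowed=''false'']' /commit:apphost
& $appcmd set config /section:requestFiltering '/+fileExtensions.[fileExtension=''.old'',allowed=''false'']' /commit:apphost

# 4. Delegation boundary: once locked at the server level, a site owner's web.config
#    cannot reopen these sections (IIS rejects the override with a configuration error).
& $appcmd lock config /section:system.webServer/security/requestFiltering
& $appcmd lock config /section:system.webServer/security/authentication/anonymousAuthentication
& $appcmd lock config /section:system.webServer/handlers

# 5. Review what is actually loaded. Every module listed is attack surface; remove modules
#    the site does not need with 'appcmd delete module <name>' after checking this list.
& $appcmd list modules
& $appcmd list config /section:system.webServer/security/requestFiltering

# 6. Farm deployment: the committed file is what you copy to the next member. -WhatIf only
#    shows the copy; drop it when you mean it. Remember the encrypted-secrets caveat: use the
#    Shared Configuration export, which also exports the encryption keys, for real farms.
Copy-Item (Join-Path $cfgDir 'applicationHost.config') '\\web02\c$\Windows\System32\inetsrv\config\' -WhatIf
```

Run it from an elevated PowerShell prompt; every appcmd call prints an object-changed line or an ERROR line, and `appcmd list config` afterwards shows the effective merged configuration, which is the quickest way to confirm a lock actually took effect before handing a site over to its owner.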
1.2. Networking Improvements

The Windows Server 2008 team has made a special effort to improve network performance and efficiency. For the first time there is a dual-IP-layer architecture with native IPv4 and IPv6 support together, simultaneously. (If you've ever configured IPv4 and IPv6 on a Windows Server 2003 machine, you'll know what a pain it is to get them to interoperate without falling all over each other.) Communications security is enhanced through better IPsec integration throughout the various pieces of the TCP/IP stack. Hardware is used more efficiently and robustly to speed up network transmissions, intelligent tuning and optimization algorithms run regularly to ensure efficient communication, and APIs to the network stack are more directly exposed, making it easier for developers to interact with the stack. Let's take a look at some of the improvements in what the team is calling Next Generation Networking.
1.2.1. TCP/IP Stack Enhancements

As I alluded to earlier, many changes in Windows Server 2008 were made to the TCP/IP stack itself. One such improvement is the auto-tuning TCP receive window: Windows Server 2008 can automatically tune the size of the receive window for each individual connection, increasing the efficiency of large data transfers between machines. Microsoft quotes the following example: "... on a 10 Gigabit Ethernet network, packet size can be negotiated up to 6 Megabytes in size." (The figure describes the receive window, that is, how much unacknowledged data may be in flight, rather than the size of any single packet.) The dead gateway detection algorithm present in Windows Server 2003 has been slightly improved: Windows Server 2008 periodically tries to send TCP traffic through what it believes to be a dead gateway. If the transmission doesn't error out, Windows automatically switches the default gateway back to the previously detected dead gateway, which is now live. Windows Server 2008 also supports offloading network processing functions from the CPU to the processing circuitry on the network interface card (TCP Chimney Offload), freeing the CPU to handle other work. There are also improvements to network scaling. In previous versions of Windows Server, the receive processing for one NIC was tied to a single physical processor. With the right network card, Windows Server 2008 can spread a NIC's receive traffic among multiple CPUs (a feature called receive-side scaling), permitting much higher amounts of traffic to be received by one NIC on a highly loaded server. This particularly benefits multiprocessor servers, since more scale can be added simply by adding processors or NICs rather than entirely new servers.
1.2.2. Changes to Terminal Services

Network applications are growing in popularity with each passing week. Windows Server 2008 sees more work in the Terminal Services/Remote Desktop area than might have been expected, and some of the new capabilities are very welcome improvements. Aside from the three new features, the team worked on improving the core processes that make TS tick, including single sign-on to Terminal Services sessions, monitor spanning and high-resolution support for sessions, integration with the Windows System Resource Manager to better monitor performance and resource usage, and themes that make TS sessions seamless to the client.

There are three key new features in the Windows Server 2008 release. The first is Terminal Services RemoteApp. Like the functionality offered by Citrix MetaFrame years ago, Windows Server 2008 supports, out of the box, the ability to define programs that run on a TS-enabled server but are integrated within the local copy of Windows, with independent taskbar buttons, resizable application windows, Alt-Tab switching, remote population of system tray icons, and more. Users will have no idea that their application is hosted elsewhere, except for the occasional slow response caused by network latency or server overload. It's also simple to enable this functionality: administrators create .RDP files, which are essentially text-based profiles of a Terminal Services connection that the client reads and uses to configure an RDP session for that particular program. They can also create .MSI packages that install those profiles on the client; the main advantage is that .MSI files are very easy to deploy via automated system management methods such as Systems Management Server, Group Policy software installation and IntelliMirror, and so on.

Next, there is the Terminal Services Gateway. This feature allows users to reach Terminal Services-hosted applications and desktops from anywhere on the Internet by tunneling RDP inside an encrypted HTTPS channel to the gateway, which then forwards the session to the internal terminal server. The gateway can send connections through firewalls and correctly navigate NAT situations that stymied the use of this technology before. This saves corporations from having to deploy VPN access to remote users for the sole purpose of reaching a Terminal Services machine; plus, since the data is sent over HTTPS, almost anyone can reach their sessions, even from locations where the RDP port is blocked by the firewall. Administrators set connection authorization policies (TS CAPs) that define which user groups, and optionally which client computers, are permitted to connect through the TS Gateway, and resource authorization policies (TS RAPs) that define which internal servers those users may reach; both must permit a connection before the gateway forwards it. Finally, in conjunction with the Terminal Services RemoteApp feature, Windows Server 2008 includes TS Web Access, which lets administrators publish the available RemoteApp programs on a web page. Users browse the list for the application they want to run, click on it, and are seamlessly placed in the application, using all the features of RemoteApp, while retaining the ability to launch other programs from the same Web Access site. The service is smart enough to know that multiple programs launched by the same user should reside in the same Terminal Services session, making resource management a bit simpler. And you can even integrate TS Web Access within SharePoint sites using an included web part.
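To make the "text-based profile" concrete, here is an added example (not from the book, and not the output of TS RemoteApp Manager) that writes a RemoteApp .RDP file whose session is forced through a TS Gateway. The setting names are the documented RDP file settings read by the Remote Desktop Connection client; the host names, the application alias and the output filename are assumptions.

```powershell
# Added example (not from the book): generate a RemoteApp .rdp profile that always
# connects through a TS Gateway and never carries credentials. Hosts and alias are hypothetical.
function New-RemoteAppRdp {
    param(
        [string]$TerminalServer = 'ts01.corp.example.com',   # internal TS RemoteApp server
        [string]$Gateway        = 'tsgw.example.com',        # Internet-facing TS Gateway (HTTPS)
        [string]$AppAlias       = 'ledger',                  # alias published in TS RemoteApp Manager
        [string]$AppName        = 'Ledger',
        [string]$OutFile        = 'Ledger.rdp'
    )
    $settings = @(
        'remoteapplicationmode:i:1',                 # RemoteApp window, not a full desktop
        "remoteapplicationprogram:s:||$AppAlias",    # '||alias' form: the server maps alias to path
        "remoteapplicationname:s:$AppName",
        'alternate shell:s:rdpinit.exe',             # RemoteApp launcher on the server side
        'disableremoteappcapscheck:i:1',
        "full address:s:$TerminalServer",
        'authentication level:i:1',                  # 1 = refuse to connect if server auth fails
        'enablecredsspsupport:i:1',                  # Network Level Authentication (CredSSP)
        'prompt for credentials on client:i:1',      # never store a password in the file
        "gatewayhostname:s:$Gateway",
        'gatewayusagemethod:i:1',                    # 1 = always use the gateway
        'gatewayprofileusagemethod:i:1',             # use these explicit gateway settings
        'gatewaycredentialssource:i:0',              # 0 = ask for a password at the gateway
        'redirectdrives:i:0',                        # keep local drives out of the session
        'redirectclipboard:i:0',
        'drivestoredirect:s:'
    )
    # mstsc writes its own files as UTF-16; match that so the client reads it unchanged.
    Set-Content -Path $OutFile -Value $settings -Encoding Unicode
    return $settings
}

New-RemoteAppRdp | Out-Null
```

Open the resulting file with `mstsc.exe Ledger.rdp` from a client that can reach the gateway over TCP 443; the gateway's TS CAP must list the user's group and its TS RAP must list the terminal server, or the connection is refused before any RDP traffic is forwarded. The drive and clipboard redirection settings are the ones to review first when the application is being published to untrusted networks, since they are the channels through which data leaves the session.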
1.2.3. Active Directory: Read-Only Domain Controllers

Windows Server 2008 introduces the read-only domain controller (RODC), which is ideal for branch offices and other locations where the machine hosting the domain controller role can't be physically protected the way a machine in a datacenter is. An RODC holds a read-only copy of Active Directory, which brings the immediate benefits of faster logons and quicker authentication for other network resources, but also long-term security benefits. Replication is one-way: changes flow from writable domain controllers to the RODC and never the other way, so an attacker who gains control of an easily accessible branch-office DC cannot inject changes that replicate up to the rest of the forest. The RODC can also cache the credentials of branch-office users and, after one contact with a regular, writable domain controller, can service those users' logon requests directly. This caching is governed by the Password Replication Policy, which by default permits no accounts to be cached (the denied list, which takes precedence over the allowed list, covers the administrative groups), so a stolen RODC yields no password hashes unless you have deliberately allowed caching for specific branch accounts.
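The Password Replication Policy is stored as attributes on the RODC's own computer object, which makes it easy to audit from any domain-joined workstation. The script below is an added example written for this edition, not code from the book or from Microsoft; it reads those attributes through ADSI, checks them against the default deny baseline, and shows the repadmin commands used to fix a gap. The domain and RODC distinguished names are hypothetical.

```powershell
# Added example (not from the book): audit an RODC's Password Replication Policy from the
# linked attributes on its computer object and flag deviations from the default deny baseline.
# All distinguished names are hypothetical; substitute your own.
$domainDN = 'DC=corp,DC=example,DC=com'
$rodcDN   = "CN=BRANCH-RODC01,OU=Domain Controllers,$domainDN"

# Entries an RODC carries on its deny list out of the box. A missing entry means someone loosened it.
$mustBeDenied = @(
    "CN=Denied RODC Password Replication Group,CN=Users,$domainDN",
    "CN=Administrators,CN=Builtin,$domainDN",
    "CN=Account Operators,CN=Builtin,$domainDN",
    "CN=Server Operators,CN=Builtin,$domainDN",
    "CN=Backup Operators,CN=Builtin,$domainDN"
)
# Privileged groups that must stay members of the Denied RODC Password Replication Group.
$mustBeInDeniedGroup = @(
    "CN=Domain Admins,CN=Users,$domainDN",
    "CN=Enterprise Admins,CN=Users,$domainDN",
    "CN=Schema Admins,CN=Users,$domainDN"
)

function Test-RodcPrp {
    # Pure comparison: takes the three lists and returns findings, so it can be run against
    # constructed data as well as against a live directory.
    param([string[]]$Allowed, [string[]]$Denied, [string[]]$DeniedGroupMembers)
    $findings = @()
    foreach ($dn in $mustBeDenied) {
        if ($Denied -notcontains $dn) { $findings += "Missing from deny list: $dn" }
    }
    foreach ($dn in $mustBeInDeniedGroup) {
        if ($DeniedGroupMembers -notcontains $dn) { $findings += "Not a member of the Denied RODC PRG: $dn" }
        if ($Allowed -contains $dn)               { $findings += "Privileged group on the ALLOW list: $dn" }
    }
    return $findings
}

$rodc        = [adsi]"LDAP://$rodcDN"
$deniedGroup = [adsi]"LDAP://CN=Denied RODC Password Replication Group,CN=Users,$domainDN"

$allowed = @($rodc.Properties['msDS-Reveal-OnDemandGroup'])   # may be cached
$denied  = @($rodc.Properties['msDS-NeverRevealGroup'])       # never cached; deny wins over allow
$members = @($deniedGroup.Properties['member'])

'--- Allowed to be cached ---'; $allowed
'--- Never cached ---';         $denied
'--- Accounts whose secrets are on this RODC right now (msDS-RevealedUsers) ---'
$rodc.Properties['msDS-RevealedUsers']

$findings = Test-RodcPrp -Allowed $allowed -Denied $denied -DeniedGroupMembers $members
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Password Replication Policy matches the expected baseline.' }

# Remediation uses the built-in tool, for example:
#   repadmin /prp add BRANCH-RODC01 deny "CN=Server Operators,CN=Builtin,DC=corp,DC=example,DC=com"
#   repadmin /prp view BRANCH-RODC01 reveal    # accounts currently cached on the RODC
#   repadmin /prp view BRANCH-RODC01 auth2     # accounts that authenticated through it
# If the RODC is stolen, delete its computer object; the deletion dialog offers to reset the
# passwords of every cached account, which is exactly the reveal list printed above.
```

Run this periodically rather than once: the allow list tends to grow as branch staff complain about slow logons during WAN outages, and the audit makes sure that growth never includes an account that could be turned into a domain compromise if the branch hardware walks away.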
1.3. Security Improvements

Security problems have plagued Microsoft since the inception of Windows, but only in the last few years, as more people have become connected, have those flaws been widely exploited. Indeed, some of the vulnerabilities we see patches for on "Patch Tuesdays" are the result of poor design decisions. These are the types of flaws Microsoft hopes to stamp out in the release of Windows Server 2008. You'll see quite a bit of change to the architecture of services in Windows Server 2008, including more layers between untrusted input and the kernel, service hardening that isolates services from one another so that a buffer overflow in one cannot be parlayed into control of the rest, and a reduction in the size of the high-risk, privileged layers to make the attack surface smaller. While fundamentally changing the design of the operating system, the Windows Server 2008 team has also included several features designed to eliminate security breaches and malware infestations, as well as capabilities meant to protect corporate data from leakage and interception. Let's take a look at some of the improvements.
1.3.1. Operating System File Protection

A feature currently known as operating system file protection ensures the integrity of the boot process for your servers. Windows Server 2008 creates a validation key based on the kernel file in use, the specific hardware abstraction layer (HAL) for your system, and the drivers that start at boot time. If, at any subsequent boot after this key is created, these files have changed, the operating system will know and halt the boot process so you can repair the problem. Operating system file protection also extends to each binary image that resides on the disk. In this mode it consists of a filesystem filter driver that reads every page loaded into memory, checks its hashes, and validates any image that attempts to load into a protected process (the processes most sensitive to elevation attacks). These hashes are stored in a system catalog, or in an Authenticode signature (backed by an X.509 certificate) embedded within the file itself. If any of these tests fail, OS file protection halts the load to keep your machine secure. This is active protection against malware that tampers with system binaries. Keep in mind what the check proves: that a binary is the one that was signed or catalogued, not that it is free of bugs. A correctly signed but vulnerable driver still loads.
1.3.2. BitLocker

The need for drive encryption has been a popular topic in security circles lately, and in both Windows Vista and Windows Server 2008 Microsoft has answered with a feature called BitLocker. BitLocker is designed especially for scenarios where a thief gains physical access to a hard drive. Without encryption, the attacker can simply boot another operating system or run a forensic tool and read the files, completely bypassing NTFS filesystem permissions. The Encrypting File System in Windows 2000 Server and Windows Server 2003 went a step further, actually scrambling bits on the drive, but it protected only selected files and folders, and the keys needed to decrypt those files were not as well protected as they should have been. With BitLocker, the volume master key is sealed to a Trusted Platform Module (TPM) chip on the system board, or kept as a startup key on a USB flash drive that you insert at boot. BitLocker is comprehensive: when enabled, it encrypts the entire Windows volume, including user data and system files, the hibernation file, the page file, and temporary files. The boot process itself is also protected: with a TPM, BitLocker measures the early boot components, so if one is modified or replaced, for example by a Trojaned boot loader, the TPM will not release the key and the machine drops into BitLocker recovery instead of booting normally. Keep the recovery password somewhere safe (Active Directory can store it for you), because that is the only way back in. Note also that BitLocker protects data at rest: once the server has booted and the volume is unlocked, access control falls back to NTFS permissions as before. It's definitely a step up from the limitations of EFS and a significant improvement in system security over unencrypted drives.
1.3.3. Device Installation Control

Another security problem plaguing businesses everywhere is the proliferation of the USB thumb drive. No matter how securely you set your permissions on your file servers, no matter how finely tuned your document destruction capabilities are, and no matter what sort of internal controls you have on "eyes-only" documentation, a user can simply pop a thumb drive into any open USB port and copy data over, completely bypassing your physical security. These drives often contain very sensitive information that ideally should never leave the corporate campus, but they're just as often found on keychains that are lost, inside computer bags left unattended in an airport lounge, or in some equally dangerous location. The problem is significant enough that some businesses have taken to disabling USB ports by pouring hot glue into them. Effective, certainly, but also messy.

In Windows Server 2008, an administrator can block all new device installations, including USB thumb drives, external hard drives, and other new devices. You can simply deploy a machine and allow no new devices to be installed. You can also set exceptions based on device setup class or device ID, for example to allow keyboards and mice to be added but nothing else, or to allow specific device IDs in case you've approved a certain brand of product to be installed, but no others. This is all configurable via Group Policy, and the policies are set at the computer level (under Computer Configuration, Administrative Templates, System, Device Installation). Two caveats apply: the restrictions govern new installations, so a device whose driver is already installed keeps working unless you also use the Removable Storage Access policies, and a local administrator can override the restriction unless you disable that override as well.
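The following PowerShell is an added example for this edition, not code from the book or from Microsoft. It writes the same registry values the Device Installation Restrictions administrative template delivers through Group Policy, on a single machine for testing, and then checks a few constructed devices against a simplified model of the evaluation order. The vendor and product IDs are hypothetical, and the registry locations are the ones the DeviceInstallation.admx template uses; confirm them against the template in your own central store before a domain-wide rollout.

```powershell
# Added example (not from the book): apply Device Installation Restrictions locally (the
# values a GPO would deliver) and model how they are evaluated. IDs are hypothetical; the
# registry paths are the ones the DeviceInstallation.admx template writes.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Device setup class GUIDs (documented in the Windows DDK) for input devices that stay allowed.
$allowedClasses = @(
    '{4D36E96B-E325-11CE-BFC1-08002BE10318}',   # Keyboard
    '{4D36E96F-E325-11CE-BFC1-08002BE10318}',   # Mouse
    '{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}'    # HIDClass
)
# Hardware IDs of the one approved, hardware-encrypted USB drive model (hypothetical).
$allowedIds = @('USBSTOR\DiskAcmeCo_SecureDrive____1.00', 'USB\VID_1234&PID_5678')

foreach ($sub in 'AllowDeviceClasses', 'AllowDeviceIDs') {
    New-Item -Path "$base\$sub" -Force | Out-Null      # -Force creates parents and is idempotent
}
# "Prevent installation of devices not described by other policy settings" = Enabled
Set-ItemProperty -Path $base -Name 'DenyUnspecified'   -Value 1 -Type DWord
# "Allow administrators to override Device Installation Restriction policies" = Disabled
Set-ItemProperty -Path $base -Name 'AllowAdminInstall' -Value 0 -Type DWord
# The template stores list entries as string values named 1, 2, 3, ...
$n = 1; foreach ($g in $allowedClasses) { Set-ItemProperty -Path "$base\AllowDeviceClasses" -Name "$n" -Value $g -Type String; $n++ }
$n = 1; foreach ($h in $allowedIds)     { Set-ItemProperty -Path "$base\AllowDeviceIDs"     -Name "$n" -Value $h -Type String; $n++ }

function Test-DeviceAllowed {
    # Simplified model of the policy evaluation order: an explicit deny by ID wins, then an
    # allow by ID, then an allow by setup class, and finally the DenyUnspecified default.
    param([string[]]$HardwareIds, [string]$ClassGuid,
          [string[]]$AllowIds, [string[]]$AllowClasses, [string[]]$DenyIds = @())
    foreach ($id in $HardwareIds) { if ($DenyIds  -contains $id) { return $false } }
    foreach ($id in $HardwareIds) { if ($AllowIds -contains $id) { return $true  } }
    if ($AllowClasses -contains $ClassGuid) { return $true }
    return $false
}

$disk = '{4D36E967-E325-11CE-BFC1-08002BE10318}'   # DiskDrive setup class
$kbd  = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
# Constructed devices: the approved drive, an unknown thumb drive, and a USB keyboard.
Test-DeviceAllowed @('USBSTOR\DiskAcmeCo_SecureDrive____1.00')   $disk $allowedIds $allowedClasses   # True
Test-DeviceAllowed @('USBSTOR\DiskGeneric_Flash_Disk______8.07') $disk $allowedIds $allowedClasses   # False
Test-DeviceAllowed @('HID\VID_045E&PID_00DB')                    $kbd  $allowedIds $allowedClasses   # True
```

After the values are in place, plugging in an unapproved drive leaves it listed in Device Manager with an error saying installation was prevented by policy, and the decision is recorded in `%windir%\inf\setupapi.dev.log`. Because the policy keys live under HKLM\SOFTWARE\Policies, the next Group Policy refresh will overwrite them, which is what you want: move the settings into a GPO once the test passes.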
1.3.4. Windows Firewall with Advanced Security

The Windows Firewall included with Windows Server 2003 Service Pack 1 was exactly the same as the one in Windows XP Service Pack 2. Microsoft bundled that firewall with Service Pack 1 as a stopgap measure: deploy this firewall now, Microsoft said, so you will be protected, and we will improve the firewall in the next version of Windows. That time is here. The new Windows Firewall with Advanced Security combines firewall and IPsec management into one MMC snap-in. The firewall engine itself has been rearchitected to reduce coordination overhead between filtering and IPsec. Rules are more expressive, and you can specify explicit security requirements such as authentication and encryption for a rule very easily. Rules can also be scoped to Active Directory computer or user groups, so that only authenticated members of a group may use a port. Outbound filtering is now available; the previous Windows Firewall filtered inbound traffic only. Profile support has been improved as well: on a per-computer basis there is now a profile for when the machine is connected to a domain, one for a private network connection, and one for a public network connection, such as a wireless hotspot. Policies can be imported and exported easily, making the firewall configuration of many computers consistent and simple to manage. Note that outbound connections are still allowed by default in every profile; blocking outbound traffic is a policy decision you must make, and test, yourself.
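The capabilities just listed (profiles, inbound and outbound rules, IPsec authentication requirements on a rule, logging, and policy export) can all be driven from the netsh advfirewall context, which is also what you use on Server Core. The script below is an added example written for this edition, not code from the book or from Microsoft; the management subnet, ports, rule names and the export path are assumptions, and it is meant to run from an elevated prompt on a domain-joined Windows Server 2008 member server.

```powershell
# Added example (not from the book): a reproducible Windows Firewall with Advanced Security
# baseline via netsh advfirewall. Subnet, ports, rule names and paths are hypothetical.
$mgmtNet    = '10.0.5.0/24'                               # jump hosts allowed to reach RDP
$policyFile = 'C:\Policies\member-server-baseline.wfw'

# 1. All three profiles on. Inbound is blocked by default; outbound stays allowed here because
#    blocking it without a complete allow list breaks domain traffic. Tighten per host later.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Log dropped packets so probes and misconfigured clients are visible to the SOC.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 16384

# 3. Inbound allow rules, scoped to the domain profile and to source addresses where possible.
netsh advfirewall firewall add rule name="RDP from management subnet" dir=in action=allow `
    protocol=TCP localport=3389 "remoteip=$mgmtNet" profile=domain

# 4. Require IPsec authentication with the computer's Kerberos identity for SMB, so only
#    domain members can even open the port. A connection security rule negotiates the
#    authentication; the firewall rule then insists on it with security=authenticate.
#    Without the consec rule, security=authenticate silently drops every connection.
netsh advfirewall consec add rule name="Domain isolation (SMB)" endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb protocol=TCP port1=any port2=445 profile=domain
netsh advfirewall firewall add rule name="SMB from authenticated domain members" dir=in action=allow `
    protocol=TCP localport=445 security=authenticate profile=domain

# 5. Outbound: block protocols a member server has no business initiating, and block SMB out
#    entirely on public networks, where it is mostly a credential-leak path.
netsh advfirewall firewall add rule name="Block outbound Telnet" dir=out action=block protocol=TCP remoteport=23
netsh advfirewall firewall add rule name="Block outbound SMB on public networks" dir=out action=block `
    protocol=TCP remoteport=445 profile=public

# 6. Export the whole policy; 'netsh advfirewall import <file>' applies it to the next server,
#    or import the same file into a GPO so domain members stay consistent.
New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null
netsh advfirewall export "$policyFile"

# 7. Verify what is actually in effect.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="RDP from management subnet"
netsh advfirewall consec show rule name="Domain isolation (SMB)"
```

Test the SMB rule from a non-domain machine and from a domain member before rolling it out: the first should fail to connect at all, the second should succeed, and `netsh advfirewall monitor show mmsa` on the server should show a main-mode security association with the domain member, which confirms the authentication actually happened rather than the rule simply being ignored.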
1.3.5. Network Access Protection

Viruses and malware are often stopped by software defenses before they can run within a user's session, but the ultimate protection would be to keep an unhealthy machine from ever reaching the network. In Windows Server 2008, Microsoft has created a platform whereby computers are examined against a baseline set by the administrator, and if a machine fails any part of that baseline it can be prevented from accessing the network: quarantined, as it were, from the healthy systems until the user is able to fix the broken machine. This functionality is called Network Access Protection. NAP can be broken down into three key components:

Health policy validation
Validation is the process wherein the machine attempting to connect to the network is examined and checked against health criteria that an administrator sets, such as whether the firewall is on, antivirus is running and current, and recent updates are installed.

Health policy compliance
Compliance policies can be set so that managed computers that fail the validation process are automatically updated or fixed via Systems Management Server or other management software, as well as by Microsoft Update or Windows Update.

Limited access
Access limiting is the enforcement mechanism for NAP. It's possible to run NAP in monitoring-only mode, which logs the compliance and validation state of computers connecting to the network, but in enforcement mode, computers that fail validation are put into a restricted network (enforced through DHCP, IPsec, 802.1X, VPN or the TS Gateway) that typically blocks almost all access and allows traffic only to a set of specially hardened remediation servers holding the tools most commonly needed to bring machines up to standard.

Keep in mind that NAP is only a platform by which these checks can be made; other pieces of the puzzle are still needed after deploying Windows Server 2008, including system health agents (SHAs) on the clients and system health validators (SHVs) on the Network Policy Server that carry out the checks. Windows Vista ships with a default Windows Security Health Agent, and Windows Server 2008 with the matching Windows Security Health Validator, both of which can be configured. One caveat: NAP evaluates what the client reports about itself, so it protects against machines that are accidentally out of date, not against a deliberately hostile machine that lies about its health.
1.4. Manageability Improvements

Servers are only effective if the administrator configures them properly. Windows Server products have traditionally been fairly simple to operate, but Windows Server 2008 brings many improvements to the initial setup and configuration experience. Many of these details were still being worked out at the time of writing, and these elements may change as the anticipated release date nears, but let's take a look anyway and see what Windows Server 2008 has to offer in terms of manageability enhancements.
1.4.1. Server Manager

Server Manager is a one-stop shop for viewing information on a server, looking at its stability and integrity, managing installed roles, and troubleshooting configuration issues that may arise. Server Manager replaces the Configure Your Server, Manage Your Server, and Add or Remove Windows Components interfaces. It centralizes a variety of MMC 3.0 snap-ins, allowing you to see at a glance which roles and features are installed on any given machine, and giving you an easy jumping-off point to begin managing those pieces.
1.4.2. Windows Deployment Services
Many an administrator has come to love Remote Installation Services (RIS), the add-on to Windows 2000 Server and Windows Server 2003 that streamed an installation of client and server operating systems over the network and provided the ability to customize installations and set them off with just a few keystrokes. In Windows Server 2008, Microsoft has radically revised RIS and renamed it Windows Deployment Services (WDS). WDS still uses the pre-boot execution environment (PXE) and the trivial file transfer protocol (TFTP) to stream an OS to the client, but it now boots Windows PE, a graphical front end to the installation process that replaces the ugly, less functional text-based blue-screen setup phase that has plagued corporate Windows since NT 3.1.

1.5. Performance and Reliability Upgrades
Among the other enhancements in Windows Server 2008, work was done to improve overall system reliability and performance. For example, to view processes in previous versions of Windows Server, you had two basic tools, both of which were virtually unchanged from release to release: the Task Manager and the Performance Monitor. In Windows Server 2008, these tools have been combined into a single interface, called the Performance Diagnostics Console (which is also integrated into the aforementioned Server Manager), to make it easier to view statistics and alerts about how well your machine is handling its duties. The Resource View is a simpler, but more powerful, view of how certain processes and services, among other metrics, are using the available resources on your machine. The Reliability Monitor shows a detailed view of exactly what events are occurring on a regular or intermittent basis to degrade the stability of your server. For example, you can see problems and degradations based on software installation activity, application failures, hardware missteps, Windows failures, and other, uncategorized problems. The Reliability Monitor generates a "stability index," which is a painfully arbitrary number supposedly representing, on a scale of 1 to 10, how pristine your system is.
1.6. Windows Server 2008 Editions
As always, Microsoft has split up the various editions of Windows Server 2008 so that, in theory, each customer segment is served by the right product with the right feature set at the right price. Windows Server 2008 is available in the following editions:

Windows Web Server 2008
This version of Windows Server 2008 is optimized to host web sites using IIS and is therefore limited in its support of hardware and in its feature set. It's designed specifically as a web server, so you won't find many features enabled other than IIS, ASP.NET, and some other web hosting-specific capabilities. Avoid this edition unless you have machines whose sole purpose is serving web and other Internet content.

Standard Edition (SE)
This is the plain-vanilla version of Windows that most corporations will likely deploy. Included with it is support for up to two processors and 4 GB of memory. SE includes most of the features and support of the other editions, including the .NET Framework, IIS 7, Active Directory, the distributed and encrypting filesystems, and various management tools. You also receive Network Load Balancing (a feature previously reserved for the "premium editions" of the NT server product) and a simple Post Office Protocol 3 (POP3) server which, coupled with the existing Simple Mail Transfer Protocol (SMTP) server bundled with IIS, can turn your Windows Server 2008 machine into an Internet mail server.

Enterprise Edition (EE)
Aimed squarely at more demanding environments, EE adds clustering support, support for eight processors, 64 GB of RAM for x86-based systems and up to 2 TB of RAM for x64 systems, the ability to hot-add memory to a running server, and unlimited network connections, among other things.

Datacenter Edition (DE)
This performance- and scalability-enhanced Windows Server 2008 edition supports from 8 to 32 processors, hot-adding of processors and their replacement, and features the same memory support as the Enterprise Edition. With the exception of more extensive firewalling features and some increase in virtual machine licensing, DE is identical to EE.

For more information, visit the Microsoft web site at http://www.microsoft.com/windowsserver2008/en/us/editions-overview.aspx.
1.7. Hardware Requirements
Table 1-1 lists Microsoft's minimum and recommended system requirements for running Windows Server 2008.

Table 1-1. Minimum and recommended system requirements for Windows Server 2008

Requirement            Minimum                                                       Recommended
Processor              1 GHz (x86 processor) or 1.4 GHz (x64 processor)              2 GHz or faster
Memory                 512 MB RAM                                                    2 GB RAM or greater
Available disk space   10 GB                                                         40 GB or greater
Drive                  DVD-ROM drive
Display                Super VGA (800 x 600) or higher resolution monitor
Other                  Keyboard and Microsoft Mouse or compatible pointing device
However, anyone with prior experience with Windows operating systems is likely familiar with the simple fact that Microsoft's minimum system requirements (and often, the recommended requirements as well) are woefully inadequate for all but the most casual serving duties. Based on price and performance considerations as of this writing, I recommend the following specifications for any Windows Server 2008 version available through traditional channels. I'll refer to these as the "realistic minimums" from this point on in the book.

A Pentium III 1 GHz processor
A server machine capable of using dual processors
At least 512 MB of RAM
At least 9 GB of disk space

In this day and age, PC hardware changes in value, speed, and availability on what seems like a daily basis. Unless your sole job is to continually specify the hardware platforms and configurations on which your client and server computers will run, it only takes missing a week's worth of developments to miss out on new processor speeds, chipset replacements or introductions, and hard-drive enhancements. Of course, the methodology for selecting hardware for your servers remains true regardless of the operating system: disk speed is the single most prominent bottleneck in a file server, whereas an application server has performance obstacles in the processor and memory.
1.8. The Last Word
Windows Server 2008 presents an interesting set of features that result in tangible benefits for many administrators. The Server Core version of the product is perhaps the most useful new installation option of Windows on the server in quite a while, and it's appropriate for use in many situations where rock-solid servers are required. If your server farm hosts network-intensive applications, you'll find the changes to the TCP/IP stack and other network performance improvements tantalizing, and hardware assistance now makes network scaling much more cost effective by requiring fewer physical servers than before. Security is of course of paramount importance, and NAP alone makes Windows Server 2008 worth the investment. Management capabilities are improved as well. Two general camps of people and their organizations will find compelling reasons to immediately upgrade to Windows Server 2008:

Those still running a version of Windows NT or Windows 2000 Server
NT Server 4.0 reached the end of its supportable life on December 31, 2004. Windows 2000 Server's mainstream support ended June 30, 2005, and while extended support will be available until July 13, 2010, it's smart to consider a move. Windows Server 2008, a fundamentally major release, provides a good jump up to new features, although it will likely require a hardware refresh if you are still running Windows NT or Windows 2000 in production.

Those with current Microsoft Select, Software Assurance, or Open License agreements that allow them to upgrade to the latest release at no additional cost
If there's no fee or additional monetary outlay for your upgrade, you can get the benefit of Windows Server 2008 for little overall monetary cost.

If you are not a member of either group, the value of upgrading to Windows Server 2008 is less clear, though a strong case could be made for moving up. If you're happily chugging away with Windows Server 2003 or R2, have read this chapter and don't see any features you absolutely must have now, and don't have an update agreement with Microsoft, you might want to skip this release and wait for Windows Server 2009 (or whatever the appropriate year might be). For most corporations, it's a question of timing. Consider that the next radically different revision of Windows is about three years away on the desktop and four to five years away on the server. You'll have plenty of time to move to Windows Server 2008 in that window. For others, it's a question of finances: if you can't afford to upgrade to Windows Server 2008, then it's a dead end. If you are satisfied with Windows Server 2003, or the R2 edition, and have secured it properly, nothing in Windows Server 2008 is absolutely mandatory. The same goes for those running the original release of Windows Server 2003 with Service Pack 1 without a complimentary upgrade route to R2.
Chapter 2. Installation and Deployment
Now that you've been thoroughly introduced to what's new, what's hot, and what's not in Windows Server 2008, the time has come to install the operating system on your machines. Installing Windows Server 2008 is easy: the fun comes in configuring and customizing the operating system. I'll begin by covering the installation process. Then I devote a large part of this chapter to unattended installations, automated deployment, and batch machine imaging, because you can gain significant time savings by letting your computer handle as many of the tedious installation tasks as possible. So, let's jump in and get started.

2.1. Installing Windows Server 2008
It's a fairly effortless procedure to install Windows Server 2008 onto new systems. Here are the steps:

1. Turn the system power on and insert the Windows Server 2008 DVD into the drive. If you receive a prompt asking you to select from what location to boot, choose the option to boot from the DVD drive. The system will boot and begin the initial installation procedure. Figure 2-1 shows the beginning of this phase from the Install Windows screen. Choose the correct language, time and currency format, and keyboard input method, and then click Next.

Figure 2-1. Beginning the Windows installation process

2. Click the "Install now" button in the middle of the screen.

3. On the next screen, shown in Figure 2-2, you are prompted for your product key. You do not have to enter the key now, but you will be required to enter a valid key within a certain amount of time once installation is complete. Enter your key if you wish and then click Next. Note that if you don't enter a key now, make sure that when you choose an edition to install (on the next screen), you choose the edition that corresponds to the key you will enter later; otherwise, you may need to reinstall.

Figure 2-2. Entering the product key

4. If you did not enter a key, the screen shown in Figure 2-3 will appear, asking you to select the edition of Windows that you purchased. (If you had entered a key, Windows would have automatically chosen the correct edition based on the contents of your key.) Choose which edition of the product, including the standard installation or the Server Core flavor, to install. Then, click Next.

Figure 2-3. Selecting the edition of Windows Server 2008 to install

5. Read the terms of the license agreement. If you accept (which, of course, you have to do to continue installation), check the box and click to continue.

6. The "Which type of installation do you want?" screen appears, depicted in Figure 2-4. If you were running this installation from within Windows, the Upgrade selection would be enabled, allowing you to move to Windows Server 2008 with most of your programs, files, and settings intact. This is not the recommended path; here, in this example, we are completing a clean installation onto a formatted, blank disk. In this case, the only available option is Custom. Click "Custom (advanced)" to continue.

Figure 2-4. Selecting an installation type

7. A screen listing your current disk partitions will appear, as shown in Figure 2-5. You can delete, create, and format partitions to your heart's content here. Once you have at least one partition with 15 GB or more of disk space on it, you can click Next. If you haven't yet formatted, Setup will handle that.

Figure 2-5. Deleting, creating, and formatting disk partitions

8. Finally, files are copied and settings are finalized. This process can take a little while, up to 30 minutes, so feel free to step away (Figure 2-6).

Figure 2-6. Completing the installation process

Your installation will be complete once the system restarts a couple of times. The first screen you see will prompt you to set an administrator password; as you'll recall, nowhere during the setup process did you create a user account. Windows adds the Administrator account automatically and creates a complex temporary password to protect the account during installation and the initial boot process, but upon first logon you must change it.
2.2. Initial Configuration Tasks
After your password is changed, Windows Server 2008 logs you in as Administrator, and the Initial Configuration Tasks screen appears, as shown in Figure 2-7. On this screen, you can complete the numerous but sometimes tedious steps to configure a newly installed machine for daily use, like setting the time zone, adding and configuring IP addresses, naming the computer and joining it to a workgroup or domain, updating, and so on.

Figure 2-7. The Initial Configuration Tasks screen

I strongly recommend that the first step you complete on this screen is to immediately click the "Download and install updates" link (assuming you have an active network connection that can route to the Internet) to apply the latest security fixes and service packs before placing the machine into production.

In today's hostile Internet environment, I strongly encourage you to perform your installation on a machine that is at least protected by a hardware firewall, and preferably on a machine that is completely disconnected from the network, unless you are using a network-based deployment method (more on this later in the chapter). While the Windows Server 2008 firewall is on from first boot, I have never heard of a virus, worm, or Trojan entering a system from the network without that system having network access. And Linksys, D-Link, and other hardware firewalls are cheap, reusable, and can come in handy in a variety of scenarios. It's a simple step to take to prevent hours of headaches.
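Before taking the new server out from behind that hardware firewall, it is worth verifying the two things this section leans on, that the Windows Firewall really is on for every profile and that no security updates are still outstanding, rather than assuming both. The script below is an added example (not code from the book) that does that check from the Initial Configuration Tasks stage. It assumes an elevated session, a path to Windows Update or a WSUS server for the update search, and that `netsh advfirewall` prints one "State" line under each profile heading; the function names are my own.

```powershell
# Added example, not from the book: first-boot check before a server goes into
# production. Assumes an elevated session on Windows Server 2008 and, for the
# update search, reachability of Windows Update or a WSUS server.

function Get-FirewallProfileStates {
    # Returns a hashtable: profile name -> ON or OFF, parsed from
    # "netsh advfirewall show allprofiles state".
    $states  = @{}
    $profile = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $profile = $matches[1]
        } elseif ($line -match '^State\s+(\w+)' -and $profile -ne $null) {
            $states[$profile] = $matches[1].ToUpper()
            $profile = $null
        }
    }
    return $states
}

function Get-MissingUpdateCount {
    # The Windows Update Agent COM API is what the ICT "Download and install
    # updates" link drives; here we only count what is still missing.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    return $result.Updates.Count
}

$fw    = Get-FirewallProfileStates
$allOn = $true
foreach ($p in $fw.Keys) {
    "{0,-8} profile firewall: {1}" -f $p, $fw[$p]
    if ($fw[$p] -ne "ON") { $allOn = $false }
}
if (-not $allOn) {
    "WARNING: a firewall profile is off. Re-enable it before connecting this server to production."
}

$missing = Get-MissingUpdateCount
"Missing software updates: $missing"
if ($missing -gt 0) {
    "Apply the outstanding updates (ICT > Download and install updates) before the server goes live."
}
```

Keep the script on the same removable media as your installation notes; it takes seconds to run and turns "I think the firewall was on" into a line of evidence in the build log.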
2.2.1. Understanding Product Activation
Retail copies of Windows Server 2008 have a feature known as activation, which is an antipiracy measure instituted by Microsoft. In essence, when you install Windows with a specific license key on a computer, a hash is created using the key and several attributes of hardware on the computer, including the network card's MAC address. (The exact way this hash is created is, of course, secret.) This hash can't uniquely identify a computer, but it identifies a specific installation of Windows. This hash is sent to Microsoft during the activation procedure. The theory is that if you later try to use the same product key for an installation on different hardware (for example, on another computer), the hash created would be different, and activation would fail because it's likely you are trying to use more than one copy of Windows when you're licensed for only a single installation. You have 30 days to activate the product upon initial installation with a retail-purchased copy of Windows Server 2008. When you reach this deadline, you won't be able to log on to the system, though it will continue to run without console access until you reboot it. The catch to activation is this: if you change enough hardware in the same system to change the hash, Windows will complain that you need to activate the software again. You might need to actually call a toll-free number to speak with a representative in this case to explain why your hardware changed. This service is available 24 hours a day, 7 days a week, but it's a pain to spend time pleading your case. The service is fast, and many users have reported that the staff running it is helpful and usually quite accommodating, but it's the principle of the situation.

There are two types of product keys that are issued for Windows Server 2008. The first type is what we just discussed: the individual, one-machine license keys that are issued with new computers, retail copies of Windows Server 2008, and so on. (There are minor differences among those keys, such as the OEM-type keys that don't technically require user-initiated activation, but that's outside the scope of this discussion.) The second type is keys meant to unlock software licensed under corporate agreements. Unlike Volume Activation 1.0 (which you may have seen in action in Windows Server 2003), which produced keys that bypassed product activation, Volume Activation 2.0 still issues keys for bulk-licensed copies, but it doesn't disable activation. Instead, these keys have multiple allowed activations associated with them, hence their name, multiple activation keys, or MAKs. According to Microsoft, "computers can be activated on an individual basis or by a central computer" (see the next point) "which can activate multiple computers at a time." You can manage these activations and individual computers' product keys over the network. The Key Management Service (KMS), which tackles this task, runs on Windows Server 2003 machines with Service Pack 1 or later, or Windows Server 2008. Machines running KMS can handle activations of internal machines that run Windows Vista Business, Windows Vista Enterprise, or any Windows Server 2008 edition without having to route requests to activate each of those computers to Microsoft's public activation service. While this might seem like a great loophole to get around activation, it's not quite set-and-forget; copies of the operating system activated through a business's KMS will be required to reactivate by connecting to machines running KMS at least once every 180 days.

Additionally, you must have 25 or more physical Windows Vista machines, or 5 physical Windows Server 2008 machines, on the same network for KMS to function. The machine running KMS will of course need to activate itself using a KMS-specific key, which, once validated, authorizes that machine to activate its subordinates.

Interestingly, the default configuration of a Windows Server 2008 installation is to act as a KMS client, so with a properly deployed KMS structure, your new Windows Server 2008 installations should automatically detect the KMS servers on your network (by way of a DNS SRV record that KMS hosts register) and activate themselves accordingly.
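That automatic detection is convenient, but it also means a KMS client trusts whatever the `_vlmcs._tcp` SRV record in DNS points at. Where you control the KMS host, pinning clients to it explicitly with slmgr.vbs removes that dependency on DNS and makes a stale or rogue record visible. The script below is an added example (not code from the book) that shows the DNS advertisement, pins the client, activates, and reports the licensing state. slmgr.vbs ships with the operating system; the host name, DNS domain and port are hypothetical, and the wrapper function is my own.

```powershell
# Added example, not from the book: pin this Windows Server 2008 KMS client to a
# named KMS host instead of relying on DNS auto-discovery, then activate and show
# the result. Assumes an elevated session; host, domain and port are hypothetical.

$KmsHost   = "kms01.corp.example"   # hypothetical KMS host
$KmsPort   = 1688                   # default KMS listening port
$DnsDomain = "corp.example"         # hypothetical AD DNS domain
$Slmgr     = Join-Path $env:windir "system32\slmgr.vbs"

function Invoke-Slmgr {
    param([string[]]$Arguments)
    # slmgr.vbs is a script; cscript prints its messages, //nologo drops the banner.
    cscript //nologo $Slmgr $Arguments
}

# 1. What does DNS currently advertise? A stale or unexpected host here is worth
#    investigating before any client is allowed to discover it.
"KMS hosts advertised in DNS:"
nslookup -type=SRV "_vlmcs._tcp.$DnsDomain"

# 2. Override discovery: from now on this client ignores the SRV record and talks
#    only to the named host.
Invoke-Slmgr -Arguments @("/skms", ("{0}:{1}" -f $KmsHost, $KmsPort))

# 3. Activate now rather than waiting for the client's scheduled retry.
Invoke-Slmgr -Arguments @("/ato")

# 4. Verbose licensing details: look for "License Status: Licensed" and the KMS
#    expiry, which sits about 180 days out and is renewed automatically.
Invoke-Slmgr -Arguments @("/dlv")

# To return to DNS discovery later:  Invoke-Slmgr -Arguments @("/ckms")
```

The same `/skms` and `/ato` calls belong in your unattended build so that a freshly imaged server never spends its first hours looking for a KMS host on its own.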
2.3. Deployment
The deployment story in Windows Server 2008 (and Windows Vista, for that matter) has radically changed. Windows Deployment Services (WDS) replaces the old Remote Installation Services (RIS) product that was included with Windows 2000 and Windows Server 2003. It has a number of enhancements, improvements, and new features, but perhaps the most important and the most useful of them is the ability for WDS to read, manage, and stream the new Windows Imaging Format (WIM). WIM support was first baked into Windows Vista and solves a number of problems that you may have stumbled on if you've worked with imaging products for Windows in the past. While WDS can still deploy what it calls "legacy" images (for example, Windows XP installations in the format you used to use in conjunction with Remote Installation Services), WDS shines when you set up different WIM files with boot and install images for different architectures and systems. With some upfront grunt work (and that may be putting it mildly), you can significantly reduce the time it takes to achieve a complete deployment on machines that are of different types, architectures, and configurations. Let's take a look at some critical components of the deployment infrastructure under Windows Server 2008.

2.3.1. Windows Imaging Format
Windows Vista introduced the Windows Imaging Format, a hardware-independent, file-based format that stores images of the operating system. The premise of WIM is to make images many-to-one in nature; in other words, multiple images can be contained within one WIM file. Since Windows Vista was architected to be so modular, 95% of the base operating system can be replicated among any number of images; as a result, Microsoft itself can ship just one binary image for each processor architecture, x86 and x64, to everyone in the channel. Additionally, the size of each image file is reduced using single-instance storage techniques and enhanced compression. Further, you can create WIM files very easily for your own uses and modify them as well. Perhaps the best usability improvement of the WIM format is the ability to edit images offline: once an image is mounted to a folder with the ImageX tool, you can work on it using standard file management tools like Windows Explorer. You can add files and folders to an image; for instance, instead of the painful driver addition process in Remote Installation Services, you can simply drop drivers directly into a WIM-based image and have them automatically present for future deployments. Best of all, you don't need to create independent images for each edit you make: the additions, modifications, and deletions you make can coexist in one image, reducing management burden.
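Here is what that offline edit looks like in practice for a Windows PE boot image: mount the WIM read/write, register a network driver, drop in a file, and commit. Because an image that every new machine boots from is an attractive place to plant something, the script also records the WIM's SHA-256 hash before and after the edit so the result can be signed off and later tampering detected. This is an added example, not code from the book; it assumes the Windows Automated Installation Kit (WAIK) is installed so that imagex.exe and peimg.exe are on the PATH, an elevated session, and the hypothetical paths and driver shown.

```powershell
# Added example, not from the book: edit a Windows PE boot image offline with the
# WAIK tools and record its hash before and after. Assumes WAIK (imagex, peimg)
# on the PATH and an elevated session. All paths below are hypothetical.

$Wim    = "D:\Images\boot.wim"
$Index  = 2                              # image inside the WIM; list them with: imagex /info $Wim
$Mount  = "C:\Mount"
$DrvInf = "D:\Drivers\NIC\e1000.inf"     # hypothetical NIC driver package
$Extra  = "D:\Tools\collect.cmd"         # hypothetical troubleshooting script to carry along

function Get-Sha256Hex {
    param([string]$Path)
    # Plain .NET hashing so the script does not depend on extra modules.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $fs    = [System.IO.File]::OpenRead($Path)
    $bytes = $sha.ComputeHash($fs)
    $fs.Close()
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "")
}

"Before: " + (Get-Sha256Hex -Path $Wim)

New-Item -ItemType Directory -Path $Mount -Force | Out-Null

# Mount read/write; the image now appears as an ordinary folder tree under $Mount.
imagex /mountrw $Wim $Index $Mount

# Windows PE 2.x keeps its own driver list, so the INF must be registered with
# peimg rather than just copied; this is what makes the NIC work on PXE boot.
peimg "/inf=$DrvInf" "$Mount\Windows"

# Ordinary file operations work against the mounted tree, which is the
# "edit with Explorer" convenience the text refers to.
Copy-Item -Path $Extra -Destination "$Mount\Windows\System32\collect.cmd"

# /commit writes the changes into the WIM; "imagex /unmount $Mount" alone discards them.
imagex /unmount /commit $Mount

"After:  " + (Get-Sha256Hex -Path $Wim)
```

Store the "after" hash alongside the change record for the image; a WDS server whose boot.wim no longer matches the recorded value has been changed by someone, and you want to know who.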
2.3.2. Windows PE
The Windows Preinstallation Environment, or Windows PE, is an execution environment designed to assist in installing and troubleshooting operating system installations. Rather than the old blue-background, text-based installation screen of previous versions of NT, Windows PE comes in graphical form and contains a full complement of tools to assist with getting Windows Server 2008 and Windows Vista installed on a drive. The big win with Windows PE is that standard Windows network drivers work with it out of the box, so there is no hunting for special NDIS drivers only for network deployment use. Additionally, it has a built-in firewall to protect the operating system in its most vulnerable state, when it is partially installed, and the ability to insert drivers from any sort of removable media into the session. You might recall the frustration of only being able to add a driver by hitting F6 at the right moment of Setup and then having the driver only on a floppy disk. Windows PE eliminates this annoyance.
2.3.3. Windows Deployment Services
Windows Deployment Services is the next generation of Windows 2000 and Windows Server 2003's RIS. It was released with Windows Server 2003 Service Pack 2 and is the only supported method of deploying Windows Vista over the network, so if you want to stream Vista images to desktops and notebooks over the network, you'll need to upgrade your RIS servers to that service pack level and then deploy WDS. WDS supports both x86 and x64 images as well.

Like RIS, WDS uses the Preboot Execution Environment (PXE) capabilities of most modern BIOSes and network interface cards to load a session of Windows PE. Windows PE then presents a menu to the user consisting of all the appropriate image and configuration options available on the WDS machine. The user selects a target, and the image (in WIM format, of course) is laid onto the disk of the target machine. It's all very elegant when you have configured it properly, and it makes it possible to reimage a system, in some cases with applications and configurations as well, in less than 30 minutes. Imagine the boon to your support department: instead of wasting hours tracking down some obscure problem, you simply stream a new image to a machine while the user is out to lunch, and voilà! Problem solved. True, that's a rosy case, but it's possible and realistic with WDS and WIM. What's changed from RIS? Here's a quick rundown, courtesy of Microsoft:

The ability to deploy Windows Vista and Windows Server 2008 in addition to Windows XP and the older NT-based operating systems
Windows PE can be used as a boot operating system, allowing for both deployment and troubleshooting
Support for WIM deployments
Ability to transmit data and images using multicast functionality, which allows the performance of deployment services over the network to scale significantly better and more efficiently
An enhanced PXE server stub
A new, more user-friendly boot menu format that is both easier to use and easier to configure
A new management console that helps you manage WDS servers on your networks, and the boot and install images contained thereon

There are two types of WDS servers that you can create: a transport server and a deployment server. The transport server only offers the core networking services; it doesn't give you all the functionality of WDS but is useful if you want to take advantage of the multicasting features in larger environments. A deployment server offers everything that WDS offers, including the transport components. For the purposes of this section of the chapter, we'll assume that we are working with a deployment server.
2.3.4. Installing and Configuring Windows Deployment Services
To install WDS, you need a Windows Server 2008 machine that is joined to a domain. You'll also need DHCP working on your network, a valid DNS architecture, a partition formatted as NTFS, and a user account that is both a domain user and a local administrator on the server running WDS. If you meet all those requirements, you can install WDS by loading Server Manager, clicking Add Roles on the Roles Summary pane, and then selecting Windows Deployment Services. Once you have added the role, it's time to configure the WDS server. There is a command-line utility, aptly named WDSUTIL, and there is the graphical component, which is an MMC snap-in. For this example, we'll walk through the graphical interface for WDS. Your first steps should be as follows.
1. We'll need to create a shared folder that stores the necessary programs and supporting files to enable PXE-based network booting, the files for Windows PE (which each machine will store in a dynamic RAM disk), the boot images for Windows PE itself so that it can fully run on your client machines, and the install images for your operating systems (these are the actual WIM files that are meant to be deployed to your target machines).
2. We then have to tell WDS how to answer PXE requests from the network, so that incoming client requests are answered or ignored depending on how security-conscious you want your deployment to be.
3. Next, your DHCP settings should be changed, whether your DHCP service is hosted on a Windows Server 2008 machine or provided by some other network device. Specifically, all DHCP broadcasts on UDP port 67 by client computers should be forwarded directly to both the DHCP server and the Windows Deployment Services PXE server. Also, all traffic to UDP port 4011 from the client computers to the Windows Deployment Services PXE server should be routed appropriately. The WDS Configuration Wizard will take care of this step in most environments.
The Windows Deployment Services Configuration Wizard will handle a lot of these tasks for you, so let's load it and run through the wizard to get a baseline configuration prepared. If you haven't already, install the WDS role by using the Add Roles Wizard, which you can enter from the appropriate link at the bottom of the Initial Configuration Tasks page. Then, from the Administrative Tools submenu off the Start menu, select Windows Deployment Services. In the left pane, expand the server list, right-click on the current server, and select Configure Server. The wizard launches.
1. On the Select Server Roles screen, shown in Figure 2-8, check the Windows Deployment Services box and click Next.
Figure 2-8. The Select Server Roles screen
2. The Overview of Windows Deployment Services screen appears, as shown in Figure 2-9. Read the overview and listing of requirements, and then click Next when you finish.
Figure 2-9. The Overview of Windows Deployment Services screen
3. The Select Role Services screen appears, depicted in Figure 2-10. Here, you select which of WDS's two roles you want to install, or you can opt for both. The Deployment Server role provides all of the functions and features of WDS and requires the components of the Transport Server role, which actually move the bits and bytes of your operating system images around the network. You can install the Transport Server role without the Deployment Server role, but you cannot have the Deployment Server role without the Transport Server role. Try it; the Add Roles Wizard will flash an error if you attempt to remove the latter and keep the former. For the purposes of our demonstration here, select both roles and click Next.
Figure 2-10. The Select Role Services screen
4. The Confirm Installation Selections screen appears. Verify the settings you've chosen in the wizard and then click the Install button. You may need to restart the machine you are using.
Once the WDS roles are installed, it is time to run the configuration wizard. The Welcome Page appears, as shown in Figure 2-11. Read the introduction and then click Next.
Figure 2-11. The Welcome Page of the Windows Deployment Services Configuration Wizard
The Remote Installation Folder Location screen appears, as shown in Figure 2-12. Here, you tell WDS where to store images to stream to clients. This folder must reside on a volume formatted with NTFS. It's recommended that you choose a volume that doesn't contain the Windows system files for best performance, although you won't be prevented from selecting the system disk—simply acknowledge the warning that will appear. Choose a path, and then click Next.
Figure 2-12. The Remote Installation Folder Location screen
The PXE Server Initial Settings screen appears, depicted in Figure 2-13. Here, you can establish whether your WDS machines will respond to clients who aren't made known to WDS before you begin their deployment. If you want any computer to be able to stream an image to its drive (subject to that user having appropriate permissions), then choose "Respond to all known and unknown client computers." You can also elect to have unknown clients make a request that can subsequently be approved by an administrator. To require that clients be prestaged within WDS, choose the second option, and to turn off WDS network booting completely, choose the first option. Click Finish to complete the wizard.
Figure 2-13. The PXE Server Initial Settings screen
The wizard will trundle for a while, completing the initial configuration steps, and then you will see the Configuration Complete screen, shown in Figure 2-14.
Figure 2-14. The Configuration Complete screen
Next up, you need to add the boot images. These are the images that download over the PXE-based network connection and set up the Windows PE-based environment in which all of the deployment magic happens. Expand the server to which you want to add the boot images, right-click on the Boot Images folder, and select Add Boot Image. Then, insert the operating system media into the local CD or DVD drive, and browse to the BOOT.WIM file (on the Windows Server 2008 DVD, it is located in the \Sources directory off of the root of the disc). Click Open, and then enter a friendly image name and description, click Next, and wait as the images are copied to the WDS machine's shared folder that you established during the configuration wizard. Finally, you add the install images, which as you will recall are the actual target images streamed down over the network onto the machines on which you want an operating system installed. To get started, I recommend putting a default image of Windows Vista or Windows Server 2008 on your WDS machine. While this image won't come out of the box tweaked to your liking or with applications and settings preconfigured, I have found it useful to have the ability to install a vanilla Windows system over the network for other purposes as well. Additionally, you can start with these plain images, stream them to a system, customize them, capture the resulting image, and then re-upload it to the WDS machine, all without touching distribution media. To add a default install image of Windows Server 2008 onto your WDS machine:
1. Click on the server that will store the install image and expand it to expose the tree of folders beneath it.
2. Right-click on the Install Images folder in the left pane and select Add Install Image.
3. The Image Group screen appears, as shown in Figure 2-15. Type a name for this image group—groups are simply ways to organize collections of images. For example, type Windows Server 2008 Installations into the group name box. You can then add more images later and store them in this group to make it easy to administer them from the WDS MMC snap-in. Click Next.
Figure 2-15. The Image Group screen
4. The Image File screen appears. Browse the distribution media to find the INSTALL.WIM file located on the disc. For Windows Server 2008, you can find this image in the \Sources folder off the root of the media. Click Open.
5. The List of Available Images screen is next (see Figure 2-16). Here, you select which of the editions of the product you would like to make available to installation clients. Clear the checkboxes of images that you would like to exclude from the WDS server, and then click Next.
Figure 2-16. The List of Available Images screen
6. The Summary screen appears. Click Next to add the images to the store. This could take a while, as there is a lot to copy and manage.
Your boot and install images are now set up on the WDS server.
2.3.5. The Boot Menu
The Boot menu is a text-based screen that appears when WDS first begins loading after the PXE network environment has been established. The boot menu allows the user to choose between boot architectures—x86 clients can choose the right architecture, and there is a special boot version for x64 architectures as well—and further along in the process, it will dictate what choices appear in the installation menu.
WDS and 64-Bit Clients: A Quick Tip
You might find that some of your x64-based hardware isn't being detected correctly by your hardware and/or the PXE software. In this case, you may want to explicitly instruct WDS to show both x64 and x86 options on the boot menu. The simplest way to do this is from the command line, as follows:
WDSUTIL /Set-Server /Defaultx86x64ImageType:both
2.3.6. Creating and Modifying Images
Now that you have a sense of how to deploy WDS, and you have a few plain-vanilla install images on your server, you can set about creating custom images. You can create boot images and install images that are different from the defaults and suited to your requirements.
2.3.6.1. Creating and modifying boot images
You can create two different types of boot images for your needs: a capture image, which is what you boot a client computer into in order to capture an image of its hard drive for later deployment; and a discover image, which is used to install an operating system via WDS onto a computer that, for lack of hardware or software support, doesn't allow a PXE environment to be created. Capture images automatically boot into the Windows Deployment Services Capture Utility in lieu of Setup. You use a capture image on a computer that is ready to be imaged, and once it is booted, a wizard creates an install image of the reference computer and saves it as a .wim file. You can then upload this WIM file onto your WDS server for deployment to other target machines. Alternatively, you can burn a CD or DVD that contains a capture image and the ImageX command-line utility. You can then boot the source system with the media, run ImageX to create the WIM-based image, and then connect over the network to a machine and upload that image for storage. I find it useful to have one of these capture image DVDs available, even if you choose not to make that method your standard way of capturing images. To create a capture image:
1. Open the Windows Deployment Services MMC snap-in.
2. Expand Boot Images in the left pane.
3. Right-click on an image to use it as the foundation for your capture image, and select Create Capture Boot Image.
4. Enter a name, description, and the location to save the image.
5. Finish out the wizard and then right-click the boot image folder and select Add Boot Image from the resulting menu.
6. Browse to the new capture image you just created, and then click Next.
7. Finish the addition wizard and close out. Your capture image is now ready to be deployed.
The second type of boot image you can create, a discover image, forces Setup.exe to launch in Windows Deployment Services mode and then ping around the network to find an active WDS machine. You can use these images on a CD or DVD to allow WDS to stream deployments to machines that don't or won't support PXE. To create a discover image, use the following procedure:
1. Open the Windows Deployment Services MMC snap-in.
2. Expand Boot Images in the left pane.
3. Right-click on an image to use it as the foundation for your discover image, and select Create Discover Boot Image.
4. Enter a name, description, and the location to save the image.
5. Finish out the wizard and then right-click the boot image folder and select Add Boot Image from the resulting menu.
6. Browse to the new discover image you just created, and then click Next.
7. Finish the addition wizard and close out. Your discover image is now ready to be deployed.
If you are interested in creating hard media, such as a CD or DVD, to contain your discover image, you can download the Windows Automated Installation Kit from the Microsoft web site and install it. From that point, open a command prompt to the C:\Program Files\Windows AIK\Tools\PETools folder and commence the following procedure:
1. Create a Windows PE build environment by entering CopyPE {arch} c:\WinPE, replacing {arch} with the architecture of the boot image you'd like when issuing the command.
2. Copy the discover image to the target directory using the following command:
copy /y c:\boot.wim c:\winpe\iso\sources
3. Go back to the PETools folder from step one, and create the bootable ISO image using the OSCDIMG utility that is bundled in the Windows Automated Installation Kit. Type the following (the -b switch takes the boot sector file directly, with no space, and the -n switch permits long filenames):
oscdimg -n -bc:\winpe\ISO\boot\etfsboot.com c:\winpe\ISO c:\winpe.iso
4. Burn the resulting c:\winpe.iso file to a CD or DVD using your preferred burning and mastering software.
2.3.6.2. Creating install images
You can build custom install images (the images that consist of the actual operating system and any changes you want to bake into the package) from prepared computers and upload them for deployment to target machines. Generally, you boot the source computer normally, run the sysprep utility in most cases to strip out physical machine-specific information and security identifiers, then reboot into a WDS-based capture image, take a WIM-formatted image of the client, upload it somewhere else, and then reboot. Specifically, after you have finished configuring the source (or reference, as Microsoft refers to it) computer the way you'd like it to be imaged, run the following from the command line:
sysprep /oobe /generalize /reboot
After the utility has finished and the computer has restarted, press F12 and select the capture image from the boot menu that will be displayed. Choose the drive that contains the operating system on which you just ran SYSPREP, provide a name and description for the image, and click Next to continue. Then browse to a location on the machine where you can store the resulting .WIM file, enter a name for the image file, and then click Save. Finally, click "Upload image to WDS Server," enter the name of your WDS machine, and click Connect, entering credentials if prompted or necessary. (Choose the correct image group along the way if you are so prompted.) Click Finish, and your image will be created, prepared, and uploaded, and will be ready for deployment to your target machines.
2.3.6.3. Sysprep: the system preparation tool
The most common catch to any imaging solution is the need to identify and scrub security identifier (SID) information from your image. Deploying an image onto multiple computers, all with the same SID information, is an invitation to disaster. Sysprep is the answer to this problem.
Sysprep will not reimage a domain controller, a member of any cluster, or a machine functioning as a certificate server because of the inherent machine-specific characteristics of those services. However, after Sysprep has completed, these services are certainly supported and available to be installed.
Here's an overview of how Sysprep works:
1. You generate a prototype image and configure everything on that system as needed.
2. You then copy the profile of the account that has the settings and customizations you've been performing to the Default User profile, so that all future users of the system get those tweaks.
3. Then you run Sysprep. This scrubs SIDs and personal information from your prototype and shuts down the machine.
4. Next, you boot the computer from your WDS capture image and generate the WIM file. You can optionally upload that image as well.
5. Finally, you reboot the computer without the floppy, and proceed through mini-Setup again so that all personal information can be restored and new SIDs can be generated. (You can script this process so that a mini-unattended installation is performed.)
2.3.7. Configuring and Performing Unattended Installations with Scripts
If you are interested in further automating the deployment of operating systems using WDS, look into using unattended installation scripts: not only can you kick off an OS deployment over the network, but you can customize the responses to setup prompts, installed programs, product keys that are configured, and more, so that even if you aren't using an imaged system, you achieve a consistent setup on all machines you roll out. In Windows Server 2008 and Windows Deployment Services, there are essentially two different unattend files: a WDS client unattend file, which resides on the WDS server and directs the WDS client interface to install the right image and partition disks correctly; and the actual unattend file for the image itself, which is the type of unattend file with which you may be more familiar. This is stored in the $OEM$ structure common in the Windows 2000 and Windows Server 2003 days, or in the \Unattend directory in the image, and automates the remainder of the Setup process that the WDS unattend file can't address. You'll find the Windows Automated Installation Kit will come in handy if you are creating more than the simplest unattend files—in particular, the Windows System Image Manager can walk you through creating an unattend file, which can then be assigned (associated, in effect) either to clients hitting a specific server or to specific clients themselves, as well as to different machines based on x86 and x64 architectures. The format of the WDS client unattend file is easy to read, as it's in XML, which has a familiar syntax and structure. A sample follows (the element names are those of the Microsoft-Windows-Setup and Microsoft-Windows-International-Core-WinPE components of the windowsPE configuration pass; the values shown are placeholders):
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <WindowsDeploymentServices>
        <Login>
          <WillShowUI>OnError</WillShowUI>
          <Credentials>
            <Username>username</Username>
            <Domain>domain</Domain>
            <Password>password</Password>
          </Credentials>
        </Login>
        <ImageSelection>
          <WillShowUI>OnError</WillShowUI>
          <InstallImage>
            <ImageName>Windows Vista x86</ImageName>
            <ImageGroup>Windows Vista</ImageGroup>
            <Filename>Install.wim</Filename>
          </InstallImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </ImageSelection>
      </WindowsDeploymentServices>
      <DiskConfiguration>
        <WillShowUI>OnError</WillShowUI>
        <Disk>
          <DiskID>0</DiskID>
          <WillWipeDisk>false</WillWipeDisk>
          <ModifyPartitions>
            <ModifyPartition>
              <Order>1</Order>
              <PartitionID>1</PartitionID>
              <Letter>C</Letter>
              <Label>CLIENTMACHINE</Label>
              <Format>NTFS</Format>
              <Active>true</Active>
              <Extend>false</Extend>
            </ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>
    </component>
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SetupUILanguage>
        <WillShowUI>OnError</WillShowUI>
        <UILanguage>en-US</UILanguage>
      </SetupUILanguage>
      <UILanguage>en-US</UILanguage>
    </component>
  </settings>
</unattend>
Here's the process to integrate unattend files with your WDS deployment. Start by associating the WDS unattend file to the appropriate image.
1. Create your unattend.xml file for the WDS client. I suggest using the Windows System Image Manager, part of the Windows Automated Installation Kit.
2. Once you've created the unattend.xml file, upload it to your WDS server in the \RemoteInstall\WDSClient\Unattend folder.
3. Open Windows Deployment Services Manager.
4. Right-click the WDS server that is hosting the image to which your new unattend file should be assigned, and click Properties.
5. Navigate to the Client tab.
6. Check the "Enable unattended installation" box, browse to your unattend file in the \RemoteInstall\WDSClient\Unattend folder (use the full network path—don't go through the WDS server's local C: drive), and click Open.
7. Click OK.
Next, you can associate the Windows Setup unattend file to the image for a full hands-off deployment. To do so:
1. Open Windows Deployment Services Manager.
2. Expand the image group that contains the image you want to use.
3. Right-click the specific image and select Properties.
4. Navigate to the General tab.
5. Click "Allow image to install in unattend mode," and then click the Select File button and browse to your Windows Setup unattend file. Click OK.
6. Click OK to close out of the Properties sheet.
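The WDS client unattend file described in this section ends up on the server's \RemoteInstall\WDSClient\Unattend share, so what it contains is worth reviewing before step 2 above. The following Python script is an added example (not from the book or from Microsoft's tooling) that audits such a file: it reports the selected image and target partition, flags embedded domain credentials (which sit in clear text in that file), and flags a disk wipe or suppressed confirmation prompts. The sample file is constructed inline using the element names of the Microsoft-Windows-Setup component in the windowsPE pass, with a placeholder account; the XPath expressions assume that layout.

```python
"""Audit a WDS client unattend.xml for settings a deployment admin should review."""
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
# All WDS client settings live in the windowsPE pass of the Microsoft-Windows-Setup component.
PE_COMPONENT = "./u:settings[@pass='windowsPE']/u:component/"
WDS = "u:WindowsDeploymentServices/"

# Constructed sample (placeholder account and password, not a real secret).
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <WindowsDeploymentServices>
        <Login>
          <WillShowUI>OnError</WillShowUI>
          <Credentials>
            <Username>wds-deploy</Username>
            <Domain>EXAMPLE</Domain>
            <Password>placeholder-not-a-real-secret</Password>
          </Credentials>
        </Login>
        <ImageSelection>
          <WillShowUI>OnError</WillShowUI>
          <InstallImage>
            <ImageName>Windows Vista x86</ImageName>
            <ImageGroup>Windows Vista</ImageGroup>
            <Filename>Install.wim</Filename>
          </InstallImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </ImageSelection>
      </WindowsDeploymentServices>
      <DiskConfiguration>
        <WillShowUI>OnError</WillShowUI>
        <Disk>
          <DiskID>0</DiskID>
          <WillWipeDisk>false</WillWipeDisk>
        </Disk>
      </DiskConfiguration>
    </component>
  </settings>
</unattend>
"""


def _text(root, path):
    """Return the stripped text of the first element under the windowsPE component, or None."""
    el = root.find(PE_COMPONENT + path, NS)
    return el.text.strip() if el is not None and el.text else None


def audit_unattend(xml_text):
    """Parse a WDS client unattend file and return a report dict with findings."""
    root = ET.fromstring(xml_text)
    report = {
        "image": _text(root, WDS + "u:ImageSelection/u:InstallImage/u:ImageName"),
        "image_group": _text(root, WDS + "u:ImageSelection/u:InstallImage/u:ImageGroup"),
        "install_to": (_text(root, WDS + "u:ImageSelection/u:InstallTo/u:DiskID"),
                       _text(root, WDS + "u:ImageSelection/u:InstallTo/u:PartitionID")),
        "findings": [],
    }
    # 1. Embedded credentials: readable by anyone who can read the Unattend folder.
    #    Report the account, never the password itself.
    user = _text(root, WDS + "u:Login/u:Credentials/u:Username")
    domain = _text(root, WDS + "u:Login/u:Credentials/u:Domain")
    password = _text(root, WDS + "u:Login/u:Credentials/u:Password")
    report["credentials_embedded"] = password is not None
    if password is not None:
        report["findings"].append(
            f"clear-text password for {domain}\\{user} is embedded; use a least-privilege "
            "deployment account and restrict the ACL on the Unattend folder")
    # 2. Destructive disk action.
    wipe = (_text(root, "u:DiskConfiguration/u:Disk/u:WillWipeDisk") or "false").lower() == "true"
    report["wipe_disk"] = wipe
    if wipe:
        report["findings"].append("WillWipeDisk=true: the target disk is erased, not just repartitioned")
    # 3. Suppressed prompts: WillShowUI=Never removes the last human checkpoint.
    suppressed = []
    for section in (WDS + "u:Login", WDS + "u:ImageSelection", "u:DiskConfiguration"):
        if (_text(root, section + "/u:WillShowUI") or "").lower() == "never":
            suppressed.append(section.split(":")[-1])
    report["prompts_suppressed"] = suppressed
    if wipe and "DiskConfiguration" in suppressed:
        report["findings"].append(
            "disk wipe with the disk UI suppressed: any PXE client that receives this file is reimaged silently")
    return report


if __name__ == "__main__":
    result = audit_unattend(SAMPLE_UNATTEND)
    print(f"image {result['image']!r} -> disk/partition {result['install_to']}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```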
2.4. The Last Word
In this chapter, I've covered quite a bit about the various methods to install Windows, how activation works, ways to recover from a bungled Setup, and what to do when Windows Server 2008 just won't boot. I've also looked at automated rollouts of the product and its client brethren. In the next chapter, we'll step through in detail the file and print service functionality of Windows Server 2008.
Chapter 3. File Services
One of Windows Server 2008's primary functions within a typical organization is to serve files and connect multiple machines to a smaller number of printers. Windows Server 2008 enables you to create any number of shared folders that contain documents and programs that your users can access via such methods as Windows Explorer, Network Neighborhood, or mapped drives. The operating system also enables you to create a hierarchy of shared folders stored across multiple machines that can appear to end users as though they're stored on a single server. Print services are simple to configure and manage. Windows Server 2008 enables you to share a printer connected either physically to the server, or to a print server device that is attached directly to the network. It can also host drivers for multiple operating systems and automatically distribute the correct drivers to client systems. You'll need to be familiar with the following terminology to get the most from this chapter. Feel free to skip to the next section if you've been working with Windows for a while.
Disk
A disk is the actual, physical hard disk within the machine.
Drive
A drive is a logical object formatted for use with Windows. This can be either an entire physical disk or a partition.
Partition
A partition is a portion of a physical disk that can be used with volumes.
Volume
A volume is either a drive or a partition within Windows—it's a common term for both.
In this chapter, I'll discuss in depth all the file and print services Windows Server 2008 provides.
3.1. File and Print Server Features
Several features are present in Windows Server 2008 to enable faster, more seamless access to file and print services on your network. Although the infrastructure of the file and print systems has not been completely redesigned, it certainly has been modified to provide for ease-of-use enhancements, increased data integrity, automatic and assisted backup, and other key features, including the following:
Distributed File System (DFS)
DFS is a feature in Windows Server 2008 that permits an administrator to create one logical filesystem layout despite the fact that shares can be scattered across the network on different servers. This makes it easier for clients to find and store files consistently, and it allows for better equipment utilization. One server can host multiple DFS roots, which are "starting" points for a hierarchy of shared folders. In addition, a Windows Server 2008 server can use Active Directory site topology to route DFS requests from clients to the closest available server, improving response time.
Encrypting File System (EFS)
Native encryption abilities are built into the NTFS filesystem used in Windows Server 2008. By simply checking a checkbox in the Properties sheet for a file, you can easily encrypt and decrypt files and folders to protect their confidentiality. This feature is particularly useful for mobile computers, which have a greater risk of data loss and capture than traditional corporate desktop machines.
Volume shadow copy
The volume shadow copy feature is perhaps one of the most useful features of Windows Server 2008. The server will take snapshots of files at specific periods during the day, thereby making available a library of previous versions of a file. If a user accidentally overwrites a file, saves an incorrect version, or somehow destroys the primary copy, he can simply click Previous Versions in the Explorer view of the folder and access a shadow copy version.
Windows Search Service
The Windows Search Service, new to Windows Server 2008, catalogs and indexes the contents of server hard disks, enabling users to search in files in different formats and languages for the data they need. The engine has been enhanced over several revisions of the product to accelerate the search process and to use less processor time when cataloging and indexing files.
In this chapter, you will find complete coverage of Windows Server 2008 file services—folder sharing, permissions, shadow copies, DFS, and backup strategies, techniques, and procedures. You will also become familiar with a user service known as roaming profiles, which allows your users' preferred desktop settings to travel with them to any workstation in the network they might be using.
3.2. Setting Up File Sharing Services
Adding a file server role to a machine involves the following:
Configuring the machine as a file server
This process involves turning on file sharing and creating the first shared folder. Windows also creates a few of its own shares by default, which I'll discuss in more detail as the chapter progresses.
Establishing disk space limits by enabling disk quotas, if necessary
Disk quotas are a simple way to limit and control the amount of disk space your users take up with their data. Quotas monitor and limit a user's disk space on a per-partition or per-volume basis; quotas do not stretch across multiple disks. The wizard can configure Windows to apply default quota settings that you select to any new users of any NTFS filesystem. This step is not required to set up file sharing services, but you might find the feature useful. And there is another way of managing quotas—through the File Server Resource Manager, where you can enable per-folder quotas and further limiting by file-type filters.
Setting up Storage Utilization Monitoring
With Storage Utilization Monitoring, you can instruct Windows Server 2008 to keep tabs on how much disk capacity is being used on volumes and to generate reports to the administrator based on predefined thresholds. These reports can be simple alerts, or they can detail large files in order by owner, group, and so on, helping you pinpoint potential targets for archival or deletion in order to free up disk space.
Turning on the Windows Search Service
The Windows Search Service reads the contents of most files on the server and makes a catalog of their contents for easy search and retrieval at later points in time. Because the user interface for the Add Roles Wizard presents this option, I mention it here, but I cover it in detail in Chapter 13.
Installing management tools
The Add Roles Wizard will, when you first set up the file server role on each Windows Server 2008 machine, add the File Services component to Server Manager, allowing you easy access to share and storage management features and the classic Disk Management console.
Creating shared folders and setting share permissions for each folder
Finally, you'll want to create the shared folders and apply permissions to them. After all, that's why you started the process, right?
To configure a machine as a file server, open Server Manager from the Start menu, click Roles, select Add Roles from the right pane, and walk through the Add Roles Wizard. Click Next off the introductory screen, select File Services from the list of available roles, and click Next. You'll then see the Introduction to File Services screen, as shown in Figure 3-1.
Figure 3-1. The Introduction to File Services screen
Once you click Next off this introductory screen, you'll be presented with the Select Role Services screen, as shown in Figure 3-2.
Figure 3-2. The Select Role Services screen
Here, you can select t he different services t hat fall under t he broad " role" definit ion of a file server. The File Server role at t he t op of t he list is required; check t hat , and t hen select t he various subcom ponent s t hat you need. Do not e t hat t he I ndexing Service is a relic from Windows XP and Windows Server 2003 and should only be used in very specific scenarios; t he new Windows Search Service has t rem endously im proved perform ance and search accuracy feat ures and replaces t he I ndexing Service for m ost any search funct ion t hat you will encount er. Finally, t he Services for Net work File Syst em opt ion inst alls NFS support , which is useful in a m ixed environm ent where m achines running Linux, any flavor of Unix, and in som e cases, Mac OS X, need t o access files st ored on a net work share.
You can't run t he I ndexing Service and t he Windows Search Service on t he sam e m achine.
Once you have select ed t he subcom ponent s you want , click Next . ( For t he purposes of t his walkt hrough, select File Server, File Server Resource Manager, and Windows Search Service.) You'll t hen see t he Configure St orage Ut ilizat ion Monit oring screen, as shown in Figure 3- 3.
Figu r e 3 - 3 . Th e Con figu r e St or a ge Ut iliza t ion M on it or in g scr e e n
On t his screen, you can t ake advant age of a new feat ure int roduced in Windows Server 2003 R2 t hat allows you t o ask Windows t o proact ively look at disk capacit y and, specifically, t he am ount of free space available on a part icular volum e, analyze what is occupying t he space t hat is used, and generat e a preconfigured report t o send t o t he adm inist rat or wit h t his inform at ion. There will be m ore on t his opt ion lat er in t his chapt er as we delve int o t he File Server Resource Manager in det ail; but for now, let 's check t he box t o m onit or drive C: and accept t he default Files by Owner and Files by File group report s, and click Next . The Set Report s Opt ions screen appears, where you can choose where t o receive t he report s generat ed by t he st orage m onit or. Just accept t he default s for now and click Next . Now, you will see t he Select Volum es t o I ndex for Windows Search Service screen, as shown in Figure 3- 4.
Figu r e 3 - 4 . Th e Se le ct Volu m e s t o I n de x for W in dow s Se a r ch Se r vice scr e e n
On t his last screen of t he wizard, you select t he disks or volum es t hat t he Windows Search Service will index. Again, m ore on t he Windows Search Service lat er in t his chapt er, but go ahead and select drive C: t o index and click Next . Finally, click t he I nst all but t on on t he confirm at ion screen, and t he panel shown in Figure 3- 5 will appear, let t ing you know Windows Server 2008 is inst alling t he subcom ponent s of t he File Server role as you request ed.
Figu r e 3 - 5 . Th e I n st a lla t ion Pr ogr e ss scr e e n
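The same three role services the walkthrough selects can be installed without the wizard, which is what you want on servers built by script. This is an added example, not code from the book; the role service IDs are the ones ServerManagerCmd -query prints on Server 2008 (FS-FileServer, FS-Resource-Manager, FS-Search-Service), and you should confirm them against -query output on your own build before relying on them.

```powershell
# Added example (not from the book): command-line equivalent of the Add Roles
# walkthrough for the File Services role. Run from an elevated prompt.
# Role service IDs as printed by "ServerManagerCmd -query" on Server 2008;
# verify them on your build first.
$roleServices = 'FS-FileServer', 'FS-Resource-Manager', 'FS-Search-Service'

# Show the File Services entries; installed items are marked [X] in the output.
ServerManagerCmd.exe -query | Select-String 'File Services', 'FS-'

foreach ($id in $roleServices) {
    # -whatIf previews the change (including any dependencies and reboot
    # requirement) without touching the server.
    ServerManagerCmd.exe -install $id -whatIf
    # Real install; $LASTEXITCODE carries the native exit code.
    ServerManagerCmd.exe -install $id
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ServerManagerCmd returned $LASTEXITCODE for $id; check the log before continuing."
    }
}

# Re-query so the [X] markers confirm what was installed.
ServerManagerCmd.exe -query | Select-String 'FS-'
```

Storage Utilization Monitoring and the search index volumes are still configured afterwards through File Server Resource Manager and the Windows Search settings, as the later sections of the chapter describe.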
3.2.1. Creating a Share Manually
Only members of the Administrators, Server Operators, or Power Users groups can authorize sharing folders by default, though the user interface will allow other users to try to share before presenting them with a User Account Control (UAC) prompt. However, you can configure network-based GP settings to restrict other users and groups from doing so as well. Shares created using Windows Server 2008 are, by default, configured to allow the Authenticated Users group—all users who logged into the machine or network—read-only access. In some previous releases of Windows Server, all users were allowed full control of a share by default, which made for some sticky situations on compromised machines. Share permissions are different from file- and folder-level permissions, which are more granular. File- and folder-level permissions (also known as NTFS permissions) are covered later in this chapter. If you have a smaller business with fewer employees and less emphasis on security, you might find simple share-level permissions sufficient for protecting content that should be confidential. However, in larger organizations, share-level permissions often don't provide enough manageability and flexibility. Also, the storage and shared folder hierarchies in a large organization are often more complex than in smaller businesses, which makes administering share-level protection on lots of shares very tedious and unwieldy.
Some file sharing options might be limited if simple file sharing is enabled. When this option is enabled on workstations running Windows XP Professional, it is impossible to create, manage, and change permissions on shares remotely because all remote connections authenticate to that computer using the Guest account. It is recommended that, in a business networking environment, you disable simple file sharing. Consult a good Windows XP book for more information on simple file sharing under Windows XP.
You can create a share in three ways: using the Provision a Shared Folder Wizard, using the Explorer GUI, and using the command line. To share a folder using the Provision a Shared Folder Wizard, follow these steps:
1. Open Server Manager, and in the left pane, expand Roles, File Services, and click on Share and Storage Management.
2. In the right pane, click the Provision Share link to open the Provision a Shared Folder Wizard.
3. On the Shared Folder Location page, shown in Figure 3-6, select the folder for sharing. Click Browse to access a directory tree. You can also click the Provision Storage button to launch the wizard to prepare volumes on the system that haven't yet been formatted or allocated, saving you the effort of switching in and out of wizards and control panels to get a drive ready. Once you have a satisfactory location, click Next.
Figure 3-6. The Shared Folder Location page
4. The NTFS Permissions page, shown in Figure 3-7, appears. Here, you can elect to change NTFS permissions—those permissions that are in effect on the filesystem level, not just enforced on individual shares—that are now on the object you selected, or to maintain the existing permissions. Select the appropriate radio button, click the Edit Permissions button to bring up the classic permissions assignment dialog if necessary, and then click Next. (There will be more detail on NTFS permissions later in this chapter.)
Figure 3-7. The NTFS Permissions page
5. The Share Protocols screen appears, depicted in Figure 3-8. Here, you can choose how the share will appear over the network to clients using various protocols, like SMB (the standard Windows file sharing protocol and the one used by some open source tools like Samba) and NFS (which, as discussed earlier, serves Linux and Unix). Enter the share name and verify that the share path, which is denoted as a standard universal naming convention (UNC) path, reflects what you enter. If you didn't install NFS during the Add Roles Wizard, then the NFS option will be grayed out. Click Next when you are finished.
Figure 3-8. The Share Protocols page
6. The SMB Settings screen, shown in Figure 3-9, is displayed. The Share Path field is repeated from the previous screen for your reference. In Description (an optional field), type a description of the shared resource. Descriptions can help you as an administrator, as well as your users, understand the purpose of a share. Use something clear, such as "Accounting documents for Q3 1999" or "Inactive Proposals." Under Advanced Settings, you can set a user limit on the share, which is useful for enforcing a software license policy on older software running over the network; you can also decide whether access-based enumeration (ABE) is enabled, which lets you hide from a user shares to which he has no access, rather than displaying them and then throwing up a "deny" dialog box when he tries to access them; and you can choose offline settings. Click the Advanced button to change any of these settings. On the Caching tab of the Advanced dialog, you can configure how the contents in this share are made available to users not currently connected to the network. In Offline setting, specify how you want to make the contents of the shared folder available to users when they are not connected to the network. Click the button to make further tuning adjustments. The three options are fairly self-explanatory: the first option gives the user control over which documents are available offline, the second makes all documents available, and the third prevents any documents from being used offline. Note that checking the "Optimized for performance" checkbox automatically caches documents so that users can run them locally, which is helpful for busy application servers because it lowers overall traffic to and from the server. After you finish, click OK, and then click Next.
Figure 3-9. The SMB Settings page
7. The SMB Permissions screen (see Figure 3-10) appears. Here, you can set up the share-level permissions—not the filesystem permissions—that will be enforced for users browsing to the share over the network. Users at the console will still be able to look at the contents of the share unless file-level NTFS permissions restrict them from doing so. As the screen notes, the more restrictive of the share-level permissions and the NTFS permissions will apply. The available share-level permissions are as follows.
All users have read-only access
Both administrators and normal users will only be able to read files from this share; no writing or modification is allowed.
Administrators have full access; other users have read-only access
Members of the Administrators group retain full control over the share, including the ability to set new NTFS file permissions; everyone else has only read privileges. This is the best setting for a share that contains a program to be run over a network.
Administrators have full access; other users have read and write access
All users can read and write. Only members of the Administrators group retain the ability to change NTFS file permissions, however.
Use custom share and folder permissions
Using the custom permissions feature, you can assign specific permissions and deny permissions to users and groups. This is how a user would remove the default read-only access for all users, a wide-open door, in effect, that might not be desired for sensitive materials.
Figure 3-10. The SMB Permissions page
8. The Quota Policy screen, shown in Figure 3-11, appears. You can specify a quota that limits the maximum size that this folder will be allowed to reach. This quota is assigned at the local level—note that the path is now based off a drive local to your server, rather than the UNC network path as in the past few screens. To apply a quota, check the aptly named box, and then choose whether to simply create one quota on this path, or to use a quota template to create quotas on the folders currently in that path as well as on any subfolders that are created later. There will be more on quotas and quota templates later in this chapter; for the purposes of this demonstration, accept the default 100 MB Limit quota and click Next.
Figure 3-11. The Quota Policy page
9. The File Screen Policy screen appears, shown in Figure 3-12. A file screen allows you to prevent some types of files from being stored on a share, which is a great way to keep miscellaneous multimedia files from clogging up your server. In the case of a share that is storing accounting documents, there seems little reason to allow the hosting folder to contain audio and video files. To apply a file screen, check the "Apply file screen" box, and then choose a preconfigured file screen template from the drop-down box. There will be more on file screens and templates later in this chapter; for now, accept the default and click Next.
Figure 3-12. The File Screen Policy page
10. The DFS Namespace Publishing screen (shown in Figure 3-13) appears. Here, you can publish your new share to a DFS namespace. More on DFS later—click Next now to move through this screen to the final portion of the wizard.
Figure 3-13. The DFS Namespace Publishing screen
11. Finally, the Review Settings and Create Share screen is displayed, as shown in Figure 3-14. Verify the settings that you chose during the wizard and, if they all look good to you, click Create. After a moment, you should receive a green check on the confirmation screen indicating that your share has been successfully provisioned.
Figure 3-14. The Review Settings and Create Share screen
3.2.2. Default Shares
Upon installation, Windows Server 2008 creates several default shares that serve various purposes. You can examine these using the Share and Storage Management feature of Server Manager. Open Server Manager, expand the File Services role, and click on Share and Storage Management. Figure 3-15 shows the default screen, which on the Shares tab shows the shares configured on a machine.
Figure 3-15. The Shares tab of Share and Storage Management
Let's step through the default shares and list their function and purpose.
C$ and other similar drive letters
These shares are known as administrative shares, and they provide a quick way for you to access a certain computer over the network and inspect the contents of the drive. Windows Server 2008 creates one of these administrative shares for each local drive in a system. You can't easily get rid of these shares permanently because they are re-created upon reboot if they are not present. You can't adjust the share permissions on them either. Still, they're a handy tool in your toolbox for remote management and troubleshooting.
ADMIN$
This also is an administrative share that maps directly to the location of the Windows Server 2008 system files; it is the same as the %systemroot% environment variable. This is useful for spreading out operating system updates, especially across different operating systems. Recall that Windows 2000 used \WINNT, whereas Windows Server 2008 uses good old \WINDOWS. If you write a script to pass a file to all of these servers, you don't have to account for this difference if you use ADMIN$ on each machine as the location.
IPC$
This share is part of Windows Server 2008's method of sharing resources, not files, with other machines. Any type of remote management function other than sharing files uses this share.
NETLOGON
Mandatory on domain controllers, this share is a place to put logon and logoff scripts, programs, and profile information for users to read and access before they are logged on to the network. It's located at %SystemRoot%\sysvol\domainname\SCRIPTS on the filesystem of the server.
PRINT$
Print drivers that are shared to the network, usually for previous versions of operating systems, are stored in this share and requested by clients at the time of printer installation on the clients. It's located at %SystemRoot%\System32\spool\drivers on the filesystem of the server.
SYSVOL
This is used for internal domain controller operations and shouldn't be modified or deleted. It's located at %SystemRoot%\Sysvol\Sysvol on the local filesystem of the server.
Creating a Hidden Share
You might need to share a resource but not make it publicly known. For example, the Payroll department might need its own file share, but the rest of the company doesn't require access to it, and in the interest of confidentiality, you might want to hide it from public display. You can do this by typing $ as the last character of the shared resource name. Users can map a drive to this shared resource by naming it explicitly (including the $ appended to the end), but the share is hidden in Explorer, in My Computer on the remote computer, and in the net view command on the remote computer.
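The command line is the third way of creating a share named in Section 3.2.1, and it is also the quickest way to see what a hidden share does and does not protect. The following is an added example, not code from the book: it creates an Accounting share with the same kind of settings the wizard's SMB Settings and SMB Permissions pages offer, then a hidden Payroll$ share. The domain CONTOSO, the groups CONTOSO\Accounting and CONTOSO\Payroll, and the D:\Shares paths are constructed names; the folders must already exist, and the commands need an elevated prompt.

```powershell
# Added example (not from the book): creating shares with net share.
# Assumed: domain CONTOSO, groups CONTOSO\Accounting and CONTOSO\Payroll,
# existing folders under D:\Shares. Run elevated.

# Accounting: administrators get FULL, the Accounting group gets CHANGE
# (read and write), plus a description and a 25-user limit, matching the
# options on the wizard's SMB Settings page. /CACHE:Manual leaves it to the
# user to choose which documents are available offline.
$accountingArgs = @(
    'Accounting=D:\Shares\Accounting',
    '/GRANT:Administrators,FULL',
    '/GRANT:CONTOSO\Accounting,CHANGE',
    '/REMARK:Accounting documents for Q3',
    '/USERS:25',
    '/CACHE:Manual'
)
# PowerShell passes each array element to net.exe as a separate argument.
& net share $accountingArgs

# Payroll: the trailing $ keeps the share out of Explorer and "net view",
# but anyone who knows the name can still connect to \\server\Payroll$.
# The share ACL below and the NTFS permissions on the folder are what
# actually protect the data; the hidden name is only a courtesy.
# Single quotes keep PowerShell from treating $ as a variable prefix.
$payrollArgs = @(
    'Payroll$=D:\Shares\Payroll',
    '/GRANT:Administrators,FULL',
    '/GRANT:CONTOSO\Payroll,CHANGE',
    '/REMARK:Payroll department only',
    '/CACHE:None'
)
& net share $payrollArgs

# Verify. Naming a share prints its path, remark, user limit, caching mode
# and share permissions, so you can confirm no broader default grant slipped in.
& net share 'Payroll$'

# "net share" with no arguments lists every share on the server, hidden ones
# included; only "net view" on a client omits the $ shares.
& net share
```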
3.2.3. Publishing Shares to Active Directory
By publishing shares to Active Directory, your users can use the Find feature on the Start menu on their Windows desktops to find remote shares based on their identifier or description. This is handy for using a new piece of simple software that's being run directly from the network. It is equally handy for retrieving an electronic PowerPoint presentation that might have been given earlier in the day. Note that you must use an account with domain administrator or enterprise administrator privileges to publish a share to Active Directory. To publish a share, follow these steps:
1. From the Administrative Tools applet in the Control Panel, open Active Directory Users and Computers.
2. Right-click the appropriate organizational unit (OU).
3. Select Shared Folder from the New menu.
4. Enter a name and description of the share.
5. Enter the path (network location) to the folder you want to share, and then click Finish.
The share has now been added to the directory.
3.3. NTFS File and Folder Permissions
File- and folder-level permissions are one of the most dreaded and tedious, but necessary, tasks of system administration. However, they are significant in terms of protecting data from unauthorized use on your network. If you have ever worked with Unix permissions, you know how difficult they are to understand and set: complex CHMOD-based commands, with numbers that represent bits of permission signatures—it's so easy to get lost in the confusion. Windows Server 2008, on the other hand, provides a remarkably robust and complete set of permissions, more than any common Unix or Linux variety available today. It's also true that no one would argue how much easier it is to set permissions in Windows than to set them in any other operating system. That's not to say, however, that Windows permissions are a cinch to grasp; there's quite a bit to them.
3.3.1. Standard and Special Permissions
Windows supports two different views of permissions: standard and special. Standard permissions are often sufficient to be applied to files and folders on a disk, whereas special permissions break standard permissions down into finer combinations and enable more control over who is allowed to do what functions to files and folders (called objects) on a disk. Coupled with Active Directory groups, Windows Server 2008 permissions are particularly powerful for dynamic management of access to resources by people other than the system administrator—for example, in the case of changing group membership. (You'll meet this feature of Active Directory, called delegation, in Chapter 5.) Table 3-1 describes the standard permissions available in Windows.
Table 3-1. Windows Server 2008 standard permissions

Type                        Description
Read (R)                    Allows user or group to read the file.
Write (W)                   Allows user or group to write to the contents of a file or folder and to create new files and folders. It is possible to have write permissions without read permissions.
Read and Execute (RX)       Allows user or group to read attributes of a file or folder, view its contents, and read files within a folder. Files inside folders with RX rights inherit the rights onto themselves.
List Folder Contents (L)    Similar to RX, but files within a folder with L rights will not inherit RX rights. New files, however, automatically get RX permissions.
Modify (M)                  Allows user or group to read, write, execute, and delete the file or folder.
Full Control (FC)           Similar to M, but also allows user or group to take ownership and change permissions. Users or groups can delete files and subfolders within a folder if FC rights are applied to that folder.
The following key points should help you to understand how permissions work:
File permissions always take precedence over folder permissions. If a user can execute a program in a folder, she can do so even if she doesn't have read and execute permissions on the folder in which that program resides.
Similarly, a user can read a file for which he explicitly has permission, even if that file is in a folder for which he has no permission, by simply knowing the location of that file. For example, you can hide a file listing employee Social Security numbers in a protected folder in Payroll to which user Mark Jones has no folder permissions. However, if you explicitly give Mark read rights on that file, by knowing the full path to the file, he can open the file from a command line or from the Run command on the Start menu.
Permissions are cumulative: they "add up" based on the overall permissions a user gets as a result of her total group memberships.
Deny permissions always trump Allow permissions. This applies even if a user is added to a group that is denied access to a file or folder that the user was previously allowed to access through his other memberships.
Windows also has a bunch of permissions labeled special permissions, which, simply put, are very focused permissions that make up standard permissions. You can mix, match, and combine special permissions in certain ways to make standard permissions. Windows has "standard permissions" simply to facilitate the administration of common rights assignments. There are 14 default special permissions, shown in Table 3-2. The table also shows how these default special permissions correlate to the standard permissions discussed earlier.
Table 3-2. Windows Server 2008 special permissions

Special permission              R   W   RX  L   M   FC
Traverse Folder/Execute File            X   X   X   X
List Folder/Read Data           X       X   X   X   X
Read Attributes                 X       X   X   X   X
Read Extended Attributes        X       X   X   X   X
Create Files/Write Data             X           X   X
Create Folders/Append Data          X           X   X
Write Attributes                    X           X   X
Write Extended Attributes           X           X   X
Delete Subfolders and Files                         X
Delete                                          X   X
Read Permissions                X   X   X   X   X   X
Change Permissions                                  X
Take Ownership                                      X
Full Control                    X   X   X   X   X   X

The default special permissions are further described in the following list.
Traverse Folder/Execute File
Traverse Folder allows you to access a folder nested within a tree even if parent folders in that tree deny a user access to the contents of those folders. Execute File allows you to run a program.
List Folder/Read Data
List Folder allows you to see file and folder names within a folder. Read Data allows you to open and view a file.
Read Attributes
Allows you to view basic attributes of an object (read-only, system, archive, and hidden).
Read Extended Attributes
Allows you to view the extended attributes of an object—for example, summary, author, title, and so on for a Word document. These attributes will vary from program to program.
Create Files/Write Data
Create Files allows you to create new objects within a folder; Write Data allows you to overwrite an existing file (this does not allow you to add data to existing objects in the folder).
Create Folders/Append Data
Create Folders allows you to nest folders. Append Data allows you to add data to an existing file, but not delete data within that file (a function based on file size), or delete the file itself.
Write Attributes
Allows you to change the basic attributes of a file.
Write Extended Attributes
Allows you to change the extended attributes of a file.
Delete Subfolders and Files
Allows you to delete the contents of a folder regardless of whether any individual file or folder within the folder in question explicitly grants or denies the Delete permission.
Delete
Allows you to delete a single file or folder, but not other files or folders within it.
Read Permissions
Allows you to view NTFS permissions on an object, but not to change them.
Change Permissions
Allows you to both view and change NTFS permissions on an object.
Take Ownership
Allows you to take ownership of a file or folder, which inherently allows the ability to change permissions on an object. This is granted to administrator-level users by default.
You also can create custom combinations of permissions, known as special permissions, other than those defined in Windows Server 2008 by default; I cover that procedure in detail later in this section.
3.3.2. Setting Permissions
Setting permissions is a fairly straightforward process that you can perform through the GUI. To set NTFS permissions on a file or folder, follow these steps:
1. Open Computer or Windows Explorer and navigate to the file or folder on which you want to set permissions.
2. Right-click the file or folder, and select Properties.
3. Navigate to the Security tab.
4. Click the Edit button to change permissions.
5. In the top pane, add the users and groups for whom you want to set permissions. Then click each item, and in the bottom pane, grant or disallow the appropriate permissions.
Figure 3-16 shows the process of assigning write rights to user Jonathan Hassell for a specific file.
Figure 3-16. Granting permissions on a folder to a user
If a checkbox under Allow or Deny appears gray, this signifies one of two things: that the permissions displayed are inherited from a parent object (I discuss inheritance in more detail in the next section), or that further special permissions are defined that cannot be logically displayed in the basic Security tab user interface. To review and modify these special permissions, simply click the Advanced button. On this screen, by using the Add button, you can create your own special permissions other than those installed by default with Windows Server 2008. You also can view how permissions will flow down a tree by configuring a permission to affect only the current folder, all files and subfolders, or some combination thereof.
3.3.3. Inheritance and Ownership
Permissions also migrate from the top down in a process known as inheritance. This allows files and folders created within already existing folders to have a set of permissions automatically assigned to them. For example, if a folder has RX rights set, and you create another subfolder within that folder, users of the new subfolder will automatically encounter RX permissions when they try to access it. You can view the inheritance tree by clicking the Advanced button on the Security tab of any file or folder. This will bring up the screen shown in Figure 3-17, which clearly indicates the origin of rights inheritance in the Inherited From column.
Figure 3-17. Viewing the origin of permissions inheritance
You can block this process by clicking the Edit button and unchecking the "Include inheritable permissions from this object's parent" checkbox on the screen in Figure 3-17. Any children of the folder for which you've stopped inheritance will receive their permission from that folder, and not from further up the folder tree. Also, if you ever decide to revert to standard permissions inheritance on an object for which you've blocked the process, simply recheck the checkbox. Custom permissions that you've defined will remain, and all other permissions will automatically trickle down as usual. There also is a concept of ownership. The specified "owner" of a file or folder has full control over the file or folder and therefore retains the ability to change permissions on it, regardless of the effect of other permissions on that file or folder. By default, the owner of the file or folder is the object that created it. Furthermore, there is a special permission called Take Ownership that an owner can assign to any other user or group; this allows that user or group to assume the role of owner and therefore assign permissions at will. The administrator account on a system has the Take Ownership permission by default, allowing IT representatives to unlock data files for terminated or otherwise unavailable employees who might have set permissions to deny access to others. To view the owner of a file, click the Owner tab on the Advanced Permissions dialog box. The current owner is displayed in the first box. To change the owner—assuming you have sufficient permissions to do so—simply click Edit, acknowledge the UAC prompt, select a user from the white box at the bottom, and click OK.
Should the user to whom you want to transfer ownership not appear in the white box, click Other Users and Groups, then click Add, and then search for the appropriate user. You also can elect to recursively change the owner on all objects beneath the current object in the filesystem hierarchy. This is useful in transferring ownership of data stored in a terminated employee's account. To do so, select the checkbox for "Replace owner on subcontainers and objects" at the bottom of the screen. Click OK when you've finished. (This operation can take a while.)
3.3.4. Determining Effective Permissions

As a result of Microsoft's inclusion of Resultant Set of Policy (RSoP) tools in Windows Server 2008, you can now use the Effective Permissions tab on the Advanced Permissions screen to view what permissions a user or group from within Active Directory, or a local user or group, would have over any object. Windows examines inherited, explicit, implicit, and default access control lists (ACLs) for an object, calculates the access that a given user would have, and then enumerates each right in detail on the tab. Figure 3-18 demonstrates this.

Figure 3-18. The Effective Permissions tab

The Effective Permissions display has two primary limitations. First, it does not examine share permissions. It concerns itself only with NTFS filesystem-based ACLs, and therefore only filesystem objects. And second, it functions only for users and groups in their individual accounts. It will not display correct permissions if a user is logged in through a remote access connection or through Terminal Services, and it also might display partially inaccurate results for users coming in through the local Network Service account. Although these are reasonably significant limitations, using the Effective Permissions tool can save you hours of head scratching as to why a pesky Access Denied message continues to appear. It's also an excellent tool to test your knowledge of how permissions trickle down, and how allow and deny permissions override such inheritance at times.
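As an added illustration (not code from the book), the PowerShell function below computes, for the account running it, what the Effective Permissions tab shows for one path, and alongside it reports the owner and whether inheritance has been blocked, the two points from the previous section. It assumes PowerShell on Windows Server 2008 and a readable NTFS path; the sample path is a placeholder.

```powershell
# Added example, not from the book: walk an NTFS DACL in canonical order and
# accumulate the rights the current user ends up with. Like the Effective
# Permissions tab, this looks only at NTFS ACEs; share permissions are ignored.
# Run it at the same elevation the user actually works at: a UAC-filtered token
# no longer carries the Administrators group, and the result changes with it.
function Get-EffectiveNtfsRights {
    param([string]$Path)

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The access check matches an ACE against the user's own SID or any group SID
    # in the token, so collect both (as strings, for simple comparison).
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $acl   = Get-Acl -LiteralPath $Path
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])

    # ACEs are returned in stored (canonical) DACL order: explicit Deny, explicit
    # Allow, inherited Deny, inherited Allow. Walking them in that order is what
    # lets an explicit Allow beat an inherited Deny while any Deny beats an Allow
    # that comes after it.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    [int]$granted = 0
    [int]$denied  = 0
    foreach ($rule in $rules) {
        if ($tokenSids -notcontains $rule.IdentityReference.Value) { continue }
        $mask = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            # A Deny removes only the rights no earlier ACE has already granted.
            $denied = $denied -bor ($mask -band (-bnot $granted))
        } else {
            # An Allow grants only the rights no earlier ACE has already denied.
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
    }

    # Ownership: the owner can always read and rewrite the DACL, whatever the
    # ACEs say, which is why taking ownership "unlocks" a locked-down file.
    if ($owner.Value -eq $identity.User.Value) {
        $granted = $granted -bor [int][System.Security.AccessControl.FileSystemRights]::ReadPermissions
        $granted = $granted -bor [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions
    }

    New-Object PSObject -Property @{
        Path               = $Path
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected   # true when "Include inheritable permissions" was unchecked
        EffectiveRights    = [System.Security.AccessControl.FileSystemRights]$granted
    }
}

# Example call; the path is a placeholder.
Get-EffectiveNtfsRights -Path 'D:\Shares\Finance\Budget.xlsx' | Format-List
```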
3.3.5. Access-Based Enumeration

ABE is a great feature that is long overdue to be bundled with Windows Server. Essentially, this feature removes any access-denied errors for users by showing them only what they're allowed to access—if they don't have permission to use a file, browse a folder, or open a document, then it won't appear in whatever file management tool they're using at the time. This also closes an arguably significant security hole, in that if users can see folders they're not able to access, it might prompt hacking attempts or other tries to circumvent security, whereas one is less likely to hack what one doesn't know is there. Or so the theory goes. It looks like the real drawbacks at this point are:

- ABE only works when you're connecting via UNC to a network share. It won't work for local files. Of course, this doesn't seem like a terrible drawback, since not many users are browsing locally on Windows Server 2008 machines, and those that are would hopefully be administrator-level people anyway.
- You do need to be running Windows Server 2008 or Windows Server 2003 with Service Pack 1. Other server operating systems on the network won't be able to offer ABE, making for an inconsistent user experience.

To apply ABE to a shared folder, open Server Manager, expand Roles and File Services, and then click Share and Storage Management. From the middle pane, double-click on the shared folder for which you want to enable ABE, click the Advanced button, and check the "Enable access-based enumeration" box. After you do this, what will your users see? Nothing—that is, nothing that they don't have permission to access.
3.3.6. Auditing

Object access auditing is a way to log messages concerning the successful or unsuccessful use of permissions on an action against an object. Windows Server 2008 writes these messages to the Security event log, which you can view using the Event Viewer in the Administrative Tools applet inside the Control Panel. First, though, you must enable auditing at the server level and then enable it on the specific files and folders you want to monitor.

You can enable auditing overall in one of two ways—either on a system-by-system basis by editing the local system policy, or on selected machines (or all machines) participating in a domain through GP. In this section, I'll focus on editing local system policies. To begin, follow these steps:

1. Select Start, then All Programs, then Administrative Tools, and click Local Security Policy.
2. Expand Local Policies in the lefthand navigation pane, and click Audit Policy.
3. Double-click Audit Object Access.
4. To enable auditing, select which events—a successful access of a file or folder, an unsuccessful attempt, or both—to audit, and then click OK.
5. Close the Local Security Policy box.

Audit events for the appropriate types of accesses will now be written to the Security event log as they happen.

Here is a quick summary of enabling auditing through domain-based GPs: create a new GPO linked to a selected container of machines, and navigate through Computer Configuration, Windows Settings, Security Settings, and Local Policies to Audit Policy. Select the appropriate events, and click OK. Give the domain controller a few minutes to replicate the policy to other domain controllers in the domain, and then refresh the policy on your client machines through gpupdate /force or by rebooting the machines.

Now, select the objects within the filesystem you want to audit and right-click them. Choose Properties and click the Security tab in the resulting dialog box. Then click Advanced and select the Auditing tab. You'll be presented with a screen much like that shown in Figure 3-19.

Figure 3-19. Enabling auditing on an object

Assigning audit objects in Windows is much like assigning permissions. Simply click Edit, and then click Add, and a dialog will appear where you can enter the users to audit. Note that audit instructions work for both users and groups, so although you might not care what members of the Administrators group do, those in Finance might need a little more monitoring. Click OK there, and then select which actions—a successful object access or a failed use—of an event should be written to the log. You can easily specify different auditing settings between the various permissions, saying that you don't want to know when someone fails to read this object but you want to know whenever someone adds to it. Once you're finished, click OK and then Apply to save the settings. Auditing is a helpful way to keep track of what's happening on your file shares.
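The same three steps (server-level policy, per-object audit entry, reading the resulting log entries) from PowerShell, as an added example that is not from the book; it assumes an elevated PowerShell 2.0 session on Windows Server 2008 with auditpol.exe available, and the folder and group names are placeholders.

```powershell
# Added example, not from the book. Folder and group are placeholders.
$Folder = 'D:\Shares\Finance'   # placeholder
$Group  = 'EXAMPLE\Finance'     # placeholder

# 1. Server level. auditpol works per subcategory, so rather than all of
#    "Audit Object Access" only file system accesses are switched on here.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Object level (the Auditing tab in Figure 3-19): record successful and
#    failed modifications by the group, inherited by every subfolder and file.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'Modify',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -LiteralPath $Folder -Audit     # -Audit also fetches the SACL
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl   # needs the Manage auditing privilege (elevated admin has it)

# 3. Read back what was recorded. Security event 4663 ("An attempt was made to
#    access an object") carries the account, the object name and the access mask;
#    the keyword tells success from failure.
function Get-FileAccessAudit {
    param([string]$PathPrefix, [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            $xml  = [xml]$_.ToXml()
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectName'] -like "$PathPrefix*") {
                New-Object PSObject -Property @{
                    Time    = $_.TimeCreated
                    Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Object  = $data['ObjectName']
                    Access  = $data['AccessMask']
                    Process = $data['ProcessName']
                    Outcome = $(if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' })
                }
            }
        }
}

Get-FileAccessAudit -PathPrefix $Folder | Sort-Object Time | Format-Table -AutoSize
```

Failed accesses only appear if the Failure box (here AuditFlags 'Failure') is set on the object as well as in the policy; one without the other logs nothing.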
3.4. The File Server Resource Manager

Windows Server 2008 includes the File Server Resource Manager, an integrated console that contains various tools and reporting functions so that you can determine, control, and administer the amount and kind of data stored on your file servers. FSRM provides a single and convenient place for you to configure quotas on folders and volumes, screen for unacceptable types of files, and generate comprehensive reports on exactly where your disk space is going. To access the FSRM, open Server Manager, expand the File Services role in the left pane, expand Share and Storage Management, and click File Server Resource Manager. The default screen is shown in Figure 3-20.

Figure 3-20. The File Server Resource Manager console

3.4.1. Configuring the FSRM

The first step in using the FSRM is configuring some options that will be used by the console. In the Actions pane, click the Configure Options link, and you'll see a screen like Figure 3-21.

Figure 3-21. Configuring FSRM options

The FSRM is designed to send alerts and reports via email; on the Email Notifications tab, enter the outgoing SMTP server (either an SMTP service installed on the local machine or another mail server provided by your organization or your ISP), and the To and From addresses. You can also send a test email by clicking that button. Figure 3-22 shows the Notification Limits tab.

Figure 3-22. The Notification Limits tab

On this screen, you can set limits on how often the FSRM and Windows Server 2008 send notifications for similar events. If the FSRM detects, say, a quota-exceeded event, and the user continues to try to exceed the quota, these notification limits make the FSRM wait a certain amount of time before sending another email notification, writing another event log entry, or running command and report notifications again. Configure your limit, in minutes, for each of these notification types. Figure 3-23 shows the Storage Reports tab.

Figure 3-23. The Storage Reports tab

On this tab, you can specify your preferences for each report that the FSRM can generate. For example, if you highlight the File Screening Audit report and click the Edit Parameters button, you'll be able to select which users are included in the report. To take a look at all of the parameters for the reports, click the Review Reports button. The defaults work pretty well here, but as you'll see as we dig further into the FSRM, you may want to alter them slightly to customize the reports for your environment. Figure 3-24 shows the Report Locations tab.

Figure 3-24. The Report Locations tab

On this screen, choose where to save each type of report that the FSRM can generate. You can store them either on the local drive or on a network volume. Figure 3-25 shows the File Screen Audit tab.

Figure 3-25. The File Screen Audit tab

Here, you can tell the FSRM whether to log screening activity in the auditing database. If you don't intend to use file screening reports, clearing this checkbox will give you a slight performance improvement, since the extra logging isn't required.
3.4.2. Configuring Quotas with the FSRM

It's more straightforward to configure quotas using the FSRM, as the interface is cleaner and the rules a bit more flexible. Using the FSRM, you can create quotas for specific folders or volumes and configure the notifications generated by Windows when those quotas are exceeded. FSRM improves on the disk-based quota feature, covered in the next major section in this chapter, and takes it a couple of steps further by allowing you to customize "auto quotas" that automatically apply to both existing and future folders, and define quota templates that can be used anywhere in an organization's IT infrastructure.

Let's start off with simply applying a quota to a single folder. To do so, within the FSRM, double-click the Quota Management item in the middle pane, and then double-click on Quotas. From the right pane, click the Create Quota link. You'll see a screen much like Figure 3-26.

Figure 3-26. The Create Quota screen

Enter the path to the folder in the top box, or click Browse to find it graphically. Select "Create quota on path," and then choose either a pre-existing template, which offers some preconfigured limits, or choose the "Define custom quota properties" option and click the Custom Properties button. If you select the latter option, you'll be prompted with the Quota Properties screen, where you can enter the space limit, define whether the quota is hard or soft, and add different notification thresholds. Click OK when you're done, and the summary window on the Create Quota screen will show your selections. If all looks good, then click Create, and the quota placement is complete.

That process works well for one-off quota needs, but suppose that you want to centralize quota management across all folders and volumes. The best way to do that is to use the quota template facility within FSRM. By applying quota templates to folders, you can simply make one change to the template's configuration, and all folders to which that template has been applied will reflect the change. Think of it as having a "group" of quotas to make administration simpler.

To make a quota template, double-click the Quota Management item in the middle pane of the FSRM and then double-click on Quota Templates. From the right pane, click the Create Quota Template link. You'll see a screen much like Figure 3-27.

Figure 3-27. The Create Quota Template screen

In the top drop-down box, you can select an existing template and copy the settings from it into the new template you're creating, which is a great timesaver when you need to make just a few minor changes. Otherwise, enter the template name, a friendly name if you wish, and then select the space limit and the severity of the limit. You can also configure the specific thresholds for notification when users hit a quota. Click Add to define a new notification; you will see the Add Threshold screen appear, as shown in Figure 3-28.

Figure 3-28. The Add Threshold screen

Note the first box, called "Generate notifications when usage reaches (%)." In this box, specify the actual threshold at which the action you're going to define on these screens will take place. Now, the most common notification administrators send is an email message, both to the user who exceeded the limit and to the administrator himself. On the E-mail Message tab, you can check to whom to send such messages, and also change the text of the message. On the Event Log tab, you can customize the text of a warning event that will be sent to the Event Log, and on the Command tab you can define a script or program that will be run when a user exceeds the threshold you set. Finally, on the Report tab, you can tell the FSRM to automatically generate a storage report (covered a bit later in this section) when the quota is exceeded. Each of these tabs has a straightforward interface. Click OK when you've finished, and then OK again to finish creating the template.

Once the template is in place, you can use it to apply quotas to specific folders. Then when you need to increase the quota on all folders using a given template, for example, you can simply edit the space limit field within the template definition, and all folders will then reflect the new limit.
3.4.3. Screening for File Types

Another useful capability of the FSRM is the ability to screen for certain file types and prevent them from being stored on your file servers. If your storage resources are limited and space is at a premium, there probably isn't a legitimate reason to store tons of MP3 and WMA files within your users' home directories. Even if you have plenty of "first line" space, these files are probably part of your backup set, and if they are, you're likely needlessly wasting precious backup media storing the latest Mariah Carey CD in an off-site location in case disaster strikes. File screening can help keep this type of waste to a minimum. FSRM is pretty flexible. For example, it allows for the following scenarios:

- You can prevent all music files from being stored on a server, except for those files with specific filenames (your marketing theme, or a media file relating to an upcoming commercial) or files placed on the server by a certain person or group within your company.
- You can get a pre-warning emailed to you whenever a suspicious script or EXE file is stored on a shared volume, thus alerting you to a possible security breach or virus infestation.
- You can write notifications of screening alerts to the event log, so if you have an event log consolidation program running on all of your servers, you can see the screening reports directly from them.

Like quotas, the file screening feature offers the capability to create file groups, which are simply collections of file extensions with like characteristics (for example, a media file group would contain MP3, WMA, OGG, and others) that can be used to specify included or excluded files in a particular screen, and file screening templates, which are ready-to-use rules for screening different types of files. Again, by using templates extensively, you can make changes to all servers using file screening with just one or two modifications to the template.

3.4.3.1. Defining a file group

You can define a file group within the FSRM. To do so:

1. In the right pane of Server Manager, expand Roles, File Services, Share and Storage Management, File Server Resource Manager, and File Screening Management.
2. Right-click File Groups, and then click "Create file group."
3. Type a name for the file group.
4. In the "Files to include" box, enter a filename pattern (like *.exe) for files you'd like to include in the group, and click Add. In the "Files to exclude" box, enter a pattern for files you'd like to exclude.
5. Click OK.

3.4.3.2. Creating a file screen

To create a single file screen:

1. In File Screening Management, right-click File Screens, and then click "Create file screen."
2. The Create File Screen box appears. Figure 3-29 shows this. Enter the path to which the file screen will apply (this includes subfolders of the specified folder by default).

Figure 3-29. The Create File Screen dialog box

3. Select the "Define custom file screen properties" option, and then click Custom Properties.
4. The File Screen Properties screen appears. You can elect to use an existing template, or create a custom screen.
5. Under "Screening type," select whether to apply active screening, which prevents users from saving files that are members of blocked file groups and generates notifications of such actions; or passive screening, which sends notifications but does not prevent users from saving blocked files.
6. Under File Groups, select each file group that you want to include in the screen. To select the checkbox for the file group, click the file group label twice.
7. To configure email notifications for the file screen, set the following options on the E-mail Message tab:
   - Select "Send email to the following administrators" to notify those persons when an attempt is made to save an unauthorized file, and enter the administrative accounts that will receive notifications. To enter multiple accounts, separate them with semicolons.
   - Select "Send email to the user who attempted to save an unauthorized file" if you want to alert the user that he almost breached policy.
   - You can also edit the subject line and message body. To insert additional variables in the text, click Insert Variable and then choose the appropriate variable as listed on the screen.
8. On the Event Log tab, select the "Send warning to event log" checkbox, and edit the default log entry. Both of these tasks are optional. In addition, on the Command tab, you can tell Windows to run a program or script when a violation occurs, and on the Report tab, you can elect to automatically generate a report upon a violation.
9. Click Create to save the file screen.

Note that when you're creating a "one-off" file screen, you have the option to save it as a file screen template, meaning that (a) it can be reused later if you need to apply the same settings to a different target, and (b) FSRM remembers the link between the target of your one-off screen and the newly created template—in essence, it creates the template and then applies the screen, so you get the advantages of template use.

3.4.3.3. Creating an exception to a screen

A file screen exception essentially overrides any screening that would otherwise apply to a folder and its subfolders—it basically blocks rules derived from a parent folder. You can't, however, apply an exception to a folder that already has a file screen applied: you need to either apply the exception to a subfolder or make changes to the existing screen. To create an exception to a screen:

1. In File Screening Management, right-click File Screens, and then click "Create file screen exception."
2. This opens the Create File Screen Exception dialog box. Enter the path to which the exception will apply.
3. Under "File groups," select each file group that you want to include in the exception.
4. Click OK.
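The quota template, file group, active screen and screen exception built in the FSRM console in the preceding sections, created instead from PowerShell with the command-line tools the File Server Resource Manager role installs (dirquota.exe and filescrn.exe). This is an added example, not code from the book; the paths and names are placeholders, and the switch spellings are the ones I recall from the tools' built-in help (dirquota /? and filescrn /?), so check them against your server.

```powershell
# Added example, not from the book. Placeholders: the share and a subfolder of it.
$HomeShare = 'D:\Shares\Home'            # placeholder
$Marketing = 'D:\Shares\Home\Marketing'  # placeholder

# --- Quotas (section 3.4.2) ---
# A reusable template: hard 500 MB limit, first notification threshold at 85%.
dirquota template add /Template:Home500MB /Limit:500MB /Type:Hard /Add-Threshold:85
# An auto quota applies the template to every existing AND future subfolder of
# the share, each getting its own 500 MB; changing the template later changes all.
dirquota autoquota add "/Path:$HomeShare" /SourceTemplate:Home500MB

# --- File screening (sections 3.4.3.1 to 3.4.3.3) ---
# File group: patterns to include separated by '|', plus an excluded pattern for
# the marketing theme file the text mentions as a legitimate exception.
filescrn filegroup add /Filegroup:MediaFiles "/Members:*.mp3|*.wma|*.ogg" /Nonmembers:theme-*.mp3
# Active screen on the share: saving a member of the group is refused and
# notified. /Type:Passive would notify without blocking.
filescrn screen add "/Path:$HomeShare" /Add-Filegroup:MediaFiles /Type:Active
# Exception on a subfolder (it must not carry a screen of its own): media files
# placed here are not screened by the parent's rule.
filescrn exception add "/Path:$Marketing" /Add-Filegroup:MediaFiles

# Review what is now in effect on the share.
dirquota quota list "/Path:$HomeShare"
filescrn screen list "/Path:$HomeShare"
```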
3.4.4. Generating Storage Reports

The FSRM includes a great facility to get a picture of exactly how your storage is behaving. You can look at trends in how your disk space is being occupied and see alerts and notifications of users who are going over quota or attempting to save files that are in violation of your file screening policies. You can schedule these reports to be generated automatically on a time rotation that you specify, or you can create ad hoc reports as you see fit. The following reports are available out of the box:

- Duplicate files
- File screening audit
- Files by file group
- Files by owner
- Large files
- Least recently accessed files
- Most recently accessed files
- Quota usage

To generate an ad hoc report:

1. Right-click the Storage Reports Management node under the FSRM entry in the left pane, and click "Generate reports now."
2. The Storage Reports Task Properties dialog box appears, as shown in Figure 3-30. Add each volume or folder that you want to report on to the Scope box, and in "Report data," select and format each report that you want to include. To edit the parameters of any particular report, highlight the report label and click the Edit Parameters button. When you finish editing the parameters, click OK.
3. Back on the Storage Reports Task Properties screen, select each file format that you want to save the report in.
4. The Delivery tab allows you to elect to have the report emailed to administrators once it has been generated. To enable this, check the "E-mail report to the following administrators" box and then enter each email address that you want the report delivered to. To enter multiple accounts, separate each with semicolons.
5. Click OK when you're finished, and then choose whether to open the reports when they're finished or to look at them later.

Figure 3-30. The Storage Reports Task Properties screen

You can also schedule reports to be created, which allows you to monitor your storage resources on a regular schedule. To create a scheduled report:

1. Right-click the Storage Reports Management node under the FSRM entry in the left pane, and click "Schedule a new report task."
2. Follow steps two through four in the previous procedure to define the properties of the report.
3. Click the Schedule tab, then the Create Schedule button, and then the New button on the resulting screen, to define a schedule. This is shown in Figure 3-31.
4. Select the interval at which to generate the report (daily, weekly, monthly, or one-time reports are supported).
5. The options below the interval box change depending on your selected interval. Enter this information as necessary.
6. Enter the time of day to generate the report under "Start time."
7. Click OK to save the schedule.
8. Click OK to save the task.

Figure 3-31. Creating a scheduled report task
3.5. Disk-Based Quotas

Windows 2000 first introduced the disk-based quota feature, allowing an administrator to define a limit or set of limits on the consumption of disk space by individual users. Windows Server 2008's quota management features some interesting properties:

- Windows Server 2008 can distinguish between volumes, so you can set different quotas on different volumes to perhaps segregate types of data, or to offer a disk exclusively to a set of users for their daily work.
- You can assign disk-based quotas on mapped drives as long as the physical volumes to which the mapped drives point were created with Windows 2000 Server or Windows Server 2003 or were upgraded to either of the later versions from Windows NT 4.0.
- Unlike some third-party software programs, Windows Server 2008 does not allow grace writes. That is, some software allows a user to continue an operation—say, a file copy process—even if during the middle of that operation the disk-based quota is reached. Windows Server 2008 does not allow this; it will cut off the operation when the quota is reached.

As usual, though, neat features always contain weak points. First, quotas are supported only on disks formatted with the NTFS filesystem. This isn't too surprising, because most progressive filesystem features aren't available under the various flavors of FAT. Second, and perhaps more disturbing, is that, due to an architectural limitation, disk-based quotas (those assigned at the volume level, that is) can be added only to individual users. This creates quite a headache, as most other network operating systems allow you to set a default quota based on group membership. In this manner, all normal users could have 500 MB, power users and executives could have 1.5 GB, and administrators could have unrestricted space. Alternatively, payroll users could have 250 MB, while the sales team with their myriad PowerPoint presentations might need 1 GB apiece. Alas, Windows Server 2008 doesn't support this out of the box at the disk level, but later in this section I'll show you a problematic but workable way around this limitation.

3.5.1. Setting Default Disk Quotas

To set up default disk quotas through Windows Explorer, follow these steps:

1. Open Computer, right-click the drive for which you want to enable quota support, and select Properties.
2. Navigate to the Quota tab.
3. Make sure the "Enable quota management" checkbox is checked. If it's not, quota support is not enabled. If you want to continue, check this checkbox.
4. Choose one or more of the following selections based on your needs:

Deny disk space to users exceeding quota limit
If you check this checkbox, when users reach their disk-based usage limit, Windows returns an "insufficient disk space" error, thereby preventing them from writing more data until they either change or remove files to make more space available. To individual application programs, where this behavior is handled in various ways, it appears that the volume is full. If the checkbox is not checked, users can exceed their disk-based quota limit, which makes this an effective way to simply track disk usage by user without enforcing limits on storage space use.

Limit disk space to
Here, specify the amount of space newly created users of the disk can fill, and the amount of space that can be used before alerts are recorded in the event log (known as the soft quota, or warning level). You can use decimal values and varying units to fine-tune your settings.

Log event when a user exceeds his quota limit
If quotas are enabled, disk event entries are recorded hourly in the system event log when a user reaches his hard quota, or official limit.

Log event when a user exceeds her warning level
If quotas are enabled, disk event entries are recorded hourly in the system event log when a user reaches her soft quota, or warning level.

3.5.2. Configuring Individual Quota Entries

You might find it useful to set individual disk-based quotas for specific users that exempt them from a more limiting default quota you might have configured. You can set these individual quota entries through the GUI by clicking the Quota Entries button on the Quota tab under the Properties sheet of the disk in question. In the Quota Entries for Drive box, select Quota from the pull-down menu and click New Quota. Figure 3-32 shows this.

Figure 3-32. Entering a new disk quota entry

Select the user to which to apply the new disk-based quota, and in the box, configure the restrictions on the user's space.
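Because volume-level quota entries accept individual accounts only, one way to give a whole group the same limit is to write one entry per member. The function below does that with fsutil.exe and ADSI; it is an added example, not code from the book, and it assumes an elevated PowerShell session on a domain-joined Windows Server 2008 machine, with placeholder names for the volume, the group's distinguished name and the NetBIOS domain.

```powershell
# Added example, not from the book: per-user disk quota entries for every member
# of a group. Volume, group DN and NetBIOS domain are placeholders.
function Set-GroupDiskQuota {
    param(
        [string]$Volume        = 'D:',                                   # placeholder
        [string]$GroupDN       = 'CN=Sales,OU=Groups,DC=example,DC=com', # placeholder
        [string]$NetbiosDomain = 'EXAMPLE',                              # placeholder
        [long]$WarningBytes    = 900MB,   # soft quota: logged, not blocked
        [long]$LimitBytes      = 1GB      # hard quota: writes beyond it fail
    )
    # Same effect as checking "Deny disk space to users exceeding quota limit";
    # 'fsutil quota track' would turn quotas on for tracking only.
    fsutil quota enforce $Volume | Out-Null

    $group = [ADSI]"LDAP://$GroupDN"
    foreach ($memberDN in @($group.member)) {
        $member = [ADSI]"LDAP://$memberDN"
        # Nested groups are skipped: quota entries exist per user only, so each
        # nested group needs its own run of this function.
        if (@($member.objectClass) -contains 'group') { continue }
        $account = "$NetbiosDomain\$($member.sAMAccountName)"
        # fsutil quota modify <volume> <warning-bytes> <limit-bytes> <user>
        fsutil quota modify $Volume $WarningBytes $LimitBytes $account | Out-Null
        $account   # emit the account so the caller can see what was set
    }
}

Set-GroupDiskQuota -Volume 'D:' -GroupDN 'CN=Sales,OU=Groups,DC=example,DC=com' -NetbiosDomain 'EXAMPLE'
# The new entries appear under Quota Entries in the GUI (Figure 3-32), or via:
fsutil quota query D:
```

The entries are a snapshot of membership: a user added to the group later gets the volume default, not the group's figure, until the function is run again.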
3 .6 . Usin g Offlin e File s a n d Folde r s Offline Files and Folders is a neat feat ure, offered for t he first t im e in Windows 2000 Professional, which synchronizes files and folders when you connect t o and disconnect from t he net work. Sim ilar t o t he Windows 95 Briefcase, except m uch m ore versat ile and aut om at ed, Offline Files and Folders caches a copy of select ed files and folders on a com put er's hard drive. When t hat com put er becom es disconnect ed from t he net work for any reason, Windows reads t he cache on t he m achine and int ercept s request s for files and folders inside t he cache. The end user can st ill open, save, delet e, and renam e files on net work shares because Windows is fooling him int o t hinking t hat everyt hing is st ill on t he net work and not in t he cache. Windows records all changes, and t he next t im e an appropriat e net work connect ion is det ect ed, t he changes are uploaded t o t he net work and t he cache, and t he act ual net work file st ores are synchronized.
What happens when a com m on net work share—call it Cont ract s—is m odified by t wo different users while t hey're offline? I n t his inst ance, it 's really a case of who get s connect ed first . User A will synchronize wit h t he net work, and his m odified version of t he file will be t he one now st ored live on t he net work volum e. When User B at t em pt s t o synchronize, Windows will prom pt him t o choose whet her t o keep t he exist ing version ( t he one t hat User A m odified) or t o overwrit e it wit h t he one t hat User B has worked on.
This has obvious advant ages for m obile users. I n fact , as I writ e t his, I am sit t ing at a rest st op on I nt erst at e 20 out side August a, Georgia, t aking an ext ended break from a road t rip. To open t his file, I navigat ed t hrough Windows Explorer t o m y regular net work st orage locat ion for t his book and it s assort ed files. I not iced no difference bet ween m y office and t his car, at least as far as Windows' int erface t o t he net work was concerned. However, t om orrow, when I am back in m y office, I will plug t he Et hernet cable int o m y lapt op, and Windows will synchronize any files I m odified in t hat folder wit h t he files on m y servers in t he office. Using t his feat ure, I always have t he lat est file wit h m e wherever I am , be it in t he office or on t he road, and I don't really have t o consciously t hink about it . But t here's also a plus side t hat you m ight not have considered: if you enable Offline Files on regular deskt op m achines, not j ust m obile lapt ops, you creat e a poor m an's fault - t olerant net work. ( The price you pay for such fault t olerance is bandwidt h.) That is, when t he net work connect ion disappears, Windows doesn't care if you are using a big m ini- t ower syst em or an ult ra- t hin not ebook. So, your deskt op users st ill can safely and happily use net work resources, even if t he net work has disappeared, and you as t he adm inist rat or can rest assured in knowing what ever t he users do will be updat ed safely on t he net work when it reappears. Now, of course, t his is no subst it ut e for a well- planned net work wit h qualit y com ponent s, but in a pinch, offline folders do well t o reduce user panic and wast ed help- desk calls.
3.6.1. Enabling Offline Files
To make a server's share contents available offline using Server Manager, follow these steps:
1. Open Server Manager.
2. In the left pane, expand Roles, then File Services, and click Share and Storage Management.
3. In the list of shares in the middle pane (make sure you've selected the Shares tab), right-click the share in question and select Properties.
4. On the Sharing tab, look under the Offline Settings field to determine the current status of caching on this share. To change it, click the Advanced button, and then click the Caching tab.
5. Select the appropriate settings (described shortly), and then click OK twice when finished.
To make a share's contents available offline using Windows Explorer, follow these steps:
1. Open Windows Explorer.
2. Right-click the shared folder in question, and select Properties.
3. Click the Sharing tab, and then click the Advanced Sharing button, acknowledging the UAC prompt if necessary.
4. Click the Caching button.
5. Select the appropriate settings, and then click OK when finished.
In both of these processes, the individual offline availability configuration settings are as follows:
The first option (only the files and programs that users specify are available offline) gives the user control over which documents are cached. This "manual caching" setting is what a newly created share gets.
The second option (all files and programs that users open from the share are automatically available offline) caches every document a user opens.
The third option (files or programs from the share are not available offline) prevents any documents from being cached.
You can enable Offline Files and Folders on Windows 2000 and Windows XP clients by opening any folder and selecting Folder Options from the Tools menu. Then click the Offline Files tab, and select the checkbox called Enable Offline Files.
3.6.2. Points to Remember
Be careful to note that offline access is allowed by default when creating a new share. If you have sensitive data stored on a share accessible by mobile computers, that data can represent a real business intelligence risk if a mobile user's laptop is stolen or compromised: the cached copies live on the client's local disk (under %SystemRoot%\CSC), where anyone who can mount the drive can read them regardless of the NTFS permissions on the server. Consider disabling offline access for shares that contain potentially private corporate information not suitable for storage on computers that leave the corporate campus. Where offline copies are unavoidable, turn on client-side encryption of the Offline Files cache (the "Encrypt offline files" option on Windows XP and later clients, which uses EFS) and full-disk encryption such as BitLocker on the laptops themselves.
Also, beware of the false sense of security that Offline Files and Folders gives the user. If I were to go to the airport without plugging my laptop into the network right before I left, I certainly would not have the latest version of any files I had modified since I last connected the laptop to the network; I'm potentially missing many more files that perhaps had been added since that time as well. A good rule of thumb, even though it's low-tech, is to plug in the laptop right before you leave the office, and then disconnect the laptop and reboot. This enables you to synchronize for a final time and to verify that the utility is working correctly. It's a lot better than arriving at a conference without the PowerPoint slides that comprise a significant portion of your talk. (Not that I know from experience....) Note that checking the Optimized for Performance checkbox in the Windows GUI automatically caches documents so that users can run them locally, which is helpful for busy application servers because it lowers overall traffic to and from the server.
3.7. Using Previous Versions
Previous versions (née shadow copies) are a relatively new technology within Windows products that enable a server to take snapshots of documents on a disk to record their states at certain points in time. If a user accidentally deletes or otherwise overwrites a file, she can open a version the server saved earlier in time, thereby eliminating the need to either re-create her work or contact the help desk to get them to restore the file from the most recent backup. When the previous versions feature is enabled on a disk, clients connecting to a share on that disk will be able to view and access previous point-in-time copies of either individual files or entire directories.
Further benefits lurk beneath the surface of this feature, however. The service behind shadow copies, called the Volume Shadow Copy Service (VSS), is actually responsible for a newly developed application programming interface (API) that allows server-based applications such as Exchange, SQL, and backup programs to take advantage of the benefits of shadow copies. Perhaps the most famous example is a backup that skips open files, either because they are currently open by a user or because they are locked by another process. In the past, this resulted in incomplete backups, either because the backup process halted in midstream because of this unrecoverable error, or because the process skipped the open file. If the open file is, say, your Exchange email database, that's not necessarily a good thing. But now, with volume shadow copies, the backup application can simply use an API to take a snapshot of any open files and back up that snapshot. Now you have an instant backup of a database at any point in time, with no interruption in availability to the user. This is a very nice feature.
You definitely can take advantage of previous versions in the user realm as well. Part of the Volume Shadow Copy Service is a piece of client software that Windows Vista and Windows XP Service Pack 2 clients have integrated into the product; no separate installation is needed. Windows 2000 clients can download the software at http://go.microsoft.com/fwlink/?LinkId=22346. Once the user has this client, Windows adds a tab to the Properties sheet for any document. This is shown in Figure 3-33.
Figure 3-33. The Previous Versions screen
To restore a previous version of a file, all the user has to do is select the appropriate version and either copy it to a different location using the Copy button, or restore it to its location at the time the snapshot was taken by using the Restore button. (This will overwrite the newer version because it's assumed that when a user wants to restore a previous version, he doesn't want the current version.) Note that viewing an executable file will run that file. To reduce confusion, when a user accesses the Previous Versions link in the Explorer view of a particular share, she is presented only with a list of unique copies—that is to say, a list of versions that differ from one another, a condition that indicates the file or folder changed. In addition, previous versions are read-only, in that users can copy, drag and drop, and perform any other function on them as usual except for overwriting or deleting them.
3.7.1. Enabling Previous Versions
Previous versions are not on by default: you enable them per volume, from the Shadow Copies tab of the volume's Properties sheet or with the vssadmin command, and users then see previous versions only for files on shares that reside on an enabled volume. How does this work in terms of system resources required? The system uses a folder on that volume called System Volume Information, where the actual snapshots and logfiles of the operations are stored. By default, this folder is allocated 10% of the volume's total disk space, much like the Recycle Bin default in Windows. You need at least 300 MB of free disk space to actually create a previous versions snapshot. When you first enable previous versions, a current snapshot of the volume is taken so that Windows can store a picture of the "state" of files on the disk. This state data is used to determine whether files have changed from the time at which the state information was recorded.
For example, an administrative assistant is performing rudimentary formatting functions on an Excel spreadsheet and she leaves for the day. Overnight, the Windows Server 2008 machine on which the file share resides is configured to take a snapshot of all files—for this example, I will use 5:30 a.m. When this snapshot is taken, the state information for this Excel spreadsheet is copied into the System Volume Information folder. Now, when the administrative assistant arrives at the office and begins to work on the spreadsheet, she is using the same version as the one she saved the previous night; remember that this is also the one on which the snapshot is based. When she finishes with some formatting, she saves the spreadsheet before she attends the Tuesday morning meeting of all employees. The VSS service detects that the Excel file is one that already has state data, and it realizes that it has changed, so it immediately makes available the 5:30 a.m. version of the file—the previous version—under the appropriate tab in the Properties sheet for the Excel file. So now, when the administrative assistant comes back and realizes that she unintentionally removed an entire page from the workbook while she was formatting the file, she can retrieve the version from the previous night, and likely save some heartache. You should, however, note two very important items concerning how previous versions might and (most notably) might not rescue you or your users from catastrophe:
Only the state of a file at the moment a snapshot was taken is preserved. If a user changes a file several times between two snapshots, none of those intermediate states is recoverable; the only previous version available for rollback is the copy as it stood at the most recent snapshot, and a file that is created and deleted between snapshots leaves no previous version at all. This can be somewhat counterintuitive, but it's crucial that your users not rely on the previous versions feature as a crutch and that they learn to use it only when a major disaster strikes.
If you rename a file, the Previous Versions tab of the renamed file no longer lists the versions captured under the old name: VSS presents versions by path and state, and (at least at this stage) isn't smart enough to follow the rename. The data itself is still in the snapshot, though. Open the previous versions of the parent folder and you will find the file under its old name.
3.7.2. Altering the Previous Versions Schedule
By default, previous version copies are scheduled to be made at 7:00 a.m. and at noon on weekdays. Server performance can be adversely affected if you schedule shadow copies to be taken more frequently than once every 60 minutes.
Because the times at which shadow copies are made can be far apart in the work day, it's best to remind users that the shadow copy functionality is not a crutch and that the best way to ensure that no data is lost is to save early and often.
Additionally, as soon as 64 shadow copies per volume are stored, the oldest will be deleted and become irretrievable as new shadow copies are made to replace them. The same silent pruning of the oldest copies happens, whatever the count, when the storage area you allotted fills up, so size it for the volume's rate of change. To change the shadow copy schedule, follow these steps:
1. Open Computer, right-click on the volume for which you want to configure shadow copies, and select Properties.
2. Navigate to the Shadow Copies tab.
3. Select the volume on which to modify the shadow copy schedule, and then click the Settings button.
4. Click the Schedule button in the box that appears next.
5. Change the schedule as appropriate.
3.8. The Distributed File System
The Distributed File System (DFS) is a technology that allows several distinct filesystems, potentially on multiple servers, to be mounted from one place and appear in one logical representation. The different shared folders, which likely reside on different drives in different server machines, can all be accessed from one folder, known as the namespace. Folder targets serve to point from shared folder to shared folder to mimic a directory tree structure, which can be rearranged and altered according to a particular implementation's needs. DFS also allows the clients to know only the name of the share point and not the name of the server on which it resides, a big boon when you field help-desk calls asking, "What server is my last budget proposal located on?"
DFS namespaces come in two basic flavors: standalone namespaces, which store the folder topology information locally, and domain-based namespaces, which store the topology structure in Active Directory and thereby replicate that information to other domain controllers. In this case, if you have multiple namespaces, you might have multiple connections to the same data—it just so happens that they appear in different shared folders. You even can set up two different share points to the same data on two different physical servers, because DFS is intelligent enough to select the folder set that is geographically closest to the requesting client, saving network traffic and packet travel time. DFS in Windows Server 2008 is, essentially, made of two components:
DFS namespaces
These allow you to group shared folders stored on different servers and present them to users in one coherent tree, making the actual location of the files and folders irrelevant to the end user.
DFS replication
This is a multimaster replication engine that supports scheduling, bandwidth throttling, and compression. Most notably, DFS Replication now uses an algorithm known as Remote Differential Compression (RDC), which efficiently updates files over a limited-bandwidth network by looking at insertions, removals, and rearrangements of data in files, and then replicating only the changed file blocks. There are substantial savings to this method.
Figure 3-34 shows a basic flow that DFS transactions proceed through in Windows Server 2008.
Figure 3-34. The basic flow of DFS in Windows Server 2008
Let's walk through this. When an end user wants to open a folder that is included within a DFS namespace, the client sends a message to the namespace server (which is simply a machine running the Windows Server 2008 or Windows Server 2003 R2 version of DFS). That machine will then refer the client to a list of servers that host copies of those shared folders (these copies are called folder targets). The client machine stores a copy of that referral in its cache and then goes down the referral list in order, which is automatically sorted by proximity so that a client is always using servers within his Active Directory site before traversing to machines located outside of his current location.
But let's crack the nut a little further and see where DFS replication comes into play. In a very basic scenario, you can store a folder on a server in New York and the same folder on a server in London, and replication will take care of keeping the copies of the folders synchronized. Users, of course, have no idea that these folders are kept in geographically disparate locations. However, the replication mechanism is incredibly optimized: it determines what has changed about two files and then, using remote differential compression, only sends the differences between the files and folders over the wire. Over slow WAN links and other bandwidth-metered lines, you'll see a real cost savings. You really see the benefits when relatively minor changes to large files are made. According to Microsoft, a change to a 2 MB PowerPoint presentation can result in only 60 KB being transmitted across the wire—which equates to a 97.7% savings in terms of amount of data sent. Delving a bit further, we get this explanation according to the product team: they "ran a test on a mix of 780 Office files (.doc, .ppt, and .xls) replicating from a source server to a target server using DFS Replication with RDC. The target server had version n of the files and the source server had version n+, and the two versions differed with significant edits. The percent savings in bytes transferred was on average 50 percent and significantly better for large files."
Of course, with DFS you also get the fault tolerance benefit of "failing over" to a functional server if a target on another server isn't responding. In previous versions of DFS in earlier releases of Windows Server, there wasn't a simple way for you to instruct clients, after a failure, to resume back to their local DFS servers once the machines came back online. Now you can specify that clients should fail back to a closer, less costly server when services are restored.
Although Windows Server 2008's DFS components are two separate technologies, when they're used in tandem, they solve some real problems companies face. Take branch office backup, for instance. Instead of tasking your administrators in these offices with tape drive maintenance, backing up, storing data off site, and everything else associated with disaster avoidance, simply configure DFS to replicate data from the servers in the branch office back up to a hub server in the home office or another data center. Then, run the backup from the central location. You are more efficient in three ways:
You save on tape hardware costs.
You save time through the efficiencies in DFS replication.
You save manpower costs because your IT workers at the branch offices can move on to other problems and not spend their time babysitting a backup process.
What about software distribution? DFS really excels at publishing documents, applications, and other files to users that are separated geographically. By using namespaces in conjunction with replication, you can store multiple copies of data and software at multiple locations throughout the world, better ensuring constant availability and good transfer performance while still making it transparent to users where they're getting their files from. DFS replication and namespaces automatically look at your AD site structure to determine the lowest cost link to use in the event that a local namespace server isn't available to respond to requests. The UI for managing DFS has also improved over the more clunky and less put-together MMC snap-in in Windows 2000 and the original version of Windows Server 2003. The new snap-in offers you the ability to configure namespaces and other abilities that previously only existed through the command-line interface.
3.8.1.
3.8.1.1. Creating a namespace
In Server Manager, under the File Services role service node, the Namespaces node in the left pane contains any namespaces you may create as well as any existing namespaces you add to the console display. Beneath each namespace in the tree, you'll find a hierarchical view of folders. Folders with targets use a special icon to differentiate them from ordinary folders without targets. We'll use this UI to create a new namespace, add some folders and folder targets, and then eventually set up replication between two machines to demonstrate the functionality. In order to complete this exercise, the following conditions must be met:
You need at least two servers, both running either Windows Server 2008 or Windows Server 2003 R2. (One server is enough to host a namespace on its own; the second is needed for the replication we set up later.) You'll need the DFS role services installed, which you can do through the Add Roles Wizard as described earlier in this chapter.
If you want an AD-integrated (domain-based) topology, you will need to have deployed Active Directory on your network. For the purposes of this exercise, I'll assume that you have not deployed AD yet, and we will focus on the non-AD specific DFS features.
To deploy a new namespace, right-click on the Namespaces node in the left pane and select New Namespace from the context menu. Then:
1. On the Namespace Server page, shown in Figure 3-35, enter the name of the server that will host the namespace. Then click Next.
Figure 3-35. The Namespace Server screen
2. On the Namespace Name and Settings page, enter a name for your new namespace. I've named my new namespace Files, as you can see in Figure 3-36.
Figure 3-36. The Namespace Name and Settings screen
3. The Namespace Type screen appears, as shown in Figure 3-37. Choose "Standalone namespace" from the list, and then click Next.
Figure 3-37. The Namespace Type screen
4. On the Review Settings and Create Namespace screen, depicted in Figure 3-38, verify the settings you've chosen and then click Next.
Figure 3-38. The Review Settings and Create Namespace screen
5. The Completion screen appears. Close the wizard after confirming that there were no errors during the completion process.
3.8.1.2. Adding and managing folders and folder targets in a namespace
It's very simple to add a folder to an already existing namespace. In the left pane, right-click on the name of the namespace and choose New Folder. You'll see the New Folder screen. Enter the name of the folder you'd like to add in the Name box. If you'd like, you can go ahead and add some folder targets to this folder at the same time you're creating the folder. Recall that folder targets allow you to redirect a specific DFS namespace folder to a physical location on a shared folder structure. For example, if I wanted to have the Office folder appear in my DFS namespace structure, I could create a folder target, attached to a DFS folder, that pointed to the actual location where Office resides. Folder targets are just a way to clean up and simplify the appearance of files and folders within your network. If you want to move or rename a particular folder, simply right-click on the folder within the left pane in the console, select Move or Rename, and complete the appropriate action. The DFS service handles the rest; moving is a particularly seamless action.
To add a folder target, click the Add button, and the Add Folder Target screen will appear. Enter the correct path to the location you want the folder target to reference, and then click OK. You can add multiple folder targets to any one folder as a way of maintaining fault tolerance. That way, if a user is directed to a particular machine that is down, the client will work down the referral list it received from the namespace server and try another server that hosts a copy of the folder target. You can adjust how this referral is done, within or outside of a site, by right-clicking on the name of the namespace in the left pane of the console and selecting Properties. Navigate to the Referrals tab, and then select the appropriate option from the Ordering Method box. You can choose "lowest cost," which takes into account sites and site links as configured within Active Directory, "random order," which does exactly what it sounds like it does, or "exclude targets outside of the client's site," which simply removes the ability for clients to access targets exterior to their current site. Note that when you add a second target to a folder that already has one target, the DFS MMC snap-in will prompt you and ask if you'd like to create a replication group to keep the two targets synchronized. And that's what the next section is all about.
3.8.1.3. Creating a replication group for a folder
Again, if you have more than one folder target for fault tolerance purposes, you'll want to configure a replication group so that the contents of the folders are kept synchronized and users have a transparent interface to the items contained therein. A replication group is a set of servers that sends or receives updates of replicated folders. When you enable DFS Replication on a folder with targets, the servers that host the folder targets are automatically made members of the replication group, and the folder targets are associated with the replicated folder. All other properties, like the name of the group and the name of the folder, are identical as well. You can use DFS Replication in both standalone and domain-based namespaces. Therefore, you can complete this task regardless of the type of namespace you created in the previous section. You do, however, need to have Active Directory deployed, because the replication configuration is stored there, and you need to be a member of the Domain Admins group. (I'll cover AD in Chapter 5; if you want to wait until you've read that chapter before continuing with this section and procedure, that's not a problem.) Note, however, that this requirement will hamper an attempt to delegate control of your DFS structure. To create a replication group for a folder:
1. In the left pane of the console, right-click on the folder in the namespace you created, and select Replicate Folder.
2. The Replication Group and Replicated Folder Name screen appears. Enter a name for the replication group (most people keep this as the same name as the namespace folder path) and then also enter the name of the replicated folder. Click Next to continue.
3. The Replication Eligibility screen appears. In this step, the Replicate Folder Wizard determines which, if any, folder targets are able to participate in replication. Make sure that at least two of these targets, located on different servers, are eligible, and then click Next.
4. The Primary Folder Target screen appears. Here, specify the folder target that will be used as the primary member of the replication group, i.e., the member whose content is authoritative, the master copy of the content. Choose carefully: during initial replication, files on the other members that are not present on the primary member, or that differ from it, are moved into the hidden DfsrPrivate\PreExisting folder on those members rather than merged, so the primary member should hold the complete, correct copy before you continue. Click Next to continue.
5. The Topology Selection screen appears. On this screen, you can choose how the connections among the server members of the replication group will be deployed. If you have three or more members in your replication group, you can choose the hub and spoke methodology, in which hub members are connected to other members and data originates from the center and moves outward to the spokes. Your other choices are full mesh, in which each member replicates all data with all other members, and no topology, where you can create your own topology. For this example, choose "full mesh," and then click Next to continue.
6. The Replication Group Schedule and Bandwidth screen appears. Here, you can choose whether to replicate full time (24 x 7) or on a specific schedule. To set the schedule, click the Edit Schedule button. You can also choose how much bandwidth to use during replication, which helps keep more bandwidth available for regular usage. You can choose Full from the list to drop all bandwidth throttling and replicate everything as fast as possible. Click Next to continue.
7. The Review Settings and Create Replication Group screen appears. Verify all of the settings you have chosen; if you need to change something, click the Back button. Otherwise, click Next, and the wizard will set off creating your replication group.
8. The Confirmation screen appears. Make sure there are no errors, and then click Close.
9. The Replication Delay screen appears. This message appears to let you know that there may be an initial delay while the configuration of the replication group is propagated among all of the members of the group. Click OK to acknowledge.
Your replication group is now set up. If you add a file or make other changes to the folder target location on one machine, DFS Replication will pick up the change and replicate it to all of the other folder targets on the other machines within the replication group, thus enabling a seamless interface to files and folders for your users as long as they use Explorer to find files through the namespace you created. From the Replication node, you can manage all of the properties and settings of DFS Replication, such as the schedule, bandwidth throttling, the topology, and others. On the Replicated Folders tab in the Details pane of the MMC console, you can also view the namespace path that corresponds to the replicated folder or folders.
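The same namespace, folder, folder targets and full-mesh replication group that the two wizards above build can be scripted, which is how you would reproduce them on a second namespace server or in a lab. The following PowerShell is an added example, not code from the book or from Microsoft: it drives the Windows Server 2008 dfsutil and dfsradmin command-line tools. The server names (NS1, NYFS1, LONFS1), share names, local paths and the Files namespace are assumptions, and so is the exact verb syntax of the two tools, so confirm each call with dfsutil /? and dfsradmin <object> /? on your build before running it.

```powershell
# Added example (not from the book): build a standalone namespace, a folder with
# two targets, and a full-mesh DFS Replication group from the command line.
# All names and paths below are assumptions.
$NamespaceServer = 'NS1'
$Namespace       = "\\$NamespaceServer\Files"      # share 'Files' must already exist on NS1
$Folder          = 'Contracts'
$Members = @(                                        # first entry becomes the primary member
    @{ Server = 'NYFS1';  Share = '\\NYFS1\Contracts';  LocalPath = 'E:\Contracts' },
    @{ Server = 'LONFS1'; Share = '\\LONFS1\Contracts'; LocalPath = 'E:\Contracts' }
)
$ReplGroup = 'Files-Contracts'

function Invoke-Tool {
    # Runs a native tool, fails loudly on a non-zero exit code, returns its output.
    param([string]$Exe, [string[]]$ToolArgs)
    $out = & $Exe $ToolArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs -join ' ') failed: $out" }
    return $out
}

function New-StandaloneNamespace {
    # Equivalent of the New Namespace wizard with "Standalone namespace" selected.
    Invoke-Tool dfsutil @('root', 'addstd', $Namespace) | Out-Null
}

function Add-FolderWithTargets {
    # The first target creates the folder; each further target adds fault tolerance.
    $link = "$Namespace\$Folder"
    Invoke-Tool dfsutil @('link', 'add', $link, $Members[0].Share) | Out-Null
    for ($i = 1; $i -lt $Members.Count; $i++) {
        Invoke-Tool dfsutil @('target', 'add', $link, $Members[$i].Share) | Out-Null
    }
}

function New-FullMeshReplication {
    # Needs Active Directory and Domain Admins membership, as the text notes.
    Invoke-Tool dfsradmin @('rg', 'new', "/rgname:$ReplGroup") | Out-Null
    Invoke-Tool dfsradmin @('rf', 'new', "/rgname:$ReplGroup", "/rfname:$Folder") | Out-Null
    for ($i = 0; $i -lt $Members.Count; $i++) {
        $m = $Members[$i]
        Invoke-Tool dfsradmin @('mem', 'new', "/rgname:$ReplGroup", "/memname:$($m.Server)") | Out-Null
        # Only the first member is primary: its content wins during initial replication,
        # and conflicting files elsewhere land in DfsrPrivate\PreExisting.
        $isPrimary = if ($i -eq 0) { 'true' } else { 'false' }
        Invoke-Tool dfsradmin @('membership', 'set', "/rgname:$ReplGroup", "/rfname:$Folder",
            "/memname:$($m.Server)", "/localpath:$($m.LocalPath)", "/isprimary:$isPrimary") | Out-Null
    }
    # Full mesh: one connection in each direction between every pair of members.
    foreach ($a in $Members) {
        foreach ($b in $Members) {
            if ($a.Server -ne $b.Server) {
                Invoke-Tool dfsradmin @('conn', 'new', "/rgname:$ReplGroup",
                    "/sendmem:$($a.Server)", "/recvmem:$($b.Server)") | Out-Null
            }
        }
    }
    # Shorten the "Replication Delay" the wizard warns about: make each member poll AD now.
    foreach ($m in $Members) { & dfsrdiag pollad "/member:$($m.Server)" | Out-Null }
}

New-StandaloneNamespace
Add-FolderWithTargets
New-FullMeshReplication
```

Run it from an elevated PowerShell prompt on a machine with the DFS management tools installed. The order matters for the same reason step 4 of the wizard does: set the primary member only on the server that already holds the complete, correct copy, and populate the other members' folders only after initial replication has finished, or their contents will be moved aside.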
3.9. Command-Line Utilities
In this section, I'll look at several ways you can manage file, print, and user services from the command line.
3.9.1. Using Shares
Sometimes it's inconvenient to use the Windows GUI to map a drive—this is a problem particularly in logon scripts. How do you use a batch file to tell the mouse pointer to move over to My Network Places? There's a better way. The net use command enables you to map any drive to any server on your network, and in some cases, outside networks, too. The syntax is:
net use drive \\server\share
Here are some common examples that you should find useful. To map drive H: to Lisa Johnson's home directory on server MERCURY:
net use H: \\mercury\users\lmjohnson
To map the first available drive letter to the same directory:
net use * \\mercury\users\lmjohnson
Sometimes you might need to connect to a share on a domain that isn't trusted by your home domain. If you have an account on that domain, you can use it to connect, like so:
net use H: \\foreignmachine\sharename /user:foreigndomain\username
(If you need to use a password, you'll be prompted for it. Prefer the prompt to typing the password on the command line, where it would be visible in process listings and command history.) If you need to terminate a connection or mapping to a server, use the /d switch:
net use \\mercury\users\lmjohnson /d
To disconnect all drive mappings on the local machine:
net use * /d
To connect to a machine (152.1.171.133, in this example) over the Internet or an intranet without relying on name resolution:
net use H: \\152.1.171.133\c$
Two caveats apply here. First, c$ is the administrative share of the root of the drive, available only to members of the Administrators group on the remote machine; it is a convenience for administrators, not something to map for ordinary users. Second, because Kerberos needs a server name to build a service principal name, connecting by IP address always authenticates with NTLM rather than Kerberos. You also can use a different account with the IP address:
net use H: \\152.1.171.133\c$ /user:hasselltech\hassell
By default, drive mappings are persistent, a feature that I call map persistency: Windows remembers them and restores them at every logon, a big timesaver for your users. You can instead specify that a mapping is for the current session only and should not be restored upon logon, which is what you usually want in a logon script that re-creates the mappings each time anyway:
net use H: \\152.1.171.133\c$ /persistent:no
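Logon scripts string several of the commands above together, and in a script the things that matter are idempotence (the letter may already be mapped to something else), non-persistent mappings, and knowing when a mapping failed. The following PowerShell is an added example, not code from the book: it wraps net use in a function that handles all three, and lists the result through WMI rather than by scraping net use output. The server, share and account names are assumptions.

```powershell
# Added example (not from the book): a logon-script style drive mapper built on
# net use. Server, share and account names are assumptions.
$Mappings = @(
    @{ Drive = 'H:'; Path = '\\mercury\users\lmjohnson' },
    @{ Drive = 'S:'; Path = '\\mercury\contracts' },
    @{ Drive = 'X:'; Path = '\\foreignmachine\sharename'; User = 'foreigndomain\username' }
)

function Connect-NetworkDrive {
    param(
        [Parameter(Mandatory=$true)][string]$Drive,   # e.g. 'H:'
        [Parameter(Mandatory=$true)][string]$Path,    # \\server\share[\subfolder]
        [string]$User                                 # optional DOMAIN\user for an untrusted domain
    )
    # Drop any stale mapping for this letter so the script is safe to re-run.
    # net use exits with 2 when nothing is mapped; that is not an error here.
    & net use $Drive /delete /y 2>$null | Out-Null

    # /persistent:no: the mapping lives for this session only and is not restored
    # at the next logon, so a mapping never outlives the script that created it.
    # The password is deliberately not put on the command line (it would be
    # visible to anyone who can list processes); net use prompts for it instead.
    $netArgs = @($Drive, $Path, '/persistent:no')
    if ($User) { $netArgs += "/user:$User" }
    & net use $netArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Mapping $Drive to $Path failed (net use exit code $LASTEXITCODE)"
        return $false
    }
    return $true
}

function Get-MappedDrives {
    # The same information "net use" with no arguments prints, as objects.
    Get-WmiObject Win32_NetworkConnection |
        Select-Object LocalName, RemoteName, Status, UserName
}

foreach ($m in $Mappings) {
    Connect-NetworkDrive -Drive $m.Drive -Path $m.Path -User $m.User | Out-Null
}
Get-MappedDrives | Format-Table -AutoSize
```

The untrusted-domain mapping prompts for a password, which is fine when a user runs the script interactively but will hang an unattended script; for that case store the credential in the user's Credential Manager beforehand (cmdkey) rather than embedding it in the script. Notice also that none of the mappings points at an administrative share such as c$: a logon script runs for every user, and mapping an administrative share from it hands every user a shortcut to the root of a server's disk.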
3.9.2. FSUTIL
To set up default quotas and modify them using the command line, type the following at the prompt:
fsutil quota modify [VolumeOrDrive] [warninglevel] [hardquota] [username]
replacing the text in brackets with the appropriate information as specified in the following list:
VolumeOrDrive
The drive letter or volume name of the disk on which you want to modify a quota. Volume names are tricky to specify because you must do so using the globally unique identifier (GUID), which can be a long string of seemingly random numbers.
warninglevel
The amount of space, in bytes, at which warnings will be recorded in the system event log.
hardquota
The amount of space, in bytes, at which users will reach their maximum allowed disk space.
username
The user to which this quota specification applies.
Using fsutil.exe, you can create scripts to automatically set quota entries upon new-user creation to work around the limitation of assigning quotas to groups, as described earlier in this chapter. fsutil.exe can help you access functionality more quickly and efficiently than you can by using the GUI interface. The following examples, designed to run from an elevated command prompt, illustrate the quota functionality available through fsutil.exe. To disable quota support on drive C:
fsutil quota disable C:
To enable quota enforcement on drive E: (users who exceed their hard quota are denied further disk space):
fsutil quota enforce E:
To set a 250 MB hard quota for Lisa Johnson (user ID lmjohnson) on drive C:, with a warning logged once she uses 200 MB (both values are given in bytes, and the warning level comes before the hard quota):
fsutil quota modify C: 200000000 250000000 lmjohnson
To list the current quota settings and per-user usage on drive D:
fsutil quota query D:
To track disk usage on drive F: without enforcing limits—in other words, to record which users are taking up what amount of space while letting them exceed their quotas:
fsutil quota track F:
To list all users over quota on any volume on the server (fsutil reads this from the quota events in the system event log, so the report covers only violations that have been logged there):
fsutil quota violations
3.9.3. Managing Offline Folders
To make a share's contents available offline from the command line, at a prompt, type:
net share nameofshare /CACHE:[manual | documents | programs | none]
/CACHE:manual enables manual client caching of programs and documents from this share. /CACHE:documents enables automatic caching of documents from this share. /CACHE:programs enables automatic caching of documents and programs (distinguished by their file extension) from this share. /CACHE:none disables caching from this share.
3.9.4. VSSADMIN
The GUI for managing shadow copies is somewhat complete; however, it lacks the ability to specify on which disk or volume shadow copies are stored. Also, an administrator cannot delete specific shadow copy files using the GUI. This might be needed if a user creates an incorrect version of a file, then leaves and another worker comes back the next day. An administrator might need to delete the previous version as soon as possible so that the new user doesn't inadvertently work from the incorrect version. The vssadmin.exe command-line utility was created to offer administrators the ability to control these factors. I'll now walk through several examples.
vssadmin Add ShadowStorage /For=C: /On=D: /MaxSize=150MB
This command specifies that storage for shadow copies (known as an association) of drive C: will be stored on drive D:. If a value is not specified, there is no limit to the amount of space shadow copies can use. Shadow copies require at least 100 MB of space, and you can specify the maximum amount in KB, MB, GB, TB, PB, and EB, although it's assumed that if you don't use a suffix, the value is in bytes.
vssadmin Create Shadow /For=E: /AutoRetry=2
This command creates a new shadow copy of drive E:. The /AutoRetry switch dictates that if another process is attempting to make shadow copies at the same time vssadmin is attempting to make them, the utility will keep trying for two minutes.
vssadmin Delete Shadows /For=C: /Oldest
This command deletes the oldest shadow copy on drive C:. You can use the /all switch to instead delete all shadow copies that can be deleted. You also can specify a specific shadow copy to delete by using /Shadow=ID, where ID is the hexadecimal number you obtain through the List Shadows command, covered later in this section.
vssadmin Delete ShadowStorage /For=C: /On=D:
This command deletes the storage space on drive D: that is used to store shadow copies of drive C:. If you leave off the /On switch, all shadow copy storage associations for drive C: will be deleted.
vssadmin Resize ShadowStorage /For=C: /On=D: /MaxSize=150MB
This command modifies the maximum size for a shadow copy storage association between drives C: and D:. Again, the maximum size has to be 100 MB or more. If you decrease the maximum size, older shadow copies can be deleted to make room for more recent shadow copies. Other useful commands:
vssadmin List Providers
This command lists registered volume shadow copy providers.
vssadmin List Shadows
This command lists existing volume shadow copies and their ID numbers, for use with the Delete Shadows command.
vssadmin List ShadowStorage
This command shows the disks eligible to support shadow copy functionality.
3.10. The Last Word
In this chapter, you've learned about all of Windows Server 2008's file, print, and user services. We began with an overview of sharing and a guide to creating shares, publishing them to Active Directory, and mapping drives, and then moved into a detailed discussion of the Windows permission structure, including permission levels, "special" permissions, inheritance, and ownership. You also saw an overview of the Distributed File System, how to set it up, and how to manage it, and how offline files and folders operate. Rounding out the chapter, you saw how to administer most of these services from the command line. In the next chapter, I'll talk about the foundation of Windows Server 2008's Active Directory service—the domain name system, or DNS.
Chapter 4. Domain Name System
The Domain Name System (DNS) is a staple of the public Internet and is the name resolution system of choice for both large and small networks. DNS is a directory of IP addresses and their corresponding hostnames, much like a phonebook in functionality. However, DNS is more complex than a phonebook and it stores many types of mappings as well as information on services provided by servers on your network. Whereas Windows NT relied on the Windows Internet Naming Service (WINS) and NetBIOS for name resolution, Windows Server 2008 depends on DNS. In fact, DNS is required for anyone that wants to use Active Directory—DNS lies at the heart of Active Directory, and they're inseparable. WINS is obsolesced, at least in terms of pure Windows infrastructure, if you have an Active Directory network with all machines running Windows 2000 or later and DNS-aware applications. In this chapter, I'll discuss the fundamentals of DNS, its structure, and the various types of data it supports and requires, and then I'll proceed through installing and configuring a Windows DNS server and describe how you can integrate it with Active Directory.
4.1. Nuts and Bolts
Let's go through the basic building blocks of DNS first before we break into more advanced concepts. I'm going to provide you with a very fundamental, introductory look at DNS, and then in the following sections I'll break down each part with more detailed explanations and examples. Think of this as an abstract or executive summary, just so we're all on the same page before I move on to more technical topics. The main premise of DNS is to provide name resolution services—that is, to resolve friendly textual hostnames to their associated IP addresses. DNS is the de facto standard for name resolution on the Internet and in modern networks that use TCP/IP as the transmission protocol. DNS is based on domains, which are simply textual names that refer to logical groupings of computers. There are top-level domains (TLDs), including some that are probably familiar to you: .COM, .NET, .ORG, and the like. There are also second-level domains, which are less inclusive and usually take the form of name.tld. For example, my domain is jonathanhassell.com. O'Reilly has a domain name of oreilly.com. CNN's domain is cnn.com. Politically, there is an organization called ICANN, short for the Internet Consortium of Assigned Names and Numbers, which tracks the top-level domains. This keeps utter confusion from breaking out when thousands upon thousands of top-level domains might be issued. Individuals and businesses are allowed to register second-level domain names beneath top-level domains—hasselltech.net, for example. DNS resolves names based on zones. Zones contain information on computers, services, and IP addresses for a collection of computers. Zones typically correspond to DNS domains, but they certainly do not have to.
The DNS server or servers in a zone that contain a readable and writable copy of the zone file (which contains all that information on computers, services, and addresses) are considered to be authoritative. You must have at least one authoritative server per zone for DNS to function. Any other DNS servers within this zone are considered to be secondary servers, meaning they hold a read-only copy of the DNS zone file. Finally, there are two types of zones: forward lookup zones, which resolve hostnames to IP addresses, and reverse lookup zones, which do the opposite and resolve IP addresses to hostnames. Reverse lookup zones fall under a special top-level domain named in-addr.arpa, which ordinary users and clients never see in the course of their day-to-day work. Now, let's take a closer look at these elements of DNS.
4.2. Zones Versus Domains
As you learned in the previous section, a DNS domain in its simplest form is a second-level name coupled with an ICANN-sponsored top-level domain—hasselltech.net, for example. In DNS parlance, a zone is the range of machines and addresses that a specific nameserver needs to be concerned about. Zones don't necessarily need to correspond to DNS domains, meaning that I can have multiple DNS zones for the single hasselltech.net domain. For example, I can have one zone for sales.hasselltech.net, another zone for billing.hasselltech.net, and yet another for hosting.hasselltech.net, all with separate nameservers but all within the control of the hasselltech.net domain. Why would you want multiple DNS zones for a single DNS domain? To delegate administration is a common reason. If your organization is spread all over the country and you have an administrator for each office around the country, that administrator is likely best equipped and skilled to handle DNS configuration for his office—after all, he works with the individual computers more than a higher-level administrator at the home office does. So, the home office nameserver is configured to hold a few names and addresses for servers and machines there, and the branch office nameservers hold zones for their respective computers. In this configuration, when a computer comes to their servers and requests a name for an IP address associated with a branch office, the nameservers at the home office will refer the requesting computer to the nameserver at that branch office that holds the names and addresses for that zone, a process known as delegating name resolution to other servers.
Additionally, the branch office server is authoritative for its zone, meaning that it holds the definitive name-to-address correspondence for computers in its zone. Of course, domains aren't limited to just a second-level name plus an ICANN-approved extension. You also can have multiple levels of names: for example, customers.extranet.microsoft.com is a valid name, as is payjon.corp.hasselltech.net. As you read further into the chapter, you'll see situations in which a longer, more extended domain name would be appropriate.
4.2.1. Zone Files
Zone information is stored in zone files that, by default, are stored as ASCII text files in %SystemRoot%\system32\dns. The files are stored in the format <domain>.dns (e.g., hasselltech.net.dns). These ASCII files hold the different types of information contained within forward and reverse lookup zones, which we'll look at in just a bit. DNS also can store zone information within Active Directory (as an application partition), an option I'll discuss in more detail later in this chapter. For now, we'll proceed on the assumption that zone files are stored in this location in ASCII format.
4.2.2. Forward and Reverse Lookup Zones
DNS handles forward lookups, which convert names to IP addresses, and the data is stored within a forward lookup zone. But DNS also handles reverse lookups, which convert IP addresses to names. There's also something called a reverse lookup zone, which does the opposite of a forward lookup zone—it catalogs all machines within a certain network range. You construct the name of a reverse lookup zone in a rather odd way. The easiest way to construct a reverse lookup zone name is to look at the range of IP addresses you've been assigned, drop the last dotted quad that contains the numbers you control, reverse the order of the remaining dotted quads, and then add .in-addr.arpa. For example, if your IP address is 64.246.42.130, the name of the associated reverse lookup zone is 42.246.64.in-addr.arpa. Reverse lookup zones are constructed a bit differently, depending on whether you have a class A, B, or C IP address. Table 4-1 shows the respective ways to generate a reverse lookup zone name.

Table 4-1. Generating a reverse lookup zone name

Address class               Resulting zone name        Method
Class A (12.0.0.0/8)        12.in-addr.arpa            Only the first quad is set, so only one quad needs to be in the reverse zone.
Class B (152.100.0.0/16)    100.152.in-addr.arpa       Because only two dotted quads are included, only two need to be noted in the reverse zone.
Class C (209.197.152.0/24)  152.197.209.in-addr.arpa   All dotted quads set in the IP address range need to be included in the reverse lookup zone name.

In practice, it's very likely that you don't need a reverse lookup zone for public-facing DNS servers, and it's equally likely that you would be prevented, on a technical basis, from creating one. (Internal DNS servers are another matter, which you'll see in a bit.) Although forward lookup zones concern hostnames and DNS domain names, which are under your control and management because you buy them from an accredited registrar, reverse lookup zones deal mainly with IP addresses and their owners, which probably are not under your control. Unless you have contacted the Internet Assigned Names Authority (IANA) and obtained a block of IP addresses specifically from them, it's probable that your ISP actually owns the addresses and therefore is the one tasked with maintaining reverse lookup zones. There are really only a few reasons why it's advantageous to control your own reverse lookup zone. First and foremost, some mail servers will refuse to exchange Internet mail with your servers if their reverse lookups reveal that you're using a dynamically assigned IP address block of typical ISPs. This can be a real problem, but your ISP usually can help you out with this. Second, the nslookup command can return a nasty but harmless error message about being unable to find a server name for your current IP address, depending on how you are connected to the Internet. Although this is annoying, it's simply saying no appropriate reverse zone is configured for the current computer. So, when you've just installed Active Directory and you run nslookup to check things out, and you get no results, this is most likely because you haven't yet configured a reverse lookup zone.
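The naming rule from Table 4-1 and the paragraph before it, written out as an added example (not code from the book): it handles any /8, /16 or /24 network, derives the zone for a given host address, and builds the PTR owner names that go inside that zone. Addresses are the book's own samples; the function names are mine.

```python
"""Build reverse lookup zone names and PTR owner names for IPv4 networks.

Added example, not from the book: it implements the rule in Table 4-1
(keep one dotted quad per eight network bits, reverse them, append
in-addr.arpa) and the per-host PTR owner name that lives inside that zone.
Sample addresses are the book's own examples.
"""
import ipaddress


def reverse_zone_name(network: str) -> str:
    """Return the in-addr.arpa zone that covers a /8, /16 or /24 network.

    Classful ranges only, as in Table 4-1; a prefix that does not fall on
    an octet boundary (e.g. /27) cannot be named this way and is rejected.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{network}: prefix must be /8, /16 or /24")
    octets = str(net.network_address).split(".")
    kept = octets[: net.prefixlen // 8]          # quads the owner controls
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def zone_for_host(address: str, prefixlen: int) -> str:
    """Zone name for the network that contains one host address."""
    net = ipaddress.IPv4Network(f"{address}/{prefixlen}", strict=False)
    return reverse_zone_name(str(net))


def ptr_owner_name(address: str) -> str:
    """Fully qualified owner name of the PTR record for one address."""
    ip = ipaddress.IPv4Address(address)
    return ip.reverse_pointer + "."               # e.g. 61.130.98.66.in-addr.arpa.


def relative_ptr_name(address: str, prefixlen: int) -> str:
    """Owner name relative to its zone, as written inside that zone file."""
    owner = ptr_owner_name(address)
    zone = zone_for_host(address, prefixlen) + "."
    if not owner.endswith("." + zone):
        raise ValueError(f"{owner} is not inside {zone}")
    return owner[: -len(zone) - 1]


def ptr_record(address: str, hostname: str, prefixlen: int = 24) -> str:
    """One PTR line in the zone-file form the book uses."""
    if not hostname.endswith("."):
        hostname += "."                           # keep the target absolute
    return f"{relative_ptr_name(address, prefixlen)} IN PTR {hostname}"


if __name__ == "__main__":
    for net in ("12.0.0.0/8", "152.100.0.0/16", "209.197.152.0/24"):
        print(f"{net:22} -> {reverse_zone_name(net)}")
    print(zone_for_host("64.246.42.130", 24))
    print(ptr_record("66.98.130.61", "alpha.enablehosting.com"))
```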
4.3. Resource Records
A DNS zone contains various types of entries, called resource records. Resource records are the meat of a DNS zone, providing information about hostnames, IP addresses, and in some cases the services offered by a particular machine. There are several different classes of record types, the most common of which I'll define now.
4.3.1. Host (A) Records
Host records, or A records, simply map a hostname to an IP address. You generally create host records for each machine in your network. A sample A record looks like this in a zone file:
colossus A 192.168.0.10
Using host records, you can implement a load-balancing technique known as round-robin DNS. Round-robin DNS involves entering multiple A records, all configured with the same hostname, but with different IP addresses that correspond to different machines. This way, when computers contact a nameserver for a certain hostname, they have an equal chance of receiving any one of the number of machines with A records. For example, if I have a web site at www.hasselltech.net and I have three web servers at 192.168.0.50, 192.168.0.51, and 192.168.0.52, I can configure three A records, all named "www," but with the three IP addresses mentioned earlier. Now, when client computers come to the nameserver and ask for the IP address of www.hasselltech.net, they have a 33% chance of receiving 192.168.0.50 as the web server of choice, a 33% chance of receiving 192.168.0.51, and a 33% chance of receiving 192.168.0.52. It's a poor man's load-balancing system.
Let's get a bit more technical: in this scenario, Windows 2000 and Windows XP clients will continue to attempt a connection to the first web server that was originally resolved. A DNS cache timeout value on the client is set to 86,400 seconds (one day) by default. If you change this value on the client to one second, you have better odds of reaching your server. You can change this value in the Registry with the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Change the MaxCacheEntryTtlLimit to the number of seconds desired. If the group of machines that serve web sites are on different subnets, the DNS system can return the "proper" address from a round-robin record set—that is, the one that is closest to the client requesting it. This functionality is enabled by default. For example, if you have one A record set up for www.hasselltech.net on IP address 192.168.0.51, and another A record set up for the same hostname on IP address 10.0.0.25, a client computer located on the 10.0.0.0 subnet will receive the 10.0.0.25 A record from his request, and a client computer located on the 192.168.0.0 subnet will receive the 192.168.0.51 A record from his request. Some advantages to round-robin DNS balancing include the following:
The price is right—it's free with any nameserver.
It's less complex than other, proprietary balancing systems.
It's easy to maintain. You can simply add and delete A records in the zone file for each host as they come and go to and from production service.
The disadvantages include the following:
It's less complex than other, proprietary balancing systems. Yes, this is an advantage and a disadvantage because a less complex system is less flexible than a proprietary solution.
If a web server goes down, DNS isn't aware of it. It simply will continue to dole out IP addresses regardless of whether the server is available.
It doesn't take into account the various capabilities and capacities of each system—it distributes the load fairly equally, whether your group of machines includes a Pentium 2 or a dual Pentium IV Xeon machine.
4.3.2. Canonical Name (CNAME) Records
CNAME, or canonical name, records allow you to give multiple hostnames to one IP address. Using CNAMEs, you can have a machine answering on one IP address but listening to several different hostnames—www.hasselltech.net, ftp.hasselltech.net, and mail.hasselltech.net all might be on one IP address, 192.168.1.2. CNAMEs effectively work as aliases. However, there's a caveat to these records: you can't have multiple identical CNAMEs. For example, if you have a record for www-secure.hasselltech.net on 192.168.1.2, you can't have another CNAME record named www-secure.hasselltech.net for a different IP address. CNAMEs are only for multiple names to one IP address, not for multiple IP addresses to one name. Note that these names are zone-dependent, not server-dependent.
Sometimes Windows will refer to CNAME records as aliases, in a confusing mix of technical accuracy and common parlance.
A sample CNAME record in zone file format looks like this:
ftp CNAME colossus.hasselltech.net.
4.3.3. Mail Exchanger (MX) Records
Mail exchanger, or MX, records identify the mail server or mail servers for a specific zone or domain. Very simply, they instruct connecting computers to send all mail destined for a domain to a specific machine configured to receive Internet email.
In practice, a specific DNS zone can have multiple MX records. Each MX record is also assigned a preference number, which simply indicates what steps the respective machines listed should take when receiving Internet email. Lower preference numbers have higher priority. For example, let's say I have the following MX records:
hasselltech.net, MX preference 10, to mail.hasselltech.net
hasselltech.net, MX preference 100, to queue.perigee.net
This instructs connecting computers to send Internet email destined to hasselltech.net to the machine mail.hasselltech.net. However, if that machine isn't answering requests, connecting computers are instructed to try the machine queue.perigee.net and deliver mail there because the preference number is higher (100) than that of the first machine, which is 10. MX preference numbers provide a bit of failover protection if your organization's mail server is on a flaky or nonpermanent connection.
Entering two MX records with the same preference number distributes the load between the two hosts roughly equally, much like round-robin DNS balancing using multiple A records.
Here is a sample MX record in zone file format:
@ MX 10 mail.hasselltech.net.
@ MX 100 queue.perigee.net.
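To make the round-robin A record behaviour, the MX preference order and the CNAME rule from the preceding sections concrete, here is an added example (my code, not the book's): a small reader for zone-file lines in the book's style, a resolver that rotates the A set on every query, an MX ordering function, and a check for names that break the CNAME rule. The zone text is constructed from the book's sample names.

```python
"""Tiny zone-file reader plus the record behaviours described above.

Added example, not the book's code: parses the A, CNAME and MX lines in the
book's zone-file style, hands out round-robin A answers, orders MX hosts by
preference, and enforces the CNAME rule (one CNAME per name, nothing else
at that name). The zone text below is constructed for the demo.
"""
from collections import defaultdict

ZONE = """
$ORIGIN hasselltech.net.
colossus  A      192.168.0.10
www       A      192.168.0.50
www       A      192.168.0.51
www       A      192.168.0.52
ftp       CNAME  colossus.hasselltech.net.
@         MX 10  mail.hasselltech.net.
@         MX 100 queue.perigee.net.
"""


def parse_zone(text):
    """Return {owner_name: [(type, rdata_fields), ...]} with absolute names."""
    origin, records = ".", defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop ';' comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        name = origin if fields[0] == "@" else fields[0]
        if not name.endswith("."):
            name = f"{name}.{origin}"                  # relative -> absolute
        if fields[1] == "IN":                          # optional class field
            fields.pop(1)
        records[name].append((fields[1], tuple(fields[2:])))
    return records


class RoundRobinResolver:
    """Each query for a name returns the A set rotated by one position."""

    def __init__(self, records):
        self.records = records
        self.offsets = defaultdict(int)

    def lookup_a(self, name):
        addrs = [rd[0] for typ, rd in self.records.get(name, []) if typ == "A"]
        if not addrs:
            return []
        k = self.offsets[name] % len(addrs)
        self.offsets[name] += 1
        return addrs[k:] + addrs[:k]                   # first entry is the pick


def mx_by_preference(records, zone):
    """Hosts to try, lowest preference first; ties keep file order."""
    mx = [(int(rd[0]), rd[1]) for typ, rd in records.get(zone, []) if typ == "MX"]
    return [host for _, host in sorted(mx, key=lambda m: m[0])]


def cname_problems(records):
    """Names that break the CNAME rule: duplicate CNAMEs, or a CNAME mixed with other data."""
    bad = []
    for name, rrs in records.items():
        n_cname = sum(1 for typ, _ in rrs if typ == "CNAME")
        if n_cname > 1 or (n_cname == 1 and len(rrs) > 1):
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    res = RoundRobinResolver(recs)
    for _ in range(4):                                 # .50, .51, .52, .50 come first
        print(res.lookup_a("www.hasselltech.net.")[0])
    print(mx_by_preference(recs, "hasselltech.net."))
    print(cname_problems(recs))                        # [] for the clean zone
```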
4.3.4. Nameserver (NS) Records
Nameserver (NS) records define the nameservers that can answer queries for a specific domain. They also delegate the resolution duties for various subdomains to other zones. For example, you might configure an NS record for the "sales" subdomain to delegate name resolution duties to the salesns.hasselltech.net machine, which handles that zone, or an NS record for the "billing" subdomain to delegate duties to the billingdns.hasselltech.net computer. A sample NS record in zone file format looks like this:
@ NS colossus.hasselltech.net.
@ NS ns2.hasselltech.net.
4.3.5. Start of Authority (SOA) Records
The start of authority, or SOA, record for a zone names the primary nameservers that are authoritative for a particular zone and provides contact information for the primary administrator of the zone. It also controls how long a nonauthoritative nameserver can keep the information it retrieved in its own cache before needing to verify the data with the authoritative server again. There are three important intervals to discuss at this point when it comes to SOA records:
Refresh interval
The refresh interval indicates to secondary nameservers how long they can keep their copies of the primary nameserver's zones before being required to request a refresh of the zone.
Retry interval
The retry interval indicates how long the secondary nameserver must wait before attempting to contact the primary nameserver again after a failed attempt to refresh its zones after the refresh interval has lapsed.
Minimum (default) TTL
This value indicates to other nameservers how long they can use information they've previously retrieved from this authoritative nameserver before being required to consult the authoritative server again for updated or refreshed information. This is, by default, 60 minutes. You also can set TTL values for individual records that override this minimum default setting for a zone.
A sample SOA record in zone file format looks like this:
@ IN SOA colossus.hasselltech.net. admin.hasselltech.net. (
        200509171203 ; serial number
        100          ; refresh
        50           ; retry
        86400        ; expire
        3600 )       ; default TTL
4.3.6. Pointer (PTR) Records
Pointer (PTR) records work very similarly to A records, except they perform the function in reverse—PTR records point IP addresses to hostnames and reside in reverse lookup zones. A sample PTR record in zone file format looks like this:
61.130.98.66.in-addr.arpa. IN PTR alpha.enablehosting.com.
4.3.7. Service (SRV) Records
Service (SRV) records indicate the range and availability of services in a particular zone or domain. They catalog the protocols and services running on specific ports in a zone, creating a "Yellow Pages" of sorts for connecting computers to find machines in the zone that will handle their specific types of requests. Like MX records, SRV records have a preference number, so you can perform a kind of poor man's load balancing and fault tolerance with these as well.
SRV records require a bit more explanation because they are so important to Active Directory. Here is an example SRV record in zone file format:
_kerberos._tcp._sites.dc._msdcs 600 SRV 100 88 colossus.hasselltech.net.
The service—in this case, Kerberos—is the leftmost part of the record, and the _tcp refers to whether the service operates on the TCP or UDP transmission protocols. The rightmost part of the record—in this case, colossus.hasselltech.net—identifies the machine that is listening for requests for the service named in the record. The first number in the middle, 600, indicates the time to live (TTL) for that record, recorded in seconds. The rightmost number, 88, refers to the port number on which the service is listening. Finally, 100 refers to the preference number for the record—these work exactly like MX record preference numbers as described in the previous section. Why are SRV records crucial to Active Directory? Because they indicate which domain machines are running what Active Directory services. Active Directory really looks for only four services to be advertised within SRV records:
_kerberos
To provide user and computer authentications using Kerberos Key Distribution Center (KDC) servers
_kpasswd
To provide a mechanism for changing Kerberos passwords securely
_ldap
For the Lightweight Directory Access Protocol, the way external programs communicate and exchange data with Active Directory
_gc
For the Global Catalog, which contains a subset of attributes for all the objects in an Active Directory forest
A warning that applies from this point forward: even though Microsoft has set up these entries with a leading underscore, you do not want to use either "-" or "_" as the first character in a DNS name, as it is not RFC-compliant. This will cause problems if you ever need to integrate or operate in conjunction with Unix-based BIND DNS servers.
4.4. Using Primary and Secondary Nameservers

DNS has built-in redundancy by allowing for multiple primary and secondary nameservers for a particular domain or zone. Each server, whether identified as primary or secondary, holds a copy of the zone file and acts on its contents. Secondary nameservers can answer queries without any sort of architectural limitation, just as primary nameservers can. However, the secondary nameservers must retrieve updates to zones from the primary nameserver on a regular basis to ensure their records are up-to-date. Each zone can have only one primary nameserver, but can have as many secondary nameservers as is practical. All changes, deletions, and other modifications to a zone are made on the primary nameserver. However, nameservers designated as secondary nameservers hold read-only copies of the zone contents from their associated primary nameservers—zones can't be directly modified on secondary nameservers. The secondary nameserver will automatically determine the primary nameserver for a zone by examining the SOA records for that zone, and will contact that machine on a regular basis to force a zone file refresh.
Secondary nameservers are not limited to zone transfers from only a primary nameserver; they can accept transfers from other secondary nameservers as well.
Several mechanisms exist to force a zone transfer. For one, all of the secondary nameservers will query the primary nameserver for updates: these refreshes are generally "pull"-style updates, whereby machines fetch zones from a particular computer, rather than "push"-style updates. In addition, when a nameserver identified as secondary for any zone is rebooted or its DNS service is restarted, it will automatically query the primary server on record for an update. You also can force a zone transfer by simply right-clicking the zone inside the DNS Management snap-in on the secondary server and selecting "Transfer from Master" or "Reload from Master," to either refresh changes or refresh the entire zone file, respectively. Transfers also are triggered by the expiration date and refresh interval, and, indirectly, by the retry interval for a particular zone. The secondary nameserver will query the primary at the time indicated by the refresh interval—this is generally 15 minutes by default, but you might find a compelling reason to change this depending on your network traffic and needs. If the serial number on the SOA record for a zone is higher on the primary nameserver than on the secondary nameserver's zone record, the transfer will take place. However, if the secondary nameserver can't contact the primary nameserver at the time the refresh interval has elapsed, the secondary nameserver will wait for the amount of time specified in the retry interval and then try again. If further attempts fail, at the time listed in the expiration date section of the record, the secondary nameserver will simply stop answering DNS requests, lest it give inaccurate and obsolete information to clients.
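The refresh, retry and expire behaviour just described can be walked through with a small model. The following is an added illustration, not code from the book or from the Windows DNS service: a secondary polls the primary every refresh interval, backs off by the retry interval after a failed contact, transfers only when the primary's serial is higher, and stops answering once the expire timer has run out since its last good contact. The timer values, the serial change and the outage window in the scenario are constructed.

```python
"""Model of a secondary nameserver driven by the SOA refresh, retry and expire
timers.  Added illustration, not code from the book or from Windows DNS; the
timer values and the outage window used below are constructed."""
from dataclasses import dataclass, field


@dataclass
class SoaTimers:
    refresh: int  # seconds between scheduled checks of the primary's serial
    retry: int    # seconds to wait after a failed check before trying again
    expire: int   # seconds after the last good contact before the copy is discarded


@dataclass
class Secondary:
    timers: SoaTimers
    serial: int              # serial number of the zone copy this secondary holds
    last_good: int = 0       # time of the last successful contact with the primary
    next_check: int = 0      # time of the next scheduled contact
    transfers: int = 0       # zone transfers performed so far
    log: list = field(default_factory=list)

    def answering(self, now):
        """A secondary answers only while its copy has not passed the expire timer."""
        return now - self.last_good < self.timers.expire

    def check(self, now, primary_serial, reachable):
        """One scheduled contact with the primary at time `now`."""
        if not reachable:
            # Failed contact: back off by the retry interval, not the refresh interval.
            self.next_check = now + self.timers.retry
            self.log.append(f"{now}: primary unreachable, retry at {self.next_check}")
            return
        self.last_good = now
        self.next_check = now + self.timers.refresh
        if primary_serial > self.serial:
            # Only a higher serial on the primary triggers a transfer.
            self.transfers += 1
            self.serial = primary_serial
            self.log.append(f"{now}: primary serial {primary_serial} is newer, zone transferred")
        else:
            self.log.append(f"{now}: serial {primary_serial} unchanged, no transfer")


def simulate(timers, primary_serial_at, outage, horizon):
    """Run a secondary from t=0 to `horizon` seconds.

    primary_serial_at(t): serial the primary advertises at time t.
    outage: (start, end) window during which the primary cannot be reached.
    Returns the secondary and the time (if any) at which it stopped answering."""
    sec = Secondary(timers, serial=primary_serial_at(0), next_check=timers.refresh)
    stopped_at = None
    t = sec.next_check
    while t <= horizon:
        if stopped_at is None and not sec.answering(t):
            # The expire timer ran out between the last good contact and this attempt.
            stopped_at = sec.last_good + timers.expire
        reachable = not (outage[0] <= t < outage[1])
        sec.check(t, primary_serial_at(t), reachable)
        t = sec.next_check
    return sec, stopped_at


if __name__ == "__main__":
    timers = SoaTimers(refresh=900, retry=600, expire=3600)  # 15 min / 10 min / 1 h
    # Constructed scenario: the primary bumps its serial at t=1000 and is
    # unreachable from t=1700 to t=5000.
    sec, stopped = simulate(timers, lambda t: 2 if t >= 1000 else 1, (1700, 5000), 6000)
    print("\n".join(sec.log))
    print("stopped answering at:", stopped, "final serial:", sec.serial)
```

The scenario shows the point of the expire timer: the secondary goes silent at t=4500 even though its data was still correct at the time, because it had no way to confirm that since t=900, and it catches up with serial 2 only when the primary is reachable again at t=5400.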
4.4.1. Full and Incremental Zone Transfers

A relatively new DNS RFC, 1995, now allows for incremental zone transfers (known in shorthand as IXFRs), which remove one of the largest stumbling blocks of DNS administration. It used to be that when a zone refresh was needed, DNS couldn't discriminate the changes made on the primary server: even if only one line of a 6,000-line zone file had changed, the entire zone needed to be transferred to the secondary machines in a process commonly referred to as a full zone transfer (or AXFR). Although that process wasn't a big deal if you had only one secondary nameserver, it became a large headache for organizations with tens or hundreds of secondary nameservers spread across the country or world. With the advent of RFC 1995, nameservers now have the ability to detect the differences between two zone files and transfer only the changed information—saving bandwidth, transfer time, and CPU power.
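The difference between the two transfer types is easiest to see on a zone modelled as a set of records. The block below is an added illustration, not the book's code or the DNS service's implementation, and it shows only the delta logic, not the RFC 1995 wire format (which brackets each step with SOA records). It also covers the fallback a real primary makes: when the secondary's serial is older than the change history the primary still holds, or the peer is not IXFR-capable, a full AXFR is sent instead. The 6,000-record zone and the changed host are constructed.

```python
"""Full (AXFR) versus incremental (IXFR) zone transfer, modelled on sets of
(owner, type, rdata) records.  Added illustration, not the book's code or
Windows' implementation; the zone contents are constructed."""


class PrimaryZone:
    """Primary copy of a zone that keeps a journal of changes per serial, the
    history an IXFR-capable server needs to answer incremental requests."""

    def __init__(self, records, serial):
        self.records = set(records)
        self.serial = serial
        self.journal = {}   # serial -> (deleted, added) moving the zone to serial + 1

    def update(self, remove=(), add=()):
        remove, add = set(remove), set(add)
        self.journal[self.serial] = (remove, add)
        self.records = (self.records - remove) | add
        self.serial += 1

    def serve_transfer(self, secondary_serial, supports_ixfr):
        """Return (method, payload) for a secondary holding `secondary_serial`."""
        if secondary_serial >= self.serial:
            return "none", ()
        wanted = range(secondary_serial, self.serial)
        if supports_ixfr and all(s in self.journal for s in wanted):
            # Incremental: send each journal step in order, oldest first.
            return "IXFR", [self.journal[s] for s in wanted]
        # Non-compliant peer, or history no longer available: full transfer.
        return "AXFR", tuple(self.records)


def apply_transfer(secondary_records, method, payload):
    """Apply what the primary sent to the secondary's copy; return the new copy."""
    if method == "AXFR":
        return set(payload)
    current = set(secondary_records)
    if method == "IXFR":
        for deleted, added in payload:
            current = (current - deleted) | added   # deletions first, then additions
    return current


def wire_records(method, payload):
    """Number of resource records carried by the transfer."""
    if method == "AXFR":
        return len(payload)
    if method == "IXFR":
        return sum(len(d) + len(a) for d, a in payload)
    return 0


def build_zone(n_hosts=6000):
    # Constructed zone: one A record per host, like the 6,000-line zone file above.
    return {(f"host{i}", "A", f"10.0.{i // 256}.{i % 256}") for i in range(n_hosts)}


def demo():
    """One changed host: compare what an IXFR and an AXFR peer each receive."""
    primary = PrimaryZone(build_zone(), serial=1)
    secondary, secondary_serial = set(primary.records), 1
    primary.update(remove={("host42", "A", "10.0.0.42")},
                   add={("host42", "A", "192.168.0.42")})
    results = {}
    for supports_ixfr in (True, False):
        method, payload = primary.serve_transfer(secondary_serial, supports_ixfr)
        copy = apply_transfer(secondary, method, payload)
        results[method] = (wire_records(method, payload), copy == primary.records)
    return results


if __name__ == "__main__":
    print(demo())  # {'IXFR': (2, True), 'AXFR': (6000, True)}
```

Applying journal steps in order matters: a record added in one update and deleted in the next must end up absent, which a single merged "add/delete" set would get wrong.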
4.5. Building a Nameserver

In this section, I'll guide you through the process of actually creating a nameserver, and then in the remainder of the chapter I'll add to the functionality of the nameserver to prepare it for use with Active Directory. Nameservers need a constant connection to the Internet and a non-changing IP, either set statically on the server itself or delivered consistently through a DHCP reservation. The machine you're building out as a nameserver doesn't need to be that powerful; a fast Pentium III machine with 512 MB or so of RAM will be more than sufficient.
In the following examples, I will use the fictitious domain name hasselltech.net, with the also fictitious machine name "colossus" and IP address 192.168.0.5. You can, of course, replace these as appropriate when following along with your own computer.
The first step is to install the nameserver software onto your Windows Server 2008 computer. To do so, follow these steps:
1. Open Server Manager.
2. In the left pane, click Roles, and then in the right pane, click Add.
3. Click Next in the Add Roles Wizard.
4. Find DNS Server in the list, check its box, and click Next.
5. Click Next on the "Introduction to DNS Server" screen.
6. Click Install, wait for the process to complete, and then close the Add Server Roles box.
If you have your computer set up to receive an IP address via DHCP, the DNS Server role installation will complain loudly that DNS isn't intended to work on dynamically assigned IP addresses. For this example, we can acknowledge the warnings and continue. As mentioned previously, make sure nameservers that are actually in production—not a test environment—have a consistent, unchanging IP address.
Next, point your new nameserver to itself for name resolution so that when you run tests, you're not querying your ISP's nameservers. In fact, most nameservers point to themselves, rather than to other nameservers, for name resolution. I recommend setting this through the command line using the netsh command, like so:
netsh int ip set dns "Local Area Connection" static 192.168.0.5 primary
You can replace Local Area Connection with the name, as it appears in your network connection properties, of your network connection. Also, replace 192.168.0.5 with the local nameserver's IP. Of course, you also can change the nameservers to use for name resolution through the Windows interface by following these steps:
1. Inside the Control Panel, double-click the Network Connections applet.
2. Inside the Network Connections dialog box, right-click the name of your network connection and choose Properties from the context menu.
3. Navigate to the General tab, and then select Internet Protocol (TCP/IP).
4. Click the Properties button.
5. Click the "Use the following DNS server address" radio button, and then enter the nameserver's IP address into the box.
6. Click OK.
Now that the DNS server software is installed, you need to start the DNS service. Select Start, then click Administrative Tools and select DNS. The DNS Management snap-in will appear, as shown in Figure 4-1 (although it will not have all of the Forward Lookup Zones shown in the figure).
Figure 4-1. The DNS Management snap-in
We'll manually set up DNS later in this chapter, so ignore the message to use the Configure Your DNS Server Wizard. At this point, you have a functional nameserver, which performs "caching-only" functions—that is, it doesn't hold any DNS information unique to itself, but it does know how to contact the 13 root servers as held by ICANN, the master of DNS on the Internet, and it can resolve Internet addresses by contacting them. Windows Server 2008's DNS software knows how to do this by default, without any configuration on your part.
4.5.1. Enabling Incremental Transfers

Windows Server 2008's DNS component is compliant with RFC 1995 and can do incremental transfers (as mentioned earlier, known as IXFRs in DNS parlance) with other Windows Server 2003 or Windows Server 2008 servers supporting the feature. It can also still do the old-style full zone transfers, referred to as AXFRs, with noncompliant nameservers and with non-Windows Server 2003 or Windows Server 2008 machines. There is no way to instruct Windows Server 2008 to always send full zone files to all servers, regardless of whether they are compliant. You can, however, tell Windows to send incremental zone transfers to all supporting servers, regardless of whether they run Windows Server 2003 or Windows Server 2008. Here's how:
1. Open the DNS Management snap-in.
2. Right-click your server and select Properties from the context menu.
3. Navigate to the Advanced tab, and uncheck the box labeled BIND Secondaries.
4. Click OK to finish.
Now the server will use incremental zone transfers to all supporting servers, not just to those running Windows Server 2003 or Windows Server 2008.
4.5.2. Creating a Forward Lookup Zone

Now, to further configure your server, let's create a forward lookup zone file. Inside the DNS snap-in, expand the server name in the lefthand pane. Then do the following:
1. Right-click Forward Lookup Zones and select New Zone. The New Zone Wizard appears.
2. Choose Primary Zone, and then click Next.
3. Enter the zone name. In this example, I'll use hasselltech.net. Click Next to continue.
4. Enter a name for the new zone file, which is stored in ASCII format. The default name is your domain with .DNS appended to the end—hasselltech.net.dns, for example. The zone files are stored in %SystemRoot%\system32\dns. Click Next.
5. On the Dynamic Update screen, choose to allow both insecure and secure dynamic updates. I'll discuss dynamic DNS updating in a later section. Click Next.
6. Click Finish to complete the zone creation process.
The hasselltech.net zone has now been created.
4.5.3. Entering A Records into a Zone

Inside the DNS snap-in, right-click the hasselltech.net node in the lefthand pane and choose New Host (A) from the context menu. The New Host dialog box appears, as shown in Figure 4-2.
Figure 4-2. Entering a new A record
Enter the hostname of the machine for which you're entering the record, and then enter the IP address of the machine. As you enter the hostname, the fully qualified domain name (FQDN) will adjust to show the full hostname, including the domain, to check your work. You also can check the "Create associated pointer (PTR) record" checkbox, which enters a PTR record into the reverse lookup zone, if one is currently configured. (If none is set up, the process will throw an error.) Click OK.
4.5.4. Controlling Round-Robin Balancing

You can enable or disable round-robin DNS balancing using the nameserver's Advanced Properties screen, which you'll find by right-clicking the nameserver name in the DNS Management snap-in's lefthand pane and selecting Properties from the context menu. Figure 4-3 shows this screen, on the Advanced tab of the Properties sheet.
Figure 4-3. Advanced properties of a DNS server
Check "Enable round robin" in the "Server options" box to enable round robin, and uncheck it to disable it.
DNS round-robin functionality is enabled on a per-server level, not on a per-zone level.
Also, if you want to turn off the subnet mask ordering feature, uncheck "Enable netmask ordering" in the "Server options" box, which is on the Advanced Properties screen, as shown in Figure 4-3.
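The two server options interact: round robin rotates the answer list between successive queries, and netmask ordering then moves addresses on the client's own subnet to the front. The block below is an added illustration of that behaviour, not the book's code or the DNS service's implementation. The Windows server compares the client address with each answer using its LocalNetPriorityNetMask setting; a /24 match is assumed here, and the addresses and query name are constructed.

```python
"""Round-robin rotation and netmask ordering of A-record answers.  Added
illustration, not the book's or Windows' code; a /24 "same subnet" test is
assumed and the addresses used in the demo are constructed."""
import ipaddress


class AnswerOrdering:
    def __init__(self, round_robin=True, netmask_ordering=True, local_net_prefix=24):
        self.round_robin = round_robin              # "Enable round robin"
        self.netmask_ordering = netmask_ordering    # "Enable netmask ordering"
        self.local_net_prefix = local_net_prefix    # assumed subnet size for the match
        self._queries = {}                          # query name -> answers given so far

    def order(self, name, addresses, client_ip):
        """Return the A-record addresses for `name` in the order the server would answer."""
        addrs = list(addresses)
        if not addrs:
            return addrs
        if self.round_robin:
            # Rotate the list one position further for each successive query of this name.
            k = self._queries.get(name, 0) % len(addrs)
            addrs = addrs[k:] + addrs[:k]
            self._queries[name] = self._queries.get(name, 0) + 1
        if self.netmask_ordering:
            # Addresses on the client's subnet go first; relative order within each
            # group (including the rotation) is preserved.
            client_net = ipaddress.ip_network(f"{client_ip}/{self.local_net_prefix}",
                                              strict=False)
            near = [a for a in addrs if ipaddress.ip_address(a) in client_net]
            far = [a for a in addrs if ipaddress.ip_address(a) not in client_net]
            addrs = near + far
        return addrs


if __name__ == "__main__":
    # Constructed example: three addresses for one name, client on 192.168.0.0/24.
    server = AnswerOrdering()
    addrs = ["192.168.0.10", "10.1.1.10", "192.168.0.11"]
    for _ in range(3):
        print(server.order("www.hasselltech.net", addrs, "192.168.0.55"))
```

With both options on, the remote 10.1.1.10 address never reaches the top of the answer for a 192.168.0.x client, so turning netmask ordering off is the only way to spread such a client's load across both subnets.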
4.5.5. Entering and Editing SOA Records

A default SOA record is created when you create a new zone in Windows Server 2008. To modify an SOA record, double-click it in the DNS Management snap-in. The screen will look something like Figure 4-4.
Figure 4-4. SOA record properties for a zone
Here are descriptions of the various fields on this tab:
Serial number
The serial number indicates whether the SOA record has changed since the last update on the part of a nonauthoritative nameserver. If you want to change this number, click the Increment button; you can't simply edit the field.
Primary server
This field denotes the primary, authoritative nameserver for this zone.
Responsible person
This field indicates the administrator responsible for configuring and editing this zone. This is the administrator's email address, but with a period in place of the normal at sign (@) and a period appended to the end of the string. For example, if your administrator is hostmaster@hasselltech.net, in this field you would enter hostmaster.hasselltech.net.
Refresh interval
The refresh interval indicates to secondary nameservers how long they can keep their copies of the zones before being required to request a refresh.
Retry interval
The retry interval indicates how long the secondary nameserver must wait before attempting to contact the authoritative nameserver again after a failed attempt to refresh its zone after the refresh interval has lapsed.
Expires after
This value essentially indicates how long a zone file is valid for use in production environments. It dictates how long a secondary nameserver will continue attempting a zone transfer from its primary nameserver. When this expiration date is reached, the zone on the secondary nameserver expires, and that server stops responding to queries.
Minimum (default) TTL
This value indicates to other nameservers how long they can use information they've previously retrieved from this nameserver before being required to consult the authoritative server again for updated or refreshed information. This is, by default, 60 minutes. You also can set TTL values for individual records that override this minimum default setting for a zone.
TTL for this record
This value overrides the minimum (default) TTL as described earlier and is limited to only this SOA record.
4.5.6. Creating and Editing NS Records

NS records, as you learned earlier in this chapter, link the hostnames of nameservers to their IP addresses. To create these records, inside the DNS Management snap-in right-click the zone file in question and select Properties. Then select the Name Servers tab. You'll be greeted with the screen shown in Figure 4-5.
Figure 4-5. Editing NS records for a zone
The primary NS record is displayed, as it was created by default when you first constructed the zone. Click the Add button to insert a new NS record—for example, for a secondary nameserver. In the box that appears, type in the new machine's fully qualified domain name and click the Resolve button. Windows Server 2008 uses a reverse lookup to determine the IP address of the hostname you entered. If you agree with its finding, click the Add button beside the IP address and the NS record will be entered. Click OK twice to close.
4.5.7. Creating and Editing CNAME Records

Recall that CNAME records map different hostnames to pre-existing A records, allowing multiple DNS names for a host. To create these records, right-click the hasselltech.net node in the lefthand pane of the DNS Management snap-in and choose New Alias (CNAME) from the context menu. The New Resource Record dialog box appears, as shown in Figure 4-6.
Figure 4-6. Entering a new CNAME record
Enter the aliased name of the machine for which you're entering the record (this is the canonical name), and then enter the fully qualified domain name of the host you're aliasing. As you enter the CNAME, the fully qualified domain name field just below will adjust to show the full hostname, including the domain, to check your work. Click OK to finish.
4.5.8. Creating and Editing MX Records

As you'll remember from earlier in this chapter, MX records dictate how mail is delivered to a specific DNS zone. To create these records, inside the DNS snap-in right-click the hasselltech.net node in the lefthand pane and choose New Mail Exchanger (MX) from the context menu. The New Resource Record dialog box appears, as shown in Figure 4-7.
Figure 4-7. Entering a new MX record
Enter the name of the domain or zone for which you're entering the record, and then enter the fully qualified domain name of the host to which mail for that domain or zone should be delivered. As you enter the name, the fully qualified domain name field just below will adjust to show the full hostname, including the domain, to check your work. Finally, in the Mail server priority box, type the MX preference number that should apply to this record. Click OK to close.
4.5.9. Generating a Reverse Lookup Zone

You learned earlier in this chapter that reverse lookup zones map IP addresses to their corresponding hostnames. To create these records, inside the DNS Management snap-in right-click the Reverse Lookup Zones folder and choose New Zone from the context menu. You'll be presented with the New Zone Wizard. Click Next to bypass the introductory screen, and you'll see Figure 4-8.
Figure 4-8. Creating a new reverse lookup zone
Then follow these steps:
1. Choose "Primary zone," and click Next.
2. Enter the network numbers for your network in the Network ID field—for example, 192.168.0.0—and then click Next.
3. The Dynamic Updates page appears. Select to allow both insecure and secure updates, and then click Next.
4. Click Finish to complete the wizard.
Your reverse lookup zone has been created.
4.5.10. Creating and Editing PTR Records

Remember that PTR records map IP addresses to their hostnames and are vital within a reverse lookup zone. To create these records, right-click the appropriate reverse lookup zone within the DNS Management snap-in and select New Pointer (PTR) from the context menu. The New Resource Record dialog will appear, as shown in Figure 4-9.
Figure 4-9. Entering a new PTR record
On this screen, all you need to do is enter the last dotted quad of a specific IP address, and then enter the hostname to which that address should refer. The FQDN for the reverse lookup record will fill in automatically. Click OK to finish.
4.5.11. Configuring a Secondary Nameserver

In this section, I'll cover creating a secondary nameserver to serve a zone. Some preliminary steps are necessary, though: first, the machine should be running Windows Server 2008, and it should have the DNS service installed, as mentioned before. The machine's network connection should be configured so that its preferred nameserver is itself. (Also, for the purposes of this section, the secondary nameserver will be called ns2.hasselltech.net at IP address 192.168.0.6.) To proceed:
1. Open the DNS Management MMC snap-in.
2. Right-click Forward Lookup Zones and select New Zone from the context menu. The New Zone Wizard will appear; click Next to skip the introductory screen.
3. Choose Secondary to create a secondary lookup zone, which will indicate to Windows that this should be a secondary nameserver. Click Next.
4. Enter the name of an existing zone on the Zone Name screen, and click Next.
5. Specify the nameservers from which Windows can fetch the existing zone files. Simply enter the primary nameserver in the box, click Add, and then click Next, as shown in Figure 4-10.
6. Click Finish to create the zone.
Figure 4-10. Specifying a primary DNS server for a secondary DNS zone
4.5.12. Upgrading a Secondary Nameserver to Primary

Perhaps you decide, upon acquiring a new business into your organization, that you need more horsepower in responding to DNS queries. Or, perhaps eventually you'd like to cluster your DNS servers. In these cases, you would want to promote some secondary nameservers to primary status. It's an easy process to promote an existing secondary nameserver to a primary nameserver.
1. Open the DNS Management snap-in.
2. Right-click the zone folder that you want to convert, and select Properties from the context menu.
3. Navigate to the General tab, as shown in Figure 4-11.
Figure 4-11. Promoting a DNS server
4. To the right of the Type entry—it should now say either Primary or Secondary—click the Change button. The Change Zone Type screen will appear, as shown in Figure 4-12.
Figure 4-12. Changing a server from primary to secondary
5. Click the "Primary zone" radio button to perform the promotion.
6. Click OK.
The server will now be a primary server for that zone.
4.5.13. Manually Editing Zone Files

All zone files are stored in %SystemRoot%\system32\dns. The files are stored in the format <domain>.dns (e.g., hasselltech.net.dns). You can edit them with your favorite text editor or with a script that you can write to perform large-scale and/or automated machine rollouts.
When you directly edit zone files, make sure you manually increment the serial number value in the zone's SOA record. You can increment by any value. Otherwise, the changes are likely to be missed by any secondary nameservers during a zone transfer.
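A script that edits zone files by hand should read the SOA fields described in the "Entering and Editing SOA Records" section and bump the serial as this section requires. The block below is an added illustration, not the book's code or a Microsoft tool: it parses the SOA record out of a `<domain>.dns` file, converts the responsible-person name back into an email address, and rewrites the serial, refusing any value that is not higher than the current one (a lower serial would silently stop secondaries from transferring). The sample file is constructed to match the layout the DNS service writes (`;` comments, SOA timers inside parentheses); the escaped-dot rule for email local parts is not handled.

```python
"""Read the SOA record from a Windows-style <domain>.dns zone file and bump
its serial before a manual edit is saved.  Added illustration, not the book's
code; SAMPLE_ZONE is constructed to match the file format described above."""
import re

SAMPLE_ZONE = """\
;
;  Database file hasselltech.net.dns for hasselltech.net zone.
;      Zone version:  5
;
@                       IN  SOA colossus.hasselltech.net. hostmaster.hasselltech.net. (
                                5            ; serial number
                                900          ; refresh
                                600          ; retry
                                86400        ; expire
                                3600       ) ; default TTL
@                       NS      colossus.hasselltech.net.
colossus                A       192.168.0.5
www                     CNAME   colossus.hasselltech.net.
"""

_SOA_RE = re.compile(r"\bSOA\s+(\S+)\s+(\S+)\s*\(([^)]*)\)", re.IGNORECASE)
_SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def strip_comments(text):
    """Drop everything from ';' to end of line, keeping the line structure."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(zone_text):
    m = _SOA_RE.search(strip_comments(zone_text))
    if not m:
        raise ValueError("no SOA record found")
    mname, rname, body = m.groups()
    values = body.split()
    if len(values) != 5 or not all(v.isdigit() for v in values):
        raise ValueError(f"malformed SOA timer block: {values!r}")
    soa = dict(zip(_SOA_FIELDS, map(int, values)))
    soa["primary_server"] = mname
    soa["responsible_person"] = rname
    return soa


def rname_to_email(rname):
    """hostmaster.hasselltech.net. -> hostmaster@hasselltech.net"""
    return rname.rstrip(".").replace(".", "@", 1)


def bump_serial(zone_text, new_serial=None):
    """Return the zone text with the SOA serial replaced (default: old + 1).
    Secondaries transfer only when the serial is higher, so a lower value is refused."""
    old = parse_soa(zone_text)["serial"]
    new = old + 1 if new_serial is None else new_serial
    if new <= old:
        raise ValueError(f"new serial {new} must be higher than the current {old}")
    lines = zone_text.splitlines(keepends=True)
    in_soa = False
    for i, line in enumerate(lines):
        code = line.split(";", 1)[0]            # ignore the comment part of the line
        start = 0
        if not in_soa:
            if not (re.search(r"\bSOA\b", code) and "(" in code):
                continue
            in_soa = True
            start = code.index("(") + 1         # skip any digits inside server names
        m = re.compile(r"\d+").search(code, start)
        if m:                                   # first number after '(' is the serial
            lines[i] = line[:m.start()] + str(new) + line[m.end():]
            return "".join(lines)
    raise ValueError("serial number not found")


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print(soa, rname_to_email(soa["responsible_person"]))
    print(parse_soa(bump_serial(SAMPLE_ZONE))["serial"])  # 6
```

Passing an explicit `new_serial` lets you switch to the YYYYMMDDnn convention, which is accepted as long as it is larger than the serial already in the file.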
4.5.14. Controlling the Zone Transfer Process

For obvious reasons, you'll find it necessary to control which machines can perform a zone transfer from nameservers—after all, users at large on the Internet have no legitimate need to retrieve a full copy of your zones, and having a full record of your connected machines is a rather significant security breach. In Windows Server 2008 (Longhorn Server, as it was known during development), this process is locked down by default. To verify this, open the DNS Management snap-in and expand the nameserver's name. Find a zone under Forward Lookup Zones, right-click it, and choose Properties. Click over to the Zone Transfers tab. You'll see the screen depicted in Figure 4-13.
Figure 4-13. Controlling zone transfers
You see that you can disallow zone transfers wholesale by unchecking the box labeled "Allow zone transfers." However, if you choose to enable them to have secondary nameservers, you can lock down the access to those zone files a bit more granularly. The first option, "To any server," leaves the transfer process wide open. The second option, "Only to servers listed on the Name Servers tab," seems to be the most reasonable option by restricting transfer to the servers identified as authoritative for the domain on that tab. The third option, "Only to the following servers," can lock down that list even further. Simply select the option, enter an IP address into the box, and click Add when you're done. Make the list as long or short as it needs to be, and then finish the process by clicking OK. Windows Server 2008 also supports a feature listed in RFC 1996 known as zone modification notification, which nearly contradicts what I wrote earlier about the zone transfer process being primarily a pull, rather than a push, process. Click the Notify button on the Zone Transfer tab to explore this feature; you'll be greeted with the screen in Figure 4-14.
Figure 4-14. Notify dialog screen
The notification feature will contact the servers listed on this Notify screen when changes are made to the zone file on the primary nameserver. You can have the server contact the authoritative nameservers for a zone or domain as listed on the Name Servers tab, or contact only the servers in the list that you create on this screen. (To create this list, simply enter an IP address and click Add. Repeat as necessary to build the list.) Click OK when you've configured or disabled this feature as you wish.
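The settings on the Zone Transfers and Notify tabs combine into a small access policy, and modelling it makes the effect of each choice testable. The block below is an added illustration, not the book's code or the DNS service's implementation: it answers whether a given requester would be served a transfer, lists who gets a NOTIFY, and flags the two configurations a reviewer would question (the wide-open "To any server" setting, and a server that is notified of changes but is not allowed to fetch them). The IP addresses are constructed; the notify list is treated as inactive when transfers are disabled altogether.

```python
"""The Zone Transfers / Notify tab choices as a testable policy object.
Added illustration, not the book's code or Windows' implementation; the
addresses used in the demo are constructed."""
from enum import Enum


class TransferScope(Enum):
    DISABLED = "Allow zone transfers unchecked"
    ANY = "To any server"
    NS_TAB = "Only to servers listed on the Name Servers tab"
    EXPLICIT = "Only to the following servers"


class ZoneTransferPolicy:
    def __init__(self, scope, ns_tab_ips=(), explicit_ips=(),
                 notify=True, notify_ns_tab=True, notify_ips=()):
        self.scope = scope
        self.ns_tab_ips = set(ns_tab_ips)        # addresses behind the zone's NS records
        self.explicit_ips = set(explicit_ips)    # list typed into the Zone Transfers tab
        self.notify = notify                     # "Automatically notify" checkbox
        self.notify_ns_tab = notify_ns_tab       # notify the Name Servers tab list...
        self.notify_ips = set(notify_ips)        # ...or this explicit list instead

    def allows_transfer(self, requester_ip):
        """Would an AXFR/IXFR request from `requester_ip` be served?"""
        if self.scope is TransferScope.DISABLED:
            return False
        if self.scope is TransferScope.ANY:
            return True
        if self.scope is TransferScope.NS_TAB:
            return requester_ip in self.ns_tab_ips
        return requester_ip in self.explicit_ips

    def notify_targets(self):
        """Servers sent a NOTIFY (RFC 1996) when the zone changes."""
        if not self.notify or self.scope is TransferScope.DISABLED:
            return set()
        return set(self.ns_tab_ips) if self.notify_ns_tab else set(self.notify_ips)

    def audit(self):
        """Findings a reviewer would raise about this configuration."""
        findings = []
        if self.scope is TransferScope.ANY:
            findings.append("zone transfers open to any host: the whole zone can be copied")
        if self.scope is TransferScope.NS_TAB and not self.ns_tab_ips:
            findings.append("transfers limited to the Name Servers tab, but it lists no servers")
        if self.scope is TransferScope.EXPLICIT and not self.explicit_ips:
            findings.append("transfers limited to an explicit list that is empty")
        for ip in sorted(self.notify_targets()):
            if not self.allows_transfer(ip):
                # The secondary learns of the change but cannot fetch it.
                findings.append(f"{ip} is notified of changes but may not transfer the zone")
        return findings


if __name__ == "__main__":
    ns2 = "192.168.0.6"   # constructed: the secondary from the section above
    for policy in (ZoneTransferPolicy(TransferScope.ANY, ns_tab_ips=[ns2]),
                   ZoneTransferPolicy(TransferScope.NS_TAB, ns_tab_ips=[ns2])):
        print(policy.scope.value, "->", policy.audit() or "no findings")
```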
4.6. Subdomains and Delegation

It's rare to find an organization running its own DNS that is small enough to not take advantage of subdomains and delegation. By delegation, I mean letting one group, whether logical or physical, administer a section of an organization's network. Let's take a look at an example. Perhaps my company has two offices: one in Boston and the other in Charlotte, North Carolina. Although I have an overarching domain name, mycompany.com, I might want to delineate these two locations within my network—I can call all machines in Boston with the north.mycompany.com domain suffix and all machines in Charlotte with the south.mycompany.com domain suffix. Because the respective IT groups at each location have a better sense of which machines are going in and out of the network at their own offices than a central group of administrators at the headquarters site, the decision was made to let each office's group administer DNS within each subdomain. To make this happen, there are three steps to follow: first, the overarching domain's DNS zone needs to be told there will be a subdomain that will be administered elsewhere. Second, the overarching (in technical terms, the "root" but not the ultimate TLD-root) nameserver needs the address of the subdomain's nameserver for its records. And finally, the subdomain's nameserver needs to be installed and configured.
4.6.1. Delegating a Domain

Inside the DNS Management snap-in, right-click the zone that is the parent of the subdomain you want to create (e.g., mycompany.com), and select New Delegation from the pop-up menu. The New Delegation Wizard appears; click past the introductory screen to the Delegated Domain Name screen. Here, simply enter the subdomain you want to create and delegate in the top box. The bottom box will expand to show the full domain name of what you entered. Click Next to move on. On the next screen, enter the name of the subdomain you'd like to delegate, and click Next. The Name Servers screen appears, as shown in Figure 4-15.
Figure 4-15. Identifying delegated nameservers
On this page, insert the fully qualified domain name and IP address of the nameservers that will be responsible for the new domain. Just click Add to enter these on the New Resource Record screen that will appear. When you're finished, click OK, and then click Next. Click Finish to complete the wizard. The newly delegated domain will appear in the DNS Management snap-in, but it will be grayed out to indicate its delegated status. How does this process modify the actual zone files within the DNS service? For one, it adds new NS records to the parent domain to indicate the server responsible for a particular subdomain. For example, if I were delegating the fully qualified subdomain north.mycompany.com with a nameserver at dns1.north.mycompany.com, the resulting record would look like this:
north NS dns1.north.mycompany.com
Next, the delegation wizard adds an A record to the parent zone so that it can find the new nameserver via its IP address, like this:
dns1.north A 192.168.1.105
This A record is known as a glue record because it is the only way DNS and requesting clients would know the IP address of the delegated nameserver—after all, the primary zone no longer holds information on and controls that zone. The A record eliminates that problem and provides a direct way to get in touch with that delegated nameserver.
When Delegation Goes Lame

Lame delegation is the condition when an NS record points to an incorrect machine. This can be caused when a zone is delegated to a server that has not been properly configured as an authoritative nameserver for that zone, or an authoritative nameserver for a zone has an NS record that points to another machine that is not authoritative for the zone. When lame delegation occurs, these nameservers direct queries to servers that will not respond authoritatively, if at all. This causes unnecessary network traffic and extra work for servers. According to the Domain Health Survey, 25% of all zones have lame delegations. I'll talk about a utility later in this chapter, called DNSLint, that can help you detect lame delegations and fix them.
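The two records the wizard writes, and the two ways a delegation goes wrong (a glue record missing for a nameserver inside the child zone, and an NS record pointing at a server that is not authoritative for it), can be checked with a few lines of logic. The block below is an added illustration, not the book's code and not DNSLint: it reproduces the NS and glue lines shown above for the north.mycompany.com example and then audits a delegation against a constructed table of which server is authoritative for which zone. Nameservers outside the child zone need no glue, so an `external` lookup table stands in for resolving them.

```python
"""What the New Delegation Wizard writes into the parent zone, plus a check for
missing glue and lame delegation.  Added illustration, not the book's code or
DNSLint; the zone data and the authority table used in the demo are constructed."""


def _norm(name):
    return name.lower().rstrip(".")


def in_bailiwick(ns_name, zone):
    """True when the nameserver's own name lies inside the delegated zone."""
    return _norm(ns_name).endswith("." + _norm(zone))


def delegation_records(parent_zone, subdomain, ns_name, ns_ip):
    """Parent-zone lines for delegating `subdomain`, in the book's shorthand:
    an NS record plus, for a server inside the child zone, a glue A record."""
    child = f"{subdomain}.{parent_zone}"
    records = [f"{subdomain} NS {ns_name}"]
    if in_bailiwick(ns_name, child):
        # Owner name relative to the parent zone: strip the parent suffix.
        owner = _norm(ns_name)[: -(len(_norm(parent_zone)) + 1)]
        records.append(f"{owner} A {ns_ip}")
    return records


def check_delegation(zone, ns_names, glue, authority, external=None):
    """Report problems with a delegation of `zone`.

    ns_names:  nameserver names in the parent's NS records for `zone`
    glue:      {ns name: ip} A records the parent holds for those servers
    authority: {ip: zones that server answers for authoritatively}
    external:  {ns name: ip} for servers outside the zone (no glue needed)"""
    external = external or {}
    problems = []
    for ns in ns_names:
        ip = glue.get(ns)
        if ip is None:
            if in_bailiwick(ns, zone):
                # Circular: resolving the NS name needs the very zone it serves.
                problems.append(f"missing glue: {ns} is inside {zone} but the parent "
                                f"holds no A record for it")
                continue
            ip = external.get(ns)
            if ip is None:
                problems.append(f"unresolvable: no address known for {ns}")
                continue
        if _norm(zone) not in {_norm(z) for z in authority.get(ip, ())}:
            problems.append(f"lame delegation: {ns} ({ip}) is not authoritative for {zone}")
    return problems


if __name__ == "__main__":
    print(delegation_records("mycompany.com", "north", "dns1.north.mycompany.com",
                             "192.168.1.105"))
    # Constructed authority table: which zones each server actually answers for.
    authority = {"192.168.1.105": {"north.mycompany.com"},
                 "192.168.0.5": {"mycompany.com"}}
    print(check_delegation("north.mycompany.com", ["dns1.north.mycompany.com"],
                           {"dns1.north.mycompany.com": "192.168.0.5"}, authority))
```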
4.6.2. Creating the Subdomain

Logically, creating the subdomain you've just delegated is very simple. From the delegated server, inside the DNS Management snap-in, you can right-click the Forward Lookup Zones folder and choose New Zone. From there, just follow the instructions in the "Creating a Forward Lookup Zone" section, earlier in this chapter.
4.7. Dynamic DNS

Dynamic DNS is Windows Server 2008's way of bringing together the one good feature of WINS—automatic machine registration and record updating—with the resiliency and open standards advantage of DNS, a staple of the Internet. With dynamic DNS, machines running Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008 can register their presence automatically with the nameserver that controls the zone associated with their connection's DNS suffix. In the case of the examples so far in this chapter, if I have a machine named sales1.north.mycompany.com, this computer would automatically register an A record for that hostname and IP address with the nameserver that controls north.mycompany.com—a handy feature, indeed. Figure 4-16 shows the actual flow of dynamic DNS registration when a workstation needs to register itself.
Figure 4-16. The flow of dynamic DNS registration
The process works a bit differently when IP addresses are assigned by a Windows DHCP server. The client, when it receives its IP address from the DHCP server, only registers an A record in the nameserver's forward lookup zone. The DHCP server by default is responsible for registering the PTR records in the nameserver's reverse lookup zone, if one exists.
If you want to alter this behavior, you can configure the DHCP server to take care of both parts of the registration by looking on the properties sheet for the DHCP scope in question within the DHCP snap-in. Open the DHCP snap-in, expand your machine in the left pane, and then click Scopes. In the right pane, select the scope you want to alter and then right-click it and select Properties. Now, navigate to the DNS tab and select Always Update DNS. The DHCP server will register A records in the forward lookup zone and PTR records in the reverse lookup zone for all clients leasing an address.
When does this registration take place? Five possible actions will trigger a DNS registration on the part of the client:
The computer has been restarted.
The computer's DHCP lease, if the machine uses a dynamic IP address, has just been renewed.
The computer's statically assigned IP address has been changed.
A full 24 hours have passed since the last DNS registration on record.
An administrator issues the ipconfig /registerdns command from the command line.
Although the default period for reregistering DNS dynamically is 24 hours, you can change this value inside the Registry on the client. On the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key, add a new REG_DWORD entry called DefaultRegistrationRefreshInterval, and give it a value in seconds. (For reference, there are 86,400 seconds in a day.)
4.7.1. Scavenging

Obviously, with multiple machines registering DNS information periodically throughout the day, you need to clean up that information when it expires. The Windows Server 2008 DNS scavenging process finds the dynamically registered records that haven't been updated for some time, and then simply deletes them to ensure that after a delay for propagation between servers, the zone information contains the most up-to-date data on the machines and addresses therein. Let's take a look at how scavenging is presented in the user interface and how you can best control it. To control scavenging for all zones on a particular nameserver, right-click the server's name from the DNS Management snap-in and select Set Aging/Scavenging for All Zones. The Server Aging/Scavenging Properties screen appears, as shown in Figure 4-17.
Figure 4-17. Setting dynamic DNS scavenging
At the top of the screen, you see the master switch to enable or disable scavenging. Additionally, you see two options. One of them is for the no-refresh interval, which is simply the time a dynamically registered record should be allowed to stay registered in a "read-only" fashion before the scavenger can take a look at it. This means client computers cannot reregister themselves during this period. The other option is for the refresh interval, which is the amount of time a record should remain and be allowed to be refreshed after the no-refresh interval has passed before the scavenger should remove it. In essence, the scavenger process is not allowed to touch a record unless both the no-refresh and the refresh intervals have passed in full. To enable scavenging, check the top checkbox and click OK. If you have Active Directory-integrated zones, you'll be asked to confirm your choice for those as well. Click OK once again, and scavenging will be enabled. Another step remains—you need to enable scavenging on the nameserver, which you can do by right-clicking the server name inside DNS Management, selecting Properties, and clicking the Advanced tab. This is shown in Figure 4-18.
Figure 4-18. Setting up scavenging on the server
At t he bot t om of t he screen, check t he checkbox labeled " Enable aut om at ic scavenging of st ale records," and t hen ent er a period of t im e aft er which t he scavenger can aut om at ically engage. I f you want t o cont rol scavenging and it s associat ed int ervals for an individual zone, right - click t he zone inside DNS Managem ent and select Propert ies. Then, navigat e t o t he General t ab and click t he Aging but t on. The screen is ident ical t o t he server- wide scavenging cont rol screen shown in Figure 4- 17. For t he scavenging service t o do t he m at hem at ics required t o calculat e t hese int ervals, t he DNS service adds a nonst andard bit of inform at ion t o a resource record's zone inform at ion. For inst ance, an A record on a server or zone wit h scavenging enabled m ight look like t his:
colossus [AGE:47363030] 36400 192.168.0.5
The AGE port ion is t he incept ion point of t he record, m easured in som e sm all int erval since a cert ain dat e. How t hat num ber is det erm ined is unim port ant ; what m at t ers is t hat wit h scavenging enabled, t he AGE inform at ion is added t o a DNS record so t hat t he no- refresh and refresh int ervals can be honored correct ly. You can see t hat t im est am p in a hum an- readable form at by right - clicking any record in t he DNS Managem ent snap- in and select ing Propert ies. The Record t im est am p field will show t he dat e and t im e t he record was creat ed in DNS, as shown in Figure 4- 19.
To view t he record t im est am p, select Advanced from t he View m enu of t he console.
Figu r e 4 - 1 9 . Vie w in g a r e cor d's t im e st a m p in t h e GUI
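The interplay of the no-refresh and refresh intervals is easier to see on concrete records than in the dialog. The following PowerShell is an added example, not code from the book: it classifies a few constructed dynamic records against the two intervals and simulates a round of client re-registrations, assuming the default seven-day intervals and a fixed "now" so the output is reproducible.

```powershell
# Added example (not from the book): models the no-refresh and refresh
# intervals described above against constructed dynamic records, so you can
# see which ones a scavenging pass would remove and which client refreshes
# would be ignored. Assumptions: default 7-day intervals, a fixed "now";
# names and dates are made up.

$NoRefreshInterval = New-TimeSpan -Days 7
$RefreshInterval   = New-TimeSpan -Days 7
$Now               = [datetime]'2008-03-15 12:00'

# Constructed sample records. Timestamp = last accepted registration;
# $null marks a static record, which carries no AGE and is never scavenged.
$Records = @(
    @{ Name = 'colossus'; Timestamp = [datetime]'2008-03-12 08:00' }   # refreshed 3 days ago
    @{ Name = 'laptop17'; Timestamp = [datetime]'2008-03-04 09:30' }   # 11 days ago
    @{ Name = 'oldprint'; Timestamp = [datetime]'2008-02-20 17:15' }   # 24 days ago
    @{ Name = 'www';      Timestamp = $null }                          # static entry
)

function Get-RecordAgingState {
    # Classifies one record relative to the two intervals and the current time.
    param([hashtable]$Record, [timespan]$NoRefresh, [timespan]$Refresh, [datetime]$Now)

    if ($null -eq $Record.Timestamp) { return 'static: no timestamp, the scavenger ignores it' }

    $refreshOpens = $Record.Timestamp + $NoRefresh   # clients may refresh from here on
    $staleAfter   = $refreshOpens + $Refresh         # both intervals passed: scavengeable

    if ($Now -lt $refreshOpens) { return "no-refresh window until $refreshOpens; a refresh now is ignored" }
    if ($Now -lt $staleAfter)   { return "refresh window; a refresh now resets the timestamp, stale after $staleAfter" }
    return "eligible for scavenging (stale since $staleAfter)"
}

function Update-RecordTimestamp {
    # Simulates a client re-registration: accepted only once the no-refresh interval has passed.
    param([hashtable]$Record, [timespan]$NoRefresh, [datetime]$Now)
    if ($null -ne $Record.Timestamp -and $Now -ge ($Record.Timestamp + $NoRefresh)) {
        $Record.Timestamp = $Now
    }
    $Record
}

"State at $Now (no-refresh {0} days, refresh {1} days):" -f $NoRefreshInterval.Days, $RefreshInterval.Days
foreach ($r in $Records) {
    "{0,-10} {1}" -f $r.Name, (Get-RecordAgingState -Record $r -NoRefresh $NoRefreshInterval -Refresh $RefreshInterval -Now $Now)
}

# Every client reregisters right now: only laptop17 and oldprint get a new
# timestamp (and oldprint thereby escapes the next scavenging pass).
"`nAfter every client reregisters at ${Now}:"
foreach ($r in $Records) {
    $updated = Update-RecordTimestamp -Record $r -NoRefresh $NoRefreshInterval -Now $Now
    "{0,-10} {1}" -f $updated.Name, (Get-RecordAgingState -Record $updated -NoRefresh $NoRefreshInterval -Refresh $RefreshInterval -Now $Now)
}

# Server-wide equivalents of Figures 4-17 and 4-18 with dnscmd.exe (values in hours):
#   dnscmd /Config /DefaultAgingState 1
#   dnscmd /Config /DefaultNoRefreshInterval 168
#   dnscmd /Config /DefaultRefreshInterval 168
#   dnscmd /Config /ScavengingInterval 168        (0 turns automatic scavenging off)
```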
4.7.2. Preventing Dynamic DNS Registration
If your organization hasn't deployed Active Directory yet, the dynamic DNS registration default settings that modern Windows client operating systems have can be aggravating to IT groups—your nameservers will be pelted, sometimes forcefully, with registration attempts from Windows systems that believe they need to register themselves for an Active Directory in your organization. Of course, that's not necessarily true, but it's the default behavior. Fortunately, you can turn this off, either through a Registry change (to make the modification on a larger scale) or through the GUI. To do so through the GUI, follow these steps:
1. Open the connection's properties.
2. On the Network tab, select TCP/IP, and then click the Properties button.
3. Navigate to the DNS tab.
4. Uncheck "Register this connection's addresses in DNS."
5. Click OK.
To do so through the Registry, open the Registry Editor, and then take the following steps:
1. Navigate through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip.
2. Click the Parameters key.
3. Add a new value, of type REG_DWORD, called DisableDynamicUpdate.
4. Set the value of the new entry to 1.
Alternatively, you can type the following at the command line:
reg add hklm\system\currentcontrolset\services\tcpip\parameters /v DisableDynamicUpdate /t REG_DWORD /d 1 /f
You also can use Group Policy (GP) to deploy a policy that disables this to all machines in a domain, or to a subset of those machines, but GP in this case necessitates Active Directory. In any case, the proper object is under Computer Configuration/Administrative Templates/Network/DNS client. The object is called Dynamic Update, and to turn it off, change the state to Disabled. Chapter 6 covers GP in more detail.
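Before changing either value, it helps to know what a client is actually doing. This added PowerShell example (not from the book) reads the two client-side values from sections 4.7 and 4.7.2, DefaultRegistrationRefreshInterval and DisableDynamicUpdate, reports the effective behaviour including the defaults that apply when the values are absent, and offers a setter equivalent to the reg add command above. It assumes Windows PowerShell 2.0 or later and read access to HKLM; writing needs an elevated prompt.

```powershell
# Added example (not from the book): audit and optionally set the client-side
# dynamic DNS registration values discussed in sections 4.7 and 4.7.2.
# Assumptions: Windows PowerShell 2.0+, local machine, elevation for Set-.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsRegistrationSetting {
    param([string]$KeyPath = $TcpipParams)
    $props = Get-ItemProperty -Path $KeyPath

    # Neither value exists on a default install; absence means
    # "register this connection, refresh every 24 hours (86,400 seconds)".
    $disable  = 0
    $interval = 86400
    if ($null -ne $props.DisableDynamicUpdate)               { $disable  = [int]$props.DisableDynamicUpdate }
    if ($null -ne $props.DefaultRegistrationRefreshInterval) { $interval = [int]$props.DefaultRegistrationRefreshInterval }

    New-Object PSObject -Property @{
        ComputerName           = $env:COMPUTERNAME
        DynamicUpdateEnabled   = ($disable -eq 0)
        RefreshIntervalSeconds = $interval
        RefreshIntervalHours   = [math]::Round($interval / 3600, 2)
        UsingDefaults          = ($null -eq $props.DisableDynamicUpdate -and
                                  $null -eq $props.DefaultRegistrationRefreshInterval)
    }
}

function Set-DnsRegistrationSetting {
    # -Disable does what the reg add command in the text does;
    # -RefreshIntervalSeconds writes the value described in section 4.7.
    param([switch]$Disable, [int]$RefreshIntervalSeconds = 0, [string]$KeyPath = $TcpipParams)

    if ($Disable) {
        Set-ItemProperty -Path $KeyPath -Name DisableDynamicUpdate -Value 1 -Type DWord
    }
    if ($RefreshIntervalSeconds -gt 0) {
        Set-ItemProperty -Path $KeyPath -Name DefaultRegistrationRefreshInterval -Value $RefreshIntervalSeconds -Type DWord
    }
    # Return the resulting state so the change is confirmed, not assumed.
    Get-DnsRegistrationSetting -KeyPath $KeyPath
}

# Audit only; nothing is changed unless Set-DnsRegistrationSetting is called.
Get-DnsRegistrationSetting | Format-List
```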
4.8. Active Directory-Integrated Zones
Up to this point, I've treated the Windows Server 2008 DNS service as a traditional nameserver, mostly compliant with the relevant RFCs, which can act in both primary and secondary "modes" for a zone. However, Windows Server 2008 offers a third mode specific to Windows that, although not listed in an RFC, offers some distinct advantages if you've made an infrastructure investment in Active Directory and Windows. The third mode, Active Directory-integrated DNS, offers two pluses over traditional zones. For one, the fault tolerance built into Active Directory eliminates the need for primary and secondary nameservers. Effectively, all nameservers using Active Directory-integrated zones are primary nameservers. This has a huge advantage for the use of dynamic DNS as well: namely, the wide availability of nameservers that can accept registrations. Recall that domain controllers and workstations register their locations and availability to the DNS zone using dynamic DNS. In a traditional DNS setup, only one type of nameserver can accept these registrations—the primary server, because it has the only read/write copy of a zone. By creating an Active Directory-integrated zone, all Windows Server 2008 nameservers that store their zone data in Active Directory can accept a dynamic registration, and the change will be propagated using Active Directory multimaster replication, something you'll learn about in Chapter 5. All you need to do to set up this scenario is install Windows Server 2008 on a machine, configure it as a domain controller, install the DNS service, and set up the zone. It's all automatic after that.
Contrast this with the standard primary-secondary nameserver setup, where the primary server is likely to be very busy handling requests and zone transfers without worrying about the added load of dynamic DNS registrations. Active Directory-integrated zones relieve this load considerably. And to add to the benefits, Active Directory-integrated zones support compression of replication traffic between sites, which also makes it unnecessary to use the old-style "uncompressed" zone transfers.
As you read in the previous section, part of the dynamic DNS functionality provided in Windows Server 2008 is the scavenger process. Recall the no-refresh interval function, which was created to eliminate exorbitant amounts of traffic being passed between domain controllers for each DNS re-registration.
Active Directory-integrated zones also afford a big security advantage, in that they provide the capability to lock down dynamic DNS functionality by restricting the ability of users and computers to register records into the system—only computers that are members of the Active Directory domain that hosts the DNS records can add and update records dynamically to these zones. However, to have an Active Directory-integrated zone, your nameservers must be domain controllers for an Active Directory domain. If other nameservers are used that are not domain controllers, they can act only as traditional secondary nameservers, holding a read-only copy of the zone and replicating via the traditional zone transfer process. If you're already running a nameserver that is a domain controller with an active zone in service, it's easy to convert that to an Active Directory-integrated zone. (And for that matter, it's easy to revert to a primary or secondary zone—this isn't a be-all and end-all.) Here's how to go forward:
1. Open the DNS Management snap-in.
2. Right-click the zone folder you want to convert, and select Properties from the context menu.
3. Navigate to the General tab, as shown in Figure 4-20.
Figure 4-20. Converting a zone to Active Directory-integrated mode
4. To the right of the Type entry—it should now say either Primary or Secondary—click the Change button. The Change Zone Type screen will appear, as shown in Figure 4-21.
Figure 4-21. Storing a zone in Active Directory
5. Check the "Store the zone in Active Directory" checkbox.
6. Click OK.
You'll note that your options expand once you've converted to Active Directory-integrated zones. Go back to the zone's properties, and on the General tab, note a couple of things:
The Dynamic Updates field now allows Secure Only updates.
You have options for replicating zone changes throughout all domain controllers in Active Directory.
Let's focus on the latter for a moment.
4.8.1. Replication Among Domain Controllers
Windows Server 2008 allows you to tune how Active Directory replicates DNS information to other domain controllers. (While I'll present AD in all of its glory in Chapter 5, I'll cover this briefly here.) Click the Change button beside the Replication field on the zone properties, and you'll be presented with the Change Zone Replication Scope screen, as shown in Figure 4-22.
Figure 4-22. Controlling DNS replication in Active Directory
The default setting is "To all domain controllers in the Active Directory domain," which instructs Windows to behave exactly as it did in Windows 2000 Server: replicate DNS information to all domain controllers in Active Directory, regardless of whether they're actually running the DNS service. Obviously, if you have 20 domain controllers in your domain, but only 3 domain controllers that run DNS, this is a lot of replication traffic that is just wasted. On this screen, you can select to replicate the DNS information only to domain controllers running DNS in either the forest or the domain. This is very helpful, and for large organizations, it should cut down on WAN traffic.
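The same conversion, the Secure Only update setting and the replication scope from sections 4.8 and 4.8.1 can be applied without the GUI. This added PowerShell example (not from the book) drives dnscmd.exe, which ships with the DNS Server role, and places the weak and hardened values of the Dynamic Updates setting side by side. It assumes it runs on the nameserver (a domain controller) as a domain administrator and that the constructed zone corp.example.com already exists there.

```powershell
# Added example (not from the book): convert a zone to Active Directory-
# integrated mode, restrict it to secure-only dynamic updates and narrow its
# replication scope with dnscmd.exe. Assumptions: run on the nameserver, which
# is a domain controller, as a domain admin; corp.example.com is a constructed
# sample zone that already exists as a file-backed primary zone.

$Zone = 'corp.example.com'

function Invoke-Dnscmd {
    # Runs dnscmd with the given arguments and fails loudly on a non-zero exit
    # code, so a step that did not apply is never mistaken for one that did.
    param([string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed: $output"
    }
    $output
}

# Steps 4 to 6 of the procedure above: store the zone in Active Directory
# (Change Zone Type -> "Store the zone in Active Directory").
Invoke-Dnscmd @('/ZoneResetType', $Zone, '/DsPrimary')

# The Dynamic Updates field. The weak setting is all a file-backed primary zone
# offers; the hardened one is what the conversion unlocks:
#   /AllowUpdate 1  nonsecure and secure: any host that can reach the server may
#                   add or overwrite records
#   /AllowUpdate 2  secure only: authenticated domain members only, as described above
Invoke-Dnscmd @('/Config', $Zone, '/AllowUpdate', '2')

# Section 4.8.1: replicate only to domain controllers running DNS in this domain
# (Change Zone Replication Scope). '/forest' widens it to all DNS servers in the forest.
Invoke-Dnscmd @('/ZoneChangeDirectoryPartition', $Zone, '/domain')

# Read the zone back. In the output, "DS integrated = 1" confirms the
# conversion and "update = 2" confirms secure-only dynamic updates.
Invoke-Dnscmd @('/ZoneInfo', $Zone)
```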
4.9. Forwarding
Forwarding, in the simplest terms, is the process by which a nameserver passes on requests it cannot answer locally to another server. You can make forwarding work to your advantage so that you effectively combine the resolver caches for many nameservers into one. By doing this, you allow clients to resolve previously retrieved sites from that "mega-cache" before requiring a true refresh lookup of the information from authoritative nameservers on the public Internet. Here's how it works. DNS behavior by default is to consult the preferred nameserver first to see whether it has the necessary zone information for which the client is searching. It doesn't matter to the client if the preferred nameserver has the zone information but isn't authoritative; having the information is enough for the client, and it takes the returned results and makes the connection. But if the server doesn't have the zone recorded in its files, it must go upstream, to the public Internet, to ask other nameservers for the zone information that's needed. This takes time because it adds a delay to the initial resolution while the preferred nameserver is searching the Internet for the answer. However, after the nameserver looks up the information once, it stores it in its cache of resolved names so that the next user looking for the same resolver information doesn't incur that delay: the preferred nameserver can simply answer out of its cache and return the data nearly instantaneously. Forwarding takes this cache and expands it to multiple nameservers. Consider an organization with four or five nameservers. Clients likely will have different preferred nameservers, set to one of each of those four or five. So, when one client wants information that's not in her nameserver's cache, her preferred nameserver will search it out and return it, and all future users of that particular preferred nameserver will get information for that zone returned out of its cache. But the other users in the organization won't be able to take advantage of that cached entry because they're likely using other machines as their preferred nameservers. A forwarder comes in and adds an extra step to this process: if the preferred nameserver doesn't have zone information in its cache, it will ask a separate server, known as the forwarder, if it has information on the requested zone. The forwarder is simply another nameserver that looks up zone information on the Internet and stores it in its own cache for easy reference. So, if all nameservers in an organization are configured to ask the same forwarder for cached information if it has some, all of those nameservers are taking advantage of the forwarder's cache and the near-instantaneous response the forwarder can give to resolution requests. Again, the forwarder acts like a regular nameserver in all respects; it's just that other nameservers in an organization are configured so that they can use the forwarder's cache. If, however, the forwarder machine takes too long to respond to a request, the original preferred nameserver can take over and make a request to the Internet itself, so you don't lose the ability to resolve DNS requests—you're only making it more efficient. You also can have more than one forwarder for your organization if you're worried about a single point of failure, but you lose a bit of the advantage because you're again using more than one cache database. Now, to set up forwarding:
1. Open the DNS Management snap-in on the machine you want to set up to forward requests elsewhere.
2. Right-click the server name and choose Properties from the context menu.
3. Navigate to the Forwarders tab, and then in the "Selected domain's forwarder IP address list" field, enter the IP address to which requests should be forwarded. This is shown in Figure 4-23.
Figure 4-23. Setting up a forwarding DNS system
4. Also as shown in Figure 4-23, enter "5" in the "Number of seconds before forward queries time out" field. Five seconds is a standard number that ensures efficient name resolution if the forwarders somehow fail at their task.
5. Click Apply to complete the process.
4.9.1. Slaving
Slaving is a logical extension to the forwarding process. Servers slaved to a specific nameserver forward requests to that server and rely entirely on that server for resolution; in plain forwarding, on the other hand, the original nameserver can resolve the request itself after a timeout period by querying the root nameservers. With slaving, the upstream nameserver becomes the proxy through which all slaved nameservers make their requests.
This is useful mainly in situations where you need multiple nameservers within your organization to handle Active Directory- and internal-related tasks, but you want outside requests to stay outside the firewall. You can set up one very secure nameserver and place it outside your firewall and internal network, allowing it to service requests from the inside to the outside and from the outside to certain machines within the network. Then, you can slave the internal machines to the one machine outside the firewall, making them depend entirely on the machine in the hostile environment but keeping that environment out of your internal network and away from the many nameservers you administer locally. Because most firewalls are stateful inspection machines that only allow packets inside the firewall that are in response to communications initiated internally, and because your internal nameservers query only the external nameserver and not the Internet itself, the public has no reason to know that your internal nameservers exist, and no ability to get to them, either. Setting up slaving, as opposed to forwarding, involves only one extra checkbox. To enable slaving, follow these steps:
1. Open the DNS Management snap-in on the machine you want to set up to slave to another server.
2. Right-click the server name and choose Properties from the context menu.
3. Set up forwarding first. Navigate to the Forwarders tab, and then in the "Selected domain's forwarder IP address list" field, enter the IP address to which requests should be forwarded. This is shown in Figure 4-24.
Figure 4-24. Setting up a slaved DNS system
4. Also as shown in Figure 4-24, enter "5" in the "Number of seconds before forward queries time out" field. Five seconds is a standard number that ensures efficient name resolution if the forwarders somehow fail at their task.
5. Now, check the "Do not use recursion for this domain" box at the bottom of the screen. This slaves the server to the forwarders listed in the box above.
6. Click Apply, and then OK, to complete the process.
4.9.2. Conditional Forwarding
There might be occasions, especially when using the split DNS architecture technique that I'll cover in the next section, where you want to assign certain nameservers to answer queries for specific domains that your users ask for. Conditional forwarding can be useful for many reasons, including increasing the speed of name resolution for clients, or effecting a structural DNS change in the case of company acquisitions or divestitures.
Conditional forwarding is supported only in Windows Server 2003 and Windows Server 2008.
The Forwarders tab inside the DNS Management snap-in holds multiple lists of domains and their associated forwarders specifically to accommodate the conditional forwarding feature. To set up conditional forwarding, follow these steps:
1. Open the DNS Management snap-in on the machine you want to set up for conditional forwarding.
2. Right-click the server name and choose Properties from the context menu.
3. Navigate to the Forwarders tab, and then click the New button to the right of the DNS domain box.
4. In the New Forwarder box, enter the name of the DNS domain to configure forwarding for, and then click OK.
5. Click the new domain within the DNS domain list, and then in the "Selected domain's forwarder IP address list" field, enter the IP address to which requests should be forwarded. This is shown in Figure 4-25.
6. In the "Number of seconds before forward queries time out" field, enter "5".
Figure 4-25. Setting up a conditionally forwarded DNS system
7. Leave the "Do not use recursion for this domain" box at the bottom of the screen unchecked because you don't want to slave your nameserver permanently to a forwarder for only certain domains.
8. Click Apply, and then OK, to complete the process.
4.10. The Split DNS Architecture
Now that you have a good background on the special DNS techniques you can use, let's discuss a very common and fairly secure way to deploy DNS within your organization: using the split DNS architecture. As I've briefly mentioned previously in this chapter, the split DNS architecture scenario consists of a set of internal nameservers that are used within the corporate computing environment in daily operations. There are also one or more nameservers facing externally to the Internet that outsiders use to connect to your corporation's electronic services, but that are separated from the internal nameservers for security purposes. Outsiders who query for information from your external nameservers won't be able to obtain information on your internal network structure and composition because the external nameserver is completely separate from the internal nameservers that hold this data. The external nameservers hold records only for externally facing servers and not for your entire internal domain. This technique is called the split DNS architecture because DNS information is split between the inside and the outside of an organization.
Split DNS is a great way to deploy Active Directory-compatible DNS services within your organization, but it isn't the only way to deploy DNS.
4.10.1. Stub Zones
Now is the time to introduce a type of zone new in Windows Server 2003, called the stub zone. Stub zones contain only a subset of the information contained in a regular forward or reverse lookup zone. Specifically, a stub zone contains the SOA record, any pertinent NS records, and the A records for the nameservers that are authoritative for that zone, and nothing more. Stub zones are useful for creating split DNS infrastructures, where internal machines service internal DNS requests and external DNS requests are serviced elsewhere, perhaps at a datacenter or Internet service provider. Now, how do stub zones and conditional forwarding play into the split DNS architecture? In a couple of ways: for one, you might do business with an organization that occasionally needs to access systems that reside within your corporate firewall, not outside of it. Because the external nameservers have no information on your internal systems, there's no default way to use split DNS to allow outsiders to resolve canonical names within your firewall. To resolve this, you use stub zones, placed on the internal nameserver of the corporation with whom you're doing business, which again contain only NS and SOA records of your internal nameservers. That way, when people query for resources that you host, they go to their local nameservers, and their local nameservers see the stub zones placed there about your organization with the proper name and IP address for your nameservers. In essence, any organization that hosts a stub zone for your domain always will know the names and addresses of your nameservers. Best of all, regular zone transfers will make sure the information inside these stub zones is kept up-to-date, but of course you must have permission to conduct these zone transfers.
Conditional forwarding operates very similarly to stub zones, except that where stub zones simply contain information about a foreign domain's nameservers, conditional forwarding is used on the local nameserver to directly forward requests for information to the foreign nameserver. Unlike stub zones, conditional forwarders don't automatically update when information changes, so manual intervention is required if you need to change the addresses or names of the foreign nameserver; however, you don't need any special permissions on the foreign nameserver to use conditional forwarding because no zone transfers are involved. Some overhead is involved with conditional forwarding, however, if you have a large list of names to forward; the server has to check each and every request against this list, and if you have a large load on the server, this can slow down response time considerably for everyone hitting that particular server. For just a few zones, however, conditional forwarding can be the best solution, and it can be done without the foreign DNS hostmaster or administrator knowing or approving.
Both of these techniques are a major part of the split DNS architecture strategy. Let's take an example corporation—one that intends to use Active Directory and is deploying DNS with that in mind—with a primary and secondary nameserver for the external side of the infrastructure and a second set of primary and secondary nameservers for the internal side. A basic diagram of this infrastructure is shown in Figure 4-26.
Figure 4-26. How split DNS architecture is laid out
Note that the first set of primary and secondary nameservers is outside the corporate firewall, and they take care of any external requests that come for the domain. In fact, the registrar that has the corporation's domain registration lists these two nameservers as authoritative for that domain. However, the zone files on these servers are static—they list only a few, rarely changing items, which could be web, FTP, and mail servers. This is really all the public needs to know. There are two points to note about this portion of the scenario:
The external nameservers are not authoritative for the internal, Active Directory-based DNS structure. They are authoritative only for external, Internet-based requests.
If your ISP has been providing hosting for your nameservers, there's no reason it can't continue doing so. In fact, this is simpler to administer than hosting both sets of nameservers on your own premises.
Now let's focus on the internal nameservers for this corporation. The primary nameserver on the internal side is configured as the primary nameserver for the internal zone and is instructed to accept dynamic DNS updates from internal workstations and servers. However, these internal servers are blind (at this point) to the fact that outside the firewall, another set of nameservers is holding the same zone name with different records. In addition, the workstations within the business are configured to think of the authoritative nameservers for the domain as the internal servers; this is where they will register themselves via dynamic DNS, and also where they will first look to resolve Internet names. So, how do internal users resolve names on the Internet if they can't see the external set of nameservers? It's easy—the internal primary and secondary nameservers are configured to forward Internet requests to the external primary nameserver. So, if the address being requested by the client isn't in the internal nameserver's cache (meaning it hasn't been requested recently by another client), it will ask the external nameserver for the answer. No zone transfers are involved—it's just straight forwarding, as I covered earlier in this chapter. But how might external users resolve internal DNS names? The short answer is: they won't. That's a security feature. Because the external users know only about the external nameservers, and the external nameservers know only about themselves and not the internal nameservers, there's no way for the external nameservers to report any information about internal DNS records inside the firewall. The only problem you might run into is when internal users attempt to access the company's own resources on the external side of the firewall; to allow this, simply add a static record to the internal nameservers that points to the correct external resource. You don't introduce any security problems that way because there's still no "window" for external users to see into your internal structure. So, in essence, you have a DNS architecture "split" between internal and external nameservers. If you're looking to reproduce this architecture, the following summarizes the correct procedure:
1. Create two sets of servers—one for in front of the firewall, and one for behind it. Install the DNS service on both.
2. Make every nameserver point to itself for its own DNS information; you do this within the network card properties where you indicate the IP address. There's no need to configure a secondary nameserver for each of these.
3. Copy any external records your internal users might need to the internal zone. This includes web, mail, and FTP servers. Remember, if you don't do this, your users won't be able to resolve the names of anything outside the firewall.
4. Configure external forwarders—these are the machines to which your internal nameservers will forward requests so that your internal users can resolve Internet names.
5. Slave the internal set of nameservers to these external forwarders you created in the previous step. This shields them from the Internet's blinding eye.
6. Configure all machines on the internal network to use only the internal nameservers. This allows them to register with Active Directory if appropriate and to find internal resources, which they couldn't find if directed to the external nameservers outside the firewall.
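Steps 3 through 5 of this procedure, together with the forwarding, slaving, conditional forwarding and stub zone settings from sections 4.9 through 4.10.1, are what the internal nameserver ends up holding. The following PowerShell is an added example, not code from the book: it applies that configuration with dnscmd.exe as a table of steps that stops at the first failure, then reads back the slave state and zone list. Every name and address in it is a constructed sample, and it assumes it runs on the internal nameserver as an administrator after the internal zone exists.

```powershell
# Added example (not from the book): build the internal nameserver's
# forwarding configuration for the split DNS architecture with dnscmd.exe.
# Assumptions: run on the internal nameserver as an administrator; the
# internal zone exists; all names and addresses below are constructed samples.

$InternalZone       = 'corp.example.com'
$ExternalForwarders = @('203.0.113.10', '203.0.113.11')   # external primary and secondary
$PartnerDomain      = 'partner.example.net'               # resolved via a conditional forwarder
$PartnerNameserver  = '198.51.100.53'
$PartnerStubZone    = 'internal.partner.example.net'      # a partner zone we hold as a stub
$PartnerStubMaster  = '198.51.100.20'

$Steps = @(
    @{ Why  = 'Step 3: copy the external records internal users need into the internal zone (web)'
       Args = @('/RecordAdd', $InternalZone, 'www',  'A', '203.0.113.80') }
    @{ Why  = 'Step 3 (continued): mail host'
       Args = @('/RecordAdd', $InternalZone, 'mail', 'A', '203.0.113.25') }
    @{ Why  = 'Steps 4-5: forward to the external forwarders, 5-second timeout, slaved (section 4.9.1, Figure 4-24)'
       Args = @('/ResetForwarders') + $ExternalForwarders + @('/TimeOut', '5', '/Slave') }
    @{ Why  = 'Section 4.9.2: conditional forwarder for the partner domain; recursion stays on for it (Figure 4-25)'
       Args = @('/ZoneAdd', $PartnerDomain, '/Forwarder', $PartnerNameserver, '/TimeOut', '5') }
    @{ Why  = 'Section 4.10.1: stub zone holding only the SOA, NS and glue A records of the partner zone'
       Args = @('/ZoneAdd', $PartnerStubZone, '/Stub', $PartnerStubMaster) }
)

foreach ($step in $Steps) {
    Write-Host $step.Why
    $dnscmdArgs = $step.Args
    $output = & dnscmd.exe @dnscmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Stop at the first failure; a half-applied forwarding setup is worse than none,
        # because an internal server left unslaved will recurse to the Internet itself.
        throw "dnscmd $($dnscmdArgs -join ' ') failed: $output"
    }
}

# Verify: IsSlave must be 1 (the internal server never recurses to the Internet on
# its own), and the zone list should show the conditional forwarder and stub zones
# beside the internal zone.
& dnscmd.exe /Info /IsSlave
& dnscmd.exe /EnumZones
```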
4.10.2. Security Considerations
Split DNS architecture is implemented with security in mind, but you can always take more steps to harden those DNS systems. You've already taken two steps in this process: for one, slaving the internal nameservers to the external forwarders eliminates the possibility that if the firewall or some other transmission problem prevents the external forwarder from responding, the internal nameserver will conduct its own search of the Internet. You obviously don't want your internal nameservers touching anything on the outside of the firewall except those external forwarders. The other step is the use of the firewall to separate the two sets of nameservers from each other. You need to ensure that the firewall that protects the perimeter of your corporate network from the Internet is configured correctly and locked down as tightly as possible. I recommend Building Internet Firewalls, Second Edition (O'Reilly), by Zwicky et al., for detailed and thorough guidance on this topic. You'll especially want to ensure that only a few ports—such as the DNS port, 53—are open. Other than that, this architecture is fairly secure right after implementation.
4 .1 1 . Ba ck u p a n d Re cove r y I f you t hought configuring DNS in t he first place was difficult , you'll find t he backup and recovery procedures refreshingly sim ple. There are t wo locat ions in t he Regist ry t o back up t he DNS service and one direct ory on t he physical filesyst em .
The following procedure won't work wit h Act ive Direct ory- int egrat ed zones, as t he zone files are wit hin t he direct ory service and are not available on t he filesyst em .
To back up a server that's hosting one or more primary or secondary DNS zones, follow these steps:
1. On the nameserver, stop the DNS service using the Services applet in the Control Panel or through the command line.
2. Open the Registry Editor (select Start / Run, type regedit, and press Enter).
3. Navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS key.
4. Right-click the DNS folder, and from the context menu, choose Export.
5. When prompted for a filename, enter DNS-CCS, and choose an appropriate location that is off the server.
6. Now, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server key.
7. Right-click the DNS Server folder, and from the context menu, choose Export.
8. Name this file DNS-CV, and again choose a location that is not on the current server. These two files will be DNS-CCS.REG and DNS-CV.REG.
9. Now, using Windows Explorer, navigate to the %SystemRoot%\System32\dns directory on the boot drive.
10. Find all files with the .DNS extension, select them, and then copy them to the same location that you exported DNS-CCS.REG and DNS-CV.REG.
Your DNS service is now completely backed up. Restart the DNS service to continue using it.
To restore a set of DNS configuration files, install a Windows Server 2008 machine and use the same computer name, DNS suffix, and IP address. Be sure to install the DNS service. Then copy all of the .DNS files from your backup to the %SystemRoot%\System32\dns directory, and stop the DNS service. Double-click DNS-CCS.REG and confirm that you want its contents imported into the Registry; do the same for DNS-CV.REG. Finally, restart the DNS service, and your replacement server should function normally.
If you want to move only the primary role for a particular zone from one nameserver to another, simply copy the .DNS file for that zone to the target computer. Run the New Zone Wizard as described earlier in this chapter, and then instruct it to use a preexisting zone file.
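The backup and restore steps above, scripted in PowerShell as an added example (this is not code from the book). It assumes PowerShell 2.0 or later, that the DNS Server service is registered under the name DNS, that reg.exe is available, and that the backup root you pass in (a UNC path to another machine, for instance) is off the server being backed up; the file and key names are the ones the procedure uses.

```powershell
# Added example: automate the manual DNS Server backup/restore procedure.
# Assumptions: service name "DNS", reg.exe on the PATH, $BackupRoot is not on this server.
# AD-integrated zones are not covered; their data lives in the directory, not in .dns files.

function Backup-DnsServerConfig {
    param(
        [Parameter(Mandatory=$true)] [string] $BackupRoot   # e.g. \\fileserver\dnsbackup (assumed share)
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $BackupRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Step 1: stop the service so the registry keys and zone files are quiescent.
    Stop-Service -Name DNS -ErrorAction Stop
    try {
        # Steps 2-8: export the two registry keys named in the procedure.
        # reg.exe export writes a .REG file; /y overwrites an existing file without prompting.
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\DNS' `
            (Join-Path $target 'DNS-CCS.REG') /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg export of Services\DNS failed' }
        & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server' `
            (Join-Path $target 'DNS-CV.REG') /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg export of the DNS Server key failed' }

        # Steps 9-10: copy every .dns zone file. If the server hosts only
        # AD-integrated zones there are none, so warn instead of silently
        # producing a backup that contains no zone data.
        $dnsDir    = Join-Path $env:SystemRoot 'System32\dns'
        $zoneFiles = Get-ChildItem -Path $dnsDir -Filter '*.dns' -ErrorAction SilentlyContinue |
                     Where-Object { -not $_.PSIsContainer }
        if (-not $zoneFiles) {
            Write-Warning "No .dns zone files found in $dnsDir (AD-integrated zones only?)"
        }
        foreach ($f in $zoneFiles) { Copy-Item -Path $f.FullName -Destination $target }
    }
    finally {
        # Bring the service back even if an export failed part-way through.
        Start-Service -Name DNS
    }
    return $target
}

function Restore-DnsServerConfig {
    param(
        [Parameter(Mandatory=$true)] [string] $BackupDir   # directory returned by Backup-DnsServerConfig
    )
    # The replacement server must already have the same name, DNS suffix and
    # IP address and the DNS service installed, as the text requires.
    foreach ($reg in 'DNS-CCS.REG', 'DNS-CV.REG') {
        if (-not (Test-Path (Join-Path $BackupDir $reg))) { throw "$reg is missing from $BackupDir" }
    }
    # Copy the zone files first, then stop the service, then import the keys.
    $dnsDir = Join-Path $env:SystemRoot 'System32\dns'
    Copy-Item -Path (Join-Path $BackupDir '*.dns') -Destination $dnsDir -Force
    Stop-Service -Name DNS -ErrorAction Stop
    try {
        foreach ($reg in 'DNS-CCS.REG', 'DNS-CV.REG') {
            & reg.exe import (Join-Path $BackupDir $reg) | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg import of $reg failed" }
        }
    }
    finally {
        Start-Service -Name DNS
    }
}
```

Both functions must run in an elevated session on the DNS server itself, since reg.exe import and the service stop require administrative rights.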
4.12. Command-Line Utilities

In this section, I'll describe some useful programs designed to run from a command line that you can use to automate your DNS setup and configuration processes.
4.12.1. DNSCmd

The Windows Server 2008 Support Tools collection, described earlier in the book, contains the DNSCmd utility, which is a great way to access some common DNS configuration-related functions through the power and speed of the command prompt. To get to DNSCmd, look in the Support\Tools directory on the Windows Server 2008 distribution CD for the file support.cab. Inside, copy and paste DNSCmd to a convenient location. DNSCmd displays and changes the properties of DNS servers, zones, and resource records. Some operations of this tool work at the DNS server level while others work at the zone level. You can use DNSCmd on any Windows 2000 or XP computer, as long as the user that is running the application is a member in the Administrators or Server Operators group on the target computer. Both the user account and the server computer must be members of the same domain or reside within trusted domains. DNSCmd can be used in any of the following situations, in which you want to:
Retrieve information about a DNS server
Begin the scavenging process
View information and contents of a DNS zone
Create, remove, or "pause" zones
Change the properties of a zone
Add, delete, and enumerate records in a zone
You use DNSCmd simply by specifying attributes and their values as part of a command. For example, to create a new standard primary zone called corp.hasselltech.local on a server named dc1.corp.hasselltech.local and stored in the corp.hasselltech.local.dns file, use the following syntax:
dnscmd dc1.corp.hasselltech.local /ZoneAdd corp.hasselltech.local /Primary /file corp.hasselltech.local.dns
I could have also chosen to make corp.hasselltech.local a secondary zone by replacing the /Primary switch with /Secondary.
To create a new A record, I could issue the following command, which adds a record for a machine named www to the zone with an IP address of 192.168.1.23 to the same DNS server as in the previous example:
dnscmd dc1.corp.hasselltech.local /RecordAdd corp.hasselltech.local www A 192.168.1.23
You can see all of the zones on a target server by entering the following command:
dnscmd dc1.corp.hasselltech.local /enumzones
If you're experiencing some problems with replication and want to trigger the process manually, you can start it with the following command (assuming you want to use the same server to begin the process as in the previous examples):
dnscmd dc1.corp.hasselltech.local /ZoneRefresh corp.hasselltech.local
Likewise, you might find yourself needing to manually age all of the records on a particular machine. You can easily do so through DNSCmd using the following:
dnscmd dc1.corp.hasselltech.local /ageallrecords corp.hasselltech.local
You'll need to confirm your choice, and then the current time will be applied to all records on that machine. You might also need to clear the DNS cache on a target server, which can be done using this command:
dnscmd dc1.corp.hasselltech.local /clearcache
To quickly stop and start the DNS process on the target computer, use the following command:
dnscmd dc1.corp.hasselltech.local /restart
If you want to export a particular zone to a file, you can issue the following command:
dnscmd /zoneexport corp.hasselltech.local corp.hasselltech.local.dns
And finally, to delete a zone from a target server, use the following command:
dnscmd dc1.corp.hasselltech.local /zonedelete corp.hasselltech.local
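Moving the primary role for one standard zone to another nameserver, as described in the backup and recovery section above, can be done with the DNSCmd operations just listed instead of the New Zone Wizard. This is an added PowerShell example and not code from the book; it assumes dnscmd.exe is on the PATH, that the caller is an administrator on both servers, that the admin$ share of each server is reachable, and that dc2.corp.hasselltech.local is a hypothetical second nameserver. The /load switch on /zoneadd (load the existing file rather than create a new one) is a documented dnscmd option not shown in the text above.

```powershell
# Added example: move a standard primary zone between nameservers with dnscmd.
# Assumptions: dnscmd.exe on the PATH, admin rights on both servers, admin$ shares reachable.
function Move-DnsPrimaryZone {
    param(
        [Parameter(Mandatory=$true)] [string] $Zone,          # e.g. corp.hasselltech.local
        [Parameter(Mandatory=$true)] [string] $SourceServer,  # e.g. dc1.corp.hasselltech.local
        [Parameter(Mandatory=$true)] [string] $TargetServer   # e.g. dc2.corp.hasselltech.local (hypothetical)
    )
    $file = "$Zone.dns"

    # 1. Flush the zone's current in-memory data to its file on the source server.
    #    /zoneexport writes into %SystemRoot%\System32\dns on that server.
    & dnscmd $SourceServer /zoneexport $Zone $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "zoneexport of $Zone on $SourceServer failed" }

    # 2. Copy the exported file into the target server's dns directory over admin$.
    $src = "\\$SourceServer\admin$\System32\dns\$file"
    $dst = "\\$TargetServer\admin$\System32\dns\$file"
    if (-not (Test-Path $src)) { throw "exported file $src not found" }
    Copy-Item -Path $src -Destination $dst -Force

    # 3. Create the zone on the target as a primary zone backed by the copied file.
    #    Without /load, dnscmd would start a new, empty zone file.
    & dnscmd $TargetServer /zoneadd $Zone /primary /file $file /load | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "zoneadd of $Zone on $TargetServer failed" }

    # 4. Verify the target now lists the zone before you touch the source.
    #    Demoting or deleting the zone on the source is left as a separate,
    #    deliberate step so a failed move never destroys the only copy.
    $zones = & dnscmd $TargetServer /enumzones
    if (-not ($zones -match [regex]::Escape($Zone))) {
        throw "$Zone does not appear in /enumzones output on $TargetServer"
    }
    return $true
}
```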
4.12.2. DNSLint

DNSLint is also on the distribution CD in support tools. DNSLint is a utility born out of the desire to automate the process of troubleshooting lame delegation issues and problems with AD replication because of faulty DNS records. DNSLint is a great tool to make sure that every DNS server that holds records for your services has correct records and that there are no issues with those DNS servers' data. (And in case you're wondering, the name DNSLint comes from the idea that lint is something you find in your blue jeans after they come out of the dryer. When you find lint, it is useless and perhaps even embarrassing, meaning you probably quickly discard it. You should do the same with outdated or inaccurate DNS records for critical machines on your network.) The best thing to do from the start is to create a standard report on any given DNS domain, using the following:
dnslint /d hasselltech.local /v
DNSLint produces an HTML-based report and then starts Internet Explorer to display the result. The results are color-coded with warnings in amber and errors in red for easy scanning. (You can elect to get a text-based report, if you prefer.) The report generated by the previous command will show a detailed listing of each DNS server for the corp.hasselltech.local domain and indicate whether the server responds to a query on port 53, which is the standard DNS port. It will tell you how it found each server, and it will also list each server that reports authoritatively. You will also see Mail Exchanger records in the zone, which is useful for troubleshooting SMTP routing problems. If you are specifically having email difficulties, you can use DNSLint to determine whether a designated email server listens on the correct port. Use the following command:
dnslint /d domainname.tld /c
The report generated by that command lists whether a server indicated in an MX record is listening for SMTP, POP3, and IMAP4 requests, and will also show the SMTP header returned by the server to help in diagnostics. To assist in troubleshooting, the following functions are available in DNSLint:
dnslint /d domainname
This diagnoses potential causes of "lame delegation," covered earlier in this chapter, and other related DNS problems. You'll receive an HTML-based report once the check is complete. Add /v for more information about how the DNS servers listed in the report were found. If you get errors saying that the domain specified is not listed with InterNIC, simply add the /s option.
dnslint /ql mylist.txt
This verifies a user-defined set of DNS records on multiple DNS servers. You can specify in a simple text file the sets of records you'd like to test. For example, the following tests A, PTR, CNAME, and MX records for the domain name and IP address of a fairly well-known company:
microsoft.com,a,r        ;A record
207.46.197.100,ptr,r     ;PTR record
microsoft.com,cname,r    ;CNAME record
microsoft.com,mx,r       ;MX record
dnslint /ad localhost
This verifies the DNS records on a specific host (in this case, the current machine) specifically used for Active Directory replication. If you get errors saying that the domain specified is not listed with InterNIC, simply add the /s option.
4.13. The Last Word

In this chapter, you saw how DNS is crucial to network communications among machines, and particularly to those who participate in Windows domains. DNS is such a core component of Active Directory that it was important to learn about it in depth before introducing Active Directory itself. In the next chapter, I'll look at how Active Directory works and how it relies on DNS as its foundation.
Chapter 5. Active Directory

In Windows NT, administrators were introduced to the concept of domains. Active Directory Domain Services (AD DS) builds on that concept by creating a dynamic, easily accessible structure through which directory and management information can be stored and accessed centrally throughout an organization. By using AD DS, you create a structure for managing your equipment and the people who use that equipment, which is a helpful feature for all but the smallest of operations. By using Active Directory as a whole, you have access to several cool management tools, including Group Policy (GP), the ability to put groups inside groups multiple times, and an online directory of users, computers, printers, and contacts that you can access easily through the Windows user interface. Although you certainly can operate a Windows-based network without Active Directory deployed in some form, you lose out on a lot of functionality. You will learn about these tools in this chapter and the next. In this chapter, I'll introduce you to Active Directory and its concepts, walk you through the process of building an AD DS domain and tree structure, guide you through the process of managing domain users and groups, and discuss in detail the process of directory content replication. I'll also discuss different roles that domain controllers take in an AD DS environment, the importance of time synchronization and how to accomplish it, and how to keep your AD DS deployment in tiptop shape through regular maintenance. There's a lot to cover in this chapter, so let's dig in.
5.1. Active Directory Domain Services Objects and Concepts

First it's important to learn that you can divide AD DS components into two "states of being"—physical components, which include domain controllers, sites, and subnets; and logical components, which include forests, trees, domains, and organizational units. Physical and logical components of AD DS don't necessarily have to correlate with each other: for example, a domain controller can be a member of a forest based in Rome, while actually sitting in a machine room in Chicago. Keep that frame of reference in mind. Now, before diving in any further, let me introduce a few common terms:
Directory
A directory is a single repository for information about users and resources within an organization. Active Directory is a type of directory that holds the properties and contact information for a variety of resources within a network so that users and administrators alike can find them with ease.
Domain
A domain is a collection of objects within the directory that forms a management boundary. Multiple domains can exist within a forest (defined later in this list), each with its own collection of objects and organizational units (also defined later in this list). Domains are named using the industry-standard DNS protocol, covered in detail in the previous chapter.
Domain controller
A domain controller holds the security information and directory object database for a particular domain and is responsible for authenticating objects within its sphere of control. Multiple domain controllers can be associated with a given domain, and each domain controller holds certain roles within the directory, although for all intents and purposes all domain controllers within a domain are "equal" in power. This is unlike the primary and backup labels assigned to domain controllers in Windows NT.
Forest
A forest is the largest logical container within AD DS and encompasses all domains within its purview, all linked together via transitive trusts that are constructed automatically. This way, all domains in a particular forest automatically trust all other domains within the forest.
Organizational unit
An organizational unit (OU) is a container with objects (discussed next) contained within it. You can arrange OUs in a hierarchical, tree-like fashion and design them in a structure that best fits your organization for boundary delineation or ease of administration.
Object
Within AD DS, an object is anything that can be part of the directory—that is, an object can be a user, a group, a shared folder, a printer, a contact, and even an OU. Objects are unique physical "things" within your directory and you can manage them directly.
Schema
The schema in AD DS is the actual structure of the database—the "fields," to use a not-quite-applicable analogy. The different types of information stored in AD DS are referred to as attributes. AD DS's schema also supports a standard set of classes, or types of objects. Classes describe an object and the associated properties that are required to create an instance of the object. For example, user objects are "instances" of the user class; computer objects are "instances" of the computer class; and so on. Think of classes as guideline templates describing different types of objects.
Site
A site is a collection of computers that are in distinct geographical locations—or at least are connected via a permanent, adequate-speed network link. Sites are generally used to determine how domain controllers are kept up-to-date; AD DS will select its methodology for distributing those updates (a process called replication) based on how you configure a site to keep traffic over an expensive WAN link down to a minimum.
Tree
A tree is simply a collection of domains that begins at a single root and branches out into peripheral, "child" domains. Trees can be linked together within forests as well, and trees also share an unbroken DNS namespace—that is, hasselltech.local and america.hasselltech.local are part of the same tree, but mycorp.com and hasselltech.local are not.
Trust
A trust in terms of AD DS is a secure method of communicating between domains, trees, and forests. Much like they worked in Windows NT, trusts allow users in one AD DS domain to authenticate to other domain controllers within another, distinct domain within the directory. Trusts can be one-way (A to B only, not B to A), transitive (A trusts B and B trusts C, so A trusts C), or cross-linked (A to C and B to D).
5.1.1. Domains

When examining AD DS for the first time, it's easiest to examine the domain first because so much of the basis of AD DS is derived from the domain. It's adequate to boil down the function of domains into three basic areas:
Consolidating lists of usernames and passwords for all machines within a domain and providing an infrastructure for using that consolidated list
Providing a method of subdividing objects within a domain for easier administration (into OUs, as described earlier)
Offering a centralized, searchable list of resources within the domain so that users and administrators can easily query that list to find objects they need
Domains, at a minimum, keep a list of all authorized users and their passwords on a machine or groups of machines called domain controllers. This list is stored in AD DS. However, many other objects are stored within the directory—which is actually a file on a domain controller's hard drive called NTDS.DIT—including sites, OUs, groups of users, groups of computers, GPOs (described in Chapter 6), and contacts, just to name a few. The engine that drives this database of information is the same engine within Microsoft's powerhouse Exchange Server product, and it supports the transmission of database contents to multiple domain controllers over network links—a process called replication. Replication answers the question of how multiple domain controllers within a domain can contain the same information. For example, if you have a domain controller in Seattle and another in Charlotte, and you were to add a user in Charlotte, what if that user tried to log on to a computer in Seattle? How would the Seattle domain controller know about the user added in Charlotte? Replication allows AD DS to transmit changed data across a domain to all relevant domain controllers so that the contents of the directory are always up-to-date on each domain controller. At this point, astute readers who are familiar with the domain structure of Microsoft's Windows NT products surely are asking, "What about PDCs and BDCs?" For the most part, Microsoft has removed that designation from domain controllers in AD DS environments, meaning that with only a couple of minor exceptions, all domain controllers are equal. This is referred to as a multimaster environment.
Because a domain controller holds a large database of information, AD DS has some interesting characteristics that weren't necessarily true of NT 4.0's Security Accounts Manager (SAM)-based list of accounts. For instance, programmers can write code to interface directly with AD DS and run queries to pull data from the database. These programmers can use either the Lightweight Directory Access Protocol (LDAP), an industry-standard protocol for accessing any sort of directory, or the Microsoft-specific Active Directory Services Interface (ADSI) for taking advantage of AD DS features not supported directly within the LDAP specification. Additionally, AD DS doesn't have the same size limitations that the SAM had. AD DS easily can handle up to a few million objects, as compared to the SAM's ability to handle no more than about 5,000 accounts. (That's scalability, folks!) AD DS is also fast when handling large amounts of data, so you won't get bogged down when your directory grows.
5.1.2. Organizational Units

A domain can be an awfully big, comprehensive unit to manage, and most environments benefit from some mechanism to separate that large, unitary domain into smaller, more manageable chunks. An organizational unit is AD DS's way of doing that. Organizational units, or OUs, act like folders on a regular client's operating system, containing every type of object that AD DS supports. You might choose to separate your domain into OUs in one of these ways:
A university might create a domain with a name corresponding to the entire university (ncsu.edu, for example), with each college in that institution getting an OU (biology, physics, mathematics, etc.).
A medium-size business might use one domain for all of its AD DS needs, but segregate objects into their geographical locations—an OU for the Los Angeles office, an OU for the Birmingham office, and an OU for the Richmond office.
Larger corporations might want to divide their domain by department. Within business.com, for example, an OU could be created each for Sales, Support, Marketing, Development, and Q/A.
An administrator also could decide to create OUs based on the type of objects contained therein—for example, a Computers OU, a Printers OU, and so on.
A particularly interesting feature of OUs is the ability to delegate administrative control over them to a subset of users in AD DS. Take, for instance, the third example in the previous list. Perhaps you, as the domain administrator, want to designate one technically savvy person in each department as the official Password Change Administrator, to reduce your administrative load. You can delegate the authority to modify users' passwords to each user over only their respective OU, thereby both allowing them power but finely controlling it over certain areas of your AD DS infrastructure. This ability is called delegation, and you'll find an entire section devoted to it later in this chapter. OUs are designed to be containers in AD DS—their purpose is to hold objects and to have contents. You can apply GPs to the objects within a specific OU (as you'll see in Chapter 6), controlling users' desktops, locking them out of potentially dangerous system modification settings, and creating a consistent user experience across your domain.
5.1.3. Sites

Sites are great ways to manage the use of bandwidth for AD DS replication across WAN links. All domain controllers in an AD DS domain must stay in contact with one another at regular intervals to acquire and transmit the changes that have occurred to their databases since the last update. Otherwise, information becomes "stale" and the directory is no good to anyone. However, this replication traffic can be costly if you have domain controllers in different countries and you use slow WAN links to keep in contact with your various offices.
By designating different sites with AD DS, a process we'll cover later in the replication section of this chapter, you can tell AD DS to compress the replication traffic to allow it to be transmitted more quickly, and you can give preferences to certain WAN links over others by using the "cost" feature, specifying a higher value for a connection you want to use less often and a lower value for a connection you'd like to use the most often. It's a great way to manage your telecommunications expenses while still taking advantage of the better management features of AD DS. In a domain environment, the Distributed File System, which you learned about in Chapter 3, also uses AD DS's site structure to control file replication traffic.
5.1.4. Groups

The point of groups is to make assigning attributes to larger sets of users easier on administrators. Picture a directory with 2,500 users. You create a new file share and need to give certain employees permissions to that file share—for example, all accounting users. Do you want to take a hard-copy list of all members of the accounting department and hand-pick the appropriate users from your list of 2,500? Of course you don't. Groups allow you to create an object called Accounting and insert all the appropriate users into that group. So, instead of selecting each individual user from a large list, you can pick the Accounting group, and all members of that group will have the same permissions on the file share. There are four different scopes of groups within Windows Server 2008 and AD DS, and each scope can nest groups differently. Let's outline the group scopes first, and then bear with me as I explain the concepts of each:
Machine local groups
Machine local groups contain objects that pertain only to the local computer (or more specifically, to objects contained within the local computer's SAM database). These types of groups can have members that are global groups, domain local groups from their own domain, and universal or global groups from their own domain or any other domain that they trust.
Domain local groups
Domain local groups can be created only on a domain controller, so ordinary client computers or member servers of a domain cannot host domain local groups. Domain local groups can be put inside machine local groups within the same domain (this is a process called nesting). They can contain global groups from a domain that trusts the current domain and other domain local groups from the same domain. As you will see later in the chapter, they are of limited utility unless you are working in a larger, multidomain environment.
Domain global groups
Like domain local groups, domain global groups can be created only on a domain controller, but domain global groups can be put into any local group of any machine that is a member of the current domain or a trusted domain. Domain global groups can also be nested in other global groups; however, all nested domain global groups must be from the same domain. Domain global groups are great tools that contain all the functionality of domain local groups, and more, and they are the most common type of group used across a domain.
Universal groups
Universal groups are a sort of "do-it-all" type of group. Universal groups can contain global and universal groups, and those nested groups can be from any domain in your AD DS forest.
Briefly, I'll also mention that there are two types of groups: a security group is used for the purposes of assigning or denying rights and permissions, and a distribution group is used for the sole purpose of sending email. A security group, though, can also act as a distribution group.
5.1.4.1. Nesting

Nesting is a useful ability that has been around in limited form since Windows NT. By nesting groups, you achieve the ability to quickly and painlessly assign permissions and rights to different users. For example, let's say you have a resource called COLORLASER and you want all full-time employees to be able to access that resource. You don't have a group called FTEs that contains all your full-timers throughout your organization, but your departmental administrators have set up a structure wherein full-time employees are put into groups and part-timers are in another. To quickly create your overall FTE group, you can take your different groups of users from each department (ACCTG_FTE, ADMIN_FTE, PRODUCTION_FTE, and SALES_FTE, for example) and put them within a new group you create called ALL_FTE. Then, you can quickly assign access rights to COLORLASER by giving the ALL_FTE group permission to use the resource. You have "nested" the departmental groups within one big group. Different types of groups, as you saw in the previous list of groups, support different methods of nesting. Table 5-1 shows the relationships between the types of groups and the respective abilities to nest.
Table 5-1. Nesting by group type

Type of nesting     | Machine local | Domain local               | Domain global                           | Universal
Within themselves   | Yes           | Yes (from the same domain) | Yes (from the same domain)              | Yes
Within other types  | None          | Machine local              | Machine local, Domain local, Universal  | Machine local, Domain local, Domain global
You should remember a couple of important issues regarding backward compatibility with Windows NT 4.0 and Windows 2000 and the types of group capabilities available:
AD DS cannot support universal groups until you operate at least in Windows 2000 Native functional level, as NT 4.0 supports only one level of group nesting.
A group cannot have more than 5,000 members until your forest is operating in the Windows Server 2003 forest-functional level or higher. Functional levels are covered later in this chapter, but for now, be aware of this limitation.
5.1.5. Trees

Trees refer to the hierarchies of domains you create within AD DS. The first AD DS domain you create is automatically designated the root of your first tree, and any domains after that are considered child domains unless you choose to create a domain at the root of a new tree. Child domains always have the root domain in their name—for example, if I create the hasselltech.local domain, any child domains must be in the format of newdomainname.hasselltech.local. In effect, you are creating what are referred to as subdomains in DNS parlance. You can create as many child domain levels as you need; children can be children of other children of other children, and so on, as long as it makes sense to you. A neat feature of AD DS is that it automatically creates two-way trust relationships between parent and child domains, so you don't need to manually trust the domains you create. As such, my new child domain from our earlier example will automatically trust its parent domain, hasselltech.local, and the parent will trust the child—the transitive trust is created automatically. This type of trust is passed along the child domain chain, so a domain like charlotte.eastcoast.us.northamerica.enterprise.com will automatically trust eastcoast.us.northamerica.enterprise.com, us.northamerica.enterprise.com, northamerica.enterprise.com, and enterprise.com.
5.1.6. Forests

Forests, in the simplest terms, are just groups of trees. All trees in a forest trust each other automatically. Think of a forest as an extended family, and individual domain trees as brothers. If you have five brothers in a family, each child of those brothers trusts his immediate brothers, and (usually!) each brother's family trusts the other brother's family—cousins typically get along. Forests just refer to collections of domain trees that trust one another. There are two caveats, though, which are fairly significant and bear mentioning:
The only way to add a domain to a tree is to create it completely from scratch, adding it to an existing tree at that time. It's the same with trees—you can't directly add an existing tree to an existing forest without deleting and subsequently re-creating it.
Likewise, two existing, separate domains can't be linked together as parent and child. For example, hasselltech.local created on one network and charlotte.hasselltech.local created on another, separate network cannot be joined later as parent and child. The child would need to be re-created or migrated.
5.1.6.1. Transitive forest root trusts

The latter of the preceding two limitations might be frustrating for you, and you're not alone. Fortunately, what experts might term an "official hack" is available to effectively graft existing domains together into a tree-like structure so that trusts are established. Although it's not as easy and not as flexible as a forest—AD DS makes things slick and easy when you do things its way—it will work, with effort and maybe a bit of luck. The tool is called a transitive forest root trust, and with it, you can make two disparate forests trust each other. Let's say I have a forest called businessone.com. Business One purchases another organization with an AD DS forest created already, known as businesstwo.net. Recall that I can't just graft businesstwo.net onto the already existing forest at Business One. However, with a transitive forest root trust, I can make it so that businessone.com trusts businesstwo.net, achieving some of the benefits of one unified forest. However, there are limitations and disadvantages:

Each forest must be operating in at least the Windows Server 2003 forest functional level. Although I will cover this later, suffice it to say that all domain controllers in each domain in each forest must be running Windows Server 2003, if not Windows Server 2008. This might be a prohibitive expense.

You'll learn more about this feature later in this chapter, but keep this in mind for now: a transitive forest root trust does not automatically make one, unified global catalog. Two separate forests still equals two separate global catalogs.

Transitive forest root trusts do not flow through. For example, businessone.com and businesstwo.net trust each other. But if businessone.com buys businessthree.org and a trust is set up there, businesstwo.net will not trust businessthree.org automatically—another trust will need to be set up. With that, we're back to the kludgy trust process found in Windows NT 4.0.

So, transitive forest root trusts aren't the answer to everything, but they are a reasonably effective way to create a "pseudoforest" within already existing trees.
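The two trust behaviours described in 5.1.5 and 5.1.6.1 (trusts inside a forest are two-way and transitive along the parent/child chain; a forest root trust joins only the two forests it was created between) are easy to get wrong when reasoning about who can authenticate where. The following model is an added illustration, not code from the book or from Windows itself. The enterprise.com tree and the businessone.com, businesstwo.net and businessthree.org forests come from the text; the forest names and the rule that a child domain needs an existing parent in the same namespace are this example's own assumptions.

```python
"""Tree and forest trust rules from 5.1.5 and 5.1.6.1 as a small model.

Added illustration, not code from the book. Domain names follow the text;
the forest labels (enterprise, businessone, ...) are constructed. Two rules
are encoded:
  * inside one forest every domain trusts every other domain, because the
    parent/child and tree-root trusts are two-way and transitive;
  * a forest trust joins exactly the two forests it was created between and
    is never passed on to a third forest.
"""


class Forest:
    def __init__(self, name, tree_roots):
        self.name = name
        self.tree_roots = {r.lower() for r in tree_roots}
        self.domains = set(self.tree_roots)

    def tree_root_of(self, domain):
        """The tree root whose DNS namespace `domain` falls under, or None."""
        domain = domain.lower()
        for root in sorted(self.tree_roots, key=len, reverse=True):
            if domain == root or domain.endswith("." + root):
                return root
        return None

    def can_add_child(self, child):
        """A child must sit under one of this forest's trees and its parent
        must already exist (5.1.6: no grafting of an existing domain)."""
        if "." not in child or self.tree_root_of(child) is None:
            return False
        return child.lower().split(".", 1)[1] in self.domains

    def add_child(self, child):
        if not self.can_add_child(child):
            raise ValueError(f"{child} cannot be created as a child in forest {self.name}")
        self.domains.add(child.lower())

    def trust_chain(self, domain):
        """Domains a child trusts through the automatic parent/child trusts,
        nearest parent first, ending at the tree root."""
        root = self.tree_root_of(domain)
        if root is None:
            raise KeyError(domain)
        chain, current = [], domain.lower()
        while current != root:
            current = current.split(".", 1)[1]
            chain.append(current)
        return chain


class Directory:
    """Several forests plus the forest root trusts set up between them."""

    def __init__(self):
        self.forests = {}
        self.forest_trusts = set()  # each entry: a two-way trust between two forests

    def add_forest(self, forest):
        self.forests[forest.name] = forest

    def forest_of(self, domain):
        for forest in self.forests.values():
            if domain.lower() in forest.domains:
                return forest
        raise KeyError(f"{domain} is not in any known forest")

    def create_forest_trust(self, forest_a, forest_b):
        self.forest_trusts.add(frozenset({forest_a, forest_b}))

    def trusts(self, domain_a, domain_b):
        """True if domain_a trusts domain_b under the two rules above."""
        fa, fb = self.forest_of(domain_a), self.forest_of(domain_b)
        if fa is fb:
            return True  # same forest: transitive trusts reach every domain
        return frozenset({fa.name, fb.name}) in self.forest_trusts


def build_example_directory():
    """The scenario of 5.1.6.1: Business One buys Business Two, then Business Three."""
    d = Directory()
    enterprise = Forest("enterprise", ["enterprise.com"])
    for child in ("northamerica.enterprise.com", "us.northamerica.enterprise.com",
                  "eastcoast.us.northamerica.enterprise.com",
                  "charlotte.eastcoast.us.northamerica.enterprise.com"):
        enterprise.add_child(child)
    d.add_forest(enterprise)
    d.add_forest(Forest("businessone", ["businessone.com"]))
    d.add_forest(Forest("businesstwo", ["businesstwo.net"]))
    d.add_forest(Forest("businessthree", ["businessthree.org"]))
    d.create_forest_trust("businessone", "businesstwo")
    d.create_forest_trust("businessone", "businessthree")
    return d


if __name__ == "__main__":
    d = build_example_directory()
    print(d.forests["enterprise"].trust_chain("charlotte.eastcoast.us.northamerica.enterprise.com"))
    print(d.trusts("businessone.com", "businesstwo.net"))    # direct forest trust
    print(d.trusts("businesstwo.net", "businessthree.org"))  # no trust: does not flow through
```

The `trusts` check is the part worth keeping in mind when reviewing a multi-forest design: a second acquisition needs its own forest trust, and nothing in the first trust implies it.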
5.1.6.2. The dedicated forest root model

You also can create a hedge against future AD DS changes if you are deploying Active Directory for the first time. If a department in your organization deploys AD DS ahead of other departments, as the other groups come on board, they effectively become subordinates of that first domain. How does a smart administrator get around that problem? The dedicated forest root model provides a way to maintain the autonomy of multiple domains that you create. Figure 5-1 shows how this is achieved.

Figure 5-1. How the dedicated forest root model enables separate NT domains to be separate in AD DS

A dedicated forest root domain can be either an "empty domain," which contains only a small number of universal users and resources, or a normal production domain that just happens to be at the root of a forest. The latter is not recommended. An empty forest root domain that does not serve as a production domain is advantageous for several reasons. For one, the domain administrators group in the root domain has power over the forest, which is something you might not want. Keeping the root empty allows you to delegate administrative authority to individual domains without giving everything away, a security protection that keeps honest administrators honest. It also helps you to structure your AD DS environment; a constant root makes further changes logical and easy to implement and manage—for instance, if you acquire a new company or build a new office. The forest root domain, if kept empty, is very easy to replicate and to back up. And if you ever make changes to the administrative authority in your business, you can transfer the keys to the kingdom to others without affecting the autonomy of your child domains' administrators.
You can name the empty forest root domain anything you want—even emptyroot.local. It is only a placeholder. However, most clients use a domain name based on their company's domain name.

However, the key to the empty root strategy is to keep the root empty: have it contain only one administrative account—the Enterprise Administrator, which is, of course, created by default when you create the first domain in a new forest—and use that only when absolutely necessary. Then, create all the domains you need under that first domain and you won't have one particular domain in your organization unnecessarily holding Enterprise Admin-style accounts. Of course, this method has its downsides. Costs definitely are involved: for one, you need a separate license of Windows Server 2008 for your dedicated forest root domain controller, and you have the burden of administrative responsibility in ensuring that the root domain is kept up, patched, and the like. However, if you are in a high-growth industry and your organization is likely to make acquisitions and divestitures within the near future, it's best to use this method to hedge against major changes to AD DS structure.
5.1.7. Shared Folders and Printers

As you saw in Chapter 3, the concept of shared folders and printers within AD DS merely relates to a "pointer" residing within the directory, guiding users to the real location on a physical filesystem of a server for a particular shared directory, or the location of a print share on a print server. This process is known as publishing a share (or publishing a printer). The point of publishing shares and printers in AD DS is to make them available for searching, either through AD DS Users and Computers for administrators or through Start → Search or Start → Find for client users. You can search for shared folder or printer names containing target keywords, and their locations will be populated within the results box.
5.1.8. Contacts

Contacts are simply objects in the directory that represent people and contain attributes with indicators as to how to contact them. Contacts neither represent users of any directory, nor convey any privileges to log on to the network or use any network or domain resources. The point of the contacts object is to create within AD DS a phonebook of sorts, with names of vital business contacts that reside outside your organization—partners, customers, vendors, and the like. Because AD DS as a directory can be queried by the LDAP protocol, which most groupware applications support, the contents of contacts objects likely can be accessed directly within that application.
5.1.9. Global Catalog

The global catalog, in an AD DS environment, acts as a sort of subset directory that is passed among all domains in a particular forest. Consider that AD DS gives you the ability to connect to any computer in your particular AD DS tree. If you have a small organization, this isn't much of a problem, but in a large organization with many domains, can you imagine the performance lag while AD DS tries to (a) find the correct domain where your account resides, then (b) communicate with it, and finally (c) log you in? You would be waiting for a significant amount of time for all the pieces of the puzzle to come together in a complex AD DS implementation. For that reason, AD DS constructs a subset of all the domains in a forest and puts it into what's called the global catalog (GC). The GC contains a list of all domains in the forest and a list of all the objects in those domains, but only a subset of the attributes for each object. This is a fairly small bit of information compared to the rest of the directory, and because of its reduced size, it is easy to pass on to given domain controllers in the forest. As a result, when a user connects to a computer in any given domain in a forest, the nearest domain controller checks the username against the GC and instantly finds the correct "home" domain for a user and the authentication process can begin. Think of the GC, therefore, as an index of your directory, much like the index of this book helps you to see which pages cover a topic in which you're interested. The GC also contains the name of each global group for every domain in the forest, and it contains the name and the complete membership list of every universal group in the forest (recall that universal groups can contain users and other groups from any domain in the forest).

So, limit your use of universal groups, lest you decrease the performance of your users' logins.
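To make the three properties of the global catalog above concrete (every object of every domain, but only a partial attribute set; full membership for universal groups but only the name for global groups; one lookup to find an account's home domain), here is a toy model. It is an added illustration, not the book's code and not how a real GC is stored or replicated. The forest, accounts and the contents of the partial attribute set are constructed for the example; sAMAccountName, objectClass and member are real attribute names, displayName and department stand in for any attribute that is or is not replicated.

```python
"""Toy global catalog, after section 5.1.9 (added illustration, not the book's code).

The forest, its accounts and PARTIAL_ATTRIBUTE_SET are constructed; a real
GC's partial attribute set is defined in the schema and is much larger.
"""

PARTIAL_ATTRIBUTE_SET = {"sAMAccountName", "objectClass", "displayName", "groupScope"}


def build_global_catalog(forest, partial_attribute_set=PARTIAL_ATTRIBUTE_SET):
    """forest: domain name -> list of that domain's objects (dicts of attributes).

    Returns the GC rows: every object from every domain, trimmed to the
    partial attribute set and tagged with the domain holding the full object.
    """
    gc = []
    for domain, objects in forest.items():
        for obj in objects:
            row = {k: v for k, v in obj.items() if k in partial_attribute_set}
            row["homeDomain"] = domain
            if obj.get("objectClass") == "group" and obj.get("groupScope") == "universal":
                # universal group membership is carried by the GC in full;
                # a global group's member list stays in its own domain
                row["member"] = list(obj.get("member", ()))
            gc.append(row)
    return gc


def gc_lookup(gc, sam_account_name, object_class):
    """Find one GC row by account name and class (case-insensitive name)."""
    for row in gc:
        if (row.get("objectClass") == object_class
                and row.get("sAMAccountName", "").lower() == sam_account_name.lower()):
            return row
    return None


def home_domain_via_gc(gc, username):
    """One pass over the index, whatever the number of domains."""
    row = gc_lookup(gc, username, "user")
    return None if row is None else row["homeDomain"]


def home_domain_without_gc(forest, username):
    """Without a GC a DC would have to ask each domain in turn.

    Returns (home domain, number of domains that had to be queried).
    """
    queried = 0
    for domain, objects in forest.items():
        queried += 1
        for obj in objects:
            if obj.get("objectClass") == "user" and obj["sAMAccountName"].lower() == username.lower():
                return domain, queried
    return None, queried


def gc_group_members(gc, group_name):
    """Membership as the GC sees it: a list for a universal group, None for a
    global group (only its name is present)."""
    row = gc_lookup(gc, group_name, "group")
    if row is None:
        raise KeyError(group_name)
    return row.get("member")


def _user(name, department):
    return {"objectClass": "user", "sAMAccountName": name,
            "displayName": name.title(), "department": department}


def build_example_forest():
    """Three constructed domains; the account looked up below lives in the last."""
    return {
        "seattle.hasselltech.local": [_user("asmith", "Sales")],
        "richmond.hasselltech.local": [
            _user("bjones", "Accounting"),
            {"objectClass": "group", "sAMAccountName": "ACCTG_FTE",
             "groupScope": "global", "member": ["bjones"]},
        ],
        "charlotte.hasselltech.local": [
            _user("jdoe", "Engineering"),
            {"objectClass": "group", "sAMAccountName": "ALL_FTE",
             "groupScope": "universal", "member": ["ACCTG_FTE", "jdoe"]},
        ],
    }


if __name__ == "__main__":
    forest = build_example_forest()
    gc = build_global_catalog(forest)
    print(home_domain_via_gc(gc, "jdoe"), home_domain_without_gc(forest, "jdoe"))
    print(gc_group_members(gc, "ALL_FTE"), gc_group_members(gc, "ACCTG_FTE"))
```

The `member` list attached only to universal groups is why the text warns against overusing them: every universal group's full membership is replicated to every GC in the forest, while a global group costs the GC nothing but its name.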
Chapter 5. Active Directory

In Windows NT, administrators were introduced to the concept of domains. Active Directory Domain Services (AD DS) builds on that concept by creating a dynamic, easily accessible structure through which directory and management information can be stored and accessed centrally throughout an organization. By using AD DS, you create a structure for managing your equipment and the people who use that equipment, which is a helpful feature for all but the smallest of operations. By using Active Directory as a whole, you have access to several cool management tools, including Group Policy (GP), the ability to put groups inside groups multiple times, and an online directory of users, computers, printers, and contacts that you can access easily through the Windows user interface. Although you certainly can operate a Windows-based network without Active Directory deployed in some form, you lose out on a lot of functionality. You will learn about these tools in this chapter and the next. In this chapter, I'll introduce you to Active Directory and its concepts, walk you through the process of building an AD DS domain and tree structure, guide you through the process of managing domain users and groups, and discuss in detail the process of directory content replication. I'll also discuss different roles that domain controllers take in an AD DS environment, the importance of time synchronization and how to accomplish it, and how to keep your AD DS deployment in tip-top shape through regular maintenance. There's a lot to cover in this chapter, so let's dig in.
5.1. Active Directory Domain Services Objects and Concepts

First it's important to learn that you can divide AD DS components into two "states of being"—physical components, which include domain controllers, sites, and subnets; and logical components, which include forests, trees, domains, and organizational units. Physical and logical components of AD DS don't necessarily have to correlate with each other: for example, a domain controller can be a member of a forest based in Rome, while actually sitting in a machine room in Chicago. Keep that frame of reference in mind. Now, before diving in any further, let me introduce a few common terms:

Directory

A directory is a single repository for information about users and resources within an organization. Active Directory is a type of directory that holds the properties and contact information for a variety of resources within a network so that users and administrators alike can find them with ease.

Domain

A domain is a collection of objects within the directory that forms a management boundary. Multiple domains can exist within a forest (defined later in this list), each with its own collection of objects and organizational units (also defined later in this list). Domains are named using the industry-standard DNS protocol, covered in detail in the previous chapter.

Domain controller

A domain controller holds the security information and directory object database for a particular domain and is responsible for authenticating objects within its sphere of control. Multiple domain controllers can be associated with a given domain, and each domain controller holds certain roles within the directory, although for all intents and purposes all domain controllers within a domain are "equal" in power. This is unlike the primary and backup labels assigned to domain controllers in Windows NT.

Forest

A forest is the largest logical container within AD DS and encompasses all domains within its purview, all linked together via transitive trusts that are constructed automatically. This way, all domains in a particular forest automatically trust all other domains within the forest.

Organizational unit

An organizational unit (OU) is a container with objects (discussed next) contained within it. You can arrange OUs in a hierarchical, tree-like fashion and design them in a structure that best fits your organization for boundary delineation or ease of administration.

Object

Within AD DS, an object is anything that can be part of the directory—that is, an object can be a user, a group, a shared folder, a printer, a contact, and even an OU. Objects are unique physical "things" within your directory and you can manage them directly.

Schema

The schema in AD DS is the actual structure of the database—the "fields," to use a not-quite-applicable analogy. The different types of information stored in AD DS are referred to as attributes. AD DS's schema also supports a standard set of classes, or types of objects. Classes describe an object and the associated properties that are required to create an instance of the object. For example, user objects are "instances" of the user class; computer objects are "instances" of the computer class; and so on. Think of classes as guideline templates describing different types of objects.

Site

A site is a collection of computers that are in distinct geographical locations—or at least are connected via a permanent, adequate-speed network link. Sites are generally used to determine how domain controllers are kept up-to-date; AD DS will select its methodology for distributing those updates (a process called replication) based on how you configure a site to keep traffic over an expensive WAN link down to a minimum.

Tree

A tree is simply a collection of domains that begins at a single root and branches out into peripheral, "child" domains. Trees can be linked together within forests as well, and trees also share an unbroken DNS namespace—that is, hasselltech.local and america.hasselltech.local are part of the same tree, but mycorp.com and hasselltech.local are not.

Trust

A trust in terms of AD DS is a secure method of communicating between domains, trees, and forests. Much like they worked in Windows NT, trusts allow users in one AD DS domain to authenticate to other domain controllers within another, distinct domain within the directory. Trusts can be one-way (A to B only, not B to A), transitive (A trusts B and B trusts C, so A trusts C), or cross-linked (A to C and B to D).
5.1.1. Domains

When examining AD DS for the first time, it's easiest to examine the domain first because so much of the basis of AD DS is derived from the domain. It's adequate to boil down the function of domains into three basic areas:

Consolidating lists of usernames and passwords for all machines within a domain and providing an infrastructure for using that consolidated list

Providing a method of subdividing objects within a domain for easier administration (into OUs, as described earlier)

Offering a centralized, searchable list of resources within the domain so that users and administrators can easily query that list to find objects they need

Domains, at a minimum, keep a list of all authorized users and their passwords on a machine or groups of machines called domain controllers. This list is stored in AD DS. However, many other objects are stored within the directory—which is actually a file on a domain controller's hard drive called NTDS.DIT—including sites, OUs, groups of users, groups of computers, GPOs (described in Chapter 6), and contacts, just to name a few. The engine that drives this database of information is the same engine within Microsoft's powerhouse Exchange Server product, and it supports the transmission of database contents to multiple domain controllers over network links—a process called replication. Replication answers the question of how multiple domain controllers within a domain can contain the same information. For example, if you have a domain controller in Seattle and another in Charlotte, and you were to add a user in Charlotte, what if that user tried to log on to a computer in Seattle? How would the Seattle domain controller know about the user added in Charlotte? Replication allows AD DS to transmit changed data across a domain to all relevant domain controllers so that the contents of the directory are always up-to-date on each domain controller. At this point, astute readers who are familiar with the domain structure of Microsoft's Windows NT products surely are asking, "What about PDCs and BDCs?" For the most part, Microsoft has removed that designation from domain controllers in AD DS environments, meaning that with only a couple of minor exceptions, all domain controllers are equal. This is referred to as a multimaster environment.

Because a domain controller holds a large database of information, AD DS has some interesting characteristics that weren't necessarily true of NT 4.0's Security Accounts Manager (SAM)-based list of accounts. For instance, programmers can write code to interface directly with AD DS and run queries to pull data from the database. These programmers can use either the Lightweight Directory Access Protocol (LDAP), an industry-standard protocol for accessing any sort of directory, or the Microsoft-specific Active Directory Services Interface (ADSI) for taking advantage of AD DS features not supported directly within the LDAP specification. Additionally, AD DS doesn't have the same size limitations that the SAM had. AD DS easily can handle up to a few million objects, as compared to the SAM's ability to handle no more than about 5,000 accounts. (That's scalability, folks!) AD DS is also fast when handling large amounts of data, so you won't get bogged down when your directory grows.
5.1.2. Organizational Units

A domain can be an awfully big, comprehensive unit to manage, and most environments benefit from some mechanism to separate that large, unitary domain into smaller, more manageable chunks. An organizational unit is AD DS's way of doing that. Organizational units, or OUs, act like folders on a regular client's operating system, containing every type of object that AD DS supports. You might choose to separate your domain into OUs in one of these ways:

A university might create a domain with a name corresponding to the entire university (ncsu.edu, for example), with each college in that institution getting an OU (biology, physics, mathematics, etc.).

A medium-size business might use one domain for all of its AD DS needs, but segregate objects into their geographical locations—an OU for the Los Angeles office, an OU for the Birmingham office, and an OU for the Richmond office.

Larger corporations might want to divide their domain by department. Within business.com, for example, an OU could be created each for Sales, Support, Marketing, Development, and Q/A.

An administrator also could decide to create OUs based on the type of objects contained therein—for example, a Computers OU, a Printers OU, and so on.

A particularly interesting feature of OUs is the ability to delegate administrative control over them to a subset of users in AD DS. Take, for instance, the third example in the previous list. Perhaps you, as the domain administrator, want to designate one technically savvy person in each department as the official Password Change Administrator, to reduce your administrative load. You can delegate the authority to modify users' passwords to each user over only their respective OU, thereby both allowing them power but finely controlling it over certain areas of your AD DS infrastructure. This ability is called delegation, and you'll find an entire section devoted to it later in this chapter. OUs are designed to be containers in AD DS—their purpose is to hold objects and to have contents. You can apply GPs to the objects within a specific OU (as you'll see in Chapter 6), controlling users' desktops, locking them out of potentially dangerous system modification settings, and creating a consistent user experience across your domain.
5.1.3. Sites

Sites are great ways to manage the use of bandwidth for AD DS replication across WAN links. All domain controllers in an AD DS domain must stay in contact with one another at regular intervals to acquire and transmit the changes that have occurred to their databases since the last update. Otherwise, information becomes "stale" and the directory is no good to anyone. However, this replication traffic can be costly if you have domain controllers in different countries and you use slow WAN links to keep in contact with your various offices.

By designating different sites with AD DS, a process we'll cover later in the replication section of this chapter, you can tell AD DS to compress the replication traffic to allow it to be transmitted more quickly, and you can give preferences to certain WAN links over others by using the "cost" feature, specifying a higher value for a connection you want to use less often and a lower value for a connection you'd like to use the most often. It's a great way to manage your telecommunications expenses while still taking advantage of the better management features of AD DS. In a domain environment, the Distributed File System, which you learned about in Chapter 3, also uses AD DS's site structure to control file replication traffic.
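The "cost" feature is easiest to understand as a least-cost route search over the site links: replication between two sites follows the path whose link costs add up to the smallest total, even when that path has more hops than a direct link. The following is an added example, not the book's code and not the algorithm the directory's own topology generator uses; the site names and costs are constructed.

```python
"""Site link cost as a least-cost route search (added illustration for 5.1.3).

Site names and costs are constructed. A lower cost means "prefer this link";
the search returns the cheapest route between two sites, which is not
necessarily the one with the fewest hops.
"""
import heapq


def cheapest_route(site_links, src, dst):
    """site_links: list of (site_a, site_b, cost); every link is two-way.

    Returns (total cost, [sites along the route]) or None if dst is unreachable.
    Dijkstra's algorithm: always extend the cheapest partial route first.
    """
    graph = {}
    for a, b, cost in site_links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best[site]:
            continue  # a cheaper route to this site was already processed
        for nxt, link_cost in graph.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                prev[nxt] = site
                heapq.heappush(heap, (new_cost, nxt))
    return None


def reprice(site_links, site_a, site_b, new_cost):
    """Copy of `site_links` with the cost of one link changed."""
    return [(a, b, new_cost if {a, b} == {site_a, site_b} else c)
            for a, b, c in site_links]


# Constructed example: the direct Seattle-Charlotte line is slow and expensive,
# so it carries a high cost and the two-hop route through Chicago wins.
EXAMPLE_LINKS = [
    ("Seattle", "Charlotte", 500),
    ("Seattle", "Chicago", 100),
    ("Chicago", "Charlotte", 100),
    ("Chicago", "London", 400),
    ("Charlotte", "London", 250),
]


if __name__ == "__main__":
    print(cheapest_route(EXAMPLE_LINKS, "Seattle", "Charlotte"))
    print(cheapest_route(EXAMPLE_LINKS, "Seattle", "London"))
    # raising the Seattle-Chicago cost pushes traffic back onto the direct line
    print(cheapest_route(reprice(EXAMPLE_LINKS, "Seattle", "Chicago", 900), "Seattle", "Charlotte"))
```

`reprice` shows the lever the text describes: raising one link's cost does not disable it, it only makes every route through it lose to routes that avoid it, which is what you want for a link you'd "like to use less often".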
5.1.4. Groups

The point of groups is to make assigning attributes to larger sets of users easier on administrators. Picture a directory with 2,500 users. You create a new file share and need to give certain employees permissions to that file share—for example, all accounting users. Do you want to take a hard-copy list of all members of the accounting department and hand-pick the appropriate users from your list of 2,500? Of course you don't. Groups allow you to create an object called Accounting and insert all the appropriate users into that group. So, instead of selecting each individual user from a large list, you can pick the Accounting group, and all members of that group will have the same permissions on the file share. There are four different scopes of groups within Windows Server 2008 and AD DS, and each scope can nest groups differently. Let's outline the group scopes first, and then bear with me as I explain the concepts of each:

Machine local groups

Machine local groups contain objects that pertain only to the local computer (or more specifically, to objects contained within the local computer's SAM database). These types of groups can have members that are global groups, domain local groups from their own domain, and universal or global groups from their own domain or any other domain that they trust.

Domain local groups

Domain local groups can be created only on a domain controller, so ordinary client computers or member servers of a domain cannot host domain local groups. Domain local groups can be put inside machine local groups within the same domain (this is a process called nesting). They can contain global groups from a domain that trusts the current domain and other domain local groups from the same domain. As you will see later in the chapter, they are of limited utility unless you are working in a larger, multidomain environment.

Domain global groups

Like domain local groups, domain global groups can be created only on a domain controller, but domain global groups can be put into any local group of any machine that is a member of the current domain or a trusted domain. Domain global groups can also be nested in other global groups; however, all nested domain global groups must be from the same domain. Domain global groups are great tools that contain all the functionality of domain local groups, and more, and they are the most common type of group used across a domain.

Universal groups

Universal groups are a sort of "do-it-all" type of group. Universal groups can contain global and universal groups, and those nested groups can be from any domain in your AD DS forest.

Briefly, I'll also mention that there are two types of groups: a security group is used for the purposes of assigning or denying rights and permissions, and a distribution group is used for the sole purpose of sending email. A security group, though, can also act as a distribution group.
5.1.4.1. Nesting

Nesting is a useful ability that has been around in limited form since Windows NT. By nesting groups, you achieve the ability to quickly and painlessly assign permissions and rights to different users. For example, let's say you have a resource called COLORLASER and you want all full-time employees to be able to access that resource. You don't have a group called FTEs that contains all your full-timers throughout your organization, but your departmental administrators have set up a structure wherein full-time employees are put into groups and part-timers are in another. To quickly create your overall FTE group, you can take your different groups of users from each department (ACCTG_FTE, ADMIN_FTE, PRODUCTION_FTE, and SALES_FTE, for example) and put them within a new group you create called ALL_FTE. Then, you can quickly assign access rights to COLORLASER by giving the ALL_FTE group permission to use the resource. You have "nested" the departmental groups within one big group. Different types of groups, as you saw in the previous list of groups, support different methods of nesting. Table 5-1 shows the relationships between the types of groups and the respective abilities to nest.
Table 5-1. Nesting by group type

Machine local
    Within themselves: Yes
    Within other types: None

Domain local
    Within themselves: Yes (from the same domain)
    Within other types: Machine local

Domain global
    Within themselves: Yes (from the same domain)
    Within other types: Machine local, Domain local, Universal

Universal
    Within themselves: Yes
    Within other types: Machine local, Domain local, Domain global
You should remember a couple of important issues regarding backward compatibility with Windows NT 4.0 and Windows 2000 and the types of group capabilities available:

AD DS cannot support universal groups until you operate at least in Windows 2000 Native functional level, as NT 4.0 supports only one level of group nesting.

A group cannot have more than 5,000 members until your forest is operating in the Windows Server 2003 forest-functional level or higher. Functional levels are covered later in this chapter, but for now, be aware of this limitation.
5.1.5. Trees
Trees refer t o t he hierarchies of dom ains you creat e wit hin AD DS. The first AD DS dom ain you creat e is aut om at ically designat ed t he root of your first t ree, and any dom ains aft er t hat are considered child dom ains unless you choose t o creat e a dom ain at t he root of a new t ree. Child dom ains always have t he root dom ain in t heir nam e—for exam ple, if I creat e t he hassellt ech.local dom ain, any child dom ains m ust be in t he form at of newdom ainnam e.hassellt ech.local. I n effect , you are creat ing what are referred t o as subdom ains in DNS parlance. You can creat e as m any child dom ain levels as you need; children can be children of ot her children of ot her children, and so on, as long as it m akes sense t o you. A neat feat ure of AD DS is t hat it aut om at ically creat es t wo- way t rust relat ionships bet ween parent and child dom ains, so you don't need t o m anually t rust t he dom ains you creat e. As such, m y new child dom ain from our earlier exam ple will aut om at ically t rust it s parent dom ain, hassellt ech.local, and t he parent will t rust t he child—t he t ransit ive t rust is creat ed aut om at ically. This t ype of t rust is passed along t he child dom ain chain, so a dom ain like charlot t e.east coast .us.nort ham erica.ent erprise.com will aut om at ically t rust east coast .us.nort ham erica.ent erprise.com , us.nort ham erica.ent erprise.com , nort ham erica.ent erprise.com , and ent erprise.com .
5 .1 .6 . For e st s Forest s, in t he sim plest t erm s, are j ust groups of t rees. All t rees in a forest t rust each ot her aut om at ically. Think of a forest as an ext ended fam ily, and individual dom ain t rees as brot hers. I f you have five brot hers in a fam ily, each child of t hose brot hers t rust s his im m ediat e brot hers, and ( usually! ) each brot her's fam ily t rust s t he ot her brot her's fam ily—cousins t ypically get along. Forest s j ust refer t o collect ions of dom ain t rees t hat t rust one anot her. There are t wo caveat s, t hough, which are fairly significant and bear m ent ioning:
The only way t o add a dom ain t o a t ree is t o creat e it com plet ely from scrat ch, adding it t o an exist ing t ree at t hat t im e. I t 's t he sam e wit h t rees—you can't direct ly add an exist ing t ree t o an exist ing forest wit hout delet ing and subsequent ly re- creat ing it .
Likewise, t wo exist ing, separat e dom ains can't be linked t oget her as parent and child. For exam ple, hassellt ech.local creat ed on one net work and charlot t e.hassellt ech.local creat ed on anot her, separat e net work cannot be j oined lat er as parent and child. The child would need t o be re- creat ed or m igrat ed.
5.1.6.1. Transitive forest root trusts

The latter of the preceding two limitations might be frustrating for you, and you're not alone. Fortunately, what experts might term an "official hack" is available to effectively graft existing domains together into a tree-like structure so that trusts are established. Although it's not as easy and not as flexible as a forest (AD DS makes things slick and easy when you do things its way), it will work, with effort and maybe a bit of luck. The tool is called a transitive forest root trust (the Windows tools simply call it a forest trust), and with it you can make two disparate forests trust each other. Let's say I have a forest called businessone.com. Business One purchases another organization with an AD DS forest created already, known as businesstwo.net. Recall that I can't just graft businesstwo.net onto the already existing forest at Business One. However, with a transitive forest root trust, I can make it so that businessone.com trusts businesstwo.net, achieving some of the benefits of one unified forest. However, there are limitations and disadvantages:

Each forest must be operating in at least the Windows Server 2003 forest functional level. Although I will cover this later, suffice it to say that all domain controllers in every domain in each forest must be running Windows Server 2003, if not Windows Server 2008. This might be a prohibitive expense.

You'll learn more about this feature later in this chapter, but keep this in mind for now: a transitive forest root trust does not automatically make one, unified global catalog. Two separate forests still equals two separate global catalogs.

Transitive forest root trusts do not flow through. For example, businessone.com and businesstwo.net trust each other. But if businessone.com buys businessthree.org and a trust is set up there, businesstwo.net will not trust businessthree.org automatically; another trust will need to be set up. With that, we're back to the kludgy trust process found in Windows NT 4.0.

A forest trust is also not a blanket grant of access. SID filtering is enabled on it by default, so SIDs that don't belong to the trusted forest are stripped from a user's token as it crosses the trust, and you can turn on selective authentication so that only the users you explicitly permit can authenticate to servers in the trusting forest. Treat the trust as an identity link; access is still granted per resource.

So, transitive forest root trusts aren't the answer to everything, but they are a reasonably effective way to create a "pseudoforest" out of already existing trees.
5.1.6.2. The dedicated forest root model

You also can create a hedge against future AD DS changes if you are deploying Active Directory for the first time. If a department in your organization deploys AD DS ahead of other departments, then as the other groups come on board, they effectively become subordinates of that first domain. How does a smart administrator get around that problem? The dedicated forest root model provides a way to maintain the autonomy of the multiple domains that you create. Figure 5-1 shows how this is achieved.

Figure 5-1. How the dedicated forest root model enables separate NT domains to be separate in AD DS

A dedicated forest root domain can be either an "empty domain," which contains only a small number of universal users and resources, or a normal production domain that just happens to be at the root of a forest. The latter is not recommended. An empty forest root domain that does not serve as a production domain is advantageous for several reasons. For one, the Domain Admins group in the root domain has power over the whole forest (the Enterprise Admins and Schema Admins groups exist only in the root domain, and the root's Domain Admins can control their membership), which is something you might not want. Keeping the root empty allows you to delegate administrative authority to individual domains without giving everything away, a security protection that keeps honest administrators honest. It also helps you to structure your AD DS environment; a constant root makes further changes logical and easy to implement and manage, for instance, if you acquire a new company or build a new office. The forest root domain, if kept empty, is very easy to replicate and to back up. And if you ever make changes to the administrative authority in your business, you can transfer the keys to the kingdom to others without affecting the autonomy of your child domains' administrators.

You can name the empty forest root domain anything you want, even emptyroot.local. It is only a placeholder. However, most clients use a domain name based on their company's domain name.

However, the key to the empty root strategy is to keep the root empty: have it contain only the one administrative account it must have (the built-in Administrator account, created by default when you create the first domain in a new forest and a member of Enterprise Admins and Schema Admins) and use that only when absolutely necessary. Then, create all the domains you need under that first domain and you won't have one particular production domain in your organization unnecessarily holding Enterprise Admin-style accounts. Of course, this method has its downsides. Costs definitely are involved: for one, you need separate Windows Server 2008 licenses for your dedicated forest root domain controllers (and you want at least two of them, because losing the root domain means losing the forest), and you have the burden of administrative responsibility in ensuring that the root domain is kept up, patched, and the like. However, if you are in a high-growth industry and your organization is likely to make acquisitions and divestitures within the near future, it's best to use this method to hedge against major changes to AD DS structure.
5.1.7. Shared Folders and Printers

As you saw in Chapter 3, the concept of shared folders and printers within AD DS merely relates to a "pointer" residing within the directory, guiding users to the real location on a physical filesystem of a server for a particular shared directory, or the location of a print share on a print server. This process is known as publishing a share (or publishing a printer). The point of publishing shares and printers in AD DS is to make them available for searching, either through Active Directory Users and Computers for administrators or through the Start menu's Search (Find) command for client users. You can search for shared folder or printer names containing target keywords, and their locations will be populated within the results box.

5.1.8. Contacts

Contacts are simply objects in the directory that represent people and contain attributes with indicators as to how to contact them. Contacts neither represent users of any directory, nor convey any privileges to log on to the network or use any network or domain resources. The point of the contacts object is to create within AD DS a phonebook of sorts, with names of vital business contacts that reside outside your organization: partners, customers, vendors, and the like. Because AD DS as a directory can be queried by the LDAP protocol, which most groupware applications support, the contents of contacts objects likely can be accessed directly within that application.

5.1.9. Global Catalog

The global catalog, in an AD DS environment, acts as a sort of subset directory that is passed among all domains in a particular forest. Consider that AD DS gives you the ability to log on at any computer in your particular AD DS forest. If you have a small organization, this isn't much of a problem, but in a large organization with many domains, can you imagine the performance lag while AD DS tries to (a) find the correct domain where your account resides, then (b) communicate with it, and finally (c) log you in? You would be waiting for a significant amount of time for all the pieces of the puzzle to come together in a complex AD DS implementation. For that reason, AD DS constructs a subset of all the domains in a forest and puts it into what's called the global catalog (GC). The GC contains a list of all domains in the forest and a list of all the objects in those domains, but only a subset of the attributes for each object (the partial attribute set). This is a fairly small bit of information compared to the rest of the directory, and because of its reduced size, it is easy to replicate to the domain controllers in the forest that you designate as GC servers. As a result, when a user logs on at a computer in any given domain in a forest, the domain controller handling the logon asks a GC server which domain holds the account (this is how a logon by user principal name is resolved), and the authentication process can begin against the correct "home" domain. Think of the GC, therefore, as an index of your directory, much like the index of this book helps you to see which pages cover a topic in which you're interested. The GC also contains the name of each global group for every domain in the forest, and it contains the name and the complete membership list of every universal group in the forest (recall that universal groups can contain users and other groups from any domain in the forest).

So, limit your use of universal groups: every change to their membership replicates to every GC server in the forest, and a domain controller must reach a GC to expand them at logon, so overusing them slows both replication and your users' logins.
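To see the lookup just described from the administrator's side, here is an added example in PowerShell; it is my own script for this edition, not code from the book. It binds with the ADSI GC: provider so the query goes to a global catalog server (port 3268, the forest-wide partial replica) rather than to one domain's full replica, finds the account, and reads its home domain out of the DC= components of its distinguished name. It assumes a domain-joined Windows Server 2008 host with PowerShell installed and discovers the forest root from the machine's own forest; the account name jhassell is a made-up sample.

```powershell
# Added example: resolve an account's home domain through the global catalog.
# Assumes a domain-joined host; any domain user can read the GC.

# Escape the characters that carry meaning in an LDAP filter (RFC 4515) so that a
# name taken from input cannot rewrite the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

function Find-HomeDomain([string]$SamAccountName, [string]$ForestRoot) {
    # GC:// binds to port 3268, the read-only, forest-wide partial attribute set.
    $gc = [ADSI]("GC://" + $ForestRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
    $safe = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $searcher.SearchScope = "Subtree"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("userPrincipalName")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $null }

    $dn = [string]$hit.Properties["distinguishedname"][0]
    $upn = ""
    if ($hit.Properties["userprincipalname"].Count -gt 0) {
        $upn = [string]$hit.Properties["userprincipalname"][0]
    }
    # The DC= components name the domain that holds the full object. A comma escaped
    # inside a CN value splits too, but those fragments never start with "DC=".
    $dcParts = @()
    foreach ($part in $dn.Split(',')) {
        if ($part.StartsWith("DC=", [StringComparison]::OrdinalIgnoreCase)) {
            $dcParts += $part.Substring(3)
        }
    }
    $result = New-Object PSObject
    $result | Add-Member NoteProperty DistinguishedName $dn
    $result | Add-Member NoteProperty UserPrincipalName $upn
    $result | Add-Member NoteProperty HomeDomain ([string]::Join(".", $dcParts))
    $result
}

# Usage: the forest root is read from the machine's forest; the account name is made up.
$forestRoot = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name
$answer = Find-HomeDomain -SamAccountName "jhassell" -ForestRoot $forestRoot
if ($answer -eq $null) { Write-Host "No such account anywhere in the forest." }
else { $answer | Format-List }
```

Once you know the home domain, bind to it with LDAP:// (port 389) for anything the GC does not carry; attributes outside the partial attribute set come back empty from a GC query, which is a common source of "the attribute is blank" confusion.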
5.2. Building an AD DS Structure

To get the best foundation for the rest of this chapter, much as we did in Chapter 4, let's actually build an AD DS forest, tree, and domain. In this section, I'll walk you through the process of creating a domain, promoting a domain controller, adding another domain controller to the domain, adding a second child domain, and then adding a few users and groups to the mix.

5.2.1. The First Domain

The first domain in an AD DS setup is special for a few reasons. For one, the setup process for a new domain automatically adds the first domain controller to that domain: the machine on which you run the Active Directory Domain Services Installation Wizard becomes the first domain controller for the new domain. Second, this new domain becomes the root of the entire forest, meaning that it has special powers over other domains you create within the forest, even if their names aren't the same. We'll go over that in a bit. To start the process, from the machine you want to become the first domain controller for the new domain, select Run from the Start menu, type DCPROMO, and click OK. You might also reach this screen after adding the AD DS role within Server Manager; there is a link on the final screen to launch the wizard. The Active Directory Domain Services Installation Wizard starts, as shown in Figure 5-2.

Figure 5-2. Beginning AD DS installation

Click Next, and you'll see the Choose a Deployment Configuration screen. Here, you can choose whether to install this machine as a domain controller in an existing forest (by adding it to an existing domain or by creating a new domain inside an existing forest), or to install this machine in a new domain in a new forest. For this example, select the latter option, and click Next. You then see the Name the Forest Root Domain screen. Here, you type the fully qualified domain name of the forest root's domain. We'll use corp.windowsservernet.com here and click Next. The wizard will check to see whether the forest name is in use; if not, DCPROMO will continue. The Set Forest Functional Level screen appears. Here, you can choose the compatibility level at which this new forest will function. There are several choices:

Windows 2000 forest functional level

This level supports Windows 2000, Windows Server 2003, and Windows Server 2008 domain controllers, supports only 5,000 members in a single group, and offers improved global catalog replication only when all domain controllers in the domain are running Windows Server 2003 or Windows Server 2008.

Windows Server 2003 forest functional level

At this level, you lose support for Windows 2000 domain controllers, but you gain support for renaming existing domains, more efficient AD DS replication (linked-value replication, which also removes the 5,000-member group limit), and transitive forest trusts.

Windows Server 2008 forest functional level

Curiously, this level doesn't actually provide any additional forest-wide features over the Windows Server 2003 forest functional level, but it requires new domains in this forest to operate at the Windows Server 2008 domain functional level, which is indeed equipped with new capabilities. It also means no Windows Server 2003 domain controller can ever be added to the forest, so choose it only if you are sure.

Choose the option you desire; for our purposes, let's create a forest at the Windows Server 2008 level, so select the third option from the drop-down box and click Next. DCPROMO will trundle for a while and look at the current machine's DNS configuration. If it doesn't detect a DNS service, it will prompt you to install one on the next screen you see, the Additional Domain Controller Options page. You can choose to install the DNS server, a global catalog server (more on this soon), and a read-only domain controller option (see later in the chapter for more on this option). DNS is required, and as this is the first server in a new forest, it is required to be a global catalog server and cannot be a read-only domain controller. Let's install DNS, so make sure the first box is selected and then click Next.

You may get a couple of warnings after moving to the next phase. First, Windows Server 2008 will alert you if your machine is currently configured to use a dynamic IP address. For best results, DNS servers should use static IP addresses, so it gives you a chance to assign one. Next, you may get a warning about DNS not being able to find an authoritative parent zone, which means it can't create a delegation for the new zone. This is only relevant to you if you are installing a domain controller in an environment where DNS is already set up. Since we're installing DNS from scratch in this procedure, we can ignore it (as the message implies).

The Database and Log Folders screen appears, prompting you to choose where you want the AD DS database (recall that this is the NTDS.DIT file on all domain controllers' hard drives) and where you want the transaction log that keeps track of changes to the directory. If possible, place the database on one drive and the logfile on another drive. This ensures the best performance in production environments. You can use the Browse buttons to choose a location on the physical filesystem, or you can simply type a path into the boxes. Once you've finished choosing a location, click Next to continue. The Directory Services Restore Mode Administrator Password screen appears. On this screen you choose the password that will be required of anyone attempting to use the AD DS restore mode tools before Windows boots. Set this password to something that is secure and different from all your other administrator passwords, and then lock it away in a safe place. You probably won't need it very often. Once you've set the password, click Next.

Let me explain a bit about this special password. The Directory Services Restore Mode (DSRM) password is actually a password that is stored in the local SAM database of the domain controller, accessible only through specific methods, one being DSRM itself. Even more interesting, DSRM is in fact a single-user mode of Windows Server 2008. So, the password for a directory services restore is not stored in the directory at all, meaning it is not replicated to other domain controllers; each domain controller has its own. Remember, too, that anyone who can boot the machine into DSRM with that password has the directory database offline and at his disposal, which is one more reason to control physical access to domain controllers and to keep this password out of the hands of ordinary server administrators.

Click Next to continue, and finally, the Summary screen appears. Ensure the choices you selected are the ones you wanted, and then click Next to begin the procedure to install AD DS and promote the current machine to a domain controller within your new domain. The installation process will trundle along, until you receive the success notification pictured in Figure 5-3.

Figure 5-3. Successful AD DS installation

Congratulations! You've built a new domain and promoted your machine to a domain controller. You'll need to restart your machine to continue.
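The same promotion can be driven without clicking through the wizard, which is how you build the second, third, and tenth domain controller consistently. The script below is an added example for this edition, not code from the book: it writes the [DCInstall] answer file that dcpromo.exe's documented /unattend mode reads, using the forest name from this walkthrough, then removes the file because it carries the DSRM password in cleartext. The D: and E: paths are hypothetical placeholders for two separate volumes; run it as a local administrator on the server being promoted.

```powershell
# Added example: unattended equivalent of the "new forest" wizard run above.
# Assumptions: forest name as in the chapter; D:\ and E:\ are hypothetical separate volumes.
$forestName = "corp.windowsservernet.com"
$netbios    = "CORP"
$dbPath     = "D:\NTDS"       # AD DS database (NTDS.DIT)
$logPath    = "E:\NTDSLogs"   # transaction logs, on a different spindle when possible
$sysvolPath = "D:\SYSVOL"

# Read the DSRM password without echoing it, and never hardcode it in a script.
$secure = Read-Host "Directory Services Restore Mode password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrmPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# ForestLevel/DomainLevel 3 = Windows Server 2008 (0 = Windows 2000, 2 = Windows Server 2003).
$answerFile = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$forestName
DomainNetbiosName=$netbios
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="$dbPath"
LogPath="$logPath"
SYSVOLPath="$sysvolPath"
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=No
"@

$path = Join-Path $env:TEMP "dcpromo-unattend.txt"
Set-Content -Path $path -Value $answerFile -Encoding ASCII
try {
    & "$env:SystemRoot\system32\dcpromo.exe" "/unattend:$path"
    Write-Host "dcpromo finished with exit code $LASTEXITCODE"
} finally {
    # The answer file holds the DSRM password in cleartext; do not leave it on disk.
    Remove-Item -Path $path -Force
}
Write-Host "Review $env:SystemRoot\debug\dcpromo.log, then restart the server to finish."
```

RebootOnCompletion is deliberately No so that the answer file is deleted before the restart; reboot by hand after checking dcpromo.log. If you keep answer files under version control for repeatability, leave SafeModeAdminPassword out of the stored copy and inject it at run time as shown.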
5.2.2. Using AD DS Tools

Before we go any further, I'd like to discuss the three most common tools you will find yourself using as an AD DS administrator. All of these tools, of course, can be found in Server Manager under the appropriately named role. The first of these tools is Active Directory Users and Computers, the tool that allows you to create your AD DS structure within a domain, add users and groups, adjust account properties, and generally administer the day-to-day operations of your directory. Figure 5-4 shows the default screen for Active Directory Users and Computers.

Figure 5-4. Active Directory Users and Computers

Next, there's Active Directory Domains and Trusts, a utility you can use to create trusts between domains and to eventually raise the domain functional level to enable new features for Active Directory. Figure 5-5 shows the default screen for Active Directory Domains and Trusts.

Figure 5-5. Active Directory Domains and Trusts

Finally, let's glance at Active Directory Sites and Services, a graphical tool that allows you to design your AD DS structure around how your business is geographically dispersed, making AD DS replication traffic go across links that cost the least and are the fastest. You can also delineate how your organization's computers are addressed by outlining different subnets, thereby increasing the likelihood that clients will log on to domain controllers that are the closest to them. Figure 5-6 shows the default screen for Active Directory Sites and Services.

Figure 5-6. Active Directory Sites and Services

We'll use each tool in time as we proceed through the remainder of this chapter. For now, let's move on.
5.2.3. Adding Another Domain Controller to a Domain

Promoting another machine to domain controller status within an existing domain is even easier than promoting the first machine in a new domain. You can use the DCPROMO wizard to do the job for you in this case, as well. To begin, start up DCPROMO as before, and on the Choose a Deployment Configuration screen select "Existing forest" and "Add a domain controller to an existing domain," then click Next. The Network Credentials screen will appear, asking you to type in the username and password for a domain administrator account. Do so, and then click Next. Enter the full DNS name of the domain for which you want this machine to become a domain controller, and then click Next. From there, proceed through the wizard starting from the Database and Log Folders screen as indicated in the previous section. Once the wizard is finished and your machine has restarted, it is an official domain controller for your domain.

5.2.4. Adding Another Domain

Adding a child domain is equally simple: you use DCPROMO and you tell it to create a new domain in an existing forest, rather than a new forest. This will add a subdomain to the existing domain tree. Then the Network Credentials screen will appear, asking for an account in the forest that is allowed to create domains; that means a member of Enterprise Admins, because creating a domain is a forest-wide operation and Domain Admins membership in one domain is not enough. After that, the Name the New Domain screen will appear, as shown in Figure 5-7.

Figure 5-7. Providing a name for the new child domain

Here, you need to tell AD DS which domain you want to add on to, and then the name of the child domain to add on to the parent tree. You can use the Browse button to scroll around the directory or simply type the name in. In the second box, enter just the first portion of the new child domain's name. The box at the bottom will adjust automatically to show the full name of the new child domain. Click Next when finished. Next, you might receive an error depending on the type of forest into which you are trying to install this new domain controller (see Figure 5-8). You may need to run the Active Directory preparation tool, which you can find on the Windows Server 2008 DVD in the \sources\adprep folder. Run adprep /forestprep at the command line on the domain controller that holds the schema master role, logged on as an account that is a member of Schema Admins, Enterprise Admins, and the forest root's Domain Admins; the tool will automatically take care of the needed forest changes. Give the schema changes time to replicate, then rerun DCPROMO, re-enter the domain information and new settings, and proceed through the wizard.

Figure 5-8. Error provided by the wizard indicating an unprepared forest

Now you can proceed through the wizard, as shown in the previous section. One note of interest, though: if the domain has a lot of information to replicate out to its new domain controller, this promotion process can take a long time. An option is available on the final screen of this wizard that allows you to finish replication later, and you might be tempted to take advantage of it. Although this option does decrease the amount of time it takes to bring a new domain controller in an existing domain online, I prefer to let replication happen immediately. The only instance in which I wouldn't want to do this is if I were bringing up a new domain controller in a branch office with a very slow connection to the home office. In that case, it's OK to wait until off hours and let the replication happen then. In all other cases, I recommend moving ahead with replication and simply waiting it out.
5.2.5. Managing Users and Groups

Of course, critical to a multiuser system are user accounts and groups, which you can create within AD DS using the Active Directory Users and Computers tool that we previewed two sections ago. (In this section, I'll use the acronym ADUC to save me from having to type out Active Directory Users and Computers over and over.) Within ADUC, you can create, change, and delete user accounts; manage groups and their members; and configure Group Policies. The latter is a topic I'll save for Chapter 6.

5.2.5.1. Creating users and groups

Let's look at creating users and groups within ADUC. It's a simple process. First, you decide on a username or group name. You can select almost any username or group name for a particular person or group in Windows Server 2008, but you must keep these restrictions in mind:

The name must be unique within a domain (if you are creating a domain user) or on a machine (if you are creating a local user)

The name can be a maximum of 20 characters (this limit applies to the pre-Windows 2000 logon name, the sAMAccountName, which is what the "User logon name (pre-Windows 2000)" box holds and what the command-line tools and older clients use)

The name cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < >

The name cannot consist of all spaces or all periods, though individual spaces or periods within a name are acceptable

Group names have the same restrictions.

Follow these steps to create a user:

1. Open ADUC.

2. In the left pane, select the container in which you want the new user to reside. Right-click it and select User from the New menu.

3. The New Object - User screen appears, as shown in Figure 5-9. Enter the user's first name, middle initial, and last name in the appropriate boxes, and the Full name field will populate automatically. Enter the user's preferred logon name in the "User logon name" box, and then click Next.

Figure 5-9. Entering a new user

4. The next screen is where you enter the user's initial password and a few properties for his account. This is shown in Figure 5-10. Enter and confirm the password, and then decide whether the new user will be prompted to change this password when he logs on (leave this checked, so the initial password you know and handed over doesn't stay in use), whether he can change his password at all, whether the password will follow the domain's expiration policy, and finally, whether the account is disabled. (Disabled accounts cannot log in.) Click Next.

Figure 5-10. Entering a new user's password

5. Confirm the information you have just entered, and click Finish to create the user.

To create a new group, follow these steps:

1. Open ADUC.

2. In the left pane, select the container in which you want the new group to reside. Right-click it and select Group from the New menu.

3. The New Object - Group screen appears, as shown in Figure 5-11. Enter a name for the group, its scope (domain local, global, or universal), and the type of group (either security or distribution). Click OK.

Figure 5-11. Creating a new group

That's it! You've created a new group. If you are creating a user, your work is not done yet. You may need to configure several additional properties before the user account is ready for use. Right-click the new user within ADUC and select Properties from the context menu. Here's a rundown of each option on the Properties sheet's various tabs.
General

On the General tab, you can input information such as the user's first, middle, and last name; a description of the user; and her office location, main telephone number, email address, and home page. The General tab is shown in Figure 5-12.

Figure 5-12. The General tab

Address

The Address tab allows you to enter the user's postal address information and his geographic location. Figure 5-13 shows the Address tab.

Figure 5-13. The Address tab

Account

On the Account tab, you can modify the user's logon name, the suffix for her user principal name (a concept I'll explain in a bit), logon hours, and the workstations she is permitted to use. To set logon hours, click the Logon Hours button and then select the block of time you want to either permit or deny. To set permitted workstations, click the Log On To button; note that this restriction is keyed on NetBIOS computer names, so you need NetBIOS over TCP/IP on your network for it to be enforced. You also see several account options. You can specify that a user must change her password the next time she logs in, that she cannot change her password, that her password never expires, that Windows should store her password using reversible encryption (effectively cleartext to anyone who can read the directory database; enable it only for the rare application that demands it), that her account is disabled, that a smart card must be used for interactive logon, that the account is trusted for delegation (meant for a service such as Exchange that accesses other resources on users' behalf), that the account is sensitive and cannot be delegated, that only DES encryption types should be used for the account (DES is weak, and Windows Server 2008 supports AES; leave DES off unless a legacy Kerberos client needs it), or that Kerberos preauthentication is not required (provided for non-Windows Kerberos implementations, and an open invitation to offline password guessing if set without reason). The Account tab is shown in Figure 5-14.

Figure 5-14. The Account tab
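Several of those Account tab options are set once, usually for some long-forgotten application, and then never reviewed. Here is an added example for finding them, my own script rather than anything from the book: it queries the domain the host is joined to with the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) against the documented userAccountControl flag values, skips disabled accounts, and reports which weak settings each enabled account carries. It assumes an ordinary domain account, since read access to user objects suffices.

```powershell
# Added example: list enabled user accounts whose Account-tab options weaken authentication.
# Assumptions: domain-joined host; the search base is the host's own domain.
$BitAndRule = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

# Documented userAccountControl bits behind the Account tab checkboxes.
$weakFlags = @{
    "PASSWD_NOTREQD (no password required)"             = 0x20
    "ENCRYPTED_TEXT_PWD_ALLOWED (reversible encryption)" = 0x80
    "DONT_EXPIRE_PASSWORD (password never expires)"      = 0x10000
    "TRUSTED_FOR_DELEGATION (unconstrained delegation)"  = 0x80000
    "USE_DES_KEY_ONLY (DES only)"                        = 0x200000
    "DONT_REQ_PREAUTH (no Kerberos preauthentication)"   = 0x400000
}
$ACCOUNTDISABLE = 0x2

function Get-WeakAccountOptions {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $baseDn   = [string]$rootDse.defaultNamingContext
    $domain   = [ADSI]("LDAP://" + $baseDn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.PageSize = 500     # paged results, so large domains are not cut off at 1,000 hits

    # (|(uac:AND:=bit)...) over every weak bit; disabled accounts are excluded up front.
    $orClause = ""
    foreach ($bit in $weakFlags.Values) {
        $orClause += "(userAccountControl:$($BitAndRule):=$bit)"
    }
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                       "(!(userAccountControl:$($BitAndRule):=$ACCOUNTDISABLE))" +
                       "(|$orClause))"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("userAccountControl")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($hit in $searcher.FindAll()) {
        $uac = [int]$hit.Properties["useraccountcontrol"][0]
        $set = @()
        foreach ($name in $weakFlags.Keys) {
            if (($uac -band $weakFlags[$name]) -ne 0) { $set += $name }
        }
        $o = New-Object PSObject
        $o | Add-Member NoteProperty Account ([string]$hit.Properties["samaccountname"][0])
        $o | Add-Member NoteProperty DN      ([string]$hit.Properties["distinguishedname"][0])
        $o | Add-Member NoteProperty Flags   ([string]::Join("; ", $set))
        $o
    }
}

Get-WeakAccountOptions | Sort-Object Account | Format-Table -AutoSize
```

Run this on a schedule and diff the output; a new DONT_REQ_PREAUTH or reversible-encryption hit on an account nobody remembers changing is worth a ticket. The same filter works against a GC:// bind if you want a forest-wide sweep, because userAccountControl is in the partial attribute set.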
Profile

On the Profile tab, you can specify the path to the user's profile. A user's profile contains the contents of his Desktop and Start menu and other customizations (such as wallpaper and color scheme). You can specify where that profile is stored with the Profile path option. You also can designate the path to the user's home folder, which is the default location within most Windows applications for a particular user's data to be stored. Plus, you can choose to automatically map a specific drive letter to the user's home folder that you have set up. Figure 5-15 shows the Profile tab.

Figure 5-15. The Profile tab

Telephones

On the Telephones tab, you can enter different numbers corresponding to this particular user's home, pager, mobile, fax, and IP telephones. The Telephones tab is shown in Figure 5-16.

Figure 5-16. The Telephones tab

Organization

The Organization tab gives you a place to specify the user's official title, the department in which he works, the name of the company where he works, his direct reports, and his manager's name. The Organization tab is shown in Figure 5-17.

Figure 5-17. The Organization tab

Remote control

This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The "Remote control" tab is shown in Figure 5-18.

Figure 5-18. The Remote control tab

Terminal Services Profile

This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Terminal Services Profile tab is shown in Figure 5-19.

Figure 5-19. The Terminal Services Profile tab

COM+

On the COM+ tab, you can assign users to applications on COM+ partitions that you have set up on different servers. The COM+ tab is shown in Figure 5-20.

Figure 5-20. The COM+ tab

Member Of

The Member Of tab shows a user's group memberships. By default, all users are members of the Domain Users group; it is their primary group, which is why it can't be removed here until you set a different primary group. You can click the Add button to add groups of which the user is a member. To remove a user from a current group membership, click Remove. The Member Of tab is shown in Figure 5-21.

Figure 5-21. The Member Of tab

Dial-in

The Dial-in tab is where you configure several remote access options and properties for the user. Routing and remote access are covered in detail in Chapter 11. The Dial-in tab is shown in Figure 5-22.

Figure 5-22. The Dial-in tab

Environment

This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Environment tab is shown in Figure 5-23.

Figure 5-23. The Environment tab

Sessions

This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Sessions tab is shown in Figure 5-24.

Figure 5-24. The Sessions tab

You have fewer properties to configure when you create a new group. The group-specific tabs are profiled here.

General

On the General tab, you can specify the name of the group, a friendly description of it, its email address, its scope and type, and any notes you want to write to yourself or to other administrators. Figure 5-25 shows the General tab.

Figure 5-25. The General tab

Members

The Members tab shows the current members of the group. Click the Add and Remove buttons to add and remove members from the group, respectively. Figure 5-26 shows the Members tab.

Figure 5-26. The Members tab
5.2.5.2. Performing common administrative tasks

You can accomplish a couple of neat tricks using ADUC on multiple accounts at once, reducing some of the tedium involved in making repetitive changes. For one, you can select multiple accounts within ADUC by clicking one account and either:

Holding down the Shift key and selecting another account to completely select the range of accounts between your two initial selections

Holding down the Ctrl key and clicking individual accounts to select them independently

Then you can right-click the group of accounts and perform actions such as changing common properties or sending email. When you right-click multiple accounts and select Properties, the screen in Figure 5-27 appears.

Figure 5-27. Changing the properties of multiple accounts

On this screen, you can make changes to multiple accounts at the same time. A subset of the options available on individual accounts is accessible, but such common tasks as changing the UPN suffix of an account, specifying that a user must change her password, or requiring a smart card for logon are easy to accomplish with this screen.
5.2.5.3. Using LDAP to create users
LDAP is the foundation protocol for accessing and modifying the contents of AD DS. You can use LDAP-style strings in conjunction with a couple of command-line tools to automate the creation of users and groups. First let's look at what makes an LDAP identifier, properly called a distinguished name (DN). For instance, let's say my full name is Jonathan Hassell, and my account is in the SBSUsers organizational unit within the hasselltech.local domain. My distinguished name, therefore, is:
CN=Jonathan Hassell,OU=SBSUsers,DC=hasselltech,DC=local
CN is the common name of the object itself, OU is an organizational unit, and DC is one component of the domain's DNS name. (The built-in Users and Computers containers are not OUs; they are addressed as CN=Users and CN=Computers.) A DN value is not quoted: a comma, plus sign, double quote, backslash, semicolon, angle bracket, or equals sign inside a name, such as the comma in CN=Hassell\, Jonathan, is escaped with a backslash instead. Anything that builds DNs from user-supplied names, such as a provisioning script, has to apply that escaping, or a cleverly chosen name can land an object in a different container. Likewise, Lisa Johnson in the Marketing OU within the Charlotte OU of enterprise.com would have a DN of:
CN=Lisa Johnson,OU=Marketing,OU=Charlotte,DC=enterprise,DC=com
Users in the directory are also represented by a user principal name, or UPN. UPNs look like email addresses, and in some cases actually are email addresses, but within the context of LDAP they serve to identify and select a specific user in the directory. So, if my username were jhassell, my UPN would be:
jhassell@hasselltech.local
And if Lisa Johnson's username were ljohnson, her UPN would be:
ljohnson@enterprise.com
Now that we know how to specify some properties in LDAP, we can use the DSADD utility to create objects from the command line. The advantage to using DSADD is that you can script these commands to automate the creation and provisioning of user accounts. DSADD adds an object (a user, computer, group, OU, or contact) to AD DS. For example, to add a computer named JH-WXP-DSK to the Admin OU while authenticating as the domain administrator account, enter the following:
dsadd computer CN=JH-WXP-DSK,OU=Admin,DC=hasselltech,DC=local -u administrator -p *
The asterisk after -p makes DSADD prompt for the password rather than taking it from the command line. Here's another example: to add user sjohnson (for Scott Johnson, email address sjohnson@hasselltech.local, with initial password "changeme") to the Sales OU and make him a member of the Presales group, use the following command:
dsadd user CN=sjohnson,OU=Sales,DC=hasselltech,DC=local -upn sjohnson@hasselltech.local -fn Scott -ln Johnson -display "Scott Johnson" -pwd changeme -email sjohnson@hasselltech.local -memberof CN=Presales,OU=Sales,DC=hasselltech,DC=local
This time you are not prompted, because the password is supplied inline with -pwd. That is convenient in a script, but it leaves the password in the shell history and in any log of the script; -pwd * would prompt for it instead. Since the initial password is shared with the user, add -mustchpwd yes so it is replaced at first logon.
You're getting the picture now. You can also add OUs with DSADD. To add an OU called "support" directly under the domain, use this command (note that the RDN of an OU is OU=, not CN=):
dsadd ou OU=support,DC=hasselltech,DC=local
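The following PowerShell script is an added example and not code from the book: it shows the scripted provisioning the preceding paragraphs describe, building RFC 4514-escaped distinguished names so a display name containing a comma cannot push an object into a different container, and driving DSADD with the password prompted for rather than embedded. The OU, group, UPN suffix and user records are constructed for the example, and dsadd.exe is assumed to be on the PATH of a machine that can reach a writable domain controller.

```powershell
# Added example, not from the book: build RFC 4514-safe distinguished names and
# drive dsadd from PowerShell. It is a dry run unless -Execute is given.
# Assumed: dsadd.exe on the PATH and a writable DC for hasselltech.local; the
# OU, group and user records below are constructed for the example.

function ConvertTo-EscapedRdnValue {
    # Escape one RDN value per RFC 4514 so a name such as "Johnson, Scott" cannot
    # inject an extra RDN (or a different parent OU) into the DN. The trailing
    # space is handled before the leading one so a lone space is escaped once.
    param([Parameter(Mandatory = $true)][string]$Value)
    $escaped = $Value   -replace '([\\,+"<>;=])', '\$1'
    $escaped = $escaped -replace '( )$',          '\$1'
    $escaped = $escaped -replace '^([ #])',       '\$1'
    return $escaped
}

function New-ObjectDN {
    # Compose CN=<escaped name>,<parent DN>.
    param([string]$CommonName, [string]$ParentDN)
    return ('CN={0},{1}' -f (ConvertTo-EscapedRdnValue -Value $CommonName), $ParentDN)
}

function New-DsaddUserArguments {
    # Argument list for 'dsadd user'. The password is deliberately not part of
    # it: '-pwd *' is appended at run time so dsadd prompts instead of reading
    # the password from the command line (and from the shell history).
    param([hashtable]$User, [string]$ParentDN, [string]$UpnSuffix, [string]$GroupDN)
    $cn  = '{0}, {1}' -f $User.Last, $User.First          # "Last, First" naming convention
    $dn  = New-ObjectDN -CommonName $cn -ParentDN $ParentDN
    $upn = '{0}@{1}' -f $User.Sam, $UpnSuffix
    $argList = @('user', $dn,
                 '-samid', $User.Sam,                      # CN is not a usable logon name here
                 '-upn', $upn,
                 '-fn', $User.First, '-ln', $User.Last,
                 '-display', ('{0} {1}' -f $User.First, $User.Last),
                 '-email', $upn,
                 '-mustchpwd', 'yes')                      # initial password is single-use
    if ($GroupDN) { $argList += @('-memberof', $GroupDN) }
    return $argList
}

function Invoke-UserProvisioning {
    # Prints the dsadd command lines, or runs them when -Execute is given.
    param([array]$Users, [string]$ParentDN, [string]$UpnSuffix, [string]$GroupDN, [switch]$Execute)
    foreach ($u in $Users) {
        $a = New-DsaddUserArguments -User $u -ParentDN $ParentDN -UpnSuffix $UpnSuffix -GroupDN $GroupDN
        if ($Execute) {
            & dsadd.exe @a -pwd *
            if ($LASTEXITCODE -ne 0) {
                Write-Warning ('dsadd failed for {0} (exit {1})' -f $u.Sam, $LASTEXITCODE)
            }
        } else {
            Write-Output ('dsadd ' + ($a -join ' ') + ' -pwd *')
        }
    }
}

# Constructed sample input; in practice this comes from Import-Csv on a provisioning file.
$salesOU  = 'OU=Sales,DC=hasselltech,DC=local'
$presales = 'CN=Presales,' + $salesOU
$newUsers = @(
    @{ Sam = 'sjohnson'; First = 'Scott'; Last = 'Johnson' },
    @{ Sam = 'lobarr';   First = 'Lee';   Last = 'O''Barr' }   # apostrophe needs no escaping
)

Invoke-UserProvisioning -Users $newUsers -ParentDN $salesOU -UpnSuffix 'hasselltech.local' -GroupDN $presales
```

Run as shown, the script only prints the commands it would issue, so the DNs can be inspected (for Scott Johnson the CN becomes Johnson\, Scott) before anything is created; add -Execute to create the accounts, at which point DSADD prompts for each initial password.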
5.2.5.4. Delegation
One of the absolute best features within AD DS is the ability to allow other users to take partial administrative control over a subset of your directory, a process known as delegation. By delegating administrative authority, you can take some of the IT person's burden and place it elsewhere. For example, you might want to give one person in your department the power to reset passwords for other employees in that department. Or you might want to employ some part-time college students to staff a helpdesk, and you want to give them the ability to create new users and to help other employees with lost passwords. You can accomplish this easily through AD DS delegation. There's even a wizard to help you do it. The entire process works something like this:
1. Choose an AD DS container over which you want to delegate administrative authority.
2. Create a group of users (or identify an existing one) that will have those new, delegated administrative powers.
3. Use the Delegation of Control Wizard to actually grant the powers.
Let's get started. Within ADUC, select the organizational unit over which you want to delegate powers to others. Right-click it, and select Delegate Control from the pop-up context menu. The Delegation of Control Wizard appears. Click Next on the introductory screen, and the Users or Groups screen appears, as shown in Figure 5-28.
Figure 5-28. The Users or Groups screen
On this screen, click Add, and identify the users or groups to which you want the powers assigned. Delegate to a group rather than to individual users: group membership can then be reviewed and revoked without touching the OU's ACL. Click Next when you've added the users, and the Tasks to Delegate screen appears, as shown in Figure 5-29.
Figure 5-29. The Tasks to Delegate screen
This screen lists the most common tasks you might want to delegate, including such options as managing user accounts, resetting passwords, managing groups, and administering GP. For our example, let's select the second option (to reset user passwords), and click Next. On the final screen of the wizard, you're asked to confirm your choices. Click Finish to do so, and the delegation is complete.
Behind the scenes, the wizard does nothing more than add access control entries (ACEs) to the OU's security descriptor, and there is no mechanism that logs which delegations have been configured: the user interface offers no summary of them. Be sure to keep a detailed and accurate journal of the delegations you create. The permissions themselves can still be inspected after the fact: the Security tab of the OU's properties (visible once Advanced Features is enabled in the View menu of ADUC) and the DSACLS command-line tool both display the ACL, including the entries the wizard added. The DSREVOKE tool offers a bit more assistance. It reports all permissions for a particular user or group on a set of OUs and, optionally, removes all permissions for that user or group from the ACLs on those OUs. This effectively provides the ability to revoke delegated administrative authority, although it's not as intuitive as a graphical utility might be. You can find more information at http://download.microsoft.com/download/b/1/f/b1f527a9-5980-41b0-b38e-6d1a52a93da5/Dsrevoke.doc.
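The following PowerShell is an added example and not the book's own code. It produces the delegation inventory the text says the user interface lacks: it lists the explicit (non-inherited) ACEs on an OU, which is exactly what the Delegation of Control Wizard creates, labels the well-known schema and control-access GUIDs such as the one the "reset user passwords" task uses, and can strip every ACE held by one trustee the way DSREVOKE does. The OU path, the HASSELLTECH\HelpDesk group and the sample ACE are assumptions made for the example; the sample ACE is constructed in memory so the reporting runs without a domain controller.

```powershell
# Added example, not from the book: inventory and revoke OU delegations via
# System.DirectoryServices (present wherever the AD DS tools are installed).
# The OU DN and the HASSELLTECH\HelpDesk trustee are assumptions.
Add-Type -AssemblyName System.DirectoryServices

# Well-known GUIDs an ACE's ObjectType / InheritedObjectType can carry.
$knownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'all properties/objects'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (control access right)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user objects'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group objects'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer objects'
}

function Resolve-AdGuid {
    param([Guid]$Id)
    $label = $knownGuids[$Id.ToString()]
    if ($label) { return $label } else { return $Id.ToString() }   # unknown: show raw GUID
}

function ConvertTo-DelegationRecord {
    # Flatten one ActiveDirectoryAccessRule into a printable record.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    New-Object PSObject -Property @{
        Trustee   = $Rule.IdentityReference.Value
        Access    = $Rule.AccessControlType
        Rights    = $Rule.ActiveDirectoryRights
        AppliesTo = Resolve-AdGuid $Rule.ObjectType            # right or attribute granted
        OnObjects = Resolve-AdGuid $Rule.InheritedObjectType   # object class it applies to
        Inherit   = $Rule.InheritanceType
    }
}

function Get-ExplicitDelegations {
    # Explicit ACEs only (includeInherited = $false): these are what Delegate Control added.
    param([string]$OuDN)
    $ou  = [ADSI]('LDAP://' + $OuDN)
    $acl = $ou.psbase.ObjectSecurity
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        ForEach-Object { ConvertTo-DelegationRecord -Rule $_ }
}

function Revoke-DelegationsFor {
    # Remove every explicit ACE for one trustee on one OU (what dsrevoke does).
    # Dry run unless -Commit is given; returns the number of ACEs matched.
    param([string]$OuDN, [string]$Trustee, [switch]$Commit)
    $ou  = [ADSI]('LDAP://' + $OuDN)
    $acl = $ou.psbase.ObjectSecurity
    $matches = @($acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Trustee })
    $verb = if ($Commit) { 'removing' } else { 'would remove' }
    foreach ($rule in $matches) {
        Write-Output ($verb + ': ' + (ConvertTo-DelegationRecord -Rule $rule | Out-String).Trim())
        if ($Commit) { $acl.RemoveAccessRuleSpecific($rule) }
    }
    if ($Commit -and $matches.Count -gt 0) { $ou.psbase.CommitChanges() }
    return $matches.Count
}

# Constructed sample ACE, the shape the wizard's "Reset user passwords" choice
# produces: Allow HelpDesk the Reset Password right on descendant user objects.
$sampleAce = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    (New-Object System.Security.Principal.NTAccount 'HASSELLTECH\HelpDesk'),
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [Guid]'00299570-246d-11d0-a768-00aa006e0529',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2')
ConvertTo-DelegationRecord -Rule $sampleAce | Format-List

# Live use (needs a DC):
#   Get-ExplicitDelegations 'OU=Sales,DC=hasselltech,DC=local' | Format-Table -AutoSize
#   Revoke-DelegationsFor 'OU=Sales,DC=hasselltech,DC=local' 'HASSELLTECH\HelpDesk'          # dry run
#   Revoke-DelegationsFor 'OU=Sales,DC=hasselltech,DC=local' 'HASSELLTECH\HelpDesk' -Commit  # really revoke
```

Running Get-ExplicitDelegations over every OU on a schedule, and diffing the output against the journal the text recommends, is the closest thing Windows Server 2008 offers to a log of delegations; an ACE that appears without a matching journal entry is worth investigating.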
5.3. Understanding Operations Master Roles
As I mentioned earlier, all domain controllers are nearly equal in AD DS; that is, any one of them can be updated and can replicate changes to the others. This decentralization is in direct contrast to Windows NT 4.0-style domains, which had only one PDC that accepted directory object modifications and any number of BDCs that held read-only copies of the accounts database. BDCs could authenticate users, but any changes to any attributes of domain accounts had to take place in direct communication with the PDC. Because the PDC pushed out copies of the accounts database, known as the SAM database, to the BDCs for a domain, this sort of replication was known as single-master replication: one master computer communicated changes to subordinate, less capable computers.
Enter AD DS, where there are effectively no distinctions between domain controllers in most operations. All writable domain controllers for a domain can accept changes for data in their domain, and domain controllers have peers to which they replicate changes to those objects. (The Windows 2000 mixed and Windows Server 2003 interim functional levels, which exist to accommodate NT 4.0 BDCs, qualify this; there's more on functional levels in the migration section later in this chapter. Windows Server 2008 domain controllers require at least the Windows 2000 native domain functional level, so those levels are not available once you introduce one.) This sort of setup typically is called multimaster replication because each domain controller acts as a master, passing changes to other domain controllers until those changes are replicated fully. Replication is covered in detail in the next section, but that introduction serves as an adequate segue to a fundamental issue: this decentralized approach has problems. Some actions taken within forests and domains could cause havoc if performed simultaneously on two separate domain controllers before replication has occurred. What if:
Two people made changes to the attributes of the AD DS schema on two separate domain controllers and each created an attribute named CC; one person wanted that attribute to hold credit card numbers, and the other wanted it to hold calling card numbers. Which would be which, and under what circumstances?
An administrator in one location, geographically separate from his company's headquarters, created a new domain, and then eight hours later at the headquarters complex (before replication took place) someone else created the same domain, thinking it hadn't been done yet. Which domain wins?
Two distinct domain controllers were doling out security IDs (SIDs) to new objects, and by chance one object on one domain controller was assigned the same SID as another object on the other domain controller. How would AD DS keep track of these two distinct objects if they have the same SID?
You still have NT domain controllers acting as BDCs on your network. (This was common during migrations, although NT 4.0 BDCs cannot coexist with Windows Server 2008 domain controllers in the same domain.) As you know, those NT domain controllers aren't capable of multimaster replication, so all of them need to agree on one place from which they can get updates to their SAMs. Which domain controller would perform this role?
You renamed a user or made a user a member of a certain group, and you were attached to one domain controller, but that change needed to replicate to the domain controller that's local to the user whom you're administering. How might you speed up replication for those essential attributes? How can they take priority over, say, changes to phone numbers for a user in AD DS?
Clearly, some domain controllers need to have greater authority than others for certain operations; AD DS is not entirely self-governing. Microsoft took care of this problem by implementing special roles for some domain controllers in AD DS, called operations master roles. (These roles are also called flexible single master operations, or FSMO, roles, pronounced "fizz-moh," but the proper term is operations masters.) There are five specific operations master roles, listed here in the order in which each corresponds with the scenarios discussed earlier:
Schema master (one per forest)
Domain naming master (one per forest)
RID master (one per domain)
PDC emulator (one per domain)
Infrastructure master (one per domain)
These roles are distributed one per domain, except for the schema and domain naming roles, which are allotted one per forest. After all, schema changes affect the entire forest, and you shouldn't have two domains with exactly the same name within the same forest. RIDs, however, are specific to a domain, the PDC emulator serves an individual domain, and the infrastructure master accounts for changes within its own domain only, not the whole forest.
The first domain controller in a forest assumes all five roles simultaneously. The first domain controller in each additional domain in the forest assumes the three domain-specific roles for that domain. Organizations with only one domain controller have all five roles on that one domain controller.
5.3.1. Schema Master
The schema master in a forest carries out a very important function: ensuring that changes to the schema, that is, to the actual structure of the AD DS database, are made in a consistent manner. The schema master prevents change collisions across the forest, which is a bigger problem than you might imagine and one that grows with the size of your AD DS-based network. Although you might not think the schema would change often, a few operations actually do this: for one, installing Exchange 2000 or 2003 into a domain will extend the forest-wide schema even if some domains are not using Exchange. Other AD DS-aware applications are likely to modify the schema as well, such as Microsoft's ISA Server firewall and some network and user management applications, such as those from NetIQ. Also remember that the forest AD DS schema and the global catalog are intertwined. Recall too that the global catalog contains a subset of information from all domains within a forest. If you add new attributes to the schema and want to include them in the global catalog, all your domain controllers that act as global catalog servers will need to receive the change. For Windows 2000-based domain controllers, the entire global catalog must be flushed and rebuilt on each domain controller; at the Windows Server 2003 or Windows Server 2008 forest functional level, only the change needs to be propagated. For large organizations, this is a big bandwidth saver. It is just something to keep in mind.
To identify the schema master in Windows Server 2008, use the Active Directory Schema console. The DLL that implements the snap-in, schmmgmt.dll, lives under the \Windows\system32 directory, but the snap-in is not registered by default. Open a command-line window, navigate to that directory, and then do the following:
1. Register the COM object by running regsvr32 schmmgmt.dll. Once this has completed, Windows raises a dialog box to notify you.
2. Open the MMC; using the Run option on the Start menu and typing mmc always works if you don't have a shortcut handy.
3. Select Add/Remove Snap-in from the File menu.
4. In the resulting dialog box, the list of available MMC snap-ins appears. Select Active Directory Schema, and then click Add.
5. Close the dialogs to apply the changes.
6. Right-click the root node of the MMC in the left pane, and then select Operations Master from the context menu.
7. The Change Schema Master dialog box appears, and on the first line the full name of the current schema master is revealed. In smaller domains, this will be the first domain controller installed, but in larger domains, someone could have moved the role to another domain controller. This is shown in Figure 5-30.
Figure 5-30. The Change Schema Master screen
To change the schema master (you must be a member of the Schema Admins group to do this) from within the Schema console you loaded in the previous procedure, right-click the root node labeled Active Directory Schema in the left pane, and select Change Active Directory Domain Controller from the context menu. In the dialog box that appears, select or type the name of the domain controller to which you want to move the schema master role, and then click OK. Then, proceed from step 7 in the previous exercise, and click the Change button in the Change Schema Master dialog box. Confirm your choice, and once the processing is complete, click Close. The schema master role has been moved. Because membership in Schema Admins is all that stands between an administrator and a forest-wide, effectively irreversible schema change, keep that group empty and add a member only for the duration of a planned change.
5.3.2. Domain Naming Master
The domain naming master role is one of the forest-specific roles, meaning that only one domain controller in the entire forest has this role. This role protects against the creation of identically named domains in the same forest: every addition or removal of a domain (or of an application directory partition) has to go through it, so two administrators cannot create the same domain on two domain controllers. In a Windows 2000 forest this role must be placed on a global catalog server, because it uses information contained in the GC (excerpts of the directories of other domains in the forest) to fulfill its responsibilities. At the Windows Server 2003 or Windows Server 2008 forest functional level, this placement is unnecessary. To change the domain naming master role (you must be a member of the Enterprise Admins group to do this), use the Active Directory Domains and Trusts tool. Open it from the Administrative Tools menu and then:
1. Right-click the root node in the left pane, select Change Active Directory Domain Controller, and connect to the domain controller that is to receive the role; the transfer always goes to the domain controller the console is connected to.
2. Right-click the root node again, and select Operations Master.
3. Click Change to move the role.
5.3.3. RID Master
The RID master role handles the assignment and distribution of the latter portion of SIDs for security principals within AD DS. You know that when a security principal (a user, group, or computer) is created in Windows, a unique SID is assigned to it. The SID comes in the form S-1-5-21-A-B-C-RID, where S-1-5-21 is common to all such SIDs. The A, B, and C parts of the number are randomly generated 32-bit numbers that together identify a domain, or a particular machine (if AD DS is not installed on the server or if a workstation isn't joined to a domain). The RID, or relative identifier, is another 32-bit number that is the unique part of the SID and identifies a distinct principal within that domain. The domain controller with the RID master role hands out blocks of 500 unique RIDs to the other domain controllers in the domain, so that when they create security principals, the SIDs they assign are guaranteed to be unique. Much as DHCP ensures that no two workstations have the same IP address, distributing pools of RIDs in this way ensures that no two domain controllers have the same groups of RIDs to assign. The flip side is that a domain controller that has exhausted its block and cannot reach the RID master can no longer create users, groups, or computers, so a long-unavailable RID master shows up as failed account creations rather than as an obvious outage. To move the RID master role to another domain controller in a domain, follow these steps:
1. Open Active Directory Users and Computers.
2. In the left pane, right-click the domain name, and then select Operations Masters.
3. Click the RID tab, and note the name of the RID master. This is shown in Figure 5-31.
Figure 5-31. Identifying the RID pool master
4. Click Change to move the role to the domain controller the console is currently connected to (use Change Domain Controller first if you want a different target).
5.3.4. PDC Emulator
The PDC emulator operations master role serves a very important function for mixed Windows NT Server, Windows 2000 Server, Windows Server 2003, and Windows Server 2008 domains. As I mentioned at the beginning of this section, NT domain controllers, whether primary or backup, don't support multimaster replication, so if your PDC has been upgraded to Windows 2000 or Windows Server 2003, there is obviously no computer from which your BDCs can get updates, or at least none they can understand. Those of you familiar with Microsoft's older networking protocols know that the Master Browser service, the utility that populates Network Neighborhood and My Network Places on workstations and servers, typically runs on the PDC in an NT domain. System policies for Windows 95 are stored on the PDC, not on any BDCs. And trusts between NT domains and AD DS domains require a PDC, or a PDC emulator, because NT thinks only one computer has the read/write copy of the SAM database. The PDC emulator runs on one domain controller in a domain to perform these functions.
It also helps speed up propagation and replication of changes to two specific attributes of a user object in AD DS: the password and the account lockout attribute. Think about large organizations, and the time it can take for changes made at one domain controller to filter out. (I'll cover replication in a lot more detail in the next section, but know for now that replication can involve a considerable amount of time if you have many domain controllers handling AD DS responsibilities in your environment.) If a user called to reset a password and the help desk personnel responding to that call were in another site, the password change would take effect first on the domain controller local to the help desk personnel, not necessarily local to the person whose password was being changed. Do you really want to wait the hours it might take for that change to take effect? Of course not, so the domain controller for the help desk personnel immediately contacts the domain controller holding the PDC emulator role for the domain and sends it the updated password, thus avoiding replication delays. So, although the local domain controller for the user might not have the new password, when a logon with the new password fails locally, the local domain controller forwards the attempt to the PDC emulator to check whether the password matches there. If it does, the user gets a green light to log in. (Of course, password changes aren't actually immediate; there is still lag time.) This policy stretches to one other attribute as well. If you use account lockouts, where an account becomes temporarily disabled after a password is entered incorrectly x number of times, it wouldn't do a lot of good for only the password to be passed quickly to the PDC emulator: the user would have the right password, but the lockout would still be in force on whichever domain controller recorded it. Bad-password attempts and lockouts are therefore also forwarded to the PDC emulator, which gives it the authoritative view of whether an account is locked out and makes it the place where an unlock takes effect first, so users aren't sitting, twiddling their thumbs without access to their domain user accounts while the domain controllers wait for replicated changes to arrive. Finally, the PDC emulator is the authoritative time source for the domain, which matters for Kerberos, as we'll see. Ideally, the PDC emulator role should be on the same domain controller as the RID master role.
To move the PDC emulator role, use Active Directory Users and Computers, as follows:
1. Open Active Directory Users and Computers.
2. In the left pane, right-click the domain name, and then select Change Domain Controller.
3. Enter the name of the domain controller to which you want to move the role.
4. Then, right-click the domain name in the left pane again, and select Operations Masters from the context menu.
5. Click the PDC tab, and note the name of the PDC emulator master. This is shown in Figure 5-32.
6. Click Change to move the role.
Figure 5-32. Identifying the PDC emulation master
5.3.5. Infrastructure Master
The infrastructure master also helps to speed up propagation and replication of certain pieces of information among domain controllers: it updates the references its domain holds to objects in other domains (for example, the membership of a domain local group that contains users from another domain) when those objects are renamed or moved. It does this by comparing its own copy of those references with a global catalog, which is why the infrastructure master role is designed not to be on a domain controller functioning as a GC server: a GC already holds the current data, never notices that its references are stale, and so never updates them for the rest of the domain. The exception is when every domain controller in your domain is a GC server as well, or when you have only one domain, in which case the placement doesn't matter. To find out and change which domain controller holds the infrastructure master role, use the Active Directory Users and Computers tool. As before, if you have only one domain controller in your domain, that is obviously the infrastructure master. In larger domains, to identify and/or change this machine, follow these steps:
1. Open Active Directory Users and Computers.
2. In the left pane, right-click the domain name, and then select Change Domain Controller.
3. Enter the name of the domain controller to which you want to move the role.
4. Then, right-click the domain name in the left pane again, and select Operations Masters from the context menu.
5. Click the Infrastructure tab, and note the name of the infrastructure master. This is shown in Figure 5-33.
6. Click Change to move the role to the domain controller of focus.
Figure 5-33. Changing the infrastructure master
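The procedures in 5.3.1 through 5.3.5 identify each role holder through a different console. The following PowerShell is an added example and not the book's own code: it reads all five holders in one pass from the fSMORoleOwner attribute of each role's anchor object in the directory and then applies the placement rules stated above (infrastructure master not on a GC unless every domain controller is one, PDC emulator and RID master together), and it flags a role whose recorded holder no longer corresponds to a live NTDS Settings object, the tell-tale of a domain controller that was removed without transferring its roles. The forest root hasselltech.local and the domain controller names are assumptions; the records at the end are constructed so the placement check runs without a domain controller.

```powershell
# Added example, not from the book: enumerate operations master holders from
# the directory and check their placement. Only ADSI is needed. The forest
# root hasselltech.local, DC1 and DC2 are assumptions made for the example.

function Get-FsmoRoleHolders {
    # Role name -> DN of the holder's NTDS Settings object, read from the
    # fSMORoleOwner attribute of the object that anchors each role.
    $root     = [ADSI]'LDAP://RootDSE'
    $domainNC = [string]$root.defaultNamingContext
    $configNC = [string]$root.configurationNamingContext
    $schemaNC = [string]$root.schemaNamingContext
    $anchors  = @{
        'Schema'         = "LDAP://$schemaNC"
        'Domain naming'  = "LDAP://CN=Partitions,$configNC"
        'RID'            = "LDAP://CN=RID Manager`$,CN=System,$domainNC"
        'PDC emulator'   = "LDAP://$domainNC"
        'Infrastructure' = "LDAP://CN=Infrastructure,$domainNC"
    }
    $holders = @{}
    foreach ($role in $anchors.Keys) {
        $holders[$role] = [string]([ADSI]$anchors[$role]).fSMORoleOwner
    }
    return $holders
}

function Get-NtdsSettings {
    # Every NTDS Settings (nTDSDSA) object in the forest; bit 0 of its
    # 'options' attribute marks the domain controller as a global catalog.
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher.Filter     = '(objectClass=nTDSDSA)'
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'options'))
    foreach ($r in $searcher.FindAll()) {
        $opt = 0
        if ($r.Properties['options'].Count -gt 0) { $opt = [int]$r.Properties['options'][0] }
        New-Object PSObject -Property @{
            DN   = [string]$r.Properties['distinguishedname'][0]
            IsGC = (($opt -band 1) -eq 1)
        }
    }
}

function Test-FsmoPlacement {
    # Pure check over holders and NTDS Settings records; returns warning strings.
    param([hashtable]$Holders, [array]$Settings, [switch]$SingleDomain)
    $gcs      = @($Settings | Where-Object { $_.IsGC } | ForEach-Object { $_.DN })
    $warnings = @()
    $infra    = $Holders['Infrastructure']
    if (-not $SingleDomain -and ($gcs -contains $infra) -and ($gcs.Count -lt $Settings.Count)) {
        $warnings += "Infrastructure master ($infra) is a GC while other DCs are not; cross-domain references will not be updated."
    }
    if ($Holders['PDC emulator'] -ne $Holders['RID']) {
        $warnings += 'PDC emulator and RID master are on different DCs; the recommendation is to keep them together.'
    }
    foreach ($role in $Holders.Keys) {
        $dn = $Holders[$role]
        if (-not ($Settings | Where-Object { $_.DN -eq $dn })) {
            $warnings += "$role master is recorded as $dn, which is not a live NTDS Settings object; the role may need to be seized."
        }
    }
    return $warnings
}

# Constructed sample: DC1 is a GC and holds PDC emulator + infrastructure,
# DC2 is not a GC and holds the other three roles.
$site = 'CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hasselltech,DC=local'
$dc1  = "CN=NTDS Settings,CN=DC1,$site"
$dc2  = "CN=NTDS Settings,CN=DC2,$site"
$sampleSettings = @(
    (New-Object PSObject -Property @{ DN = $dc1; IsGC = $true }),
    (New-Object PSObject -Property @{ DN = $dc2; IsGC = $false })
)
$sampleHolders = @{ 'Schema' = $dc2; 'Domain naming' = $dc2; 'RID' = $dc2; 'PDC emulator' = $dc1; 'Infrastructure' = $dc1 }
Test-FsmoPlacement -Holders $sampleHolders -Settings $sampleSettings

# Live use (needs a DC): Test-FsmoPlacement -Holders (Get-FsmoRoleHolders) -Settings @(Get-NtdsSettings)
```

On the constructed data the check produces two warnings, one for each placement rule the sample breaks. For a quick cross-check of the holders from a command prompt, netdom query fsmo prints the same five names.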
5.3.6. Transferring and Seizing Roles Manually
Sometimes you might need to change the operations master roles that domain controllers are playing without necessarily using the graphical interface. It might be that you inadvertently unplugged and reformatted the first domain controller in your domain too early, without transferring its roles elsewhere. Or maybe your specific server is temporarily offline but you really need a role transferred as soon as possible.
If the domain controller holding the PDC emulator or infrastructure master role is offline, you can still use the GUI procedures described earlier, but be aware that what happens then is a seizure rather than a transfer: you'll need to confirm the forced transfer a couple of times before it goes through, but eventually it will succeed.
Windows Server 2008 comes with the NTDSUtil tool, a command-line utility that allows you to perform AD DS maintenance that goes above and beyond what the GUI tools allow. In this case, you might need to transfer the schema master, domain naming master, or RID master roles, or you might need to force that transfer if the original holder of those roles is unavailable. (NTDSUtil can transfer and seize the PDC emulator and infrastructure master roles as well.) To transfer a role using NTDSUtil, open an elevated command prompt and run NTDSUTIL. Then follow these steps:
1. Enter roles to switch into FSMO Maintenance mode.
2. Enter connections to enter the Server Connections context.
3. Enter connect to server <servername>, where <servername> is the domain controller to which you want to transfer the role.
4. Enter quit to leave the Server Connections context.
5. Enter transfer schema master, transfer naming master (the Windows Server 2003 version of the tool calls this transfer domain naming master), or transfer rid master, whichever is appropriate, to transfer the role you want. NTDSUtil will attempt to contact the current holder of that operations master role. If it can, and that machine approves the transfer, your operation is complete. However, if for some reason the utility can't contact that computer, error messages will result.
If you get error messages when you're simply attempting a transfer, you can force the role transfer by using the SEIZE command. After step 4 in the previous procedure, do the following:
1. Enter seize schema master, seize naming master, or seize rid master to force the transfer of the role to the target computer. NTDSUtil first tries a normal transfer and seizes only if that fails.
2. Type quit to leave NTDSUtil once the seizure is complete.
Once you have seized a role, never let the previous holder of that role back onto the network unless you've reformatted the machine. I repeat: never, ever do this. The previous holder doesn't know the roles were transferred and is not able to figure it out for itself, so two domain controllers would each believe they own the role; for the RID master that means two machines handing out the same RID blocks, and therefore duplicate SIDs. Picture a bitter custody battle.
5.4. Understanding Directory Replication
At its foundation, the replication process is simply an effort to keep the copy of the AD DS database identical on all domain controllers for a particular domain. For example, if an administrator removes a user from a group, the change is made on the domain controller that the administrator's console is currently connected to. For those few seconds after the change, that domain controller alone has the most current copy of the database. Eventually, though, after replication takes place, all domain controllers will have exact replicas of the database, including the change in group membership.
5.4.1. Within a Site: Loops and Meshes
AD DS replicates information between domain controllers using different methods, depending on the topology of your network, in particular, how many sites you have configured within AD DS. In a single-site situation, all domain controllers in a domain will discover one another through published records in both AD DS and the DNS system for the domain. But to cut down on network traffic, not every domain controller needs to actually replicate with every other domain controller. AD DS uses a "loop" (ring) method. Take, for instance, four domain controllers, A, B, C, and D, as shown in Figure 5-34.
Figure 5-34. Single site with four domain controllers
In this example, AD DS replicates around the ring in both directions. Let's assume that a change was made on domain controller A. A will notify B and C that it has new information, and each of B and C will then pull that information from A; replication is always pull-based, and the partner that holds the change only ever sends a notification. Once the information is received, both B and C will attempt to notify D about their new information. D will request the new information from the first domain controller that reaches it; there isn't a good way to determine whether that would be server B or C in our case. When the second notification arrives, server D will simply respond, acknowledging that it already has that information, and that will be the end of the transmissions, because all domain controllers now have the most up-to-date information. In contrast, consider replicating around the ring in only one direction. In that case, A would tell B, B would tell C, C would tell D, and D would then tell A again. That doesn't happen. In the actual case, news spreads more quickly and network traffic is reduced, making the entire process more efficient. The notification is triggered shortly after a change is written: in a forest at the Windows 2000 functional level a domain controller waits five minutes before notifying its first partner, whereas at the Windows Server 2003 or Windows Server 2008 forest functional level the delay is 15 seconds. If there is no new information, the domain controllers won't transmit anything; however, if 60 minutes pass without any new information, each domain controller will replicate with its partners anyway according to the default intra-site schedule, making sure there's no new information it has missed.
In simple networks, you usually find that each domain controller has two replication partners. However, in more complex environments, domain controllers can have more than two partners. To see a domain controller's replication partners, open Active Directory Sites and Services, expand the site in question in the left pane, and expand each domain controller's node. Click NTDS Settings in the left pane, and in the right pane, note the servers listed in the From Server column of the connection objects.
You might wonder how this loop is designed. The Knowledge Consistency Checker, or KCC, wakes up every 15 minutes and tries to detect changes in its idea of how many domain controllers there are and where they're located. The KCC will look at any changes that have occurred; you might have taken a domain controller offline for maintenance, for example, or added a new domain controller to spread the load. Then it adjusts the loop for best performance. In larger sites, the KCC might find it necessary to add more than two replication partners for each domain controller, or it might do so for traffic control purposes. In still larger sites, even those with only two replication partners per domain controller, it can take more than three hops to transmit replication information completely. The KCC looks for this situation and, if it detects it, simply adds more links between domain controllers so that no domain controller is more than three hops from any other, changing the simple "loop" structure into more of a "mesh" structure.
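Active Directory Sites and Services shows who the partners are, but not whether replication between them is actually succeeding. The following PowerShell is an added example and not the book's own code: it parses the CSV that repadmin /showrepl * /csv emits for every domain controller and flags inbound partners that have recorded failures or have not succeeded within a threshold, which for intra-site partners on the hourly schedule described above means something is wrong. The column names are the ones repadmin writes; the three-hour threshold is a choice made for the example, and the CSV at the end is constructed so the parser can be run without a domain controller.

```powershell
# Added example, not from the book: parse 'repadmin /showrepl * /csv' and flag
# partners that are failing or stale. Collection and parsing are separate so
# the parser runs on the constructed sample below. The stale threshold of
# three hours is a choice for this example, not a Windows default.

function ConvertFrom-RepadminShowrepl {
    param([string]$CsvText, [int]$StaleHours = 3, [datetime]$Now = (Get-Date))
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $failures = [int]$row.'Number of Failures'
        $lastOk   = $null
        $stale    = $true                      # never having succeeded counts as stale
        if ($row.'Last Success Time' -and $row.'Last Success Time' -ne '0') {
            $lastOk = [datetime]::Parse($row.'Last Success Time')
            $stale  = ($Now - $lastOk).TotalHours -gt $StaleHours
        }
        New-Object PSObject -Property @{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = $failures
            LastSuccess   = $lastOk
            LastStatus    = [int]$row.'Last Failure Status'   # Win32 error; 1722 = RPC server unavailable
            Problem       = ($failures -gt 0) -or $stale
        }
    }
}

function Get-ReplicationProblems {
    # Live: inbound replication status of every DC in the forest ('*').
    param([int]$StaleHours = 3)
    $csv = (& repadmin.exe /showrepl * /csv) -join "`n"
    ConvertFrom-RepadminShowrepl -CsvText $csv -StaleHours $StaleHours | Where-Object { $_.Problem }
}

# Constructed sample: DC1 pulls cleanly from DC2 but has failed 12 times from
# DC3 in the Charlotte site and last succeeded about 13 hours ago.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=hasselltech,DC=local",Default-First-Site-Name,DC2,RPC,0,0,2008-03-15 10:42:17,0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=hasselltech,DC=local",Charlotte,DC3,RPC,12,2008-03-15 09:10:05,2008-03-14 22:01:40,1722
'@
ConvertFrom-RepadminShowrepl -CsvText $sampleCsv -Now (Get-Date '2008-03-15 11:00:00') |
    Where-Object { $_.Problem } |
    Format-Table Destination, Source, Failures, LastSuccess, LastStatus -AutoSize
```

Only the DC3 row is reported for the sample. Run from a scheduled task, Get-ReplicationProblems turns a silent replication failure, the kind that leaves a password reset or a group removal unapplied on some domain controllers, into something that gets noticed the same day rather than weeks later.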
5 .4 .2 . Tim e Syn ch r on iza t ion For replicat ion t o funct ion properly, it is crucial for all dom ain cont rollers in a dom ain and/ or forest t o be in sync in t erm s of t he current t im e. The reason point s t o Kerberos, t he underlying aut hent icat ion schem e for t he ent ire AD DS: if any dom ain cont roller is m ore t han five m inut es out of synchronizat ion, aut hent icat ion will fail. The Windows Tim e Service is t he t ool Microsoft provides t o consist ent ly keep your ent ire dom ain or forest at t he sam e m om ent in t im e. Windows Tim e Service offers a hierarchy for m em bers of AD DS dom ains and forest s, wit h t he m achine holding t he PDC em ulat or operat ions m ast er role as t he " big kahuna" of sort s, holding t he t rust ed t im e. The t rust ed t im e at t he very t op level does not need t o be synchronized from anywhere—synchronizat ion m at t ers only wit hin t he dom ain, as all m em bers m ust t hink it is t he sam e t im e, regardless of whet her t hat t im e is t he act ual t im e. I n ot her words, everyone has t o be t he sam e, but it doesn't m at t er if everyone is wrong. From t he bot t om up, t he rest of t he hierarchy looks som et hing like t his:
Workst at ions and servers t hat are not dom ain cont rollers will synchronize t heir t im e wit h t he dom ain cont roller t hat logged t hem in.
Dom ain cont rollers will cont act t he dom ain cont roller for t heir dom ain wit h t he PDC em ulat or operat ions m ast er role for t he current t im e.
Each dom ain in a forest wit h m ult iple dom ains will look t o t he PDC em ulat or operat ions m ast er- holding dom ain cont roller in t he forest root —t he first dom ain in t he forest —t o keep t he ot her PDC em ulat or dom ain cont rollers in ot her dom ains in check.
You can configure the time source of the PDC emulator from the command line. First, though, you must choose a time source. Microsoft operates the public host time.windows.com, which is as good a choice as any; an NTP server on your own network or one from your provider works just as well. Once you have selected a time source, run the following from a command prompt on the PDC emulator domain controller:
w32tm /config /manualpeerlist:"<timeserver>,0x8" /syncfromflags:manual /reliable:yes /update
Replace <timeserver> with the full DNS name of the time source you have selected. The 0x8 flag tells W32Time to talk to the peer in client mode, and /reliable:yes advertises this domain controller as a good time source to the rest of the domain. For example, if I were using time.windows.com as my time source, I'd run:
w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
(The older net time /setsntp:time.windows.com form still works on Windows Server 2008, but it is deprecated in favor of w32tm.)
Once you have set the time source, the PDC emulator will attempt to synchronize with it. After the first successful synchronization, W32Time backs off its polling as the clock proves stable; the intervals are governed by the service's MinPollInterval and MaxPollInterval settings (or by SpecialPollInterval if you configured the peer with the 0x1 flag), not by a fixed schedule. If you want to trigger synchronization manually, run:
w32tm /resync
To see which source a machine is actually using and how far off its clock is, run w32tm /query /source and w32tm /query /status; to compare a machine's clock against another server's, run w32tm /stripchart /computer:<servername> /samples:5.
The Windows Time Service uses NTP over UDP port 123. Your firewall must allow the PDC emulator outbound UDP 123 to its external source, and every domain controller must accept inbound UDP 123 from the domain members that synchronize with it.
Time zones also play a role. Windows keeps its internal clock in Coordinated Universal Time (UTC), and although each server can be set to a different time zone depending on its physical location or the location of the administrator who manages it, everything Kerberos and AD DS compare is UTC. The trap is a server whose time zone is wrong but whose displayed clock has been "corrected" by hand: the wall clock looks right to the naked eye, but the UTC time underneath is off by the zone difference, and authentication against that server fails. Make sure the time zone is set correctly on all your servers and let W32Time manage the clock; the objective is for the internal UTC clocks to agree.
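The following PowerShell is an added example, not code from the book: it wraps the w32tm commands above so you can set the PDC emulator's peer and then check every domain controller's offset against the five-minute Kerberos tolerance. Two things are assumptions: time.windows.com stands in for whatever source you chose, and the "HH:mm:ss, +00.0000000s" line format is what w32tm /stripchart /dataonly prints on Windows Server 2008. The sample output at the bottom is constructed, not captured from a real server.

```powershell
# Added example (not from the book). Assumes w32tm is on the path and that
# "w32tm /stripchart /dataonly" emits lines such as "12:24:30, +00.0021304s".

$KerberosMaxSkewSeconds = 300   # Kerberos default MaxClockSkew is 5 minutes

function Set-PdcTimeSource {
    param([Parameter(Mandatory)][string]$Peer)
    # 0x8 = client mode; /reliable:yes advertises this DC as a good source for the domain.
    & w32tm /config "/manualpeerlist:$Peer,0x8" /syncfromflags:manual /reliable:yes /update
    & w32tm /resync
}

function Get-ClockOffsetSeconds {
    # Pull the signed offsets out of stripchart output; header lines do not match and are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-])(\d+)\.(\d+)s$') {
            $sign = if ($Matches[1] -eq '-') { -1 } else { 1 }
            [double]("$($Matches[2]).$($Matches[3])") * $sign
        }
    }
}

function Test-DomainControllerSkew {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$StripchartOutput        # supply captured text to test offline; omit to query live
    )
    if (-not $StripchartOutput) {
        $StripchartOutput = & w32tm /stripchart "/computer:$ComputerName" /dataonly /samples:3
    }
    $offsets = @(Get-ClockOffsetSeconds -Lines $StripchartOutput)
    $worst   = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        ComputerName     = $ComputerName
        WorstOffsetSec   = $worst
        KerberosWillFail = ($worst -gt $KerberosMaxSkewSeconds)
    }
}

# Constructed sample output: SERVER1 is fine, SERVER2 is six minutes fast.
$sampleGood = @('Tracking SERVER1 [10.0.0.1:123].', '12:24:30, +00.0021304s', '12:24:32, -00.0018800s')
$sampleBad  = @('Tracking SERVER2 [10.0.0.2:123].', '12:24:30, +360.1200000s', '12:24:32, +360.1150000s')
Test-DomainControllerSkew -ComputerName SERVER1 -StripchartOutput $sampleGood
Test-DomainControllerSkew -ComputerName SERVER2 -StripchartOutput $sampleBad

# Live use, run as an administrator on the PDC emulator:
#   Set-PdcTimeSource -Peer 'time.windows.com'
#   Test-DomainControllerSkew -ComputerName SERVER2
```

Run the check from the PDC emulator against each DC in turn; any result with KerberosWillFail set to True is a machine whose users will start seeing logon failures, even if its displayed clock looks right.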
5.4.3. Replication Topologies

Loops and meshes are just two examples of what Microsoft terms replication topologies: essentially, maps of the ways domain controllers replicate to one another. To complicate matters, there is almost always more than one replication topology in existence at any time within a forest. Let's take a closer look. Four kinds of data need to be replicated among domain controllers:
Updates that stay within a particular domain (the domain naming context): username and password changes, group memberships, and other account information
Updates to the schema naming context and configuration naming context, which are shared by every domain in the forest, as you saw earlier in this chapter
Updates to the global catalog (GC), the partial, read-only copy of every domain's objects that replicates only to the domain controllers that function as GC servers
Updates to the DNS application partitions (DomainDnsZones and ForestDnsZones) and to any custom application partitions, each of which replicates only to the domain controllers configured to hold it
With many domain controllers in a forest, you can see where a single replication topology might either not suffice or not be the most efficient way to move information between these subsets of domain controllers. Figure 5-35 shows this scenario graphically.
Figure 5-35. Looking at all replication topologies in a forest
The Active Directory Sites and Services console again comes to your aid if you want to piece together all these replication topologies for your environment. Open the console, expand the site in question in the left pane, expand its Servers folder, and expand each domain controller's node. Click NTDS Settings in the left pane and, in the right pane, double-click each <automatically generated> connection object. If <Enterprise Configuration> appears in the field at the bottom of the dialog that lists the replicated naming contexts, that connection carries the schema and configuration naming contexts. If a server name appears in the Partially Replicated Naming Context(s) field, your server is a GC server and is receiving partial-replica updates from the GC server listed. It is perfectly acceptable for that field to be empty on servers that are not GCs.
5.4.4. Handling Update Conflicts

Replication is great in and of itself, but it has one major, inherent problem: each domain controller uses its own copy of the database and, no matter how often each copy is updated, for a few moments each copy is unaware of actions taken on the other copies around the network. How might this manifest itself as a problem? Consider a large organization with offices in Sydney, Boston, and Los Angeles. An employee, Robert Smith, is being transferred from the L.A. office to Sydney because of a personnel reorganization. The company uses groups within AD DS, SYDUSERS and LAUSERS, for distribution lists and for security boundary assignments.
On Robert's last day in the L.A. office, his manager changes Robert's group membership, moving him from LAUSERS to SYDUSERS in anticipation of his transfer. The Los Angeles domain controller records the change roughly like this:
Object: LAUSERS    Change: Remove RSMITH    Version: 1    Timestamp: 30 June 2004 5:30:01 PM GMT
Object: SYDUSERS   Change: Add RSMITH       Version: 1    Timestamp: 30 June 2004 5:30:02 PM GMT
Look closely at these records. They denote changes to attributes of objects (here, the member list is an attribute of a particular group object), not changes to the entire object. This matters for network traffic: if the LAUSERS group comprised 2,000 members, it is far better to transmit only the removal of RSMITH than the entire membership list. (Forests at the Windows Server 2003 functional level or higher use linked-value replication, which versions each member value separately; in Windows 2000 mode the whole member list replicated as one value, which is the origin of the old 5,000-member group limit.) Also note the version numbers. This simple counter is stamped on an attribute whenever a domain controller updates it: each time a particular attribute is changed, its version number is incremented by 1, so one object carries many version numbers, one per attribute. With that background out of the way, let's return to our fictional situation. Perhaps there was a miscommunication between Robert's old manager in Los Angeles and his new manager in Sydney, and each thought she was supposed to make the group membership change in AD DS. So, at almost exactly the same time (we'll ignore time zone differences for the purposes of this demonstration), Robert's new manager makes the same change, which is recorded on the Sydney domain controller as follows:
Object: LAUSERS    Change: Remove RSMITH    Version: 1    Timestamp: 30 June 2004 5:32:08 PM GMT
Object: SYDUSERS   Change: Add RSMITH       Version: 1    Timestamp: 30 June 2004 5:32:10 PM GMT
There are two things to note about this record. One is the closeness of the timestamps, which indicate that the L.A. and Sydney domain controllers had not yet replicated with each other. The other is that the version number in each record has not been incremented beyond 1. The reason is simple: a domain controller increments the version number based on the version it currently holds. Because L.A. and Sydney had not exchanged changes yet, the Sydney domain controller did not know that a similar change had already been processed in L.A., so it had no reason to move the version number from 1 to 2. This might seem harmless because the net effect is the same: on both domain controllers, RSMITH is a member of the new group and not of the old one. But there are two distinct changes. Which one does AD DS accept? More specifically, when both the L.A. and Sydney domain controllers replicate to their common partner, the Boston domain controller, which change will Boston keep? When writes to the same attribute compete, the tie is broken in this order:
First, the attribute change with the highest version number wins.
If the version numbers are the same, the change with the most recent originating timestamp wins.
If the timestamps are also identical, the change from the domain controller with the higher originating invocation ID (the GUID that identifies the writer's database) wins, so the outcome is always deterministic.
In our case, the change made on the Sydney domain controller is the one formally accepted in AD DS; the L.A. manager's modification, although identical in intent, is discarded because it was made at 5:30 p.m. rather than 5:32 p.m. "Discarded" means the value carrying the losing metadata is overwritten. Here both values are the same, so nothing visible changes, but had the two managers made different changes, the earlier one would have silently disappeared.
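As an added example (not from the book), the three-step tie-break above in PowerShell, run over constructed replication metadata for the SYDUSERS member attribute. The invocation IDs are made up for the illustration, and .NET GUID ordering is used as a stand-in for the binary comparison AD DS performs.

```powershell
# Added example (not from the book): how AD DS picks a winner between two writes to the
# same attribute. Records are constructed; the invocation IDs below are invented.

function Resolve-AttributeConflict {
    # Each record carries the metadata AD DS stores per attribute: Version, OriginatingTime
    # and OriginatingDsa (the writer's invocation ID). Winner: highest Version; if tied,
    # latest OriginatingTime; if still tied, highest OriginatingDsa.
    param([Parameter(Mandatory)][object[]]$Records)
    $Records |
        Sort-Object -Property @{ Expression = 'Version';         Descending = $true },
                              @{ Expression = 'OriginatingTime'; Descending = $true },
                              @{ Expression = { [guid]$_.OriginatingDsa }; Descending = $true } |
        Select-Object -First 1
}

$member = 'CN=RSMITH,OU=Users,DC=jonathanhassell,DC=com'   # constructed DN

$laWrite = [pscustomobject]@{
    Dc = 'LA-DC'; Object = 'SYDUSERS'; Attribute = 'member'; Value = $member
    Version = 1; OriginatingTime = [datetime]'2004-06-30T17:30:02'
    OriginatingDsa = '1a2b3c4d-0000-4000-8000-000000000001'
}
$sydWrite = [pscustomobject]@{
    Dc = 'SYD-DC'; Object = 'SYDUSERS'; Attribute = 'member'; Value = $member
    Version = 1; OriginatingTime = [datetime]'2004-06-30T17:32:10'
    OriginatingDsa = '1a2b3c4d-0000-4000-8000-000000000002'
}

# Case 1 (the book's scenario): same version, Sydney's write is later, so Sydney wins.
(Resolve-AttributeConflict -Records @($laWrite, $sydWrite)).Dc          # SYD-DC

# Case 2: L.A. had already changed the attribute once before, so its version is higher
# and it wins even though Sydney's write is more recent.
$laWrite2 = $laWrite.PSObject.Copy(); $laWrite2.Version = 2
(Resolve-AttributeConflict -Records @($laWrite2, $sydWrite)).Dc         # LA-DC

# Case 3: identical version and timestamp; only the invocation ID separates them.
$sydWrite3 = $sydWrite.PSObject.Copy(); $sydWrite3.OriginatingTime = $laWrite.OriginatingTime
(Resolve-AttributeConflict -Records @($laWrite, $sydWrite3)).Dc         # SYD-DC (higher GUID)
```

To see the real metadata behind a conflict, run repadmin /showobjmeta LA-DC "CN=SYDUSERS,OU=Groups,DC=jonathanhassell,DC=com" on each domain controller: the Ver, Org.Time/Date and Originating DSA columns are exactly the three fields the function compares.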
5.4.5. Update Sequence Numbers

Version numbers have siblings, called update sequence numbers (USNs), which count every change to every attribute of every object on a given domain controller. Whenever any change is written to its copy of AD DS, a domain controller increments its current USN by 1 and stamps the change with it. For example, if you have a pristine domain controller and you add a user with an initial password (update 1), change his password (update 2), add another user (update 3), create a new group (update 4), and put the first user in that group (update 5), that domain controller has recorded five updates. Version numbers coexist with USNs; Table 5-2 shows how the two interact in the preceding example. (The table assumes a domain with a single domain controller; it gets a bit more complicated when you add more, and I'll discuss that later in this section.)
Table 5-2. Examining version numbers and USNs in AD DS

Action            | Attribute version number                                                   | Update sequence number (USN)
Create New User   | All attributes are 1 because the operation is seen as one cohesive change. | 0
Change Password   | Password attribute for that user is 2.                                     | 1
Create New User   | All attributes are 1.                                                      | 2
Create New Group  | All attributes are 1.                                                      | 3
Add User to Group | Group membership attribute is 2.                                           | 4
From this table, you can glean that version numbers are incremented only when attributes change. We changed the password for our first user, so the version number for that attribute became 2, and we added that user to our newly created group, so the version number of the attribute holding the group's member list rose to 2. All the while, the USN kept climbing, because USNs count every individual change. Our USNs ran from 0 to 4 because (a) in this example USNs start at 0, not 1 (a real domain controller starts its counter much higher, but the principle is the same), and (b) five individual changes were made. Earlier I said this scenario involved a single domain controller. Let's change that now: if we add a second domain controller to this domain, the two will replicate with each other. Assume that as soon as it is added, the new domain controller receives our two accounts and one group. The version numbers and USNs as seen on the new domain controller are shown in Table 5-3.
Table 5-3. Examining version numbers and USNs with two domain controllers

Object | Attribute version number                                                   | Update sequence number (USN)
User 1 | All attributes are 1 except for the Password attribute, which is 2.        | 0
User 2 | All attributes are 1.                                                      | 1
Group  | All attributes are 1 except for the membership list attribute, which is 2. | 2
We learn two things from this table:
Version numbers of attributes are retained across replication, so no matter which domain controller you query, the version numbers for a given attribute are the same. This is critical to the functioning of replication in AD DS, and to the conflict resolution described earlier.
USNs are local to each domain controller. In our first example there were five changes because we added and changed things one at a time on the first domain controller. Because the second domain controller was brand new, it created the user accounts and the group from the already up-to-date information on the first domain controller, so it needed to record only three changes (the creation of each account and the creation of the group).
USNs act as watermarks showing how current each domain controller's copy of the directory is, and they tell a domain controller's replication partners exactly how much updating is needed. Each domain controller reports to its partners the USNs it has assigned to each piece of data, and each partner records the highest USN it has received from that source (its high-watermark for that partner). A partner therefore knows that the last piece of data it received from, say, domain controller X carried USN 6093, and on the next replication cycle it asks X for everything with a USN of 6094 or higher; there is no need to resend USNs 1 through 6093, which it already holds. If X's highest USN has not changed since the last cycle, the partner concludes there is nothing new and waits for the next one. (This example uses a five-minute interval; in forests at the Windows Server 2003 functional level or higher, intra-site partners are notified of a change about 15 seconds after it is written and still poll one another hourly as a fallback.) If instead X reports that its highest USN is now 7000, the partner knows it needs the changes with USNs 6094 through 7000, pulls them, and records that X's highest USN is now 7000, so everyone is secure in the knowledge that they hold the most current directory possible until the next cycle. So let's return to our example and see where we are with version numbers and USNs; Table 5-4 sums that up.
Table 5-4. USNs and version numbers

Domain controller | Object | Attribute version numbers                                                  | Highest USN
1                 | User 1 | All attributes are 1 except for the Password attribute, which is 2.        | 4
1                 | User 2 | All attributes are 1.                                                      |
1                 | Group  | All attributes are 1 except for the membership list attribute, which is 2. |
2                 | User 1 | All attributes are 1 except for the Password attribute, which is 2.        | 2
2                 | User 2 | All attributes are 1.                                                      |
2                 | Group  | All attributes are 1 except for the membership list attribute, which is 2. |
Now consider this scenario: an administrator connected to domain controller 1 changes the password for User 2. That change is assigned USN 5 because it is the sixth change that domain controller has seen. At the next replication cycle, domain controller 2 asks domain controller 1 for its highest USN and is told 5. Because domain controller 2 last recorded domain controller 1's highest USN as 4, it knows it has missed a change and asks for it. The new password comes across, and domain controller 2 writes it to its own database as USN 3 (it is a new write on that machine, after all). Domain controller 2 then notes domain controller 1's new highest USN, is up to date, and everyone is happy. They are happy, that is, until a few minutes later, when domain controller 1 asks domain controller 2 for its highest USN. Domain controller 2 faithfully replies 3, which is higher than the 2 that domain controller 1 recorded for it (see Table 5-4), so domain controller 1 asks for the change. That change is, of course, the very password update domain controller 1 originally sent. Neither side can tell that from USNs alone, so the change is replicated back, domain controller 1 writes it as USN 6, and its highest USN is once again higher than what domain controller 2 has recorded. At the next cycle the whole process repeats, with this single change bouncing back and forth indefinitely. If replication relied on high-watermarks alone, this is exactly what would happen.
5.4.5.1. Breaking the loop: originating USNs and UTD vectors

Microsoft anticipated this problem and added two other values to the mix, called originating USNs and up-to-date vectors, specifically to prevent it. The originating USN records the domain controller on which a change was first written and the USN that domain controller assigned to it; the pair travels with the change wherever it replicates, while the local USN is assigned afresh on each domain controller. So, when we first introduced the brand-new domain controller into our example domain and a copy of the directory was replicated to it, more information was transmitted than I described earlier. Table 5-5 gives a more detailed picture of the results of that replication than Table 5-4 does, because it includes the originating USNs.
Table 5-5. Examining version numbers, USNs, and originating USNs

Object | Attribute version number                                                   | Update sequence number (USN) | Originating domain controller | Originating domain controller's USN
User 1 | All attributes are 1 except for the Password attribute, which is 2.        | 0                            | Domain controller 1           | All attributes except Password: 0; Password: 1.
User 2 | All attributes are 1.                                                      | 1                            | Domain controller 1           | All attributes: 2.
Group  | All attributes are 1 except for the membership list attribute, which is 2. | 2                            | Domain controller 1           | All attributes except membership list: 3; membership list: 4.
In essence, originating USNs tell every domain controller where a piece of information first came from and which USN the originating domain controller assigned to it. Just as domain controllers keep track of the highest USN they have received from each replication partner (the high-watermark), they also keep track of the highest originating USN they have ever seen from each domain controller in the forest, whether it arrived directly or by way of an intermediate partner. This table of maximum originating USNs is the up-to-date vector. Let's look at this more closely; our situation now is shown in Table 5-6.

Table 5-6. Example USNs, originating USNs, and UTD vectors

Domain controller | Highest USN | Partner's highest USN | Up-to-date vector: self     | Up-to-date vector: partner
1                 | 4           | 2                     | 4 (from domain controller 1) | 2 (from domain controller 2)
2                 | 2           | 4                     | 2 (from domain controller 2) | 4 (from domain controller 1)
I just formulated the up-to-date vectors shown in Table 5-6; all they represent is the latest originating USN each domain controller knows about from each domain controller, itself included. Now revisit the scenario that would have created an infinite loop: an administrator attached to domain controller 1 changes User 2's password. Domain controller 1 assigns the change USN 5 and, because it originated the change itself, raises its own entry in its up-to-date vector from 4 to 5. Replication is initiated once again. Domain controller 2 asks domain controller 1 for anything with a USN higher than 4 (the high-watermark it holds for its partner) and, alongside that request, sends its up-to-date vector: the highest originating USN it has seen is 4 from domain controller 1 and 2 from domain controller 2. Domain controller 1 finds the password change, sees that it originated the change itself with originating USN 5, and compares that against the vector domain controller 2 supplied. Because 5 is higher than the 4 that domain controller 2 has seen from domain controller 1, domain controller 1 knows domain controller 2 has no idea about this change, and passes it along. Domain controller 2 records the change, assigns it local USN 3, notes that its partner's highest USN is now 5, and raises the highest originating USN it has seen from domain controller 1 to 5. Our values after that process are shown in Table 5-7.
Table 5-7. Example USNs, originating USNs, and UTD vectors after example replication

Domain controller | Highest USN | Partner's highest USN | Up-to-date vector: self     | Up-to-date vector: partner
1                 | 5           | 2                     | 5 (from domain controller 1) | 2 (from domain controller 2)
2                 | 3           | 5                     | 3 (from domain controller 2) | 5 (from domain controller 1)
Let's go a bit further. Replication kicks off again, and this time domain controller 1 contacts domain controller 2, asking for anything with a USN higher than 2 (the high-watermark it holds for domain controller 2) and supplying its up-to-date vector: 5 from domain controller 1 and 2 from domain controller 2. Domain controller 2 checks its copy of the directory and finds the change it wrote as USN 3, but it also checks where that change originated: on domain controller 1, with originating USN 5. Since domain controller 1's vector says it already holds everything it originated up to USN 5, domain controller 2 concludes that, although the change was new to it, domain controller 1 clearly already knows about it, and it does not send the change back. It simply tells domain controller 1 that its highest USN is now 3, and domain controller 1 makes a note of that. What does this process accomplish? It ensures that a change travels between two partners only once, in one direction, because each partner can work out who already knows about which changes by comparing originating USNs against up-to-date vectors. This is called propagation dampening, and it also keeps a change from arriving twice at a domain controller whose several partners each received it. So now everyone is happy, really this time, as shown in Table 5-8.
Table 5-8. Final replication results

Domain controller | Highest USN | Partner's highest USN | Up-to-date vector: self     | Up-to-date vector: partner
1                 | 5           | 3                     | 5 (from domain controller 1) | 2 (from domain controller 2)
2                 | 3           | 5                     | 3 (from domain controller 2) | 5 (from domain controller 1)
In summary, domain controllers use the up-to-date vector table and the originating USN data to construct a more specific replication request. Instead of simply asking a partner for any data above the highest USN it knows about, a requester asks for any data above that high-watermark that was also originated at a USN higher than the one recorded for the originating domain controller in the requester's up-to-date vector.
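The two-domain-controller walkthrough in Sections 5.4.5 and 5.4.5.1, as an added PowerShell simulation that is not part of the book. It keeps the book's simplifications (USN counters starting at 0, one partition, a single originating write) and lets you switch the up-to-date vector off to watch the ping-pong loop, then on to watch propagation dampening stop it. Real AD DS keys the vector by invocation ID rather than by server name and does the filtering on the source side, as the code does.

```powershell
# Added example (not from the book): high-watermarks alone vs. high-watermarks plus
# up-to-date vectors. Domain controllers are plain objects; nothing touches a real directory.

function New-Dc {
    param([string]$Name)
    [pscustomobject]@{
        Name          = $Name
        Usn           = 0      # next USN to hand out (the book's example starts at 0)
        Changes       = @()    # every write this DC holds, originating or replicated
        HighWatermark = @{}    # partner name -> highest local USN of that partner we have pulled
        UtdVector     = @{}    # originating DC name -> highest originating USN we hold from it
    }
}

function Write-Attribute {
    # An originating write: stamped with this DC's own USN as both local and originating USN.
    param($Dc, [string]$Object, [string]$Attribute, [string]$Value)
    $Dc.Changes += [pscustomobject]@{
        Object = $Object; Attribute = $Attribute; Value = $Value
        LocalUsn = $Dc.Usn; OriginatingDc = $Dc.Name; OriginatingUsn = $Dc.Usn
    }
    $Dc.UtdVector[$Dc.Name] = $Dc.Usn
    $Dc.Usn++
}

function Sync-Replica {
    # Destination pulls from Source. Returns how many changes actually crossed the wire.
    param($Destination, $Source, [switch]$NoUtdVector)
    $hwm = if ($Destination.HighWatermark.ContainsKey($Source.Name)) { $Destination.HighWatermark[$Source.Name] } else { -1 }
    # Step 1: everything above the high-watermark the destination holds for this source...
    $candidates = $Source.Changes | Where-Object { $_.LocalUsn -gt $hwm }
    # Step 2: ...minus anything whose (originating DC, originating USN) the destination's
    # up-to-date vector says it already has. This is propagation dampening.
    if (-not $NoUtdVector) {
        $candidates = $candidates | Where-Object {
            $known = $Destination.UtdVector[$_.OriginatingDc]
            ($null -eq $known) -or ($_.OriginatingUsn -gt $known)
        }
    }
    $sent = 0
    foreach ($c in @($candidates)) {
        $Destination.Changes += [pscustomobject]@{
            Object = $c.Object; Attribute = $c.Attribute; Value = $c.Value
            LocalUsn = $Destination.Usn; OriginatingDc = $c.OriginatingDc; OriginatingUsn = $c.OriginatingUsn
        }
        $Destination.Usn++
        $prev = $Destination.UtdVector[$c.OriginatingDc]
        if ($null -eq $prev -or $c.OriginatingUsn -gt $prev) { $Destination.UtdVector[$c.OriginatingDc] = $c.OriginatingUsn }
        $sent++
    }
    $Destination.HighWatermark[$Source.Name] = $Source.Usn - 1
    return $sent
}

function Invoke-ReplicationDemo {
    param([switch]$NoUtdVector)
    $dc1 = New-Dc 'DC1'; $dc2 = New-Dc 'DC2'
    Write-Attribute $dc1 'User 2' 'unicodePwd' 'new-secret'     # the administrator's password change
    $rounds = foreach ($i in 1..4) {
        $a = Sync-Replica -Destination $dc2 -Source $dc1 -NoUtdVector:$NoUtdVector
        $b = Sync-Replica -Destination $dc1 -Source $dc2 -NoUtdVector:$NoUtdVector
        "$a/$b"
    }
    $mode = if ($NoUtdVector) { 'high-watermark only' } else { 'with UTD vector   ' }
    "{0}: changes sent per round (DC1->DC2/DC2->DC1): {1}" -f $mode, ($rounds -join ' ')
}

Invoke-ReplicationDemo -NoUtdVector   # 1/1 1/1 1/1 1/1  the one change circulates forever
Invoke-ReplicationDemo                # 1/0 0/0 0/0 0/0  dampening stops it after one hop
```

Add a third domain controller with partners on both sides and the same filter also prevents it from receiving the change twice, which is the case the two-node walkthrough does not show.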
5.4.6. Managing Replication Using REPADMIN

Replication Administrator, or REPADMIN, is a command-line utility that can control and report on many aspects of AD DS replication. On Windows 2000 and Windows Server 2003 it lived in the separately installed Support Tools (the SUPPTOOLS.MSI installer in the \SUPPORT\TOOLS folder of the installation media), which is why you may never have run across it. On Windows Server 2008 it is installed along with the AD DS role, and it is also available on administrative workstations as part of the Remote Server Administration Tools (RSAT).
5.4.6.1. Running the KCC

Recall from earlier in this chapter that the KCC examines the network environment and adjusts the structure of replication partners among domain controllers. It does this by default every 15 minutes, but if you want it to recalculate sooner, you can trigger the KCC manually from the command line by running repadmin /kcc (add a server name to run it on a particular domain controller).
5.4.6.2. Viewing up-to-date vectors

You can view the up-to-date vector held by a particular machine with REPADMIN. From a command prompt, run repadmin /showutdvec servername namingcontext. To fill in the latter part of the command, take the DNS name of your domain, split it on the dots, prefix each part with DC=, and join the parts with commas. For example, for the domain jonathanhassell.com the naming context is DC=jonathanhassell,DC=com, and the REPADMIN command for a machine named SERVER1 would be:
repadmin /showutdvec server1 dc=jonathanhassell,dc=com
A sample result looks like the following:
Caching GUIDs.
..
Default-First-Site-Name\SERVER3 @ USN 8404 @ Time 2004-06-10 12:24:30
Default-First-Site-Name\SERVER2 @ USN 8038 @ Time 2004-06-10 11:12:57
Default-First-Site-Name\SERVER1 @ USN 9374 @ Time 2004-06-10 12:27:23
Each line is one entry in SERVER1's up-to-date vector: the highest originating USN SERVER1 has received from the named domain controller for this naming context, and the time of that change. A stale timestamp next to a domain controller you know is busy is a sign that its changes are not getting through.
5.4.6.3. Viewing replication partners

REPADMIN gives you a way to view replication partners outside of the GUI method discussed earlier in this section. Use repadmin /showrepl servername to do so; the naming context is optional, and without it every partition the server holds is listed. For example:
repadmin /showrepl server1 dc=jonathanhassell,dc=com
5.4.6.4. Viewing highest USNs

By adding the /verbose switch to the same command, you can see what the current server thinks is the highest USN it has received from each partner. For example:
repadmin /showrepl server1 dc=jonathanhassell,dc=com /verbose
For each replication partner, the number before the /OU indicator is the highest USN from that particular partner that the current server has received, that is, its high-watermark for the partner.
5.4.6.5. Pressing the "Big Red Button"

If you want to replicate now, not later, REPADMIN gives you two options. To force replication between two domain controllers, use repadmin /replicate destinationserver sourceserver namingcontext; note the order, destination first. For example, to pull changes from SERVER3 into SERVER2, issue this command:
repadmin /replicate server2 server3 dc=jonathanhassell,dc=com
To initiate replication with all of a server's partners, use repadmin /syncall servername namingcontext. So, if I wanted to force replication among all of SERVER2's partners for the jonathanhassell.com domain, I'd use the following command:
repadmin /syncall server2 dc=jonathanhassell,dc=com
By default /syncall pulls changes into the named server from its partners in the same site; add /e to include partners in other sites, and /P to push the server's own changes out to its partners instead.
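Since REPADMIN output is text, a replication health check usually means parsing it. The following PowerShell is an added example, not from the book: it turns repadmin /showrepl * /csv into objects and flags partners with failures, and it parses the /showutdvec lines shown above to show how far behind each vector entry is. The CSV column names are the ones that switch prints; both sample inputs are constructed rather than captured.

```powershell
# Added example (not from the book). Pass captured text to test offline; omit -CsvLines to run
# repadmin live. Sample data below is constructed; status 1722 is "RPC server is unavailable".

function Get-ReplicationFailure {
    param(
        [string[]]$CsvLines,
        [int]$MaxFailures = 0           # anything above this is reported
    )
    if (-not $CsvLines) { $CsvLines = & repadmin /showrepl * /csv }
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt $MaxFailures } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

function Get-UtdVectorEntry {
    # Parses "Site\DC @ USN n @ Time yyyy-MM-dd HH:mm:ss" lines from repadmin /showutdvec.
    param([Parameter(Mandatory)][string[]]$ShowUtdVecLines)
    $entries = foreach ($line in $ShowUtdVecLines) {
        if ($line -match '^(?<site>[^\\]+)\\(?<dc>\S+) @ USN\s+(?<usn>\d+) @ Time (?<time>[\d: -]+)$') {
            [pscustomobject]@{ Site = $Matches.site; Dc = $Matches.dc
                               Usn = [long]$Matches.usn; Time = [datetime]$Matches.time }
        }
    }
    $newest = ($entries | Sort-Object Time -Descending | Select-Object -First 1).Time
    $entries | Select-Object Site, Dc, Usn, Time,
        @{ Name = 'HoursBehindNewest'; Expression = { [math]::Round(($newest - $_.Time).TotalHours, 2) } }
}

$showreplCsv = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status'
    'showrepl_INFO,Default-First-Site-Name,SERVER1,"DC=jonathanhassell,DC=com",Default-First-Site-Name,SERVER2,RPC,0,0,2004-06-10 12:27:23,0'
    'showrepl_INFO,Default-First-Site-Name,SERVER1,"DC=jonathanhassell,DC=com",WEST,SERVER3,RPC,12,2004-06-10 09:00:00,2004-06-09 17:00:00,1722'
)
$utdvec = @(
    'Default-First-Site-Name\SERVER3 @ USN 8404 @ Time 2004-06-10 12:24:30'
    'Default-First-Site-Name\SERVER2 @ USN 8038 @ Time 2004-06-10 11:12:57'
    'Default-First-Site-Name\SERVER1 @ USN 9374 @ Time 2004-06-10 12:27:23'
)

Get-ReplicationFailure -CsvLines $showreplCsv | Format-Table -AutoSize   # reports SERVER3: 12 failures
Get-UtdVectorEntry -ShowUtdVecLines $utdvec   | Format-Table -AutoSize   # SERVER2 is about 1.24 hours behind
```

Schedule Get-ReplicationFailure on a DC and alert on any output; a partner that silently accumulates failures for days is how lingering objects and tombstone-lifetime problems begin.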
5.4.7. Among Sites: Spanning Trees and Site Links

Although AD DS uses loops and meshes to build replication topologies within a site, using that many links across an expensive WAN connection would cost you dearly in bandwidth and time. For that reason, when AD DS replicates between sites, it uses a minimum spanning tree: a tree with as few branches as possible, chosen by link cost, that still connects all of your sites. Let's use an example environment with two domain controllers in a site called MAIN (representing the headquarters in Charlotte) and a single domain controller in another site, called WEST (located in San Francisco). Recall that the KCC builds replication topologies within sites automatically; you, the administrator, do not have to intervene. Replication between sites isn't as simple: AD DS needs to know several things about your sites before it can work out how to route replication traffic among them.
5.4.7.1. Site links

By creating site links, you give AD DS three key pieces of information it must have before it can determine the most efficient way to route replication traffic across your sites:
Which connection, if there is more than one, to use for replication to the destination site, expressed as a relative cost
When that connection is available, and how often replication over it should be attempted
How the replication should take place: over IP using RPC, or asynchronously via SMTP
Let's discuss the third item first. AD DS lets you create site links over IP (synchronous RPC calls) or via SMTP for unreliable or high-latency connections. Unfortunately, SMTP-based site links are extremely limited. SMTP can carry only the schema and configuration naming contexts and the global catalog partial replica; it cannot replicate a domain naming context between sites, so two sites holding domain controllers for the same domain must be joined by an IP link. SMTP replication also requires an enterprise certification authority, because the replication messages are signed and encrypted, as well as the SMTP service on each participating domain controller. For these reasons, the vast majority of site links you create will be IP links. Returning to our example, let's create a site link between MAIN and WEST. To do so, follow these steps:
1. Open Active Directory Sites and Services.
2. Expand the Sites node in the left pane, and then expand the Inter-Site Transports folder.
3. Right-click IP, and select New Site Link.
4. The screen in Figure 5-36 appears.
Figure 5-36. Configuring a new site link
5. Enter a friendly name for the site link in the Name box.
6. Choose the sites you want to include in this link. A link must include two or more sites, and you can move sites back and forth using the Add and Remove buttons in the middle of the screen. For our purposes, make sure MAIN and WEST are in the box labeled "Sites in this site link." Click OK.
To further configure the site link, right-click the new link in the IP folder in the left pane of Active Directory Sites and Services and choose Properties. The screen in Figure 5-37 appears.
Figure 5-37. Changing the schedule for a site link
This screen contains two critical items. First, the Cost field lets you assign a cost, in essence an index of the expense of using the connection, to each site link you create. When more than one path exists between two sites, AD DS routes replication over the path with the lowest total cost, so the numbers are relative: what matters is how each link ranks against the others. Microsoft doesn't give you much guidance on arriving at a figure; I recommend weighing the link's bandwidth, its monetary cost at prime and overnight rates, any traffic caps, and its availability. Second, the "Replicate every" box specifies how often AD DS attempts replication over this site link. The shortest interval is 15 minutes and the longest is 10,080 minutes (one week). Whatever you choose, every domain controller must replicate within the tombstone lifetime (60 days in forests created before Windows Server 2003 SP1, 180 days in newer ones); a domain controller that misses that window holds deleted objects its partners have purged, stops replicating with them, and usually has to be rebuilt. Click the Change Schedule button to see the screen depicted in Figure 5-38.
Figure 5-38. The Schedule for New Site Link screen
Use the mouse to select the hours during which the link will not be available; AD DS will not even attempt replication during those periods. Click OK to exit that dialog, and click OK again to finish configuring the link. Once you have specified this information, the Inter-Site Topology Generator (ISTG), a role taken on by the KCC of one domain controller in each site, will build the minimum spanning tree needed to pass replication traffic among sites. And that's a basic but thorough treatment of AD DS replication.
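The same MAIN to WEST site link created with ADSI, as an added PowerShell example that is not part of the book. ADSI is the scripted route on Windows Server 2008 itself, because the ActiveDirectory module's *-ADReplicationSiteLink cmdlets did not arrive until Windows Server 2012. The site names MAIN and WEST come from the text; everything else (the cost and interval values, running this as a member of Enterprise Admins on a domain-joined machine) is assumed.

```powershell
# Added example (not from the book): create and inspect IP site links through ADSI.
# Requires rights on the Configuration partition (Enterprise Admins by default).
# The schedule attribute is a binary blob and is left to the GUI here.

function New-IpSiteLink {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$SiteNames,
        [int]$Cost = 100,                  # GUI default
        [int]$ReplIntervalMinutes = 180    # GUI default; allowed range is 15..10080
    )
    if ($SiteNames.Count -lt 2) { throw 'A site link must contain at least two sites.' }
    if ($ReplIntervalMinutes -lt 15 -or $ReplIntervalMinutes -gt 10080) {
        throw 'replInterval must be between 15 and 10080 minutes.'
    }
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $transport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
    $siteDns   = @($SiteNames | ForEach-Object { "CN=$_,CN=Sites,$configNc" })

    $link = $transport.Create('siteLink', "CN=$Name")
    $link.Put('cost', $Cost)
    $link.Put('replInterval', $ReplIntervalMinutes)
    $link.PutEx(2, 'siteList', $siteDns)     # 2 = ADS_PROPERTY_UPDATE: set the multi-valued list
    $link.SetInfo()
    $link
}

function Get-IpSiteLink {
    # Lists every IP site link with the values the ISTG uses to build the spanning tree.
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $transport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
    foreach ($child in $transport.psbase.Children) {
        if ($child.psbase.SchemaClassName -ne 'siteLink') { continue }
        [pscustomobject]@{
            Name                = $child.psbase.Name -replace '^CN=', ''
            Cost                = [int]$child.cost.Value
            ReplIntervalMinutes = [int]$child.replInterval.Value
            Sites               = @($child.siteList) -replace '^CN=([^,]+),.*', '$1'
        }
    }
}

New-IpSiteLink -Name 'MAIN-WEST' -SiteNames 'MAIN', 'WEST' -Cost 200 -ReplIntervalMinutes 60 | Out-Null
Get-IpSiteLink | Format-Table -AutoSize
```

After creating a link, run repadmin /kcc on the ISTG of each site (or wait for its 15-minute cycle) and check repadmin /showrepl to confirm that an inter-site connection object appeared.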
5.4.8. Read-Only Domain Controllers

Think back to the days of Windows NT 4.0, when there was one king of the hill, the primary domain controller (PDC), and any number of subservient princes below it: the backup domain controllers, or BDCs. The flow of information was easy to see: changes were made to the master copy of the domain security database on the PDC and flowed outward, in one direction, to the BDCs. When AD DS came along, this distinction was eliminated, and in practice every domain controller became equal to every other, with no designation of primary or backup. (Well, in actuality some DCs are a little more equal than others once you factor in operations master roles, but that's not relevant here.) While this design increased fault tolerance and made distributed deployment easier, it raises a problem: any domain controller anywhere on the network can write, and whatever it writes, corrupt, incorrect, or malicious, is pushed to every other DC. How would you prevent that? In branch office scenarios the issue is particularly serious. The designated administrator in a branch office traditionally needed Domain Admins credentials to administer the DC in her office, which gives her the right to administer any DC, not just the one she looks after; and a branch office DC in an unlocked closet holds the password hashes of every account in the domain. It's not the best security situation. Domain controllers are still peers in Windows Server 2008's AD DS, but there is now the concept of a read-only domain controller.
A read- only dom ain cont roller ( RODC) is j ust t hat —it receives inform at ion replicat ed t o it from full dom ain cont rollers, but it doesn't perm it any changes t o be m ade t o it s own copy of t he direct ory dat abase, and t hus no inform at ion can be replicat ed back t o t he full DCs in t he dom ain of which it 's a m em ber. This is a great win for branch offices whose com panies are large enough t o have a com prehensive AD DS st ruct ure. Now, you don't have t o deploy a full- blown dom ain cont roller t o your rem ot e locat ions—you can sim ply place a RODC t here. The benefit s are significant and include t he following:
You reduce t he risk of som eone at t acking a branch office locat ion and sending poisoned dat a t hroughout t he ent ire AD DS dat abase.
The RODC caches only t he credent ials of users and com put ers who have aut hent icat ed t o t he RODC and whom t he Password Replicat ion Policy allows t o have credent ials cached, which reduces t he possibilit y t hat account s can be cracked from a st olen branch office dom ain cont roller.
By default , t he RODC does not cache dom ain adm inist rat or credent ials, so t he keys t o t he kingdom are m ore fully prot ect ed.
The Kerberos aut hent icat ion t icket s issued by t he RODC will only be valid for syst em s wit hin it s scope, so it can't issue falsified t okens t o get nefarious users ont o t he full net work.
The RODC is a Server Core- designat ed role, which m eans t here's hardly any need for adm inist rat ion locally. No GUI also m eans a sm aller at t ack surface. To set up a read- only dom ain cont roller, run DCPROMO and select t he opt ion on t he Addit ional Dom ain Cont roller Opt ions screen t o m ake your new dom ain cont roller a read- only dom ain cont roller.
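The PRP check a practitioner wants to run after deploying an RODC, as an added example (not the book's own code): it reads the RODC's allow, deny and revealed lists with repadmin /prp, which installs with the AD DS role in Windows Server 2008, and compares the accounts actually cached on the RODC against the direct members of the domain's privileged groups, read through ADSI so that PowerShell 1.0 is enough. The RODC name and domain are assumptions, and the parsing assumes repadmin prints one distinguished name per line, as English builds do.

```powershell
# Added example (not from the book): audit an RODC's Password Replication Policy and the
# credentials actually cached on it. Assumptions: RODC name, domain name, and repadmin's
# one-DN-per-line output format.

param(
    [string]$Rodc   = "BRANCH-RODC1",               # assumed RODC hostname
    [string]$Domain = "corp.hasselltech.local"      # assumed domain
)

# Run "repadmin /prp view <RODC> <list>" and return the distinguished names it prints.
function Get-PrpList([string]$List) {
    $out = @(& repadmin /prp view $Rodc $List 2>&1 | ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) { throw "repadmin /prp view $Rodc $List failed:`n$out" }
    @($out | Where-Object { $_ -match '^\s*CN=' } | ForEach-Object { $_.Trim() })
}

$allowed  = Get-PrpList "allow"     # may be cached on the RODC
$denied   = Get-PrpList "deny"      # must never be cached (deny wins over allow)
$revealed = Get-PrpList "reveal"    # accounts whose secrets are on the RODC right now

"Allowed list ({0}):"    -f $allowed.Count;  $allowed
"Denied list ({0}):"     -f $denied.Count;   $denied
"Cached on $Rodc ({0}):" -f $revealed.Count; $revealed

# The check that matters: is any member of a privileged group cached on this box?
# Domain Admins and the built-in Administrators group exist in every domain; Enterprise
# Admins and Schema Admins exist only in the forest root, so add them there.
# Only direct members are read; nested groups are not expanded.
$dn = "DC=" + ($Domain -replace '\.', ',DC=')
$privileged = @()
$privileged += @(([ADSI]"LDAP://CN=Domain Admins,CN=Users,$dn").member)
$privileged += @(([ADSI]"LDAP://CN=Administrators,CN=Builtin,$dn").member)

$leaks = @($revealed | Where-Object { $privileged -contains $_ })
if ($leaks.Count -gt 0) {
    Write-Warning "Privileged credentials are cached on $Rodc. If this RODC is lost, reset these accounts immediately:"
    $leaks
} else {
    "OK: no privileged account is cached on $Rodc."
}
```

Run it from an elevated prompt on a writable DC or a management workstation with the AD DS tools installed. The revealed list is the one to watch: the allow list says what may be cached, but only the revealed list tells you what an attacker actually gets if the branch server walks out the door.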
5.4.8.1. DNS considerations for read-only domain controllers
During the Active Directory Domain Services Installation Wizard, when you're first deploying an RODC, DCPROMO recommends that you install a DNS server locally on the RODC. That server is fed read-only copies of the AD-integrated zones from the AD DS infrastructure, and the wizard adds the RODC's own IP address to the RODC's local DNS client properties, so queries are directed automatically to the zone on the machine itself. However, for maximum fault tolerance, if there is only one DNS server and RODC at a branch office (for instance, if the two services are running on the same machine), Microsoft recommends using the options in your DHCP scope, assuming you use dynamic IP addresses at your branch office, to hand out not only the local RODC-based DNS server but also a DNS server at the main office, where your other AD servers are centrally located. Make sure the local RODC-based DNS server is first on the list, so that only queries that fail to get a response from the local server are sent over the wire to your hub site. If you have a larger branch office contingent with multiple RODCs deployed at one branch office, you can install a DNS server instance on each RODC. Remember that since RODCs are read-only, dynamic update requests from your clients can't be accepted locally: the RODC's DNS server refers the client to a writable DC, the client sends its update there, and the RODC then requests that single record from the writable DC so that it shows up locally before the next scheduled replication. The DNS server instances on RODCs will not replicate with one another; each receives all updates directly from the central AD DS infrastructure, so there may be times when one local RODC has received an updated DNS record for a client but another has not.
This issue resolves itself (no pun intended) within a replication cycle, but to avoid it, make sure the clients themselves have identical DNS server lists (use DHCP options to assist with this) and install only one DNS server instance per site.
5.5. Active Directory Troubleshooting and Maintenance
Things will inevitably break in your network; this is a given. Additionally, you'll need to perform a few tasks on a regular basis to keep your AD DS installation running at maximum performance and efficiency. In this section, I'll take a look at troubleshooting and maintenance, and show you both how to keep your network in tip-top shape and how to figure out what's wrong when things go awry.
5.5.1. Auditing Activities in Active Directory Domain Services
Windows Server 2008 and AD DS include an improved auditing infrastructure that lets you see more easily what is happening within your domain. By enabling auditing through Group Policy for your domain controllers, you can record success and failure events for specific objects in your directory tree whenever a principal accesses them or changes their settings. Auditing in Windows Server 2008's implementation of Active Directory has four subcategories, and the old "Audit directory service access" policy setting turns on all four at once:
Directory Service Access
The information in this audit event is essentially the same as what you received in Windows Server 2003, but the event ID changes to 4662.
Directory Service Changes
This subcategory is new and records both the previous and the new value of whatever changed in the directory to the Security event log. Objects with properties that changed have the old and new values logged (event 5136, one event for the value removed and one for the value added). New objects have all of their initial settings logged (event 5137), undeleted objects have their new destination logged (event 5138), and objects that are moved have their old and new locations written to the log (event 5139).
Directory Service Replication
This audits successes and failures in replication.
Detailed Directory Service Replication
This digs deeper into replication to provide other information (this is still up in the air and will flesh out during the beta period).
To enable auditing, first open Server Manager, and under Features, expand Group Policy Management, your forest, and the active domain. Click on Domain Controllers, and in the right pane, right-click on Default Domain Controllers Policy and click Edit. Within the Group Policy Management Editor window that appears, drill down through Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and select Audit Policy. In the right pane, double-click on "Audit directory service access" to configure the policy. Check the "Define these policy settings" box, select whether to audit successes, failures, or both, and then click OK. This enables all four subcategories. If you want only Directory Service Changes (usually the one you care about), leave this Group Policy setting undefined and enable the single subcategory on each domain controller with auditpol.exe instead, because a category setting defined in Group Policy overrides whatever auditpol configures unless you also enable the "Force audit policy subcategory settings" security option.
At this point, you have enabled the audit policy, but nothing is logged until the system ACL (SACL) on the objects you care about says what to audit. From Server Manager, drill down to Active Directory Users and Computers, and select Advanced Features from the View menu. Now, right-click on the organizational unit for which you want auditing configured, and select Properties. Navigate to the Security tab and click the Advanced button. On the Advanced Security Settings screen, navigate to the Auditing tab, and click Add. Add the principals whose actions you want recorded (Everyone, if you want all changes), and then in the resulting Auditing Entry dialog box, select Descendant User Objects from the "Apply onto" drop-down list; choose the fourth entry on the list, "Write all properties"; and select whether to audit success, failure, or both in the respective columns. Click OK, and OK again, and go back to Server Manager. Auditing is now enabled on your domain controllers, and any change to a user in the OU you selected will be logged to the Security event log.
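The command-line version of the same setup, plus the part the GUI doesn't give you, as an added example that is not the book's own code: it enables only the Directory Service Changes subcategory with auditpol.exe (built into Windows Server 2008) and then reads the resulting 5136/5137/5139 events back into a usable shape, flagging membership edits on privileged groups. Get-WinEvent requires PowerShell 2.0, so the assumption is that Windows Management Framework 2.0 is installed on the DC; the watched group names are assumptions for the demonstration.

```powershell
# Added example (not from the book): enable Directory Service Changes auditing on this DC
# and parse the change events. Assumes PowerShell 2.0 (Get-WinEvent) on the DC.

# 1. Enable just the subcategory we want (success and failure). If the Default Domain
#    Controllers Policy defines "Audit directory service access", that category setting
#    overrides this unless "Force audit policy subcategory settings" is also enabled.
& auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
& auditpol /get /subcategory:"Directory Service Changes"

# 2. Pull change events and flatten each event's EventData block into one object.
#    5136 = attribute modified (one event per value removed, one per value added),
#    5137 = object created, 5139 = object moved.
function Get-DsChange([datetime]$Since = (Get-Date).AddDays(-1)) {
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5139; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $op = $d['OperationType']
        if ($op -eq '%%14674') { $op = 'Value Added' } elseif ($op -eq '%%14675') { $op = 'Value Deleted' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Who       = $d['SubjectDomainName'] + '\' + $d['SubjectUserName']
            ObjectDN  = $d['ObjectDN']
            Class     = $d['ObjectClass']
            Attribute = $d['AttributeLDAPDisplayName']   # empty for 5137 and 5139
            Value     = $d['AttributeValue']
            Operation = $op
        }
    }
}

# 3. Surface the change a defender wants to see first: membership edits on privileged groups.
#    The DN prefixes are assumptions; adjust them to your domain's naming.
$watched = 'CN=Domain Admins,', 'CN=Enterprise Admins,', 'CN=Administrators,', 'CN=Schema Admins,'
$changes = @(Get-DsChange)
$changes | Format-Table Time, EventId, Who, Operation, Attribute, ObjectDN -AutoSize
foreach ($c in $changes) {
    if ($c.Attribute -ne 'member') { continue }
    foreach ($prefix in $watched) {
        if ($c.ObjectDN -like ($prefix + '*')) {
            Write-Warning ("{0}: {1} {2} {3} in {4}" -f $c.Time, $c.Who, $c.Operation, $c.Value, $c.ObjectDN)
        }
    }
}
```

Remember that the SACL still has to exist: auditpol turns the subcategory on, but with no auditing entry on the container (or the group object) there is nothing for the DC to record. The two-event pattern for 5136 is why the script keeps Operation separate; a single membership change shows up as a "Value Deleted" and a "Value Added" pair when a member is replaced.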
5.5.2. Restarting AD Domain Services
Windows Server 2008 now allows you to stop and restart AD DS without rebooting the entire domain controller into Directory Services Restore Mode. This is possible because of a re-architecting of AD services that gives the Domain Services component three possible states:
Started
The nominal state.
Stopped
A newly supported state that in effect turns the domain controller into a member server joined to the domain, while still allowing the offline work on the database (defragmentation and integrity checks) that previously required Directory Services Restore Mode, covered next. Logons to a stopped DC are serviced by another DC in the domain if one is reachable; if none is, you can still log on locally with the DSRM administrator password. Restoring the database from backup still requires DSRM.
Directory Services Restore Mode
Available after a reboot (strike the F8 key during boot and select this mode from the text-based startup menu); it allows you to perform offline maintenance on many aspects of the AD database, NTDS.DIT, itself. More on this mode later in this chapter.
You can simply stop the Active Directory Domain Services service (its short name is NTDS) through the Services console. Alternatively, try the following from the command line. To stop AD DS, along with the services that depend on it, such as the Kerberos Key Distribution Center, issue this command:
net stop ntds
Answer Y when asked to stop the dependent services, or append /y to the command to answer automatically. To start AD DS again, issue this command:
net start ntds
5.5.3. Troubleshooting AD with DNSLint
Recall DNSLint from Chapter 4? Since AD depends on DNS, there are some specific scenarios in which DNSLint can be a lifesaver in identifying and solving a quirky problem with your AD infrastructure. In fact, DNS problems are the most common pitfalls that keep AD from working correctly. DNSLint, run with its /ad switch, can help you figure out when the following issues are occurring:
A network adapter whose TCP/IP configuration doesn't point at a DNS server that is authoritative for the zone that serves the AD domain.
A DNS zone missing the CNAME record, under _msdcs, that carries the globally unique identifier (GUID) of each domain controller, or the A records that act as glue records. (Check out Chapter 4 for a refresher on what those terms mean.)
Lame delegations to child zones, where the NS records specified for the delegation either do not have corresponding glue records or point to servers that are offline or not responding.
The DNS zone corresponding to an AD domain does not contain the necessary SRV records, including _ldap._tcp on TCP port 389 and _kerberos on TCP and UDP port 88. Global catalog servers additionally need an SRV record for _gc._tcp on TCP port 3268.
The PDC Emulator operations master does not have its required SRV record (_ldap._tcp.pdc._msdcs.<domain>).
Even better, you can combine DNSLint with Dcdiag, which in Windows Server 2008 installs with the AD DS role or the Remote Server Administration Tools (you no longer need the separate Support Tools package), to perform many tests and checks before promoting a machine to a DC. You can also probe a current DC just to make sure it's configured correctly. Specifically, the DcPromo test in Dcdiag verifies that the machine has the DNS settings it needs to be promoted, and it lists the problems and solutions if there are any. To check that the machine JH-W2K3-DC2 is ready to be promoted to a replica DC in the corp.hasselltech.local domain, run the following on that machine:
dcdiag /test:dcpromo /dnsdomain:corp.hasselltech.local /replicadc
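A quick check for the SRV records listed above, as an added example that is not the book's own code: it queries each record with nslookup.exe, which is on every Windows Server 2008 system, and confirms both that a target exists and that the advertised port matches. PowerShell 1.0 has no DNS cmdlet, so the script parses nslookup's text output and assumes the English "svr hostname" and "port" labels; the domain name and DNS server are assumptions.

```powershell
# Added example (not from the book): verify the SRV records AD DS clients depend on.
# Assumptions: domain name, optional DNS server, and nslookup's English output labels.

param(
    [string]$Domain = "corp.hasselltech.local",   # assumed AD domain
    [string]$Server = ""                          # empty = use the client's configured DNS server
)

# One entry per record the text lists, with the port each must advertise.
$required = @(
    @{ Name = "_ldap._tcp.$Domain";             Port = 389  },
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";   Port = 389  },
    @{ Name = "_ldap._tcp.pdc._msdcs.$Domain";  Port = 389  },   # PDC emulator
    @{ Name = "_kerberos._tcp.$Domain";         Port = 88   },
    @{ Name = "_kerberos._udp.$Domain";         Port = 88   },
    @{ Name = "_gc._tcp.$Domain";               Port = 3268 }    # global catalog
)

# Query one SRV name and return the targets nslookup reports, each with its port.
# nslookup prints "port = N" before "svr hostname = host" for every answer.
function Get-SrvTargets([string]$Name) {
    $nsArgs = @("-type=SRV", $Name)
    if ($Server) { $nsArgs += $Server }
    $lines = @(& nslookup $nsArgs 2>&1 | ForEach-Object { "$_" })
    $targets = @()
    $port = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*port\s*=\s*(\d+)')         { $port = [int]$matches[1] }
        if ($line -match '^\s*svr hostname\s*=\s*(\S+)') { $targets += @{ Host = $matches[1]; Port = $port } }
    }
    return ,$targets
}

$failed = 0
foreach ($r in $required) {
    $found = Get-SrvTargets $r.Name
    if ($found.Count -eq 0) {
        Write-Warning ("MISSING  {0}" -f $r.Name); $failed++
        continue
    }
    foreach ($t in $found) {
        $ok = ($t.Port -eq $r.Port)
        if (-not $ok) { $failed++ }
        "{0,-8} {1,-45} -> {2}:{3}" -f $(if ($ok) { "OK" } else { "BADPORT" }), $r.Name, $t.Host, $t.Port
    }
}
if ($failed) { "$failed problem(s) found; run dcdiag /test:dns and dnslint /ad for detail." }
else         { "All required SRV records are present." }
```

This is deliberately a client-side view: it asks the same question a workstation asks at logon, against whatever resolver that workstation would use, which is exactly the configuration the first two DNSLint checks above are about.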
5.5.4. Offline Defragmenting of the NTDS Database
Like a hard disk, the database containing all the objects and information within AD DS can become fragmented on domain controllers, because some parts of the directory are written to often and other parts are rarely touched. Although you might think that defragmenting your hard drive would defragment the NTDS.DIT file on your domain controller's disk automatically, this just isn't the case. AD DS performs online defragmentation itself as part of garbage collection, and it does an adequate job of reclaiming space for reuse inside the file, but it never shrinks the file. To really clean out the database and compact it for the maximum possible gain, you need to take the directory offline so that the defragmentation process can have exclusive use of the database file. This requires four steps: first, take AD DS offline on the domain controller in question, either by booting into Directory Services Restore Mode or, new in Windows Server 2008, by simply stopping the Active Directory Domain Services service; second, perform the actual compaction; third, copy the compacted database back over the production copy; and fourth, start the directory again. (Replication among the other domain controllers won't be affected, as AD DS works around the unavailable domain controller. It will receive any changes it missed when it comes back online.) Take a system state backup before you begin. Let's go through the steps using Directory Services Restore Mode:
1. Reboot your domain controller.
2. As the domain controller begins to boot, press F8 to make the Startup menu appear.
3. Select Directory Services Restore Mode.
4. When the system prompts you to log on, use the local Administrator account (.\Administrator) with the restore mode password you created when you first promoted this machine to a domain controller. Domain accounts can't be used here; the directory isn't running.
5. Open a command prompt.
6. Enter ntdsutil at the command prompt to start the offline NTDSUtil tool.
7. Enter activate instance ntds, which Windows Server 2008 requires before ntdsutil will touch the database, and then enter files to enter the file maintenance context.
8. Type compact to <path>, where <path> is the directory in which you want the compacted copy of the database stored. NTDSUtil writes a new copy rather than compacting in place, so if something goes wrong you haven't touched the production copy of the directory.
9. Look for the line "Operation completed successfully in x seconds." If you see it, type quit twice to exit NTDSUtil. Don't proceed if the operation reported an error.
10. At the regular command prompt, copy the new NTDS.DIT from the location you selected in step 8 to the database directory, %SystemRoot%\NTDS by default. Overwrite the current file at that location; it is the fragmented version (but keep a copy of it somewhere else until you've confirmed the DC starts cleanly).
11. Delete any files with the extension .LOG in that same directory.
12. Restart your domain controller normally, and boot Windows Server 2008 as usual.
Your database is now defragmented. Check the Directory Service event log for a clean start; if the directory fails to start, put the saved original NTDS.DIT and log files back.
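The same compaction done the Windows Server 2008 way, by stopping AD DS instead of booting into DSRM, as an added example that is not the book's own code. It adds the safety checks a practitioner wants: a system state backup first, the original database kept aside for rollback, an integrity check on the compacted file before the directory is started again, and the service restarted no matter what happened. The database location is read from the registry rather than assumed; the scratch and rollback directories, the backup target drive, and PowerShell 2.0 (for try/catch/finally) are assumptions.

```powershell
# Added example (not from the book): offline compaction of NTDS.DIT with AD DS stopped.
# Assumptions: PowerShell 2.0, a D: drive for wbadmin, and the two scratch paths below.
# Run elevated, on the DC itself, during a maintenance window.

$work = "C:\NTDS-Compact"                                        # assumed scratch directory
$keep = "C:\NTDS-Backup-" + (Get-Date -Format "yyyyMMdd-HHmm")   # assumed rollback directory

# Where AD DS actually keeps the database and logs (chosen at promotion time).
$ntdsReg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$dbFile  = $ntdsReg.'DSA Database file'            # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $ntdsReg.'Database log files path'      # e.g. C:\Windows\NTDS

# Run ntdsutil non-interactively and fail the script if the operation did not succeed.
function Invoke-Ntdsutil([string[]]$Commands) {
    $out = @(& ntdsutil "activate instance ntds" $Commands quit quit 2>&1 | ForEach-Object { "$_" })
    $out
    if (-not ($out -match 'completed successfully|Integrity check successful')) {
        throw "ntdsutil failed: $Commands"
    }
}

# 1. A restorable copy of the directory before touching anything.
& wbadmin start systemstatebackup -backupTarget:D: -quiet
if ($LASTEXITCODE -ne 0) { throw "System state backup failed; not continuing." }

# 2. Take AD DS offline. /y stops the dependent services (KDC, DNS, DFSR...) without prompting.
& net stop ntds /y
New-Item -ItemType Directory -Path $work, $keep -Force | Out-Null

try {
    # 3. Write a compacted copy to $work (step 8 of the procedure above).
    Invoke-Ntdsutil @("files", "compact to $work")

    # 4. Keep the originals for rollback, put the compacted file into production
    #    (steps 10 and 11), then check it before the directory is allowed to start.
    Copy-Item $dbFile $keep
    Get-ChildItem $logDir -Filter *.log | Copy-Item -Destination $keep
    Copy-Item (Join-Path $work "ntds.dit") $dbFile -Force
    Get-ChildItem $logDir -Filter *.log | Remove-Item
    Invoke-Ntdsutil @("files", "integrity")          # ESE-level check of the new file
}
catch {
    Write-Warning "Compaction failed; restoring the original database: $_"
    Copy-Item (Join-Path $keep "ntds.dit") $dbFile -Force
    Get-ChildItem $keep -Filter *.log | Copy-Item -Destination $logDir
    throw
}
finally {
    # 5. Bring the directory and the KDC back, whatever happened above.
    & net start ntds
    & net start kdc
}
"Done. Old size: {0:N0} bytes, new size: {1:N0} bytes." -f (Get-Item (Join-Path $keep "ntds.dit")).Length, (Get-Item $dbFile).Length
```

Two design points: the integrity check runs against the file that will actually be used, not against the copy in the scratch directory, so a bad copy operation is caught too; and the rollback directory is deliberately left in place for you to delete by hand once the DC has replicated normally for a while.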
5.5.5. Cleaning Directory Metadata
As your AD DS implementation ages, you'll probably be left with some junk: old computer accounts that refer to PCs you dumped a long time ago, domain controllers you removed from service without first decommissioning them within AD DS, and other detritus. Every so often, it's a good idea to clean out this old data so bugs that are hard to track (and therefore hard to troubleshoot) don't pop up, and so future major AD DS actions, such as renaming or removing a domain, aren't held up by a junked-up directory. Stale DC metadata has a security cost, too: the other DCs keep trying to replicate with a machine that no longer exists, and its SRV records in DNS keep pointing clients at a host that can no longer answer them. Let's say we have a child domain, called cluster.hasselltech.local, that we want removed. To do this, we again will use the NTDSUtil tool and its metadata cleanup feature. (In Windows Server 2008 you can also remove a single orphaned domain controller's metadata by simply deleting its computer object from the Domain Controllers OU in Active Directory Users and Computers, or its NTDS Settings object in Active Directory Sites and Services; the console runs the cleanup for you.) To begin, go to a domain controller and log in as an enterprise administrator. Then follow these steps:
1. Open a command prompt.
2. Type ntdsutil to open the program.
3. Type metadata cleanup to enter that part of the program.
4. Type connections to get the server connections prompt.
5. Enter connect to server localhost to initiate a connection to the current domain controller.
6. Type quit to return to the metadata cleanup prompt.
7. Now, type select operation target and press Enter.
8. Type list domains to get a list of domains.
9. NTDSUtil displays a numbered list of the domains in your forest. In our example, cluster.hasselltech.local comes up as domain 2. So, to set our sights on the domain we want to destroy, type select domain 2 and press Enter.
10. Next, determine the site in which cluster.hasselltech.local's domain controllers reside. Type list sites to bring up a list like the one in steps 8 and 9.
11. In our case, those domain controllers are in site CHARLOTTE, which comes up as site 3 in our list. So, type select site 3 and press Enter.
12. Now you need to get rid of the domain controllers in that domain. Find out which machines they are by typing list servers for domain in site and pressing Enter.
13. There are two domain controllers, numbered 0 and 1. You need to get rid of both, so type select server 0 and press Enter.
14. Type quit to return to the metadata cleanup prompt, and then type remove selected server. Confirm your choice.
15. Type select operation target, then select server 1, and then quit to return to the metadata cleanup prompt again.
16. Type remove selected server, and again confirm your choice.
17. Finally, type remove selected domain and press Enter.
18. Type quit twice to exit NTDSUtil.
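Knowing which server objects are stale is the hard part of this procedure, so here is a finder, as an added example that is not the book's own code: it enumerates every NTDS Settings object in the forest's configuration partition with ADSI and .NET, tests whether the server it belongs to still answers on the LDAP port, and prints the exact ntdsutil command for each one that doesn't. It never deletes anything itself. The LDAP port and timeout are assumptions, and the single-line "remove selected server <DN>" form it prints is the one Windows Server 2008's ntdsutil accepts at the metadata cleanup prompt; check help there if your build differs. Requires PowerShell 2.0 for try/catch.

```powershell
# Added example (not from the book): list domain controllers whose metadata is probably
# stale, and print the ntdsutil command that would remove each one. Read-only.
# Assumptions: PowerShell 2.0, LDAP on TCP 389, a 3-second connect timeout.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext

# Every DC in the forest has an NTDS Settings object (class nTDSDSA) under its server
# object in the Sites container; server objects without one are not DCs any more.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter = "(objectClass=nTDSDSA)"
$searcher.PageSize = 500

# Can we open a TCP connection to LDAP on the host? A DC that is really gone fails here
# (name does not resolve, or nothing listens), which is what the catch block treats as dead.
function Test-Ldap([string]$HostName, [int]$Port = 389, [int]$TimeoutMs = 3000) {
    if (-not $HostName) { return $false }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
    } catch {
        $ok = $false
    }
    $client.Close()
    return $ok
}

$stale = @()
foreach ($result in $searcher.FindAll()) {
    $settings = $result.GetDirectoryEntry()
    $server   = $settings.Parent                                    # holds dNSHostName
    $fqdn     = [string]$server.Properties["dNSHostName"].Value
    $site     = [string]$server.Parent.Parent.Properties["name"].Value
    $alive    = Test-Ldap $fqdn
    "{0,-6} {1,-15} {2}" -f $(if ($alive) { "alive" } else { "STALE?" }), $site, $fqdn
    if (-not $alive) { $stale += [string]$server.Properties["distinguishedName"].Value }
}

if ($stale.Count -eq 0) { "No unreachable domain controllers found."; return }
""
"Confirm each host is really decommissioned (repadmin /showrepl will also show failures"
"to it), then remove its metadata with ntdsutil, for example:"
foreach ($dn in $stale) {
    '  ntdsutil "metadata cleanup" "remove selected server {0}" quit quit' -f $dn
}
```

An unreachable host is only a candidate: a DC behind a firewall or one that is down for maintenance will show up too, which is why the script prints the command rather than running it. Removing a live DC's metadata would orphan that DC and force you to demote and re-promote it.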
5.6. The Last Word
We've covered a lot of material in this chapter: perhaps the most complex component of Windows Server 2008, Active Directory Domain Services. In the next chapter, we'll look at the wonderful component of Group Policy, which allows you to manage groups of systems with remarkable ease and consistency. GP's foundation is in Active Directory, as you will see.
Chapter 6. Group Policy and IntelliMirror
Windows Server 2008 offers a marvelous command and control system for your organization's computers called Group Policy (GP). With GP, you can manage user- and computer-based configurations, which you can apply en masse to computers in a particular Active Directory site, OU, or domain. In this chapter, I'll introduce you to GP and its features and functions. I'll take you through creating and editing GPs and expanding or refining their scope. I'll show you how inheritance and overriding work, and I'll look at using the Windows Management Instrumentation (WMI) interface and the new Resultant Set of Policy (RSoP) tools in Windows Server 2008 to filter and further granulate policy application. Then, you'll see the similarities and differences between local and domain GP. Finally, I'll review troubleshooting strategies and considerations for wide-scale GP deployment.
6.1. An Introduction to Group Policy
Group policies consist of five distinct components:
Administrative templates
Configure Registry-based policies. You'll see what this really entails in a bit.
Folder redirection
Alters the target location of various elements in the UI, such as My Documents, to other places on the network.
Scripts
Execute when computers are first booted and shut down. They also can run during user logon and logoff.
Security settings
Configure permissions, rights, and restrictions for computers, domains, and users.
Software policies
Assign application packages to users and computers.
The data for each component is stored in a Group Policy Object (GPO). In domain-based GPs, GPOs are stored at various levels in Active Directory, but they're always associated with a domain. GPOs are affiliated with a variety of objects within Active Directory, including sites, domains, domain controllers, and OUs, and they can be linked to multiple sites, to the domains themselves, and to OUs. For non-domain-based (i.e., local) GPs, you simply configure those settings on individual servers. Local computer policies are stored in the %SystemRoot%\System32\GroupPolicy directory because they apply only to the computer on which they're stored and need not be replicated. Local policies are also more limited in scope and ability, as you'll see later in this chapter. When you first set up an Active Directory domain, two default GPOs are created: one that is linked to the domain itself, and therefore affects all users and computers within the domain; and one that is linked to the Domain Controllers OU, which affects all domain controllers within a domain.
6.2. Group Policy Implementation
Now that you know the components of GP, let's look at how they are implemented. Like NTFS permissions, GPs are cumulative and inherited: cumulative in that the settings modified by a policy can build upon other policies and "amass" configuration changes, and inherited in that objects below other objects in Active Directory automatically have any GPs applied to their parent objects applied to themselves. GPOs are associated with, or linked to, any number of objects, either within a directory or local to a specific machine. To implement a GP on a specific type of object, follow these guidelines.
Local computer
Use the Local Security Policy snap-in inside Control Panel → Administrative Tools. Or, for a more complete look, use Start → Run → gpedit.msc.
A specific computer
Load the MMC, and then select Add/Remove Snap-in from the File menu. Browse the list and add the Group Policy Object Editor to the console. On the Select Group Policy Object screen, click Browse and peruse the list to find the specific object you want, or choose Another Computer to point the editor at a remote machine's local policy.
Entire domain
Launch the Group Policy Management Console (in Windows Server 2008 it is a feature you add from Server Manager; it no longer needs a separate download), right-click on the domain, and create or edit a policy from there.
OU within Active Directory
Launch the Group Policy Management Console, right-click on the OU, and create or edit a policy from there.
Active Directory site
In the Group Policy Management Console, expand the Sites node (right-click it and choose Show Sites if the site you want isn't listed), right-click the site's name, and create or link a policy from there. The Group Policy tab in the site's Properties dialog in Active Directory Sites and Services, which older versions used, has been superseded by the GPMC.
Windows applies GPs in the following order, which you can remember with the acronym "LSDOU":
1. Local GPOs
2. Site-specific GPOs, in an order the site administrator configures
3. Domain-specific GPOs, in an order the domain administrator configures
4. OU-specific GPOs, from the parent OU down through the ranks to the child OU
The only exception to this rule occurs when you're using NT 4.0 system policies created with the NT System Policy Editor. Recall from NT administration days that the system policy file is called NTCONFIG.POL; if Windows finds that file present in the NETLOGON share, it applies those policies before the local GPO. Of course, these policies can be overwritten by policies that come later in the application chain.
Here's an easy rule of thumb: for domain-based GPs, the lowest-level Active Directory container has the last opportunity to override inherited policies, because its GPOs are applied last. For example, a setting applied at a site is overwritten by a conflicting setting applied to an OU, and a local policy is overwritten by any conflicting Active Directory-based policy. (Links marked Enforced and containers set to Block Inheritance change this, as you'll see later in the chapter.) To see the order in which a given computer actually applied its GPOs, and which setting won, run gpresult /scope computer /v on that computer.
6.2.1. Introducing the Group Policy Management Console
You'll find that GPOs themselves are much easier to create and edit using Microsoft's Group Policy Management Console (GPMC), a drop-in replacement for the more limited Group Policy Object Editor you might know from previous versions of Windows Server. While it's certainly possible to perform the actions I'll describe in this chapter with the native Group Policy Object Editor, that tool has limitations, the biggest by far being that it can't show you the exact scope of a GPO's application, which makes troubleshooting very difficult. The GPMC fixes this and also offers a cleaner interface, scripting functionality (through a COM interface, GPMgmt.GPM, that any script can call), and enhancements to troubleshooting and modeling features. Launch the Group Policy Management Console from Server Manager; you'll see a screen much like Figure 6-1.
Figure 6-1. The Group Policy Management Console
To navigate around in the GPMC, you need to expand the forest you want to manage in the left pane. Then you can select specific domains and sites within that forest, and OUs within individual domains. When you expand, for example, a particular domain, links to the GPOs that exist are listed within their respective OUs. They are also listed under the Group Policy Objects folder. Clicking on a GPO brings up a four-tabbed screen in the right pane. The first tab is the Scope tab, which shows how far-reaching the effects of this GPO are. Sites, domains, and OUs that are linked to the GPO you've selected are listed at the top of the window. You can change the listing of pertinent links using the drop-down box, where you can choose to list links in the current domain, the entire forest, or all sites. In the middle of the window, security filtering is listed: the GPO applies only to the users, groups, and computers shown here, because they are the principals holding both Read and Apply Group Policy permission on the GPO's ACL (Authenticated Users, by default). Clicking the Add button brings up the standard Select User, Computer, or Group dialog. At the very bottom, you can see any WMI filter to which this GPO is linked. You can open the WMI filter for editing by clicking the Open button. You can associate only one WMI filter with any particular GPO, and WMI filters are evaluated only by Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 (Windows 2000 clients ignore the filter and apply the GPO regardless). We'll get to these in a bit; for now, let's move on. The next tab, Details, simply shows the domain in which the current GPO is located, the owner of the GPO, when the GPO was created and modified, the version numbers for the user and computer portions, the GUID of the object, and whether the GPO is fully enabled or fully disabled or whether just the computer or user configuration portion is enabled. Of particular interest is the Settings tab, shown in Figure 6-2.
Figure 6-2. Examining a standard GPO via the Settings tab
The Settings tab is one of the most useful tabs in the GPMC. The GPMC generates HTML-based reports of all the settings in a particular GPO, and you can condense and expand portions of the report easily for uncluttered viewing. You can print the report for further reference, or save it for posting to an internal web site for your IT administrators. It's a much, much easier way to discern which settings a GPO modifies than the Group Policy Object Editor. To edit the GPO that is displayed in the report, simply right-click it and select Edit. To print the HTML report, right-click it and select Print; to save the report, right-click it and select Save Report. Finally, the Delegation tab lists in tabular form the users and groups that have specific permissions on the selected GPO, what those permissions are, and whether they're inherited from a parent object. Clicking Add brings up the familiar Select User, Computer, or Group dialog box. You can remove a delegated permission by clicking the appropriate user or group in the list and then clicking the Remove button. The Properties button brings up the standard Active Directory Users and Computers view of the selected user or group. Review this tab periodically: anyone with edit rights on a GPO linked to the Domain Controllers OU can push settings to every DC in the domain. You'll see more of this interface in action as we proceed through the chapter.
6.2.1.1. Creating and editing Group Policy Objects
To start off, you need some GPOs to work with. Use the tree in the left pane to navigate through the forests and domains on your network. Then, when you've settled on a location, right-click on that location and select "Create and Link a GPO Here." In the New GPO box, enter a name for the object, and then click OK. You'll see the new GPO listed in the right-hand pane; the GPO creation process is finished. To edit the object, right-click it and select Edit. You're presented with a screen much like that shown in Figure 6-3.
Figure 6-3. The Group Policy Object Editor screen
You'll note that there are two branches to each GPO: Computer Configuration and User Configuration. Each contains the same subtrees under the Policies node: Software Settings, Windows Settings, and Administrative Templates. The Computer Configuration tree is used to customize machine-specific settings, which become effective when a computer first boots. These policies are applied to any user who logs on to the system, independent of her own individual policies. Using computer policies, you can lock down a group of computers in a lab or kiosk situation while still maintaining an independent set of user policies. The User Configuration tree, as you might suspect, contains user-specific settings that apply only to that user regardless of where she is on the network.
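The create-and-link procedure above, scripted, as an added example that is not the book's own code: it uses the GPMC's COM interface (GPMgmt.GPM, installed with the GPMC feature on Windows Server 2008) to create a GPO or reuse one with the same name, link it to an OU, print the security filtering the Scope tab would show, and write the same HTML report the Settings tab displays. The domain, OU, GPO name, and report path are assumptions; the script runs under PowerShell 1.0.

```powershell
# Added example (not from the book): create and link a GPO through the GPMC COM API and
# generate its settings report. Assumptions: the four parameters below.

param(
    [string]$Domain  = "corp.hasselltech.local",                             # assumed
    [string]$OuDn    = "OU=Branch Offices,DC=corp,DC=hasselltech,DC=local",  # assumed
    [string]$GpoName = "Branch Office Lockdown",                             # assumed
    [string]$Report  = "C:\Reports\Branch Office Lockdown.html"              # assumed
)

$gpm = New-Object -ComObject GPMgmt.GPM
$k   = $gpm.GetConstants()
$dom = $gpm.GetDomain($Domain, "", $k.UseAnyDC)     # "" = let the GPMC pick a DC

# Reuse an existing GPO of this name instead of creating a duplicate (GPO names are not unique).
$crit = $gpm.CreateSearchCriteria()
$crit.Add($k.SearchPropertyGPODisplayName, $k.SearchOpEquals, $GpoName)
$existing = $dom.SearchGPOs($crit)
if ($existing.Count -gt 0) {
    $gpo = $existing.Item(1)                         # GPM collections are 1-based
    "Using existing GPO {0} ({1})" -f $gpo.DisplayName, $gpo.ID
} else {
    $gpo = $dom.CreateGPO()
    $gpo.DisplayName = $GpoName
    "Created GPO {0} ({1})" -f $gpo.DisplayName, $gpo.ID
}

# Link it to the OU (a "scope of management" in GPMC terms) at the end of the link order
# (-1), unless it is already linked there.
$som    = $dom.GetSOM($OuDn)
$links  = $som.GetGPOLinks()
$linked = $false
for ($i = 1; $i -le $links.Count; $i++) { if ($links.Item($i).GPOID -eq $gpo.ID) { $linked = $true } }
if (-not $linked) {
    $link = $som.CreateGPOLink(-1, $gpo)
    $link.Enabled = $true
    "Linked to {0}" -f $som.Path
}

# Security filtering: who the GPO applies to is decided by Read + Apply Group Policy ACEs,
# which the GPMC summarizes as "Apply". Everything else is a management permission.
$permNames = @{}
$permNames[[int]$k.PermGPOApply]                 = "Apply (read + apply group policy)"
$permNames[[int]$k.PermGPORead]                  = "Read"
$permNames[[int]$k.PermGPOEdit]                  = "Edit"
$permNames[[int]$k.PermGPOEditSecurityAndDelete] = "Edit, delete, modify security"
$permNames[[int]$k.PermGPOCustom]                = "Custom"
$sec = $gpo.GetSecurityInfo()
for ($i = 1; $i -le $sec.Count; $i++) {
    $p = $sec.Item($i)
    "{0,-40} {1}" -f $p.Trustee.TrusteeName, $permNames[[int]$p.Permission]
}

# The Settings-tab report as HTML, for posting or for diffing against a saved baseline.
New-Item -ItemType Directory -Path (Split-Path $Report -Parent) -Force | Out-Null
$result = $gpo.GenerateReportToFile($k.ReportHTML, $Report)
"Report written to {0} ({1} status messages)" -f $Report, $result.Status.Count
```

Saving the report at creation time and again after every change gives you a baseline to compare against; a GPO linked high in the tree that silently grows a new setting is exactly the kind of change the Settings tab makes easy to spot and a saved copy makes easy to prove.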
6.2.1.2. Group Policy Preferences
You might also have noticed the Preferences node in the Group Policy Object Editor (see Figure 6-3 for a refresher). Windows Server 2008 incorporates a feature called Group Policy Preferences, which is essentially the old PolicyMaker Standard Edition and PolicyMaker Share Manager products in new form, directly into the Group Policy Management Console (GPMC). In a nutshell, preferences allow you to "suggest" an initial configuration to your users while still giving them the ability to change it. Let's delve a little deeper. Group Policy itself was designed so that an administrator determines and sets up his mandatory environment, configures it appropriately for the organization's needs, and then leaves it to Windows to strictly enforce those settings. GP overrides any user-provided settings in the event of a conflict, and it typically disables any user interface functions that could be used to change those settings. And while one can limit or otherwise affect the scope of a GPO, it can essentially touch every machine that is a member of a given Windows domain. Machines and settings controlled by Group Policy are termed "managed" machines and settings. Group Policy preferences take a lighter approach. While GP preferences are still set up by an administrator and filter down to managed clients, GP writes preferences to the same places in the Registry where applications store their data about that specific setting. This lets GP address settings and switches in applications that don't by default know about Group Policy. In addition, the application's user interface isn't locked, so if the administrator-defined preferences don't match a user's working style or in some other way aren't what she wishes, she is free to change them.
You can also define the schedule at which Group Policy refreshes preference information: either at the same interval at which GP refreshes policy (the mandatory settings), or you can apply a preference once and then prohibit Windows from refreshing it again. Supporting Group Policy preferences is also lightweight. You can create GPOs that contain preference information right out of the box. On the client, you'll need to install, via a separate download, a client-side extension (CSE); this will need to be deployed to any computer that is a target of your preference settings. The client-side extension supports Windows XP Service Pack 2 and later, Windows Vista, and Windows Server 2003 with Service Pack 1 and later. (If you install Windows Server 2008, you already have the CSE.) You create preference entries by right-clicking on the appropriate preference item in the left pane of the Group Policy Management Editor and selecting New from the context menu. The same breakdown as for regular GPOs applies to GP preferences: Computer Configuration is used to customize machine-specific settings, which become effective when a computer first boots, and User Configuration is used to configure settings that apply only to that user regardless of where she is on the network.
One security caution: several preference types (Local Users and Groups, Drive Maps, Scheduled Tasks, Services, and Data Sources) let you type a password into the preference item. That password is stored in the GPO's XML file in SYSVOL, which every authenticated user in the domain can read, and the encryption applied to it uses a fixed key that Microsoft publishes in the protocol documentation, so anyone with a domain account can recover it. Never put a credential into a preference; use a service account managed another way, or a mechanism that doesn't require a stored secret.
6.2.1.3. Starter Group Policy Objects

Starter Group Policy Objects are designed to get you started deploying GPOs based on commonly used configurations. These starter objects have preconfigured settings that are well commented upon within each setting, making it very easy to deploy a consistent set of baseline configurations. Think of starter GPOs as quick-start templates, which you can build on to create your custom set of GPOs specific to your environment.

You'll need to create the Starter GPOs folder in each domain; fortunately, this is an easy process. In the Group Policy Management Console, expand the appropriate forest and domain, click Starter GPOs, and in the right pane, click the Create Starter GPOs Folder button. You'll only need to do this once per domain. Essentially, this step creates a folder called StarterGPOs inside the SYSVOL folder at this path: \\domain.com\SYSVOL\domain.com\StarterGPOs.

To create a new starter GPO (akin to creating the "template" from which your future GPOs will originate), right-click on Starter GPOs and choose New from the context menu. Enter a name for the GPO and a description, which will also migrate to future GPOs, and then click OK. To create a GPO based on these starter GPOs, when you start to create a new GPO, choose the appropriate starter GPO from the "Source Starter GPO" list in the New Group Policy Object window. The settings will automatically drop down to your new GPO from the starter GPO at that point.
6.2.1.4. Filtering and commenting

The myriad settings available in Group Policy can be overwhelming, and accordingly Windows Server 2008 now offers the ability to filter through the available switches in Group Policy to find the object you're looking for. In the toolbar, click the Filter button, or right-click on Administrative Templates under Computer Configuration or User Configuration and select Filter Options. You can choose to display any managed setting, settings that have already been configured, or settings that have an administrator-appended comment on them. You can also filter by keyword, like a Google search, or filter by system requirement, if you want to, for example, show settings that apply to systems with Internet Explorer 6.0.

Of course, if you work as a team of administrators lording over an enterprise-wide Group Policy deployment, you might want to comment or otherwise document directly in the system what certain configurations you've set up actually do. Enter the commenting feature, which allows you to document right on a setting what that function is intended to accomplish. Your peers can also search on your comments using the comment as the criteria in their query. To enter a comment:

1. Open the Group Policy Management Console.
2. In the left pane, find the GPO in question and right-click on it to bring up the context menu; select Edit.
3. Right-click on the very top-most node in the left pane (it should be the name of the GPO) and select Properties.
4. Navigate to the Comment tab.
5. Enter the comment as you wish, and then click OK.
6.2.1.5. Disabling portions of policies

A GPO has the potential to be large because it can contain numerous computer and user settings. If you don't intend to populate either your computer or user settings, you can disable that portion of the GPO. By doing this, you're speeding up propagation time over the network and processing time on the computers that need to load the settings in the object. So, if you have a GPO that applies only to computers, you can disable the user configuration branch of the policy and significantly improve the performance of your network. To do so, follow these steps:

1. Open the Group Policy Management Console.
2. In the left pane, find the GPO in question and click on it to select it.
3. In the right pane, navigate to the Details tab, and under the GPO Status drop-down box (shown in Figure 6-4), select "User configuration settings disabled."
4. Click OK.

Figure 6-4. Disabling a portion of a policy

The portion of the policy you selected is now disabled. (Of course, you can disable the computer portion of policies using the same method.)
6.2.1.6. Refreshing computer policies

Speaking of changes to policies, it can take some time for modifications to propagate across domain controllers within a domain and finally to the objects for which they're destined. Policies are refreshed on a client when the computer is turned on, a user logs on, an application requests a policy refresh, a user requests a policy refresh, or the interval between refreshes has elapsed. The latter part of that sentence is key: there's a GPO setting you can enable that will allow you to customize the interval at which computer and domain controller policies refresh. It's best to make this change at either a domain or OU level for consistency. To enable the policy refresh interval, follow these steps (I'll assume you're changing this on a domain-wide basis):

1. Within the Group Policy Management Console, find the Default Domain Policy in the left pane.
2. Right-click on Default Domain Policy, and choose Edit.
3. The Group Policy Object Editor window appears. In the Computer Configuration tree, navigate through Policies, Administrative Templates, and System.
4. Click Group Policy.
5. In the right pane, double-click the setting Group Policy refresh interval for computers, or Group Policy refresh interval for domain controllers, whichever is applicable.
6. Select Enabled, and then enter an interval for the refresh. Be sure to make this a healthy interval; otherwise, you will degrade your network's performance with constant traffic updating policies across the domain. For smaller networks, 15 minutes should be an acceptable timeframe. Allow 30 to 45 minutes for larger networks.
7. Click OK.
You can also manually force a policy refresh from the command line on client computers with the gpupdate command. To refresh all parts of a policy, issue this command:
gpupdate /force
To refresh just the Computer Configuration node of the policy:
gpupdate /target:computer /force
To refresh just the User Configuration node of the policy:
gpupdate /target:user /force
Domain controllers make refresh requests every five minutes by default.
To manually refresh GPOs on Windows 2000, the syntax is a little different. To refresh only the computer policy:
secedit /refreshpolicy machine_policy
To refresh only the user policy:
secedit /refreshpolicy user_policy
You can force updates of objects, even if they haven't been modified since the last update, by adding the /enforce switch at the end of the command. Then Windows will enforce all policies, regardless of whether the actual policy objects have changed. This is useful if you are having network difficulties and want to ensure that every computer has a fresh application of policy, or if you have a large contingent of mobile users that connect to the network briefly and unpredictably.

For either clients or domain controllers, exercise extreme caution when modifying the default refresh interval. On large networks, altering the refresh interval can cause hellish amounts of traffic to be unleashed over your network, a costly move that's unnecessary for 95% of sites with domains installed. Although clients will pull down new policies only if those policies have changed, the increased traffic results from clients just contacting a domain controller every x minutes to get new policies and updates. There's very little reason to alter this value. Here's a good rule of thumb: if you don't know of a good justification to alter the refresh interval, it isn't necessary for your site.
Folder redirection and software installation policies are not processed during a background policy refresh.

If you want, you can also elect to disable background policy refreshing completely. You might do this if you're having trouble tracking down an intermittent GPO problem, or if you don't want to have a GP applied during the middle of a client session because it might disrupt an application. Again, it's best to do this on a domain-wide or OU-wide basis for consistency and best performance. To disable background processing, follow these steps:

1. Within the Group Policy Management Console, find the Default Domain Policy in the left pane.
2. Right-click on Default Domain Policy, and choose Edit.
3. The Group Policy Object Editor screen appears. In the Computer Configuration tree, navigate through Policies, Administrative Templates, and System.
4. Click Group Policy.
5. In the right pane, double-click the setting "Turn off background refresh of Group Policy."
6. Select Enabled.
7. Click OK.
In some situations, you might want a policy setting to be applied even if no setting has changed. This goes against default GPO behavior because usually, only changes trigger a policy refresh and reapplication. For example, a user might change some Internet Explorer settings within his session. You might want that change to be reversed, but Windows won't trigger a refresh because the policy itself hasn't changed. To prevent this, you can use the configuration option called "Process even if the Group Policy Object has not changed." (This is like the /enforce switch described a bit earlier.) You've probably caught on by now that it's best to do this on a domain-wide or OU-wide basis for consistency and best performance. To do so, follow these steps:

1. Within the Group Policy Management Console, find the Default Domain Policy in the left pane.
2. Right-click on the Default Domain Policy GPO and choose Edit.
3. In the Computer Configuration tree, navigate through Policies, Administrative Templates, System, and Group Policy.
4. You'll see a list of options ending in "policy processing," such as "Scripts policy processing" and "Wireless policy processing." These settings exist to allow you to tweak the functionality of these types of policies. Open the appropriate policy (which one is best for you depends on the type of policy that you're trying to trigger to change) to view its Properties.
5. Click the Enabled button.
6. Finally, check the "Process even if the Group Policy Object has not changed" checkbox.

Checking the box in step 6 provides the same functionality as issuing the command gpupdate /enforce from the command line.
Policy settings related to computer security follow a refresh policy that is a bit different from normal GPOs. The client computer still refreshes security policy settings even if the GPO has not been changed or modified. There are Registry settings whose values indicate the maximum acceptable time a user or client computer can wait before reapplying GPOs, regardless of whether they are changed. They are as follows:

To change the refresh interval for computers, set HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 64,800.
To change the offset interval for computers, set HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTimeOffset. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 1,440.
To change the domain controller refresh interval, set HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTimeDC. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 64,800.
To change the domain controller offset interval, set HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTimeOffsetDC. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 1,440.
To change the refresh interval for users, set HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 64,800.
To change the offset interval for users, set HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 1,440.
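As an added example (PowerShell written for this section, not code from the book), the following writes and reads back the refresh and offset values listed above with the documented ranges enforced by parameter validation. It assumes the per-user offset value is named GroupPolicyRefreshTimeOffset, mirroring the per-computer name, and that HKLM writes run in an elevated session.

```powershell
# Added example, not from the book: set and audit the Group Policy refresh
# interval and offset values described above, enforcing the documented ranges.
# Assumption: the per-user offset value is named GroupPolicyRefreshTimeOffset,
# mirroring the per-computer value. HKLM writes need an elevated session.

$GpPolicyKeys = @{
    Computer = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    User     = 'HKCU:\Software\Policies\Microsoft\Windows\System'
}

function Set-GpRefreshInterval {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Computer', 'DomainController', 'User')]
        [string] $Target,

        # Documented range is 0 to 64,800 minutes. 0 means "refresh continuously",
        # which the text warns will flood the network, so it is rejected here.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 64800)]
        [int] $IntervalMinutes,

        # Random offset added to each refresh, 0 to 1,440 minutes. It spreads
        # client requests so one domain controller is not hit by all of them at once.
        [ValidateRange(0, 1440)]
        [int] $OffsetMinutes = 30
    )

    $key    = if ($Target -eq 'User') { $GpPolicyKeys.User } else { $GpPolicyKeys.Computer }
    $suffix = if ($Target -eq 'DomainController') { 'DC' } else { '' }

    if ($PSCmdlet.ShouldProcess($key, "Set GroupPolicyRefreshTime$suffix=$IntervalMinutes, offset=$OffsetMinutes")) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name "GroupPolicyRefreshTime$suffix"       -Value $IntervalMinutes -Type DWord
        Set-ItemProperty -Path $key -Name "GroupPolicyRefreshTimeOffset$suffix" -Value $OffsetMinutes   -Type DWord
    }
}

function Get-GpRefreshInterval {
    # Reports the policy-set values. An empty field means no policy value is set
    # and the built-in default applies: 90 minutes plus a 0 to 30 minute offset for
    # computers and users, 5 minutes for domain controllers (as the text notes).
    $scopes = @(
        @{ Scope = 'Computer';         Key = $GpPolicyKeys.Computer; Suffix = '' },
        @{ Scope = 'DomainController'; Key = $GpPolicyKeys.Computer; Suffix = 'DC' },
        @{ Scope = 'User';             Key = $GpPolicyKeys.User;     Suffix = '' }
    )
    foreach ($entry in $scopes) {
        $props = if (Test-Path -Path $entry.Key) { Get-ItemProperty -Path $entry.Key } else { $null }
        [pscustomobject]@{
            Scope           = $entry.Scope
            IntervalMinutes = if ($props) { $props.('GroupPolicyRefreshTime' + $entry.Suffix) } else { $null }
            OffsetMinutes   = if ($props) { $props.('GroupPolicyRefreshTimeOffset' + $entry.Suffix) } else { $null }
        }
    }
}

# Example usage: a 45-minute interval for computers on a larger network, as the
# text suggests. -WhatIf shows what would be written without changing the Registry.
Set-GpRefreshInterval -Target Computer -IntervalMinutes 45 -OffsetMinutes 30 -WhatIf
Get-GpRefreshInterval | Format-Table -AutoSize
```

Drop -WhatIf to apply the change; the policy values written here are the same ones the GPMC settings in steps 5 and 6 above populate on the client.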
6.2.1.7. Policy enforcement over slow network connections

Windows Server 2008 will detect the speed of a client's connection to the network and, based on its measurements, disable enforcement of certain policies that would bog down a slow connection. Policies that Windows will disable include disk quotas, folder redirection, scripts, and software installation and maintenance. By default, Windows considers a speed of less than 500 Kbps a slow link, but you can change this on a per-GPO basis. To change the slow link threshold, follow these steps:

1. Edit the GPO for which you want to change the threshold in the Group Policy Management Console.
2. Navigate through Computer Configuration or User Configuration, as well as through Policies, Administrative Templates, System, and Group Policy.
3. Double-click the Group Policy Slow Link Detection policy in the right-hand pane.
4. Click the Enabled option, and enter the connection speed you want to be the new threshold. Enter 0 to simply disable slow link detection.
5. Click OK when you're finished.
6.2.2. The Scope of Group Policy Objects

So, how far do these GPOs go? What types of objects can GPOs affect? To deploy a GP to a set of users, you "associate" a GPO to a container within Active Directory that contains those users. By default, all objects within a container with an associated GPO have that GPO applied to them.

If you have a large number of GPOs or Active Directory objects, it can be confusing to track the scope and application of GPOs. Luckily, you can find out which containers a specific policy is applied to by selecting the GPO in the Group Policy Management Console and looking in the right pane at the Scope tab. The Links section will reveal the sites, domains, and OUs that are affected by the GPO. To adjust the view of links, you can use the drop-down list box under the Links section and choose the sites and domains you wish to see. You can see this section in Figure 6-5.

Of course, in practice there are always exceptions to any rule; for example, most likely there will be some computers within a container that shouldn't have a policy applied to them. The most straightforward way to limit the scope of a GPO within a specific container is to create security groups that contain only the objects that are to be included in the policy application. Once you've created the necessary groups, follow these steps:

1. Select the GPO you want to administer in the left pane of the Group Policy Management Console.
2. On the Scope tab in the right pane, click the Add button under Security Filtering, and then add the groups that do not need the policy applied.
3. Verify that the group was added to the Security Filtering list, as shown in Figure 6-5.

Figure 6-5. Enabling security group filtering

The GPMC makes it straightforward to limit the application of a GPO to a specific group, as you just saw. But what if you want more granular control than this? You can also play more tricks with groups and GPO ACLs to further limit the effects of policy application to objects, but you'll need to dive into the advanced security settings of the object itself to get more complex operations done. To get there, navigate to the Delegation tab in the right pane of the GPMC and click the Advanced button in the lower-right corner. The screen shown in Figure 6-6 will appear.

Figure 6-6. Manually setting security group filtering

The following is a list of appropriate ACL permissions to grant to obtain the desired result:

If you do not want the policy to be applied to all members of a certain security group, add all the members to a group, add the group to the ACL for the object, and set the following permissions for the group: Apply Group Policy, deny; Read, deny. All members of the group will not have the policy applied, regardless of their existing memberships in other groups.
If group membership (at least in a specific group) shouldn't play a part in the application of this policy, leave permissions alone.
6.2.3. Enforcement and Inheritance

Policies applied to parent objects are inherited automatically by child objects unless there are conflicts; if a child's directly applied policy conflicts with a general inherited policy from a parent, the child's policy will prevail, on the assumption that the administrator really wanted the result of the specifically applied policy and not one that is granted indirectly because of directory tree position. Policy settings that are currently disabled migrate to child objects in the disabled state as well, and policy settings that remain in the "not configured" state do not propagate at all. Additionally, if there are no conflicts, two policies can coexist peacefully, regardless of where the initial application occurred.

As with permissions, you can block GPO inheritance by using two options available within the user interface: Enforced, which instructs child containers not to replace any setting placed higher on the tree than they are; and Block Policy Inheritance, which simply eliminates any inheritance of parent object policies by child objects. If both of these options are set, the Enforced option always trumps the Block Policy Inheritance feature.

Explicit permissions, be they Allow or Deny permissions, will always trump inherited permissions, even if Deny permissions on an object are inherited from a parent. Explicitly granting access to an object cannot be overridden by an inherited denial.

To set a GPO to not override parent GPO settings, you need to set the GPO status to Enforced. Follow these steps:

1. In the GPMC, select the domain in which the GPO resides in the left pane.
2. In the right pane, navigate to the Linked Group Policy Objects tab.
3. Right-click the object and select Enforced from the pop-up context menu. You'll receive a confirmation notice, which is shown in Figure 6-7.
4. Click OK to apply the changes.

Figure 6-7. Setting the Enforced option on a GPO

To block any inheritance of parent policy settings for the current administrative container, first double-click the forest containing the domain or organizational unit for which you want to block inheritance for GPOs, and then do one of the following:

To block inheritance of GPOs for an entire domain, double-click Domains, and then right-click the domain.
To block inheritance for an OU, double-click Domains, double-click the domain containing the OU, and then right-click on the OU.

Finally, click Block Inheritance, as shown in Figure 6-8.

Figure 6-8. Setting the Block Inheritance option

You'll see a small blue exclamation point in the icon beside the domain or OU for which you've blocked inheritance, indicating the operation was successful. To remove the inheritance block, use the aforementioned procedure, and simply uncheck Block Inheritance on the context menu.

If multiple GPOs are assigned to an object, GPOs at the bottom of the list in the right pane of the GPMC are applied first, and objects at the top are applied last. Therefore, GPOs that are higher in the list have higher priorities.
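The precedence rules in this section (child beats parent, Enforced beats Block Inheritance, "not configured" does not propagate, bottom of the link list is applied first) can be modelled so you can predict a result before changing a link. The following is an added PowerShell example written for this section, not code from the book or the GPMC; the container chain and GPO contents are constructed sample data.

```powershell
# Added example, not from the book: a small model of the GPO precedence rules
# described above. Containers, links and settings below are constructed sample data.

function Get-GpoProcessingOrder {
    param(
        # Containers from the top of the tree (site/domain) down to the one holding
        # the target. Each has Name, BlockInheritance and Links; Links is ordered as
        # the GPMC shows it (top of the list = highest priority). A link has Gpo and Enforced.
        [Parameter(Mandatory = $true)] [object[]] $Chain
    )
    $normal   = @()   # non-enforced links, in processing order
    $enforced = @()   # one list per container of its enforced links, in processing order

    foreach ($container in $Chain) {
        # Block Inheritance discards every non-enforced link inherited from parents.
        if ($container.BlockInheritance) { $normal = @() }
        # GPMC list order: the bottom entry is applied first, the top entry last.
        $links = @($container.Links)
        $enforcedHere = @()
        for ($j = $links.Count - 1; $j -ge 0; $j--) {
            if ($links[$j].Enforced) { $enforcedHere += $links[$j] } else { $normal += $links[$j] }
        }
        $enforced += , $enforcedHere
    }
    # Enforced links are applied after all normal ones, and a parent's enforced
    # links after a child's, so an enforced parent setting cannot be overridden below.
    $order = @($normal)
    for ($i = $enforced.Count - 1; $i -ge 0; $i--) { $order += $enforced[$i] }
    return $order
}

function Resolve-GpoSetting {
    param([object[]] $Chain, [string] $Setting)
    $winner = $null
    foreach ($link in (Get-GpoProcessingOrder -Chain $Chain)) {
        # A setting left "not configured" (absent) does not propagate; a setting
        # that is Disabled is still a configured value and does. The last link
        # in processing order that configures the setting wins.
        if ($link.Gpo.Settings.ContainsKey($Setting)) { $winner = $link }
    }
    if ($null -ne $winner) {
        [pscustomobject]@{ Setting = $Setting; Value = $winner.Gpo.Settings[$Setting]; From = $winner.Gpo.Name }
    } else {
        [pscustomobject]@{ Setting = $Setting; Value = 'Not configured'; From = $null }
    }
}

# Constructed sample: the domain enforces a lockout threshold; the Lab OU blocks
# inheritance and links its own GPO with a weaker threshold plus one extra setting.
$DomainPolicy = @{ Name = 'Default Domain Policy'; Settings = @{ LockoutThreshold = 10; ScreenSaverTimeout = 900 } }
$LabPolicy    = @{ Name = 'Lab Lockdown';          Settings = @{ LockoutThreshold = 3;  RemovableStorage = 'Disabled' } }

$Chain = @(
    @{ Name = 'example.com'; BlockInheritance = $false; Links = @(@{ Gpo = $DomainPolicy; Enforced = $true }) },
    @{ Name = 'OU=Lab';      BlockInheritance = $true;  Links = @(@{ Gpo = $LabPolicy;    Enforced = $false }) }
)

# Expected: LockoutThreshold = 10 from the domain (Enforced trumps Block Inheritance),
# ScreenSaverTimeout = 900 from the domain, RemovableStorage = Disabled from the OU.
foreach ($name in 'LockoutThreshold', 'ScreenSaverTimeout', 'RemovableStorage') {
    Resolve-GpoSetting -Chain $Chain -Setting $name
}
```

Flip the domain link's Enforced to $false and the OU's Block Inheritance wins instead, leaving LockoutThreshold at 3 and ScreenSaverTimeout not configured.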
6.2.4. WMI Filters

Windows Server 2008 can filter how Group Policy is applied based on Windows Management Instrumentation (WMI) data. Using WMI filters, you can construct a query with WMI Query Language (WQL) that will return various results onto which you can apply a GP. WMI allows you to pull various characteristics otherwise unavailable through the GPMC, such as a computer's manufacturer and model number, the installation of certain software packages, and other information. You might use WMI when applying policies using these criteria.

To create a WMI filter in the GPMC, right-click on the WMI Filters link in the left pane and select New. The New WMI Filter dialog is shown, as depicted in Figure 6-9. Enter a name and description for the filter; then create the query that will represent the dataset against which the GPO will be filtered by clicking Add, selecting the namespace, and then entering the syntax of the query. Note that you can add more than one query to a filter. While constructing WMI queries is outside the scope of this book, you'll find that such queries are very similar in format to SQL queries. For this example, I'll use a simple query that retrieves machines running Windows XP on the network, as shown in the figure.

Figure 6-9. Creating a new WMI filter

Once you've entered the query and are satisfied with it, click Save. To enable a WMI filter on a particular GPO, click the GPO in the GPMC and look at the bottom of the Scope tab in the right pane. There, you can select the WMI filter to apply to the GPO, as shown in Figure 6-10.

Figure 6-10. Adding a WMI filter to a GPO

Keep in mind that if you set a WMI filter for a GPO, it's an all-or-nothing affair: you can't individually select certain policy settings to apply only to the filtered objects. Either the entire policy applies to the list of filtered objects, or the entire policy doesn't apply. Unfortunately, this might result in an inordinate number of GPOs in your directory, each servicing a different list of filtered objects. Keep this in mind when structuring policies. Also be aware that you can apply only one WMI filter per GPO, although each WMI filter can contain multiple WMI queries, as I noted before.

If you're not familiar with WMI, Microsoft has provided a utility called Scriptomatic, which, although unsupported by Microsoft, helps you construct and use WMI queries for many different Windows administration tasks. You can find the Scriptomatic utility at http://www.microsoft.com/downloads/details.aspx?FamilyID=9ef05cbd-c1c5-41e7-9da8-212c414a7ab0&displaylang=en.

If you're curious, here is a brief sample WMI filter that can reside as a simple XML file on a hard drive; these types of filters use a .MOF extension. This will give you an idea of the structure of a filter and how to create one:

XP Machines
MYDOMAIN\Windows XP Computers
SELECT * FROM Win32_OperatingSystem WHERE Version = "5.1.2600"

If you have a lot of WMI filters in separate files, you can import them by right-clicking on WMI Filters in the left pane of the GPMC and selecting Import. You can browse for your MOF files and then import them for use in filtering.
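Because a WMI filter is all-or-nothing, it pays to dry-run its query before linking it: a filter matches a computer only when the query returns at least one instance. The following is an added PowerShell example written for this section (not the book's code, and not the GPMC's own evaluation engine); it runs the book's XP query plus a few constructed ones against the local machine, or against remote machines over WinRM, and reports which would match.

```powershell
# Added example, not from the book: dry-run candidate WMI filter queries against
# one or more computers before linking them to a GPO. A filter matches a computer
# only when its query returns at least one instance; otherwise the entire GPO is
# skipped on that computer. The filter definitions below are constructed for illustration.

$CandidateFilters = @(
    # The book's XP filter. Version is a string property of Win32_OperatingSystem,
    # so the literal must be quoted; an unquoted 5.1.2600 is a WQL syntax error.
    @{ Name = 'XP Machines';      Namespace = 'root\cimv2'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version = "5.1.2600"' }
    # A prefix match is usually what you want for an OS family rather than one build.
    @{ Name = 'Windows 10 or 11'; Namespace = 'root\cimv2'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%"' }
    # Hardware characteristics the text mentions: manufacturer and model.
    @{ Name = 'Virtual machines'; Namespace = 'root\cimv2'
       Query = 'SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Virtual%"' }
    # Existence of any instance is enough: only machines with a battery match.
    @{ Name = 'Laptops';          Namespace = 'root\cimv2'
       Query = 'SELECT * FROM Win32_Battery' }
)

function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)] [hashtable[]] $Filters,
        # Remote computers are queried over WinRM; the local machine is queried directly.
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        foreach ($f in $Filters) {
            $params = @{ Namespace = $f.Namespace; Query = $f.Query; ErrorAction = 'Stop' }
            if ($computer -ne $env:COMPUTERNAME) { $params.ComputerName = $computer }
            try {
                $hits    = @(Get-CimInstance @params)
                $matched = $hits.Count -gt 0
                $problem = $null
            } catch {
                # A query that fails (bad WQL, missing class, unreachable host)
                # cannot match; surface the reason so the filter can be corrected.
                $matched = $false
                $problem = $_.Exception.Message
            }
            [pscustomobject]@{
                Computer = $computer
                Filter   = $f.Name
                Matches  = $matched
                Problem  = $problem
            }
        }
    }
}

# Example usage: which of the candidate filters would select this computer?
Test-WmiFilter -Filters $CandidateFilters | Format-Table -AutoSize
```

Pass -ComputerName with a list of hosts to see the match table for a whole OU's worth of machines before the GPO goes live.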
6.2.5. Resultant Set of Policy

In Windows 2000, there was no easy way to see all the policies applied to a specific object, nor was there a way to easily project the potential changes to an object that a policy modification would make. However, Windows Server 2008 includes the Resultant Set of Policy (RSoP) tool, which can enumerate the following situations:

Show policies in effect, in the "logging" mode. In the GPMC, this is called "results."
Show the results of a proposed policy addition or change, in the "planning" mode. In the GPMC, this is called "modeling."

You can access each using the Group Policy Modeling and Group Policy Results items in the left pane of the GPMC. Right-click on the appropriate item and select the option that runs each wizard.
6.2.5.1. Planning mode

In RSoP planning mode, accessed through Group Policy Modeling, you can simulate the effects of the deployment of GPOs, change the GPO in accordance with those results, and then re-test. You can specify a particular domain controller, users, security groups and user memberships within them, the location of a machine or site, and any applicable WMI filters, and then model the results of applying a specific GPO. To get started in planning mode, right-click Group Policy Modeling and, from the context menu, select Group Policy Modeling Wizard. Click Next from the introductory screen. The Domain Controller Selection screen appears, as shown in Figure 6-11.

Figure 6-11. Modeling Group Policy: selecting a domain controller

Here, select the domain controller to use when processing the RSoP request. This domain controller must be running at least Windows Server 2003, if not Windows Server 2008. You can choose a specific domain controller from the list, or let Windows choose a domain controller. You can also select a given domain to use its respective domain controllers using the "Show domain controllers in this domain:" drop-down list. Click Next to continue. The User and Computer Selection screen appears, as shown in Figure 6-12.

Figure 6-12. The User and Computer Selection screen

On this screen, you specify the user and computer settings you want to have analyzed when you apply GP. You can also choose a container if you want to analyze Group Policy objects that have been linked to a particular site, domain, or OU. Note also at the bottom of the screen the option to skip to the end of the wizard. If you have a simple query that is complete at any point during the wizard, simply select this option to bypass the remaining screens and go straight to the results of the query. Click Next to continue. The Advanced Simulation Options screen appears, as shown in Figure 6-13.

Figure 6-13. The Advanced Simulation Options screen

On this screen, you can tell Windows to simulate a very slow link between domain controllers and clients, whether to merge or replace loopback processing, and the site to which these settings should apply. This is very useful for testing real-world conditions. Click Next to continue. You'll next see the Alternate Active Directory Paths screen, as shown in Figure 6-14.

Figure 6-14. The Alternate Active Directory Paths screen

On this screen, you can simulate the effects of moving your targets to different locations within your AD structure. You can use the default entries, which reflect the current location of the target objects, or change them using the Browse button to see what would happen if you moved the target to a new location. Click Next to continue.

Next comes the User Security Groups screen. On this screen, you can see the results of applying Group Policy if you change the existing user's or computer's security group memberships. The current group memberships are listed in the box, and you can add and remove them using the Add and Remove buttons. To undo your changes, just click Restore Defaults. Click Next when you have the list as you want it. If you have selected a computer or container of computers in the initial step of the wizard, the Computer Security Groups screen will appear next, as depicted in Figure 6-15. It operates exactly like the User Security Groups screen does, as just described. Click Next to continue.

Figure 6-15. The Computer Security Groups screen

The WMI Filters for Users (or Computers, depending on your initial RSoP query) screen appears next, as shown in Figure 6-16.

Figure 6-16. The WMI Filters for Computers screen

Here, you instruct Windows to assume that the user (or container of users) you've selected meets either all configured WMI filters or the specified WMI filter as shown in the box. Click Next when you've selected the appropriate filters. The next screen is a summary of your selections. Confirm that all is well, and then click Next to begin the simulation. When the process is complete, the wizard will let you know. When you click Finish, the results will appear. A sample results screen is shown in Figure 6-17.

Figure 6-17. Group Policy Modeling results

The result is an HTML file that you can collapse and expand as needed. You can see each computer configuration and user configuration result, including GPOs that would be applied and denied, any WMI filters that would be used, how each GP component would survive the deployment, and general information about the query. You can right-click the report and either print or save it. And, if you change your GP settings and want to rerun the same query on the new settings, simply right-click the results page within the GPMC and select Rerun Query.
6.2.5.2. Logging mode

The RSoP logging mode within the GPMC, called Group Policy Results, operates in much the same way as the planning mode does. To get started, right-click Group Policy Results in the left pane of the GPMC and select Group Policy Results Wizard from the context menu. Click away from the introductory screen in the wizard, and the Computer Selection screen appears, as shown in Figure 6-18.

Figure 6-18. The Computer Selection screen

Here, select the computer for which you want to obtain results. You can analyze the current computer or another computer on the network. You can also limit the results to only the User Configuration portion of GP using the checkbox in the middle of the screen. Click Next to continue. The User Selection screen appears next. This is reproduced in Figure 6-19.

Figure 6-19. The User Selection screen

On this screen, you can select the user for whom to report the results of the User Configuration section. The list is limited to those who have logged on to the computer at some point in time and for whom you have permission to read the results. You can also limit the results displayed to computer configuration information only by using the radio button at the bottom of the screen. Click Next to continue. The Summary of Selections screen appears. Confirm your choices, and click Next to perform the query. When the process is complete, the wizard will notify you. Click Finish to view the results; a sample result screen is shown in Figure 6-20.

Figure 6-20. Results from the Group Policy Results Wizard

Like the other GPMC reports, this one is HTML-based and can be saved and printed by right-clicking anywhere in the report and selecting the appropriate option. For each of the Computer Configuration and User Configuration portions of GP, the report shows the following:

General information about the query
GPOs that were applied and GPOs that were denied
The user's and/or computer's membership in security groups when GP was applied
WMI filters that "catch" the user or computer
The status of each component of GP, including GPOs themselves, EFS recovery, the Registry, and security (permissions)
6.2.5.3. Using RSoP without the GUI

You also can script some functions using the RSoP APIs exposed by the GPMC automation object (GPMgmt.GPM). The sample script in Example 6-1, courtesy of http://ActiveDir.org (with some modifications), runs a logging-mode (Group Policy Results) query for a given user on a given computer and saves the resulting report as HTML. To use it, copy and paste the following text into your favorite text editor, and save it using a .vbs extension. Then run it from the command line using the following:

Cscript filename.vbs

Example 6-1. Creating an RSoP report with VBScript

'-----------------------------------------------------------------------
' Prompt for the target computer, the user whose applied policy we want
' (DOMAIN\user form), and the folder in which to write the HTML report.
ComputerName = InputBox("Enter the name of a computer running " & _
    "Windows XP, Windows Server 2003, or Windows Server 2008", _
    "Information", "")
UserName = InputBox("Enter the user (DOMAIN\user) whose results to report", _
    "Information", "")
resultpath = InputBox("Enter a location to store the report", _
    "Information", "c:\temp")
' A backslash in DOMAIN\user would otherwise become a path separator
resultpath = resultpath & "\" & Replace(UserName, "\", "_") & ".HTML"

' Instantiate the GPMC automation object and fetch its constants
Set GPMC = CreateObject("GPMgmt.GPM")
Set Constants = GPMC.GetConstants()

' Logging mode reports what actually applied, not a simulation
Set RSOP = GPMC.GetRSOP(Constants.RSOPModeLogging, "", 0)
RSOP.LoggingComputer = ComputerName
RSOP.LoggingUser = UserName
RSOP.CreateQueryResults()
RSOP.GenerateReportToFile Constants.ReportHTML, resultpath
' Release the temporary WMI namespace the query created on the target
RSOP.ReleaseQueryResults()

MsgBox "RSoP report complete! A full report has been placed at " & resultpath
'-----------------------------------------------------------------------
You can retrieve RSoP information in a few other ways as well. Microsoft included a tool with the Windows 2000 Resource Kit, called GPRESULT.EXE, which you run on a client computer. (Later versions of Windows install this utility by default.) GPRESULT returns a listing of all policies applied to a user and computer, the OUs in which the computer and user are located, the site they are in, and a lot more information. You can find the GPRESULT executable and technical information on the tool at http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp. Remote computers need to run at least Windows XP or Windows Server 2003 for GPRESULT to return accurate information, because the remote query uses the RSoP WMI provider that those versions introduced; the target must accept remote RPC/WMI connections (the Remote Administration firewall exception), and you need permission to read Group Policy Results data on it. For example, to get information for the user jhassell on the remote workstation JH-WNXP-LTP using GPRESULT, run:

gpresult /s JH-WNXP-LTP /USER jhassell

Likewise, to get information for the user ljohnson on the remote workstation LJ-WNXP-DSK, run:

gpresult /s LJ-WNXP-DSK /USER ljohnson

You also can add the /V option to enable verbose output, which displays detailed information and not just a summary view, or /Z, to enable extended verbose output (even more details). Use /SCOPE COMPUTER to look at only Computer Configuration policies; similarly, use /SCOPE USER to look at only User Configuration policies. You can redirect the output of GPRESULT to a text file using the standard > redirection operator. On Windows Vista and Windows Server 2008, GPRESULT additionally accepts /R for the summary view, /H filename.html to write the same HTML report the GPMC produces, and /X filename.xml for XML output; those versions require one of the output switches and print only their usage text without it.

The Windows Server 2003 Resource Kit contains WINPOLICIES.EXE, a system tray tool that can show and troubleshoot client-side GPO processing.
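The same GPMgmt.GPM object the VBScript drives can be used from Windows PowerShell, which ships with Windows Server 2008. The following is an added example, not from the book or from ActiveDir.org: it runs a planning-mode (Group Policy Modeling) query that simulates moving a user and a laptop to other OUs, adding a group membership and assuming a slow link, and then runs a batch of logging-mode (Group Policy Results) queries of the kind you would otherwise issue one at a time through the wizard or with GPRESULT. The domain, domain controller, OU, group, computer and user names are placeholders; the property and constant names are those documented for the GPMC automation interfaces.

```powershell
# Added example (not from the book): Group Policy Modeling (planning) and
# Group Policy Results (logging) queries through the GPMC COM API.
# Domain, DC, OU, group, user and computer names are placeholders.
$gpm = New-Object -ComObject GPMgmt.GPM
$c   = $gpm.GetConstants()

function Save-RsopReport($rsop, [string]$path) {
    # Run the query, write the HTML report, then release the temporary WMI
    # namespace the query created; returns the GPMResult of the report step.
    $rsop.CreateQueryResults()
    $result = $rsop.GenerateReportToFile($c.ReportHTML, $path)
    $rsop.ReleaseQueryResults()
    return $result
}

# --- Planning mode: "what if" the user and laptop were moved to other OUs,
#     the user gained a group, and the link were slow (the same knobs the
#     Modeling wizard exposes on its Alternate AD Paths, Security Groups
#     and WMI Filters screens). Needs a DC and the
#     "Read Group Policy Modeling data" permission.
$plan = $gpm.GetRSOP($c.RSOPModePlanning, '', 0)
$plan.PlanningDomainController = 'DC01.corp.example.com'   # DC that runs the simulation
$plan.PlanningUser             = 'CORP\jhassell'
$plan.PlanningUserSOM          = 'OU=Finance,DC=corp,DC=example,DC=com'   # simulated new location
$plan.PlanningComputer         = 'CORP\JH-WNXP-LTP$'
$plan.PlanningComputerSOM      = 'OU=Laptops,DC=corp,DC=example,DC=com'
$plan.PlanningUserSecurityGroups = [string[]]@('CORP\Domain Users', 'CORP\Finance Analysts')
$plan.PlanningFlags = $c.RSOPPlanningAssumeSlowLink -bor $c.RSOPPlanningAssumeUserWQLFilterTrue
$r = Save-RsopReport $plan 'C:\temp\modeling-jhassell.html'
'Modeling query status: {0}' -f $r.OverallStatus()   # 0 means success

# --- Logging mode: what actually applied, for several user/computer pairs.
#     Each target must accept remote RPC/WMI, and you need the
#     "Read Group Policy Results data" permission on it.
$targets = @(
    @{ Computer = 'JH-WNXP-LTP'; User = 'CORP\jhassell' },
    @{ Computer = 'LJ-WNXP-DSK'; User = 'CORP\ljohnson' }
)
foreach ($t in $targets) {
    $log = $gpm.GetRSOP($c.RSOPModeLogging, '', 0)
    $log.LoggingComputer = $t.Computer
    $log.LoggingUser     = $t.User
    $file = 'C:\temp\results-{0}-{1}.html' -f $t.Computer, ($t.User -replace '\\', '_')
    $r = Save-RsopReport $log $file
    '{0}: status {1}, report {2}' -f $t.Computer, $r.OverallStatus(), $file
}
```

If a query fails, the messages in $r.Status (a collection of status messages on the GPMResult) say why; the usual causes are a target that does not allow remote WMI, a planning DC that cannot be reached, or a caller lacking the modeling or results permission on the OU. Running `$c | Get-Member` lists every constant your GPMC build exposes, which is the quickest way to confirm a constant name before relying on it.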
6.2.6. Other Administrative Tasks

The GPMC also supports a few more functions, which I'll describe in this section.

6.2.6.1. Searching for GPOs

Using the GPMC, you can search for specific GPOs or for the values of properties of some GPOs. To do so, right-click a forest (or a domain) in the lefthand pane of the GPMC and select Search from the context menu. The Search for Group Policy Objects screen appears, as shown in Figure 6-21.

Figure 6-21. Searching for GPOs

You can set the scope of your search to all domains within a forest, or to a specific domain that you select from the drop-down list at the top of the screen. Then you specify your search criteria by selecting the item to search, the condition to match, and the value that the condition should match. The possible search terms are:

GPO name "contains," "does not contain," or "is exactly" your value.

GPO links "exist in" or "do not exist in" certain sites or all sites.

Security group: you simply select one or more security groups using the standard selection dialog; this finds GPOs whose ACL grants that group permissions (for example, Apply Group Policy).

User configuration "contains" or "does not contain" folder redirection, Internet Explorer branding, Registry, scripts, or software installation values.

Computer configuration "contains" or "does not contain" EFS recovery, IP security, Microsoft disk quota, QoS packet scheduler, Registry, scripts, software installation, or wireless GP values.

GUID "equals" your value.

You can stack criteria to have multiple conditions in your search by selecting the appropriate query and clicking Add to add the current criteria to the query list. Then you can select more criteria and add them to create more complex searches; all criteria in the list must be satisfied (they are ANDed). You can remove selected criteria from the query list by clicking the Remove button. Click Search to start the search, and Stop Search to stop it before it has finished. The results of the search appear at the bottom of the screen. You can select a particular GPO from the results and go directly to editing it by selecting it and clicking the Edit button. You also can save the set of results by clicking the Save Results button, which puts the results in a text file of comma-separated values (CSV). Finally, to clear the current results and perform a new search, click the Clear button.
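The same searches can be scripted against the GPMC automation object, which is handy when you want results as objects rather than a CSV export. The block below is an added example, not from the book: it runs the name-plus-security-group search and the GUID search described above, then uses an empty criteria set (which matches every GPO) to list GPOs modified in the last 30 days, a change-review check the GUI search cannot express. The domain and group names are placeholders; the Default Domain Policy GUID is the well-known value every domain uses.

```powershell
# Added example (not from the book): GPO searches through the GPMC COM API.
# Domain and group names are placeholders.
$gpm = New-Object -ComObject GPMgmt.GPM
$c   = $gpm.GetConstants()
$dom = $gpm.GetDomain('corp.example.com', '', $c.UseAnyDC)

function Find-Gpo($domain, $criteria) {
    # SearchGPOs returns a 1-based GPMGPOCollection; unwrap it into a stream
    # of GPMGPO objects so the caller can pipe to Sort-Object or Export-Csv.
    $found = $domain.SearchGPOs($criteria)
    for ($i = 1; $i -le $found.Count; $i++) { $found.Item($i) }
}

# 1. Name "contains" a value AND a security group holds Apply Group Policy on
#    the GPO (criteria are ANDed, exactly as the GUI's query list is).
$crit = $gpm.CreateSearchCriteria()
$crit.Add($c.SearchPropertyGPODisplayName, $c.SearchOpContains, 'Lockout')
$apply = $gpm.CreatePermission('CORP\Finance Users', $c.PermGPOApply, $false)
$crit.Add($c.SearchPropertyGPOPermissions, $c.SearchOpContains, $apply)
Find-Gpo $dom $crit | ForEach-Object { "{0}`t{1}" -f $_.DisplayName, $_.ID }

# 2. GUID "equals" (the Default Domain Policy has this GUID in every domain)
$byId = $gpm.CreateSearchCriteria()
$byId.Add($c.SearchPropertyGPOID, $c.SearchOpEquals, '{31B2F340-016D-11D2-945F-00C04FB984F9}')
Find-Gpo $dom $byId | ForEach-Object { $_.DisplayName }

# 3. Empty criteria = every GPO in the domain; filter client-side for anything
#    changed recently. The DS version numbers tell you whether the user or the
#    computer half of the GPO is what moved.
$cutoff = (Get-Date).AddDays(-30)
Find-Gpo $dom ($gpm.CreateSearchCriteria()) |
    Where-Object { $_.ModificationTime -gt $cutoff } |
    Sort-Object ModificationTime -Descending |
    ForEach-Object {
        "{0}`t{1}`tuser v{2} computer v{3}" -f $_.ModificationTime, $_.DisplayName,
            $_.UserDSVersionNumber, $_.ComputerDSVersionNumber
    }
```

Pipe the third query into `Export-Csv` to get the same kind of file the Save Results button writes, but with only the GPOs that changed since your last review.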
6.2.6.2. Backing up, copying, importing, and exporting GPOs

The GPMC also supports copying, importing, backing up, and restoring GPO information. Previously, GPO backups were not possible unless you performed a system state backup of a domain controller. When you back up a GPO using the GPMC, only data pertinent to that particular GPO is backed up: its settings (the Group Policy Container in Active Directory and the Group Policy Template in SYSVOL), its ACL, and its reference to a WMI filter. Links to the GPO from sites, domains, and OUs are not backed up, because restoring that information becomes troublesome; neither are the WMI filters or IPsec policies the GPO merely refers to. However, when you restore, Windows automatically assigns the previous GUID of the backed-up GPO, which is wonderful for simply resurrecting an inadvertently deleted GPO (the links, which disappear with the GPO, have to be re-created by hand).

It is not uncommon for administrators to spend a great deal of time configuring GPOs exactly as needed and then to find themselves having to repeat the process manually on several other OUs for which they are responsible. The GPMC can save hours upon hours with its copy capability. You can simply copy a GPO or set of GPOs and then paste them elsewhere, into another OU. However, a copy isn't the same as a backup, because the copy process doesn't write the information to a file that can be moved elsewhere for safekeeping. Also, a copy of a GPO has a different GUID than the original GPO. To perform a GPO copy, you need rights to create GPOs in the destination location and read access to the GPOs in the original location.

The GPMC also supports the ability to import and export GPOs, even to a separate domain with which no trust exists to the original domain. This is useful when you need to copy the same GPO settings to multiple domains or when moving between development and production forests. You don't need to meticulously re-create all your GPOs on the other domains; simply export them (a GPMC backup is the export format) and import them into a GPO in the new domain. It's a faster and less error-prone procedure. Note that an import replaces every setting in the destination GPO with the settings of the source; it does not merge them.

Importing GPOs across domains can be a bit complex because you'll need to create a migration table to specify how the GPMC should translate domain-specific data from one domain into the other. Most GPOs contain information such as users, groups, computers, and UNC paths that refer to objects available in a specific domain. These might not be applicable in the new domain, so you'll need to tell Windows how to translate these objects stored within the source GPO to other objects applicable to the destination GPO's location. Here's a more specific list of GPO aspects you can modify within the migration process:

Security policy settings, including user rights assignments, restricted groups, services, filesystem entries, and Registry keys and values

Advanced folder redirection policies

The ACL on a GPO itself, which can be preserved or discarded at your discretion

The ACL on software installation GPOs (software installation is covered later in this chapter), which relies on your selecting the option immediately preceding this one
Let's walk through several examples for backing up, copying, exporting, and importing GPOs with the GPMC. To back up a specific GPO, follow these steps:

1. Open the GPMC.

2. Expand the Forest and Domain trees in the left pane, and then select Group Policy Objects under your domain.

3. In the right pane, select the GPO you want to back up.

4. Right-click the GPO and select Back Up.

5. The Back Up Group Policy Object dialog box appears, as shown in Figure 6-22. Enter the location where you want to store the backed-up GPO files in the first box, and then enter a helpful description for yourself so that you can identify the backed-up files later. Protect that folder with NTFS permissions: a backup contains the full settings of the GPO, and anyone who can write to the folder can alter what a later import or restore puts into your directory.

Figure 6-22. Backing up GPOs

6. A progress box appears, indicating how far Windows has progressed in the backup procedure. A message in the Status box notes a successful backup when the procedure is finished.

7. Click OK to finish.

To copy a specific GPO, follow these steps:

1. Open the GPMC.

2. Expand the Forest and Domain trees in the left pane, and then select Group Policy Objects under your domain.

3. In the right pane, select the GPO you want to copy.

4. Right-click the GPO and select Copy.

5. Find the OU within Active Directory to which you want to paste the copied GPO and select it.

6. Right-click the OU and select Paste from the context menu. A message, shown in Figure 6-23, appears asking you whether you want to link the GPOs you copied to the destination OU. Click OK to continue.

Figure 6-23. Copying GPOs

Your GPO has been copied. To import a specific GPO, you need to create a new GPO in the location to which you want to import settings. For example, if you want to import the lockout policy from one domain into a new domain, you'll need to create a new GPO in the new domain. Then, follow these steps:

1. Open the GPMC.

2. Expand the Forest and Domain trees in the left pane, and then select Group Policy Objects under the new domain.

3. In the right pane, select the GPO you want to use.

4. Right-click the GPO and select Import Settings. The Import Settings Wizard appears.

5. The wizard prompts you to back up the settings currently within the destination GPO, because the import will overwrite them. Click the Backup button to do so, and follow the procedure earlier in this section to step through that process. When you are done, click Next.

6. Select the location where the backup of the GPO that you want to import is stored. Then click Next.

7. The Source GPO screen appears. All the GPOs that are stored in the location you entered in step 6 are listed on this screen. You can select an individual GPO and click View Settings to refresh your memory as to the settings the GPO contains. Select the GPO you want to use, and then click Next.

8. The Migrating References screen may appear (if not, skip to step 13). Depending on the settings contained within the GPO, you might need to "map" entries using a migration table. You can select to copy the existing entries directly from the source (using the first bulleted option), or you can create a new migration table by clicking New. This opens the Migration Table Editor window.

9. From the Tools menu, select "Populate from Backup," and then select the source GPO you are importing. Windows automatically populates the list with the objects that need to be translated.

10. In the Destination Name column, simply enter the correct name for the source property in its new location. Be sure these properties already exist within the destination location; the GPMC can't create them on the fly, and Validate Table (also on the Tools menu) will tell you which destinations it cannot resolve. If some properties don't need to be changed, leave the Destination Name column at its default, <Same As Source>.

11. You can save this migration table for use in other GPO import procedures by selecting Save from the File menu and specifying a location. This can be anywhere on your filesystem.

12. Close the Migration Table Editor. The Migrating References screen reappears, with the migration table you just created selected. Click Next to continue.

13. The "Completing the Import Settings Wizard" screen appears. Confirm that your settings are correct, and then click Finish. Your settings are imported.
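The backup, migration-table, and import steps above map one-to-one onto the GPMC automation interfaces, which is how you would repeat them for a whole set of GPOs or run them from a build script when promoting policy from a development forest. The block below is an added example, not from the book or from the GPMC sample scripts: it backs up one GPO, builds a migration table populated from that backup and rewrites the CORP\ principals and the file server in UNC paths, validates and saves the table, and imports the backup into a freshly created GPO in a second domain. Domain, server, share, group and GPO names are placeholders.

```powershell
# Added example (not from the book): back up one GPO, then import it into a
# new GPO in a second domain, translating domain-specific references with a
# migration table. All domain, server, path and GPO names are placeholders.
$gpm = New-Object -ComObject GPMgmt.GPM
$c   = $gpm.GetConstants()
$src = $gpm.GetDomain('corp.example.com', '', $c.UseAnyDC)
$dst = $gpm.GetDomain('lab.example.com',  '', $c.UseAnyDC)
$backupPath = '\\fileserver\gpobackups'     # share both forests can read; lock down its ACL

function Get-GpoByName($domain, [string]$name) {
    # Exact-name lookup; GPO display names are not unique, so refuse ambiguity.
    $crit = $gpm.CreateSearchCriteria()
    $crit.Add($c.SearchPropertyGPODisplayName, $c.SearchOpEquals, $name)
    $found = $domain.SearchGPOs($crit)
    if ($found.Count -ne 1) { throw "expected one GPO named '$name', found $($found.Count)" }
    return $found.Item(1)            # GPMC collections are 1-based
}

function Show-Result([string]$label, $result) {
    # GPMResult.Status is a collection of status messages; print them all
    '{0}: overall status {1}' -f $label, $result.OverallStatus()
    foreach ($m in $result.Status) { '  ' + $m.Message }
}

# 1. Back up the source GPO (settings, ACL and WMI filter reference; not its links)
$gpo = Get-GpoByName $src 'Account Lockout Policy'
$res = $gpo.Backup($backupPath, 'pre-migration copy ' + (Get-Date -Format s))
Show-Result 'Backup' $res
$backup = $res.Result              # the GPMBackup object just written

# 2. Migration table: populate from the backup (Tools > Populate from Backup
#    in the GUI), then rewrite CORP\ principals and the file server in UNC
#    paths. ProcessSecurity also adds the trustees from the GPO's own ACL.
$mt = $gpm.CreateMigrationTable()
$mt.Add($c.ProcessSecurity, $backup)
foreach ($e in $mt.GetEntries()) {
    if ($e.EntryType -eq $c.EntryTypeUNCPath) {
        $mt.UpdateDestination($e.Source, ($e.Source -replace '^\\\\fileserver\\', '\\labfs\'), $c.DestinationSet)
    } elseif ($e.Source -like 'CORP\*') {
        $mt.UpdateDestination($e.Source, ('LAB\' + $e.Source.Substring(5)), $c.DestinationSet)
    }
    # Everything else (well-known SIDs such as BUILTIN\Administrators) stays <Same As Source>
}
Show-Result 'Migration table validation' $mt.Validate()
$mt.Save((Join-Path $backupPath 'corp-to-lab.migtable'))

# 3. Import into a freshly created GPO in the destination domain. Import
#    replaces every setting in the destination; ProcessSecurity carries the
#    (translated) ACL across as well.
$new = $dst.CreateGPO()
$new.DisplayName = $gpo.DisplayName
Show-Result 'Import' ($new.Import($c.ProcessSecurity, $backup, $mt))
```

When the destination domain is untrusted, GetDomain authenticates with whatever you saved for it in Stored User Names and Passwords, which is the same requirement the GUI has. If the two domains do trust each other, `$gpo.CopyTo($c.ProcessSecurity, $dst, $gpo.DisplayName, $mt)` performs the copy-and-translate in one step without an intermediate backup.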
6.2.6.3. Managing GP across multiple forests

Using the GPMC, you can quite easily browse and set up GPOs in several distinct forests and domains. In fact, even the default setup of the GPMC allows you to select Add Forest from the Action menu and then type the name of a forest you want to manage. The GPMC adds that forest to the list of available forests in the left pane. Managing GP for multiple forests comes with a few requirements:

To make everything work out of the box, you need a two-way trust between the target forest and the forest containing the machine on which you are running the GPMC.

If you have only a one-way trust, choose Options from the View menu, and then on the General tab uncheck "Enable trust detection." With trust detection on, the GPMC verifies that a two-way trust exists before it will add a forest; turning it off lets you add a forest that is reachable but only partially trusted, and the permissions you actually hold in that forest decide what you can manage there.

If you don't have a trust, you'll need to use the Stored User Names and Passwords applet in the Control Panel of Windows Server 2003 or the User Accounts applet in Windows XP to keep your login information for the remote forest (on Windows Server 2008 the same store is reached through the User Accounts applet or the cmdkey command-line tool).

Most likely you will need Enterprise Admins credentials to manage GP in other forests.

6.2.6.4. Delegating administration of GPs

Windows 2000 introduced a feature that allowed you to delegate administrative authority for any number of privileges to certain users; this was an extremely useful and cost-effective way to spread out the workload and increase business units' responsibility for their own IT costs. Windows Server 2008 extends this ability to GPOs, allowing an administrator to grant supervisory privileges (to use old NetWare terminology) over some actions with regard to GPOs. Here's how it works.

By default, the creation of GPOs is restricted to members of the Domain Admins or Enterprise Admins groups or to those users who belong to the Group Policy Creator Owners group. The key distinction between those security groups is that although those in an administrator group can create and edit any and all GPOs in a directory, the members of the Group Policy Creator Owners group (referred to from now on as the GPCO group) can edit only those policies they created themselves, because the creator is written into the new GPO's ACL with full control over it (the GPMC shows this on the GPO's Delegation tab as "Edit settings, delete, modify security"). In addition, members of the GPCO group cannot link GPOs to containers within a directory unless a special permission, known as Manage Policy Links (shown as Link GPOs on the Delegation tab of a site, domain, or OU in the GPMC), has been explicitly granted to them. If you take advantage of delegation in your organization and empower group or department managers to administer IT assets within their own scope of control, you might want to enable them to administer some GPOs for their group.

It's likely that these managers aren't members of the Domain Admins, Enterprise Admins, or Group Policy Creator Owners groups, so you'll need to delegate individual privileges: either the ability to create and edit GPOs themselves, or the ability to link GPOs to objects within Active Directory. The two privileges are independent; they are not required in tandem, and from a least-privilege standpoint you should grant only the one a person needs (a manager who links existing, centrally maintained GPOs to his OU has no need to create new ones). To delegate the ability to create and edit GPOs to a user or group, follow these steps:
1. Open the GPMC.

2. In the tree view, select Group Policy Objects under the domain.

3. Navigate to the Delegation tab in the righthand pane.

4. Add the user or group to whom you want to delegate the privilege.

To delegate the ability to link GPOs to objects, follow these steps:

1. Open the GPMC.

2. Select the site, domain, or OU for which you want to grant the ability to link GPOs.

3. Navigate to the Delegation tab in the righthand pane, and make sure "Link GPOs" is the permission selected in the drop-down list.

4. Add the user or group to whom you want to delegate the privilege. You are asked whether the permission should apply to this container only or to this container and all its children; choose the narrower scope unless the delegate really administers the whole subtree.

If you prefer to do this via scripting, a couple of sample scripts are included with a GPMC installation on Windows Server 2003, located in the Program Files\Group Policy Management Console\Scripts directory, that can delegate these two abilities. You can delegate GPO creation and ownership with the SetGPOCreationPermissions.wsf script, and you can delegate linking with the SetSOMPermissions.wsf script. On Windows Server 2008, where the GPMC is installed as a feature, the sample scripts are a separate download from Microsoft rather than part of the default installation.
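What those two sample scripts do is a few calls against the GPMC automation object, so you do not need them to script the delegation. The block below is an added example, not from the book or from the sample scripts: it grants GPO creation rights on the domain (the scope-of-management, or SOM, that the "Group Policy Objects" Delegation tab edits) to one group, grants link rights on a single OU to a different group without inheritance, and then lists the OU's Group Policy permissions so you can verify the result. Domain, OU, and group names are placeholders.

```powershell
# Added example (not from the book): delegating GPO creation and GPO linking
# separately through the GPMC COM API. Domain, OU and group names are placeholders.
$gpm = New-Object -ComObject GPMgmt.GPM
$c   = $gpm.GetConstants()
$dom = $gpm.GetDomain('corp.example.com', '', $c.UseAnyDC)

function Grant-SomPermission($som, [string]$trustee, $permType, [bool]$inheritable) {
    # Read the SOM's current Group Policy permissions, append one entry, write back.
    $sec  = $som.GetSecurityInfo()
    $perm = $gpm.CreatePermission($trustee, $permType, $inheritable)
    $sec.Add($perm)
    $som.SetSecurityInfo($sec)
}

function Show-SomPermissions($som) {
    # Permission is a numeric GPMPermissionType; compare with $c.PermSOMLink,
    # $c.PermSOMGPOCreate, $c.PermSOMLogging, $c.PermSOMPlanning as needed.
    foreach ($p in $som.GetSecurityInfo()) {
        '{0,-35} perm={1,-4} inherited={2}' -f $p.Trustee.TrusteeName, $p.Permission, $p.Inherited
    }
}

# 1. Create rights live on the domain SOM (what the "Group Policy Objects"
#    node's Delegation tab edits). GetSOM('') returns the domain itself.
#    The delegate can then create and edit its own GPOs but link nothing.
$domainSom = $dom.GetSOM('')
Grant-SomPermission $domainSom 'CORP\Finance IT' $c.PermSOMGPOCreate $false

# 2. Link rights are granted per container. $false confines the entry to this
#    OU ("This container only"); $true would let it inherit to child OUs.
#    This grants no right to create or edit GPOs.
$ou = $dom.GetSOM('OU=Finance,DC=corp,DC=example,DC=com')
Grant-SomPermission $ou 'CORP\Finance Helpdesk' $c.PermSOMLink $false

# 3. Verify what is now on the OU
Show-SomPermissions $ou
```

Keep the two grants on different groups where you can: a delegate who can both create a GPO and link it to an OU full of servers can push arbitrary startup scripts to those machines, which is administrative control of them in all but name.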
6.3. Local Group Policy

Now let's examine the two different types of GP, starting with local GP and moving to domain-based GP. Although local policies don't have the flexibility of domain-based GPs, as you will see, they are still a valuable tool for creating a deployable set of standards for computers in your organization. Local policies are most useful for creating a security configuration for either clients or servers that is appropriate for your company. With the Security Templates snap-in, you can create role-based templates that configure most security-related settings on your machines. And with the Security Configuration and Analysis snap-in (covered in detail in Chapter 7), you can create a database of roles and policies for your organization's machines. In this section, I'll look at local security policy and at using the security templates features to create a consistent security configuration.

6.3.1. Security Templates

Microsoft wisely decided to ship Windows with a few predefined security settings files, hereafter referred to as "security templates." These files are plain-text .inf files that contain what are essentially recipes for configuring a machine's security policy based on its daily role. These templates, designed to be applied to new Windows installations that already have had a basic template applied, must be used on systems formatted with NTFS, at least on the boot partition (the one containing the operating system files), because the filesystem permissions they set have no meaning on FAT. The incremental security templates are as follows:

For workstations or servers on which users ought to be prevented from being in the Power Users group, apply the compatws.inf template. This template compensates for the lack of additional privileges afforded to members of the Power Users group by relaxing the rights restrictions on the normal Users group. But be careful: you should only use this template if you're dealing with noncertified software (programs that don't have the Windows logo affixed to them) that won't otherwise run, since it loosens, rather than tightens, the machine.

To further secure workstations or servers, the securews.inf template increases the overall security level of a machine by tightening areas of the OS not under the purview of rights and restrictions. Areas that are more secure using this template include account policy settings, auditing controls, and Registry keys that are prominent in security policy. The appropriate version of this template for Windows domain controllers is securedc.inf.

For the ultra-paranoid and for those with the most stringent security requirements, the hisecws.inf (and for domain controllers, the hisecdc.inf) file can be used; however, because it requires all network transmissions between Windows machines to be signed and encrypted (SMB and LDAP signing, NTLMv2-only authentication), this template is appropriate only in pure Windows 2000 or greater environments.

Setup security.inf restores the security settings of a machine to their default, out-of-the-box configuration. Use this if you have made modifications and want to completely reverse them and "wipe the slate clean," as it were.

Rootsec.inf specifies the newer, more secure permissions for the root of the system drive. Most significantly, this removes the Full Control permission from Everyone on the system drive. You also can use this template to reapply the more stringent root directory security on systems where the baseline security settings have been modified.

DC security.inf refers to the default security template for domain controllers, which imposes more stringent requirements on network transmissions and secures more portions of the filesystem and Registry. This template is created when a server is promoted to domain controller status.

Iesacls.inf provides a tighter security configuration for Internet Explorer, restricting scripting activity in certain untrusted zones and providing a more stringent, but secure, web browsing atmosphere.
These convenient templates are designed to be used with the Security Templates snap-in. Using the snap-in, you can apply the basic and incremental security templates included with the product, or you can modify the templates to create your own easily distributable templates. To begin using the Security Templates snap-in, follow this procedure:

1. Run mmc from a command line. An MMC started without a console file opens in author mode (mmc /a forces author mode for an existing .msc file), allowing you to add a snap-in.

2. From the File menu, select Add/Remove Snap-in. This raises the Add or Remove Snap-ins dialog box.

3. From the Available snap-ins list, select Security Templates and click Add.

4. Click OK to confirm the addition of the snap-in.

Now you have the Security Templates snap-in added to a console. From this snap-in, you can expand the Security Templates section in the console tree on the left, and then expand the C:\Windows\security\templates folder to view the predefined security templates discussed earlier.
6.3.2. Creating a Custom Security Template

You might want to make your own customized policy modifications that go above and beyond those made in the templates shipped with Windows. Creating a custom security template affords you an easy way to package, deploy, and apply these modifications with a minimum of administrative headache. Best of all, you can use these templates in conjunction with a utility called the Security Configuration and Analysis tool to assess the overall "hardness," or state of security, of your machines. To create your own security template, follow these steps:

1. In the Security Templates console, expand Security Templates in the tree pane on the left, and right-click C:\Windows\security\templates (this is the default templates folder in the system).

2. Select New Template from the context menu that appears.

Now you can make any policy modifications you want in any one of the policy areas supported by the tool: account policies, local policies, the event log, restricted groups, system services, the Registry, and the filesystem. Your additions, deletions, and other changes are saved directly into the template as they are made.

To take this one step further, you might decide to build on the basic policy settings provided by the basic and incremental templates shipped with Windows. In that case, it's quite simple to open the basic or incremental templates, resave them under a different name, and make further modifications to create your own custom template. To do so, follow these steps:

1. Select an existing template inside the Security Templates console. In this example, I'll use the securews.inf file.

2. Right-click the existing template, and click Save As... from the context menu.

3. Give the new template a name.

4. Click OK. The new template is created with the settings from the old basic template.
6.3.3. Compiling the Security Database

The next step is to compile your templates into a security database using the Security Configuration and Analysis (SCA) tool. From within the MMC, add the SCA tool to the console. Then do the following:

1. Right-click Security Configuration and Analysis and select Open Database.

2. From the Open Database dialog, type the name of a new database.

3. Because no database exists with that name, you'll be prompted for the specific security template from which the database should be built. The choices in this box come from the C:\Windows\Security\Templates folder. Choose the template and click OK.

Although you won't get any confirmation from the user interface, the template has been added to the database. Now you can right-click the SCA tool in the left pane and choose either Analyze Computer Now or Configure Computer Now. When you select Analyze Computer Now, the SCA tool takes the security configuration within the database, compares it with the current state of the computer, and reports on the differences without changing anything; the report also is saved to a logfile in \My Documents\Security\Logs. Alternatively, when you select Configure Computer Now, the changes are actually committed to your system. Avoid that option unless you're absolutely sure you want the results in production without seeing them first; run the analysis and read its mismatches before you configure.

You also can script the application of templates across multiple computers, using a login script, a Telnet server, or some other means, by taking advantage of the SECEDIT utility. SECEDIT takes a template file, adds it to an SCA database, and then applies the security settings to the machine on which SECEDIT is being run. For example, to import a template named Hassell-secure.inf, compile it into an SCA database called securepcs while overwriting any data already in the database, apply it to the current computer, and create a log of all of these actions named apply.log, issue the following command:

secedit /configure /cfg Hassell-secure.inf /db securepcs /overwrite /log apply.log

If you've already imported the template into the database manually, and you just need to apply the settings to a computer, leave out /cfg (and /overwrite, which only has meaning together with /cfg) and issue the following command:

secedit /configure /db securepcs /log apply.log
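A custom template is just an .inf file, so the whole 6.3.2 and 6.3.3 workflow can be scripted end to end. The block below is an added example, not from the book: it writes a small template in the same format the Security Templates snap-in saves (account policy, a user right, a restricted group, and a Registry value), imports it into a fresh database, and runs `secedit /analyze`, which compares the live machine against the template and logs the differences without changing anything. Only after reading that log would you swap in `/configure`. The working folder and the group SID in the restricted-group entry are constructed placeholders; the "Mismatch" wording it greps for is the form the Windows Server 2008 secedit log uses and is assumed to be stable.

```powershell
# Added example (not from the book): write a custom security template in the
# same .inf format the Security Templates snap-in saves, then compare the local
# machine against it with SECEDIT /analyze, which reports but never changes
# anything. Paths and the group SID are placeholders.
$work = 'C:\temp\secpol'
$inf  = Join-Path $work 'Hassell-secure.inf'
$db   = Join-Path $work 'securepcs.sdb'
$log  = Join-Path $work 'analyze.log'
if (-not (Test-Path $work)) { New-Item -ItemType Directory -Path $work | Out-Null }

# Single-quoted here-string: nothing inside is expanded, so $CHICAGO$ survives.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Account policy (securews.inf sets values of the same kind)
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Privilege Rights]
; User rights are assigned by SID, written with a leading *;
; S-1-5-32-544 is BUILTIN\Administrators
SeDebugPrivilege = *S-1-5-32-544
[Group Membership]
; Restricted group. The __Members list is authoritative (anyone not listed
; is removed); the __Memberof list is only additive. The domain SID below
; is a constructed placeholder.
*S-1-5-32-544__Members = *S-1-5-21-1234567890-1234567890-1234567890-1105
*S-1-5-32-544__Memberof =
[Registry Values]
; Require SMB signing on the server side: type 4 = REG_DWORD, value 1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
'@

# Templates are Unicode (UTF-16) files, as the [Unicode] section declares.
$template | Out-File -FilePath $inf -Encoding Unicode

# Import the template into a fresh database and analyze the live configuration
# against it. Replace /analyze with /configure only after you have read the log.
secedit /analyze /db $db /cfg $inf /overwrite /log $log /quiet

# Settings that differ from the template are logged as "Mismatch - <setting>."
# (assumed stable wording of the secedit log); anything listed here is what
# /configure would change.
Get-Content $log | Where-Object { $_ -match 'Mismatch' }
```

The database the command creates is an ordinary SCA database: open securepcs.sdb with the snap-in's Open Database command and Analyze Computer Now shows the same mismatches graphically, with the template value beside the current one.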
6 .4 . D om a in Gr ou p Policy Dom ain- based GPs offer a m uch m ore flexible and configurable set of st andards and set t ings for your organizat ion t han local GPs. I n t his sect ion, I 'll discuss t he four m ost com m on m et hods of m anaging your I T asset s cent rally using dom ain GP: configuring a securit y st andard, inst alling soft ware using t he I nt elliMirror t echnology found in Windows Server 2008, redirect ing folders present in t he user int erface t o net work locat ions, and writ ing and launching script s t riggered by event s such as logons and logoffs.
6 .4 .1 . Se cu r it y Se t t in gs As discussed earlier, one of t he m ost useful aspect s of GP is it s abilit y t o cont rol securit y set t ings and configurat ion from a cent ral locat ion wit hin t he organizat ion. Securit y policy com prises t hree key com ponent s: rest rict ed groups, Regist ry set t ings, and filesyst em set t ings. I n t his sect ion, I 'll t ake a look at each of t hem .
6 .4 .1 .1 . Re st r ict e d gr ou ps The rest rict ed groups opt ion allows you t o m odify t he current group configurat ion and m em bership on your client com put ers. When t his policy is applied t o workst at ions and servers, t heir individual group configurat ions are m odified t o m at ch t hat configured inside t he policy. The policy cont ains m em bers and m em bers of list s t hat overwrit e any configurat ion on t he t arget com put ers. For exam ple, if you were t o add t he Adm inist rat or group t o t he policy but not add any users t o t he m em bers of t his group list , and t hen you applied t he policy, Windows would rem ove any users current ly in t hose groups on t he client com put ers. However, t he ot her facet of t he policy, groups of which t he added group is current ly a m em ber, is only addit ive: if t he list is em pt y, no m odificat ions are m ade t o t he client com put ers. Only addit ions are processed and changed. Only t he groups list ed inside t he Det ails window of t he Rest rict ed Groups policy branch can be m odified using t he policy, but it 's a great way t o keep individual users from m odifying powerful groups on t heir own syst em s. To m odify t he rest rict ed groups policy, do t he following:
1. Launch the GPMC, and then right-click on your target GPO in the left pane and select Edit.
2. Inside the Group Policy Object Editor, navigate through Computer Configuration, Policies, Windows Settings, and Security Settings.
3. Right-click the Restricted Groups branch and select Add Group from the context menu.
4. Click the Browse button, and select any group currently inside your directory. Click OK.
5. Now, right-click the newly added group, and select Properties from the context menu.
6. Add the users that belong to this group to the "Members of this group" list, and add the groups within which this group is nested to the "This group is a member of" list. Use the Add button in both cases. Figure 6-24 shows this screen.
7. When you're finished, click OK to close out the boxes.
Figure 6-24. The Restricted Groups list screen
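The two lists behave differently when the policy lands on a machine, and the asymmetry is exactly where administrators lock themselves out. The model below is an added example, not code from the book: it applies a Restricted Groups entry to a constructed snapshot of a workstation's local groups, treating the Members list as a replacement (an empty list empties the group) and the Member Of list as purely additive, and reports which principals would be evicted so the policy can be checked before it is linked.

```python
"""Model of how a Restricted Groups entry rewrites local group membership.

Added example (not the book's code). All group and account names are
constructed sample data. The semantics encoded here are the ones the chapter
describes: "Members" replaces the group's membership outright, "Member Of"
only ever adds the restricted group to its parents.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RestrictedGroup:
    """One entry under Restricted Groups in a GPO (model assumption)."""
    name: str
    # "Members of this group": a list (even an empty one) is authoritative.
    # None models an entry whose Members list was never configured at all,
    # so the group's own membership is left alone.
    members: Optional[List[str]] = field(default_factory=list)
    # "This group is a member of": additive only.
    member_of: List[str] = field(default_factory=list)


def apply_restricted_groups(
    local_groups: Dict[str, Set[str]], policy: List[RestrictedGroup]
) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (new_groups, removed) for one machine.

    local_groups maps a local group name to the principals in it.
    removed maps each group name to the principals the policy evicts,
    which is what you want to review before deploying.
    """
    new_groups = {g: set(m) for g, m in local_groups.items()}  # never mutate input
    removed: Dict[str, Set[str]] = {}
    for entry in policy:
        if entry.members is not None:
            current = new_groups.get(entry.name, set())
            desired = set(entry.members)
            evicted = current - desired
            if evicted:
                removed[entry.name] = evicted
            new_groups[entry.name] = desired
        # Member Of: add the restricted group to each parent, remove nothing.
        for parent in entry.member_of:
            new_groups.setdefault(parent, set()).add(entry.name)
    return new_groups, removed


def emptied_groups(new_groups: Dict[str, Set[str]],
                   removed: Dict[str, Set[str]]) -> List[str]:
    """Groups that lost members and ended up with nobody in them at all."""
    return sorted(g for g in removed if not new_groups.get(g))


# Constructed snapshot of one workstation's local groups.
LOCAL_GROUPS = {
    "Administrators": {"CORP\\Domain Admins", "CORP\\jsmith", "WS01\\Administrator"},
    "Remote Desktop Users": {"CORP\\helpdesk"},
    "Power Users": set(),
}

# Intended policy: pin Administrators to two principals, and nest a helpdesk
# group into Remote Desktop Users without touching anything else.
POLICY = [
    RestrictedGroup("Administrators",
                    members=["CORP\\Domain Admins", "WS01\\Administrator"]),
    RestrictedGroup("CORP\\Helpdesk Tier1", members=None,
                    member_of=["Remote Desktop Users"]),
]

# The mistake the chapter warns about: the group is added, no members listed.
MISTAKE = [RestrictedGroup("Administrators")]

if __name__ == "__main__":
    for label, pol in (("intended", POLICY), ("mistake", MISTAKE)):
        groups, removed = apply_restricted_groups(LOCAL_GROUPS, pol)
        print(label, "removed:", removed, "emptied:", emptied_groups(groups, removed))
```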
6.4.1.2. Filesystem and Registry policy

You also can use GPs to configure permissions on filesystem objects and Registry keys. You can set entries on the ACLs of individual files, folders, and Registry keys from a central location. If you make this change at the domain-wide level—one of the few changes I recommend and endorse at that level—registries are protected against meddling users all over the enterprise, which is definitely a benefit. To add a Registry key to be protected to a GPO, follow these steps:
1. Launch the GPMC, and then right-click on your target GPO in the left pane and select Edit.
2. Inside the Group Policy Object Editor, navigate through Computer Configuration, Policies, Windows Settings, Security Settings, and Registry. Right-click Registry and select Add Key from the context menu.
3. You can add one Registry key at a time, and you can selectively apply permissions to each key. Figure 6-25 shows the screen.
Figure 6-25. The Registry Key ACL editor screen
To add a file or folder to be protected to a GPO, follow these steps:
1. Launch the GPMC, and then right-click on your target GPO in the left pane and select Edit.
2. Inside the Group Policy Object Editor, navigate through Computer Configuration, Policies, Windows Settings, Security Settings, and File System. Right-click File System and select Add File from the context menu.
3. You can explore the entire directory structure, select a file, and then selectively assign permissions to files and folders. Figure 6-26 shows the screen.
Figure 6-26. The File System ACL editor screen
Once you've selected the objects in question, you'll be prompted for their permissions just as I discussed in Chapter 3. After you enter the appropriate permissions, you'll be prompted to configure the inheritance properties for these new permissions. This is shown in Figure 6-27.
Figure 6-27. Configuring inheritance on protected filesystem or Registry objects
If you select the configure option, you also will need to select how permissions are applied. If you choose to apply inheritable security to this file or folder and to its subfolders, the new permissions are applied to all child objects that do not have a permission or ACL entry explicitly set. This preserves your custom permissions on a tree but also automatically overwrites permissions simply inherited by default. If you choose to replace existing security for this file or folder and its subfolders, you overwrite all permissions on any child folders, including those permissions explicitly set. If you'd rather not have any of these methods used to apply permissions, simply choose the following option: "Prevent the application of security policies to this file or folder and its subfolders." Doing so will make child files and folders immune to the permissions assigned by this new policy.
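The three inheritance choices differ only in how they treat children that already carry explicit ACEs, which is easy to get wrong when the tree holds a hand-tuned folder. The following is an added example, not the book's code: it walks a constructed folder tree and applies a policy ACL under each of the three modes (propagate, replace, prevent) so the difference can be diffed before the GPO is linked.

```python
"""Model of the three inheritance modes for a File System / Registry policy.

Added example (not the book's code). Paths, ACE strings and the tree are all
constructed sample data; "explicit" marks an object that has its own ACE set
rather than one inherited from its parent.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Node:
    acl: FrozenSet[str]   # ACEs as "Principal:Right" strings (constructed)
    explicit: bool        # True if an ACE was set directly on this object


def _subtree(tree: Dict[str, Node], root: str) -> List[str]:
    """root itself plus every path underneath it (backslash-separated)."""
    prefix = root.rstrip("\\") + "\\"
    return [p for p in tree if p == root or p.startswith(prefix)]


def apply_policy_acl(tree: Dict[str, Node], root: str,
                     policy_acl: Iterable[str], mode: str) -> Dict[str, Node]:
    """Return a new tree after applying policy_acl at root under `mode`.

    propagate: root gets the ACL; children get it only if they have no
               explicit ACE of their own (inherited defaults are overwritten).
    replace:   root and every child get the ACL, explicit or not.
    prevent:   the object and its subtree are left untouched.
    """
    if mode not in ("propagate", "replace", "prevent"):
        raise ValueError(f"unknown mode {mode!r}")
    new = dict(tree)
    if mode == "prevent":
        return new
    policy = frozenset(policy_acl)
    for path in _subtree(tree, root):
        node = tree[path]
        if path == root or mode == "replace" or not node.explicit:
            # Children now inherit from root, so they are no longer explicit.
            new[path] = Node(acl=policy, explicit=(path == root))
    return new


def changed_paths(before: Dict[str, Node], after: Dict[str, Node]) -> List[str]:
    """Paths whose ACL differs between two trees, for review before linking."""
    return sorted(p for p in before if before[p].acl != after[p].acl)


# Constructed tree: a shared application folder with one hand-tuned subfolder.
WIDE_OPEN = frozenset({"Everyone:FullControl"})
TREE = {
    "C:\\Apps": Node(WIDE_OPEN, explicit=True),
    "C:\\Apps\\bin": Node(WIDE_OPEN, explicit=False),
    "C:\\Apps\\config": Node(frozenset({"Administrators:FullControl",
                                        "Users:Read"}), explicit=True),
    "C:\\Apps\\config\\app.ini": Node(frozenset({"Administrators:FullControl",
                                                 "Users:Read"}), explicit=False),
    "C:\\Other": Node(WIDE_OPEN, explicit=True),   # outside the policy root
}
POLICY_ACL = {"Administrators:FullControl", "Users:ReadAndExecute"}

if __name__ == "__main__":
    for mode in ("propagate", "replace", "prevent"):
        print(mode, changed_paths(TREE, apply_policy_acl(TREE, "C:\\Apps", POLICY_ACL, mode)))
```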
6.4.2. IntelliMirror: Software Installation

In my opinion, software installation is one of the coolest and most useful features of GP, and I know many administrators who agree with me. Using Microsoft's IntelliMirror technology introduced in Windows 2000, administrators using GP can distribute software applications initially, using a push or pull method, and then upgrade, redeploy, or remove that software either wholesale or when certain conditions apply. IntelliMirror also offers intelligent application repair features so that when critical files for an application deployed through IntelliMirror are corrupted or deleted, Windows takes over and fixes the problem so that the application will still start and function correctly. This is a big timesaver.

You can distribute and install applications in your organization in two ways. You can assign a software package, which places a shortcut on the user's Start menu and loads the advertisement for the package into the computer's Registry. Or you can publish an application, which simply places the program within the Add/Remove Programs applet in the Control Panel. The user can elect to install the software at his discretion and at a convenient time.

You also can distribute applications via the assign and publish functionality to a computer or a user. If you assign a package to a user, the application is installed on the local system the first time the user runs the software. Incidentally, you can also elect to install such an application when the user logs on, although this can make for long boot times and calls to the help desk. These user-assigned applications follow a user around the network to each computer to ensure that she has all the applications she should on each computer.
If you assign a package to a computer, the application is installed on that system when it boots up, and the software is installed only on the computers defined in the policy. Applications don't necessarily follow a user around. If you use the publish functionality of IntelliMirror, you can publish only to a specific user, because computers can't choose how and where to install software. Published applications also are not quite as robust as assigned applications, and the repair functionality of published applications is limited.
Software installation cannot be accomplished using local policies.
6.4.2.1. Packaging software

The easiest way to publish and assign software is with Microsoft Installer packages, or MSI files. Applications packaged in Installer format include a database of changes to make to files and Registry keys, instructions on removing previous or outdated versions of software, and strategies to install on multiple versions of Windows within one file. MSI files also allow intelligent repair functionality for use if installations become corrupted on individual computers, and their rollback function for removing or redeploying an application is useful as well. IntelliMirror and GP-based software distribution are designed to work with applications that install using an MSI package. But all is not lost if your software isn't offered in MSI format. First, you can use the ZAP file method. You can use a ZAP file when software isn't available with an MSI package to publish (but not assign) the application. A ZAP file is nothing more than a description of an application, its setup program, and any associated file extensions. A sample ZAP file for Adobe's Acrobat Reader 5.0 is shown here:
    [Application]
    FriendlyName = Adobe Acrobat Reader 5.0
    SetupCommand = \\deploy\adobe\rp505enu.exe
    DisplayVersion = 5.0
    Publisher = Adobe Corporation
    URL = http://www.adobe.com
    [Ext]
    PDF=
A few notes about this ZAP file: the FriendlyName entry in the [Application] section gives the application name, which will appear in the Add/Remove Programs applet within the Control Panel on the computers to which the package is published. The section also contains the SetupCommand directive, which tells Windows the network path of the file that installs the package. The other entries, although offering more information on the version, manufacturer, and Internet address of the manufacturer, are optional. The [Ext] section lists file extensions to be associated with the program, each followed by an equals sign. The ZAP file method has a few caveats. First and foremost, because ZAP file installations can only be published, you lose the robustness and intelligent repair features of software applications assigned to computers and users. You also can't set an application deployed via a ZAP file to install automatically on first use, and you can't upgrade or remove an application deployed via a ZAP file using a GPO. In addition, a specific user must have appropriate permissions to run the package's installer executable and to access the source files for the installation. And, the installation probably is not very automated, so the process likely would require user intervention to answer prompts such as the destination directory, installation options, and so forth, which is something we all try to avoid when possible. Finally, because the installer isn't granted sweeping administrative privileges during the setup process like an MSI installer is, you might have conflicts and problems to troubleshoot with a mass package deployment.
If a program you want to deploy uses the InstallShield installation software, you can run setup /r to record a scripted installation (response) file, called setup.iss. Copy the setup.iss file to whatever deployment share you have set up (more on that in a bit), and then modify the ZAP file so that its setup command replays the recorded answers silently:
setup /s /f1setup.iss
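Because a ZAP file is plain text that nothing validates until a client tries to install, it is worth checking before it goes on the deployment share. The parser and checker below are an added example, not the book's code: they read the [Application] and [Ext] sections, require FriendlyName and SetupCommand, and flag a SetupCommand that is not a UNC path, which is the mistake the example deployment later in this section warns about. The sample ZAP texts are constructed for the example.

```python
"""Parse and sanity-check a ZAP file before publishing it through GP.

Added example (not the book's code). The parser handles the simple
section/key=value layout the chapter shows; the checks encode the
requirements it states (FriendlyName, SetupCommand, a network path).
"""
import re
from typing import Dict, List

Sections = Dict[str, Dict[str, str]]

# \\server\share... : two leading backslashes, a host, a backslash, a share.
UNC_PATH = re.compile(r"^\\\\[^\\\s]+\\[^\\\s]+")


def parse_zap(text: str) -> Sections:
    """Return {section: {key: value}} for a ZAP file's text."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:                                # every entry needs '='
            raise ValueError(f"entry without '=' in [{current}]: {line!r}")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def validate_zap(sections: Sections) -> List[str]:
    """Return a list of problems; an empty list means the file looks deployable."""
    problems: List[str] = []
    app = sections.get("Application")
    if app is None:
        return ["missing [Application] section"]
    for key in ("FriendlyName", "SetupCommand"):
        if not app.get(key):
            problems.append(f"[Application] lacks required entry {key}")
    setup = app.get("SetupCommand", "")
    if setup and not UNC_PATH.match(setup):
        problems.append("SetupCommand is not a UNC path; clients will look for "
                        f"{setup.split()[0]!r} on their local disk")
    return problems


# Constructed sample: the layout the chapter shows for Acrobat Reader 5.0.
GOOD_ZAP = r"""
[Application]
FriendlyName = Adobe Acrobat Reader 5.0
SetupCommand = \\deploy\adobe\rp505enu.exe
DisplayVersion = 5.0
Publisher = Adobe Corporation
URL = http://www.adobe.com
[Ext]
PDF=
"""

# Constructed sample with two defects: no FriendlyName, local setup path.
BAD_ZAP = r"""
[Application]
SetupCommand = C:\installers\setup.exe /s /f1setup.iss
DisplayVersion = 1.2
[Ext]
XYZ=
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_ZAP), ("bad", BAD_ZAP)):
        print(label, validate_zap(parse_zap(text)) or "ok")
```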
If the ZAP file method doesn't appeal to you, you can use a repackaging tool, such as Veritas WinInstall LE or the InstallShield deployment tools. These tools will take a snapshot of your current system configuration and prompt you to install the software you want to package. Once the installation is complete, these tools will take another snapshot, record what changed on the filesystem and Registry, and prompt you with a list of what they detected. You go through the list, make sure the changes listed were due to installing the software and not to errant behavior on the part of Windows, and then confirm the list. The software will create an MSI with the program's installer and a database of filesystem and Registry changes. Using this method, you gain the robustness and rollback features of using an MSI installer as opposed to ZAP files. However, the repackaging tools can tend to be a bit flaky, and sometimes you'll have difficulty installing them on multiple platforms. There's not a good way around that, other than obtaining an MSI directly from the software vendor, but it's somewhat of a middle ground between the inflexible ZAP files and a true MSI from the manufacturer.
If you still have a copy of a Windows 2000 distribution CD, you can find a limited version of WinInstall LE on that CD. However, for some reason Microsoft seems to have removed this program from the more recent versions of Windows, so if you don't have the Windows 2000 CD, you are unfortunately out of luck.
6.4.2.2. An example deployment

In this section, I'll step through an actual software deployment using GP, publishing an application for a user:
1. Copy the MSI file and other necessary files to a network share. This might require an administrative installation, if your software has one available. Consult the documentation and deployment instructions for more on this. The network share should have these permissions:
Authenticated Users should have Read permissions.
Domain Computers should have Read permissions.
Administrators should have Read, Change, and Full Control permissions.
2. Create a new GPO and open it, or edit an existing GPO that you've created for the purposes of distributing this software, using the Group Policy Management Console and Object Editor.
3. Within the Group Policy Object Editor, navigate through the User Configuration, Policies, and Software Settings nodes in the left pane.
4. Right-click Software Installation, and select Package from the New menu.
5. In the Find File window, use the Browse button to find the package you copied to the network share. You can select either an MSI file or a ZAP file in this step; if you select a ZAP file, you need to ensure that its related installer file is located in the same folder as the ZAP file.
If you are using a ZAP file, make sure the SetupCommand directive in the file points to the network path that contains the setup file and not to a local path. Otherwise, Windows won't translate the path to the file correctly, and if the software isn't present at the same local path on target systems, the installation will fail.
6. On the Deploy Software screen, select whether to publish the software or assign the software. (Skip the Advanced Publish and Assign option at this point, which allows you to use transform files to modify the installation process for an application. This is covered a bit later in this chapter.) For this example, I'll publish the software.
7. Click OK, and the software is added to the policy object and is saved to the directory.
Of course, to assign an application to a user, you can simply follow the preceding steps and select Assign instead of Publish in step 6. To assign an application to a computer, use the same process, but use Computer Configuration instead of User Configuration in step 3 and select Assign instead of Publish in step 6.
6.4.2.3. Deployment properties

You'll probably want to fine-tune the settings for deployment, and you can do this through the properties box for the software. Right-click the name of the software package inside the Group Policy Object Editor and then select Properties. The policy properties box contains the following six tabs:
General
On this tab, you can modify the name of the package that will be displayed in Add/Remove Programs. You also can view the version, publisher, language, and platform of the software. Figure 6-28 shows the General tab.
Figure 6-28. The General tab
Deployment
The Deployment tab lets you configure the deployment type and user interaction methods for the software. Under Deployment Type, you can select whether to publish or assign this software. Under Deployment Options, you can choose to "Auto-install this application by file extension activation," which prevents or allows application installation when a user attempts to open a file with an extension associated with the application. You also can elect to "Uninstall this application when it falls out of the scope of management," which dictates whether to remove the application when the user or computer leaves the scope of the current GPO. Additionally, you can choose "Do not display this package in the Add/Remove Programs control panel," which simply hides the application's availability. The application still will be installed when the user opens a file with the associated extension. The "Install this application at logon" option will allow applications assigned to computers to be installed once a user logs in to the computer and not during the computer's boot process, which is the default behavior. Finally, under the Installation user interface options, you can choose whether to eliminate most user intervention by installing the application using default values (with the Basic option) or to prompt the user for installation preferences and instructions (with the Maximum option). Figure 6-29 shows the Deployment tab.
Figure 6-29. The Deployment tab
Upgrades
On this tab you can specify that this new package will upgrade an existing installed package. You can make that mandatory by checking the "Required upgrade for existing packages" checkbox. To add a package to be upgraded, click the Add button and find the package to upgrade within the current object; alternatively, browse through your Active Directory structure by clicking "A specific GPO" and choosing a different GPO and software package. Then you can elect to uninstall the existing package and install the new package, or upgrade over the existing package. Figure 6-30 shows the Upgrades tab.
Figure 6-30. The Upgrades tab
Categories
In this tab you can create categories that will sort and filter the applications available through the Add/Remove Programs applet within the Control Panel. Users can more easily find the published application they want to install if they can click the type of software they need, rather than wading through a list of 100 possible applications. To add categories, simply click the Add button and enter a new category name. Once you've added the category, you can add packages under it. Choose a category from the Available categories pane and click Select to add the current package to it. Do this for each package you want to categorize. Figure 6-31 shows the Categories tab.
Figure 6-31. The Categories tab
Modifications
You can use a transform file (also called an MST file) to customize an MSI application's installation procedure; through the Modifications tab, you can use multiple MST files to ensure that various users, groups, and computers receive customized versions of a software package. To use a transform file for a particular GPO, click Add on this tab and browse the filesystem for the MST file to apply. There are two caveats: you must have deployed the application using the "Advanced Publish or Assign" method, selected when creating the software installation GPO. Also, once an MST has been applied and the software has been deployed, modifications cannot be added or removed. Figure 6-32 shows the Modifications tab.
Figure 6-32. The Modifications tab
Security
The Security tab, very similar to other ACLs on other objects within Windows Server 2008, allows you to specify permissions on the software installation package portion of the GPO for users, computers, and groups. You can use this tab in conjunction with the security group filtering strategy, discussed earlier in this chapter, to limit the scope of an applied GPO. For example, one policy assigning Office to computers might apply only to sales, but a policy publishing Windows administrative tools might apply only to administrators. If you want to assign applications to computers, you need to add the Domain Computers group here, unless you already have a security group containing the computers you want. Figure 6-33 shows the Security tab.
Figure 6-33. The Security tab
Remember the following security setting guidelines when deploying software via security group filtering:
If you want the policy to be applied to all members of a certain security group, create security groups that contain only the objects that are to be included in the policy application. Then select the GPO you want to administer in the left pane of the Group Policy Management Console. Next, on the Scope tab in the right pane, click the Add button under Security Filtering, and then add the groups that need the policy applied. Verify that the group was added to the Security Filtering list.
If you do not want the policy to be applied to all members of a certain security group, add all the members to a group, add the group to the ACL for the object by editing the GPO within the GPMC and accessing the ACL from within Group Policy Object Editor, and set the following permissions for the group: Apply Group Policy, deny; Read, deny. All members of the group will not have the policy applied, regardless of their existing memberships in other groups.
If group membership (at least in a specific group) shouldn't play a part in the application of this policy, leave permissions alone.
Look back earlier in this chapter to Section 6.2.2 for a refresher on this. You also can determine the order in which applications will be installed for a given file extension, a useful feature if your organization associates one file extension with multiple software packages. To do so, right-click the Software Installation node within the Group Policy Object Editor (in the lefthand pane) and select Properties. From there, navigate to the File Extensions tab. Select an extension from the drop-down list box, and then adjust the priority, from highest to lowest, of each application in the list box using the Up and Down buttons. If only one application in GP is associated with an extension, this feature will be grayed out because no priority needs to be established. You can configure other deployment options on this property sheet, using these tabs:
General
Here, you can set the default action when adding new packages to this GPO—whether to assign them, publish them, or display a dialog asking which action to take. You can also set the default user interface options. Plus, you can indicate the path that will serve as the default location for new packages added to this GPO.
Advanced
On this tab, you can indicate that software packages should be uninstalled when they fall out of the scope of management. You also can allow 64-bit Windows client workstations to install 32-bit Windows applications, and extend this capability to applications deployed via a ZAP file.
Categories
The Categories tab was discussed a bit earlier in this section.
6.4.2.4. Redeploying and removing software

If you need to patch an existing software deployment that uses an MSI file, you can take advantage of the redeployment functionality of IntelliMirror. Simply copy the new MSI and associated files over the existing copies on the network share. Then, inside the GPO that contains the deployment configuration for the existing package, right-click the package in the details window inside the Group Policy Object Editor and select Redeploy from the All Tasks menu. Click the Yes button to confirm your choice. The first time the application is started on client computers, regardless of whether the package was assigned or published, the new MSI will be installed. Along the same lines, if you need to remove installed software, you can right-click the package inside the Group Policy Object Editor and select Remove from the All Tasks menu. You'll be presented with the window shown in Figure 6-34.
Figure 6-34. The Remove Software dialog box
You can choose to either forcibly remove the software immediately, which will uninstall the application no matter what, or simply remove the software from the list of available software, which will allow current installations to continue to use the software, but will prevent new computers from obtaining the software through GP.
6.4.2.5. Deploying service packs using GP

You also can distribute service packs for Windows 2000, XP, Windows Server 2003, and Windows Server 2008 through the IntelliMirror software installation features of GPOs. Doing so can go a long way toward eliminating a tedious and time-consuming administrative task. You can assign the service pack to computers for mandatory deployment, or you can publish the service pack to a user so that he can choose to install it if his situation warrants it. If you are assigning the service pack to computers, you can simply point a GPO to the UPDATE.MSI file included in the extracted portion of all current service packs from Microsoft. However, if you're publishing the service pack, you'll need to create a ZAP file and then point the software installation GPO to that ZAP file. Again, you can't publish MSI files. To deploy a service pack using IntelliMirror, follow these steps:
1. Create a distribution share for the service pack and extract its contents there. This process is described in Chapter 2, or you can consult the readme files within the service pack distribution file for information.
2. If you are publishing the service pack to users, create a ZAP file pointing to UPDATE.EXE inside the folder containing the extracted service pack files.
3. Create a new GPO for the service pack. This isn't required—you can assign the service pack as part of default domain policy or any other level of policy—but it's best to keep software installations to their own GPOs so that changes can be reversed easily.
4. In the Group Policy Object Editor window for that GPO, navigate through Computer Configuration or User Configuration and then choose Policies, Software Installation.
5. Right-click Software Installation and choose Package from the New menu.
6. Find the network path to the service pack files and select either UPDATE.MSI if you're assigning to computers, or the UPDATE.ZAP file you created earlier if you're publishing to users.
7. Choose Assigned or Published in the Deploy Software dialog box.
8. Click OK.
The policy is set and the service pack will either be assigned or published, depending on your choices. Keep in mind that service packs are typically large files, so you should deploy them after considering the effect that process would have on both your network bandwidth and the time it would take to install locally on the client machines. Additionally, I would avoid automatically deploying service packs on your domain controllers. These machines are sensitive beasts that hold the keys to your Active Directory; manually install service packs on these machines one by one and test them to make sure there are no ill effects.
In environments where you have multiple file servers, it also makes sense to use DFS as a method to store software installation points. Not only do you get fault tolerance through the use of DFS, but you can also change the location of software installation points through DFS without needing to change the configuration of the GPO. DFS is covered in detail in Chapter 3.
6.4.3. IntelliMirror: Folder Redirection

You can use the folder redirection functionality of GP to change the target location of many folders within a particular user's Windows interface. For example, you can specify custom locations for the Application Data, Desktop, Documents (including the Pictures, Music, and Videos subfolders), Favorites, Contacts, Downloads, Links, Searches, Saved Games, and Start Menu folders. Using folder redirection circumvents the nasty problem of roaming profiles: severe network traffic hikes caused by copying large My Documents and Desktop folders to workstations around the network when users log on. You also can back up the share where the folders are redirected using a normal network backup procedure, automatically protecting the contents. To access the folder redirection functionality, launch the Group Policy Object Editor for a particular GPO and navigate through User Configuration, Policies, Windows Settings, and Folder Redirection. In the righthand pane, you'll see the folders you can redirect. Right-click each folder to bring up the Properties window. Figure 6-35 shows this screen.
Figure 6-35. The folder redirection interface
On the Target tab, you can choose the type of redirection for this policy. For this example, choose the basic method, which simply redirects all users' folders to the same location. Next, enter the target folder at the bottom of the screen under Root Path, and select the option to create a new folder for each user underneath the root path. Then, move to the Settings tab, and choose the following settings:
Grant the user exclusive rights to My Documents
If this setting is enabled, the user to whom the folder belongs and the local computer have administrative and exclusive rights to the folder, to the exclusion of all other objects. If this setting is disabled, the current permissions on the folder are kept.
Move the contents of My Documents to the new location
If this setting is enabled, everything in the current My Documents folder will be moved to the new, redirected location. If this option is disabled, nothing will be moved and the new My Documents folder will be empty.
Policy removal
You can adjust the Windows default setting, which is to leave the folder in the redirected location if the redirection policy itself is removed. You also can choose to move the folder back to its initial location.
My Pictures preferences
The default action for the My Pictures subfolder is to follow the My Documents folder to wherever it resides.
6.4.3.1. Redirecting folders based on group membership

If you want to redirect some profile folders to different locations based on the different groups to which a user belongs, you can use the Advanced method of redirection inside the redirect policy properties page, on the Target tab. When you select Advanced from the drop-down setting box indicating the type of redirection (shown in Figure 6-36), click the Add button. The Specify Group and Location box will appear.
Figure 6-36. Redirecting folders based on group membership
Enter the name of a security group, and then enter the network path to the folders. Always use a UNC path, even if the folders are local to your machine, so that users taking advantage of roaming profiles will see the correct folders in an absolute path and not wrongly translate a local, relative path. Click OK when you're done, and then repeat the process for as many groups as you need. If your users are creatures of habit, you can even turn on the Offline Files and Folders feature on the share where you've stored the redirected folders. This way, Windows will continue to display and use a customized environment even when the network is down and the share can't be reached.
6.4.3.2. Removing a redirection policy

It can be a bit difficult to track what happens to redirected folders if you decide to remove a redirection policy. It really depends on the appropriate setting on the Settings tab of the redirected folder's policy properties sheet.
Folder Redirection and Windows Clients

As I pointed out earlier in this chapter, folder redirection policies are not updated in the background, for obvious reasons—for one, how would you feel if suddenly your My Documents folder pointed itself somewhere else? Folder redirection policies are updated asynchronously, according to Microsoft, and only synchronous updates are allowed in the background. Microsoft introduced a feature in Windows XP called fast logon optimization, which allows the user to see a logon box much faster than with Windows 2000 clients. This is done by using a set of cached credentials and not waiting for a network connection to boot. When a connection is found, GPs are applied in the expected fashion, but this, too, is asynchronous updating—of course, this means folder redirection policies again will not be applied. Fast logon optimization is designed to cause a normal reboot, without the optimization, if a GPO change is detected when the computer is logged on and connected to the domain within two reboots (for computer settings) or two logoffs (for user settings). However, you can turn off fast logon optimization to make an XP or Vista client mimic a Windows 2000 client by enabling the Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon setting.
I f you've elect ed t o redirect t he folder back t o t he local user profile when t he policy is rem oved, and t he opt ion t o m ove t he cont ent s of t he local folder t o a new locat ion is enabled, t he folder will ret urn t o it s original locat ion and t he cont ent s of t he folder will be copied back t o t he original locat ion but not delet ed from t he redirect ed locat ion. I f t he opt ion t o m ove t he cont ent s of t he folder t o a new locat ion is disabled, t he folder will revert t o it s original locat ion, but t he cont ent s of t he folder will not be copied or m oved t o t he original locat ion. This m eans t he user is unable t o access t he cont ent s of t he redirect ed folder from t he special folder's UI wit hin t he shell, but using a UNC pat h, she st ill can access t he redirect ed folder and ret rieve it s cont ent s m anually. I f you've select ed t o leave t he folder in t he new locat ion when t he policy is rem oved, t he folder and it s cont ent s will rem ain at t he redirect ed locat ion, and t he user will have access t o it , regardless of whet her t he opt ion t o m ove t he cont ent s of t he folder t o t he new locat ion is enabled or disabled.
I t also is wise t o use DFS in conj unct ion wit h folder redirect ion t o m ake background changes t o t he locat ion of files t ransparent t o bot h t he user and t he GPO it self. DFS is covered in dept h in Chapt er 3 .
6.4.4. Software Restriction Policies

Software Restriction Policies allow you to control the execution of certain programs. It's an excellent feature to use on terminal servers or machines serving as a public kiosk, so users are locked into one specific function and can't mess with administrative tools or Internet applications and utilities.

Windows can identify software to either restrict or allow in several different ways. For one, it can use hash rules, which are made by identifying characteristics of files and executables that come with a program and generating an algorithmic hash from them. Hashes are great for identifying specific versions of programs because the hash value would change when different files are used to compute the hash (which is a near certainty with newer versions of a program). Certificate rules can identify software via a digital signature, which is a useful method to secure authorized scripts. Windows also can identify software via its path and the Internet zone (inside Internet Explorer) from which a particular piece of software is downloaded. Finally, Windows can create a rule that catches any software not explicitly identified either in a list or by any other rule. (Control for programs executed within a browser is lacking from the GP standpoint, but improvements to Internet Explorer in Windows XP Service Pack 2 pick up a bit of this slack.)

Windows matches programs to rules in the order in which they're listed in the software restriction GPO, and if more than one rule identifies the same program, the rule that catches the program most specifically will trump any other rule.

You might be tempted to create a rule that disallows programs from running by default aside from those explicitly placed in an exception list. This seems like an easy way out, but it really can lobotomize a system unless you take great care to create an exception for every Windows executable a user might need, including his application programs. It can also step on the toes of any user logon scripts that might be necessary to create a secure environment. If you decide to go this route, it's imperative that you extensively test any restriction policies and exception lists in a lab. Also, when you do create the actual software restriction GPO, make sure to add the Domain Administrators group to the GPO's ACL and explicitly deny the Apply Group Policy permission to the GPO—this will enable an administrator to reverse the policy and not lock himself out.
Once you're ready to create the policy, follow this procedure:

1. Create a new GPO for each restriction policy. This makes it easier to disable a policy that might be overly restrictive.

2. Choose Computer Configuration or User Configuration to apply the restrictions to machines or users, and then navigate through Policies, Windows Settings, Security Settings, Software Restriction Policies.

3. Right-click Software Restriction Policies and choose New Software Restriction Policy from the context menu.

4. Set a default identifier rule: in the left pane, click Security Levels, and then right-click a specific security level and choose Set as Default from the pop-up context menu.

5. Now, create the actual rules that will catch software on which to enforce a restriction. Right-click Additional Rules in the lefthand pane. Choose New Certificate Rule and select the certificate to require or block, New Hash Rule and the file to allow or block, New Internet Zone Rule and the zone from which to allow or block programs, or New Path Rule and the file or Registry key to allow or restrict.

6. In the righthand pane, double-click Enforcement. Here, indicate how these restrictions should be enforced. Use of the following options is recommended:

   "All software files except libraries" will help you avoid blocking critical system and application function files.

   "All users except local administrators" indicates that Windows should enforce the policy for everyone except those in the local administrator group.

7. Next, in the righthand pane, double-click Designated File Types. On this sheet, review and add file extensions associated with applications included in the software restriction policies. The list should be fairly complete, but ensure that any scripting languages you use in your organization have their associated file extensions included.

8. Finally, in the righthand pane, double-click Trusted Publishers. Here you can specify whether normal users, local administrators, or enterprise administrators are allowed to decide what certificates to trust when opening digitally signed programs and controls.
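The rule-matching behaviour described above (hash, certificate, path and zone rules, with the most specific rule winning and the default level as a last resort) can be modelled to test a "default Disallowed plus exceptions" policy before it reaches a lab. This is an added example, not code from the book or from Windows; the precedence order it uses is the one SRP documents (hash, then certificate, then path, then zone), and every path, signer name and file content in it is constructed.

```python
"""Model of how Software Restriction Policies choose a rule for a program.

Added example, not code from the book or from Windows. It reproduces the
precedence SRP applies when several rules match one program: hash rules beat
certificate rules, which beat path rules, which beat Internet zone rules, and
the default security level applies only when nothing matches. Among path rules
the longer (more specific) path wins; identical rules with different levels
resolve to the more restrictive one. All paths, signer names and file bytes
below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}  # most specific first


@dataclass
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    value: str   # hex digest, signer name, path prefix or zone name
    level: str   # UNRESTRICTED or DISALLOWED


@dataclass
class Program:
    path: str
    content: bytes
    signer: Optional[str] = None   # subject of the signing certificate, if signed
    zone: Optional[str] = None     # Internet Explorer zone it was downloaded from


def file_hash(content: bytes) -> str:
    # SRP hashes the file bytes (MD5/SHA-1 in this era); SHA-256 is a modelling choice here.
    return hashlib.sha256(content).hexdigest()


def rule_matches(rule: Rule, prog: Program) -> bool:
    if rule.kind == "hash":
        return rule.value.lower() == file_hash(prog.content)
    if rule.kind == "certificate":
        return prog.signer is not None and prog.signer == rule.value
    if rule.kind == "path":
        # Path rules match case-insensitively on a folder or file prefix.
        return prog.path.lower().startswith(rule.value.lower())
    if rule.kind == "zone":
        return prog.zone is not None and prog.zone == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules: list[Rule], prog: Program, default_level: str) -> tuple[str, str]:
    """Return (security level, kind of rule that decided it, or "default")."""
    matches = [r for r in rules if rule_matches(r, prog)]
    if not matches:
        return default_level, "default"

    def specificity(r: Rule):
        path_len = len(r.value) if r.kind == "path" else 0
        # Lower sorts first: rule type, then longer path, then the more restrictive level.
        return (PRECEDENCE[r.kind], -path_len, 0 if r.level == DISALLOWED else 1)

    best = min(matches, key=specificity)
    return best.level, best.kind


def demo() -> dict[str, tuple[str, str]]:
    """A 'default Disallowed plus exceptions' policy of the kind the text says needs lab testing."""
    old_build = b"MZ old-tool-v1"   # constructed stand-in for the bytes of one specific build
    rules = [
        Rule("path", r"C:\Windows\System32", UNRESTRICTED),             # let system binaries run
        Rule("path", r"C:\Windows\System32\old_tool.exe", DISALLOWED),  # ...except this one file
        Rule("hash", file_hash(old_build), DISALLOWED),                 # this build, wherever it is copied
        Rule("certificate", "CN=Contoso Logon Scripts", UNRESTRICTED),  # signed logon scripts may run
        Rule("zone", "Internet", DISALLOWED),                           # nothing downloaded from the Internet zone
    ]
    programs = {
        "calc": Program(r"C:\Windows\System32\calc.exe", b"MZ calc"),
        "old_tool_in_place": Program(r"C:\Windows\System32\old_tool.exe", b"MZ other build"),
        "old_tool_copied": Program(r"C:\Temp\old_tool.exe", old_build),
        "signed_script": Program(r"\\corp\netlogon\logon.vbs", b"WScript.Echo 1",
                                 signer="CN=Contoso Logon Scripts"),
        "download": Program(r"C:\Users\jane\Downloads\setup.exe", b"MZ setup", zone="Internet"),
        "unknown": Program(r"D:\apps\foo.exe", b"MZ foo"),
    }
    return {name: evaluate(rules, p, DISALLOWED) for name, p in programs.items()}
```

Note that the copied tool is caught by its hash even though no path rule covers C:\Temp, while the differently built file at the original path is caught by the longer path rule: two different rule types doing the work the text describes.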
6.4.5. Scripts

Using GP, you can assign scripts to entire domains, organizational units, sites, and groups instead of repeatedly entering the same login script into multiple users' profiles. You can launch four types of scripts using a GPO: logon and logoff scripts, which apply to users, and startup and shutdown scripts, which apply to computers. Startup scripts are executed before logon scripts, and logoff scripts are executed before shutdown scripts.

You can write scripts in any number of languages. Windows Server 2008 is prepared to accept JScript (.JS) and Visual Basic Scripting Edition (.VBS) files in addition to batch (.BAT), compiled command scripts (.COM), and application executables (.EXE). Scripts to be run through GP are stored on domain controllers in %SystemRoot%\SYSVOL\yourdomain.com\Policies\scripts, with yourdomain.com replaced with your fully qualified domain name.

You can assign startup and shutdown scripts in GP using the following procedure:

1. In the Group Policy Object Editor, navigate in the lefthand pane through Computer Configuration, Policies, Windows Settings, and Scripts (Startup/Shutdown).

2. In the righthand pane, click Startup and Shutdown to modify the scripts assigned to each.

You can assign logon and logoff scripts in GP using the following procedure:

1. In the Group Policy Object Editor, navigate in the lefthand pane through User Configuration, Policies, Windows Settings, and Scripts (Logon/Logoff).

2. In the righthand pane, click Logon and Logoff to modify the scripts assigned to each.

You can further define properties for these scripts under the Computer Configuration/Policies/Administrative Templates/System/Scripts and User Configuration/Administrative Templates/System/Scripts nodes in the Group Policy Object Editor. For users running scripts, you have the following options (see Figure 6-37):

"Run legacy logon scripts hidden" tells Windows not to display the DOS window when using a .COM or .BAT logon or logoff script.

"Run logoff scripts visible" indicates whether the actions and results of the logoff script's execution should be displayed to the user.

"Run logon scripts synchronously" allows you to specify multiple scripts and have them run at the same time rather than in sequence as the default dictates.

"Run logon scripts visible" indicates whether the actions and results of the logon script's execution should be displayed to the user.

Figure 6-37. Logon and logoff script options

For computers running scripts, you can configure the following options (see Figure 6-38):

"Allow logon scripts when NetBIOS or WINS is disabled" instructs Windows to either run or ignore logon scripts depending on whether you have enabled the old legacy-compatible NetBIOS and WINS naming schemes.

"Maximum wait time for Group Policy scripts" sets a cutoff time for the execution of scripts specified in GP before Windows simply cuts them off and continues with the process at hand.

"Run logon scripts synchronously" allows you to specify multiple scripts and have them run at the same time, rather than in sequence as the default dictates, on a per-computer rather than a per-user basis.

"Run shutdown scripts visible" indicates whether the actions and results of the shutdown script's execution should be displayed to the user.

"Run startup scripts asynchronously" allows you to specify multiple scripts and have them run in sequence, rather than at the same time, as the default dictates.

"Run startup scripts visible" indicates whether the actions and results of the startup script's execution should be displayed to the user.

Figure 6-38. Script options
6.5. Deployment Considerations

You've learned a lot in this chapter about GP and how it works. Along with the exact mechanisms behind GP's magic, there is also an art to properly deploying it. You must account for several issues when using GP. In this section, I'll take a look at some common issues, and I'll offer suggestions about how best to deploy (in general terms) GPs in your organization.

First, you should keep the Default Domain Policy GPO clear of special exceptions. Remember that this policy is meant only for domain-wide, all-computer settings, and is not meant as a launching point for myriad policies of your own. Don't apply different settings to this policy and expect to use the inheritance blocking and security group filtering capabilities to limit the scope of a setting located here. It's a recipe for a troubleshooting nightmare. Instead, create individual GPOs applied to different containers, where your changes, even if blocked by certain properties of the GPOs, aren't as widespread and sweeping.

Also, try to favor creating several smaller GPOs rather than fewer large GPOs. Although the processing time will suffer, it won't suffer much; the benefit is that a GPO's scope is much easier to identify on certain computers when you have smaller GPOs affecting only a few objects.

Construct a naming structure for your GPOs that is clear and descriptive. Hardly anything is worse, especially during GP troubleshooting, than seeing a GPO called "Office" and not knowing whether it defines who receives Microsoft Office through IntelliMirror, who doesn't get Office, or whether the GPO contains security settings for the office worker computers and not for the factory floor. Of course, you want to document this in a safe place, too. Memories tend to fail us at the most inopportune times.

Design your directory structure intelligently. Make separate OUs to contain objects performing similar roles, and make different OUs for different types of users on your network. Separate client workstations from server computers, and differentiate normal users from power users and administrators through a logical, flowing directory. This makes it much easier to deploy GPOs effectively without a lot of inheritance "black magic." By the same token, however, make sure you have room for exceptions to this scheme—some clients might be servers and some servers might be clients, so it's best to have a plan for these oddballs. And along the same lines, try to create a shallow Active Directory structure to eliminate many levels of policies being applied to nested OUs.

Also, when looking at your directory, assess how you can use groups placed in different OUs to further define GPO scope through the security group filtering function. Placing groups in certain OUs can more clearly identify their function and members, and can cut down on processing and application time because policy scope is more refined and less inclusive. At the same time, look at how WMI filtering can be used within the existing group and OU structure, and make modifications to streamline the effectiveness of RSoP and policy application functions. Oh, and don't forget to document your GPOs and their links. What more needs to be said about that?
6.6. Troubleshooting Group Policy

The process of diagnosing what is going on with GP and why it's not doing what you want it to do can be infuriating at times. Use the steps recommended in the following sections to assist you in tracking down where your problem lies.

6.6.1. Resolving DNS Problems

DNS problems can plague your network and make it nearly impossible for GPOs to be applied. This problem manifests itself primarily in the requirements for logging on to a domain; without DNS, you still might be able to authenticate to a domain controller, but GPOs will simply break. That's because they require various types of DNS SRV records to know which computer has which service to manage. This is a good place to start looking if GP simply doesn't function.

6.6.2. Analyzing Inheritance

If you are a seasoned network professional, you'll be familiar with the concept of inheritance. This also can be a stumbling block with GP. Beware of a couple of options. The first is the No Override function, which does nothing more than cease the processing of any GPOs under the object on which the option is set. Conversely, also be wary of the Block Inheritance function, which stops the processing of GPOs that reside higher in the GPO processing hierarchy. This is a case of knowing what you set and properly documenting it, but it still can eat up hours upon hours of troubleshooting time.

6.6.3. GPO Distribution and Synchronization

Another issue you might see is that of GP distribution and synchronization. Distribution and synchronization both rely on a versioning system managed internally by Windows that keeps track of unique revisions of the two parts of a GPO: the GPC, which is associated with a particular organizational structure in Active Directory, and the Group Policy Template, which is a file located in the C:\WINDOWS\SYSVOL\Policies directory on domain controllers. Usually, these are pushed out from the domain controller that is in the PDC emulator role to all the other domain controllers in a given domain, but if the versioning system is wrong or somehow corrupted, this distribution might not finish completely, or it might not occur at all. Windows comes with a couple of tools that will help you fish out the nonstandard GPOs: GPOTOOL, REPLMON, and the GPMC, which I covered earlier. Look at logs on the affected domain controllers and see whether any errors can help you determine the cause. See the next section for more information on the GP logs.

Along the same lines is actually realizing when GPOs are distributed, retrieved, and applied. Earlier in this chapter I pointed out that the interval Windows Server 2008 uses to push out new GPOs is 90 minutes for workstations and regular member servers, and 5 minutes for domain controllers. But this is only for new or revised GPOs. If GP has not changed, nothing is pushed unless you manually push it, either from the command line or through another system-wide GPO that pushes policy regardless of whether a change has occurred. So, remember that GP won't necessarily correct local configuration changes unless the domain GPO changes or you force a refresh.

6.6.4. Getting More Detailed Logs

To troubleshoot GPOs more effectively, you can enable verbose logging, which will give you more data about how GPOs are retrieved and applied to a specific object. This does require a Registry change on the client you're troubleshooting. Inside a Registry editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Select the value UserenvDebugLevel, of type REG_DWORD, and change the value of the key to 0x10002. Restart your system to make sure the change takes effect. Now, any GPO activities will be logged to a file called userenv.log in the %SystemRoot%\Debug\Usermode directory.

You also can enable direct logging to the application event log in much the same way. Inside your favorite Registry editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics. Select the value RunDiagnosticLoggingGroupPolicy, of type DWORD, and change its value to 1 on the client you're troubleshooting. Restart to apply your changes, and GPO activities will be logged in the application log.
6.6.5. Identifying Client Side Extension GUIDs

To troubleshoot problems pertaining to folder redirection, software installation, and other client-side difficulties, it can be useful to determine the GUID of the client-side extensions (CSEs) on each computer. The CSEs are simply "categories" for GPOs pertaining to different areas of the user interface. You can view all of these in one place inside the Registry, under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\GPExtensions. For reference, some common GUIDs for CSEs are included in Table 6-1. You can use these to match up information that you find in logfiles.

Table 6-1. Common CSE GUIDs

CSE                      GUID
Application Management   C6DC5466-785A-11D2-84D0-00C04FB169F7
Folder Redirection       25537BA6-77A8-11D2-9B6C-0000F8080861
IP Security              E437BC1C-AA7D-11D2-A382-00C04F991E27
Scripts                  42B5FAAE-6536-11D2-AE5A-0000F87571E3
Security                 827D319E-6EAC-11D2-A4EA-00C04F79F83A
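Matching the GUIDs in Table 6-1 against log lines by hand gets old quickly, so here is an added example (not code from the book) that does it: it seeds a name table from the table above, extends it from a text export of the GPExtensions key (assuming, as this example does, that each extension's subkey is named by its GUID and carries the friendly name as its default value), and then tags each GUID-bearing log line with the CSE name. The .reg excerpt and the log lines are constructed; the real userenv.log wording differs.

```python
"""Match client-side extension (CSE) GUIDs in Group Policy log lines to their names.

Added example, not code from the book or from Windows. The name table comes
from Table 6-1 plus an assumed-layout .reg export of the GPExtensions key.
The REG_EXCERPT and LOG_LINES below are constructed sample data.
"""
from __future__ import annotations

import re

# Matches 8-4-4-4-12 hex GUIDs with or without the surrounding braces.
GUID_RE = re.compile(r"\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?")

# From Table 6-1 in the book.
KNOWN_CSES = {
    "C6DC5466-785A-11D2-84D0-00C04FB169F7": "Application Management",
    "25537BA6-77A8-11D2-9B6C-0000F8080861": "Folder Redirection",
    "E437BC1C-AA7D-11D2-A382-00C04F991E27": "IP Security",
    "42B5FAAE-6536-11D2-AE5A-0000F87571E3": "Scripts",
    "827D319E-6EAC-11D2-A4EA-00C04F79F83A": "Security",
}

# Constructed excerpt of a .reg export of the GPExtensions key; the second GUID is a placeholder.
REG_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{00000000-0000-0000-0000-000000000001}]
@="Example Extension (placeholder GUID)"
"""

# Constructed log lines in a userenv.log-like shape; GUID case varies on purpose.
LOG_LINES = [
    "USERENV(3a8.2b0) 12:12:31:578 ProcessGPOs: Processing extension {25537BA6-77A8-11D2-9B6C-0000F8080861}",
    "USERENV(3a8.2b0) 12:12:31:594 ProcessGPOs: Extension {25537BA6-77A8-11D2-9B6C-0000F8080861} returned 0x0.",
    "USERENV(3a8.2b0) 12:12:32:001 ProcessGPOs: Processing extension {42b5faae-6536-11d2-ae5a-0000f87571e3}",
    "USERENV(3a8.2b0) 12:12:32:110 ProcessGPOs: Extension {42b5faae-6536-11d2-ae5a-0000f87571e3} returned 0x2.",
    "USERENV(3a8.2b0) 12:12:32:300 ProcessGPOs: Processing extension {00000000-0000-0000-0000-000000000001}",
    "USERENV(3a8.2b0) 12:12:32:420 ProcessGPOs: Processing extension {11111111-1111-1111-1111-111111111111}",
    "USERENV(3a8.2b0) 12:12:32:500 ProcessGPOs: No changes detected; skipping",
]


def parse_gpextensions_reg(text: str) -> dict[str, str]:
    """Build GUID -> friendly name from a .reg export (assumed layout: name is the default value)."""
    names, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            m = GUID_RE.search(line.rsplit("\\", 1)[-1])   # last key component is the GUID
            current = m.group(1).upper() if m else None
        elif current and line.startswith('@="') and line.endswith('"'):
            names[current] = line[3:-1]
    return names


def classify_log(lines: list[str], names: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (cse_name, guid, line) for every line that carries a CSE GUID."""
    events = []
    for line in lines:
        m = GUID_RE.search(line)
        if m:
            guid = m.group(1).upper()
            events.append((names.get(guid, "UNKNOWN CSE"), guid, line))
    return events


def failed_extensions(events: list[tuple[str, str, str]]) -> set[str]:
    """CSEs whose 'returned 0x...' line reports a nonzero status (convention of the constructed lines)."""
    failed = set()
    for name, _guid, line in events:
        m = re.search(r"returned 0x([0-9A-Fa-f]+)", line)
        if m and int(m.group(1), 16) != 0:
            failed.add(name)
    return failed


def demo():
    names = {**KNOWN_CSES, **parse_gpextensions_reg(REG_EXCERPT)}
    events = classify_log(LOG_LINES, names)
    return names, events, failed_extensions(events)
```

An unknown GUID in the output is itself a finding: it is an extension not in the table, so the next step is to look it up under GPExtensions on that client.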
6.6.6. Locating GPT Files on Domain Controllers

For various reasons—for example, to diagnose a problem with available GPOs propagating in your domain to administrative workstations—you might want to inspect the directory structure of the GPTs for certain GPOs. First, you need to retrieve the specific GUID for the policy, and then you can find the folder that contains the hard files associated with that policy.

To actually match a specific policy within Active Directory to the specific GPT files on a domain controller inside its SYSVOL share, first you need to locate the GUID on the container in Active Directory where the GPO is applied. Using the GPMC, select the appropriate GPO, and then select the Details tab in the righthand pane. Copy the GUID from there. Then open Explorer and navigate to \\domainname.com\sysvol, which will open the SYSVOL share on the nearest domain controller. Open the Policies directory, and then open the folder whose name matches the GUID of the GPO you selected within the GPMC.

Luckily, you probably will not need to do this very often, as the interface and propagation techniques for GP in Windows Server 2008 are resilient and efficient. But the information is indeed here, just in case.

6.7. Other Group Policy Management Tools

It's important to note that there are several paid third-party tools available to help you manage GPOs, their scope and effect, and their application, including the following:

FAZAM

FAZAM tracks changes to GPOs, provides version control for GPOs, allows new or changed GPOs to move into production only after being tested and approved, eliminates the risk of making changes to a live production environment, handles multiple users making simultaneous changes, and enhances GPO administration delegation. However, there are reports that this tool does not work well with Windows 2000 and is fully functional only on Windows Server 2003 and later. FAZAM is available at http://www2.fullarmor.com/solutions/group.

NetIQ Group Policy Administrator

NetIQ Group Policy Administrator handles change and release management to keep better track of GPO modification, creation, and deletion, and enhances change simulation and analysis of hypothetical GPO deployments above and beyond what Windows Server 2008 provides. NetIQ Group Policy Administrator is available at http://www.netiq.com/products/gpa/default.asp.

Quest ActiveRoles

Quest ActiveRoles allows junior-level administrators to securely make changes to important elements of Active Directory, including GP. Quest ActiveRoles is available at http://www.quest.com/fastlane/activeroles/.

6.8. Command-Line Utilities

Before we close up the chapter, I wanted to talk about the two most popular command-line management tools for GP. Although I've mentioned both of these utilities earlier in this chapter, I wanted to give each of them a thorough treatment in this section for easier reference and use.
6.8.1. GPUpdate

GPUPDATE will refresh Group Policy settings that are stored either on individual machines or through Active Directory. It's fairly straightforward to use. To refresh the GP settings on the current workstation, just issue the GPUPDATE command itself:

    gpupdate

You can target either computer or user settings using the /target switch. If the switch is omitted, both computer and user settings are refreshed. To refresh computer settings on the current machine:

    gpupdate /target:computer

You can force the refresh of GP settings with the /force switch:

    gpupdate /target:computer /force

Finally, you can force a logoff and/or a reboot with the /logoff and /boot switches, respectively:

    gpupdate /logoff
    gpupdate /boot
6.8.2. GPResult

GPRESULT will return a listing of all policies applied to a user and computer, the OUs in which the computer and user are located, the site they are in, and a lot more information. The remote computers need to run at least Windows XP or Server 2003 for GPRESULT to return accurate information. You can return a simple report using the currently logged on user at your workstation by simply issuing the command itself without any switches:

    gpresult

The following is a sample of the report you'll receive:

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 5/9/2005 at 12:15:16 PM

    RSOP data for R2TEST\Administrator on R2B2SRV1 : Logging Mode
    -------------------------------------------------------------

    OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edition
    OS Configuration:            Primary Domain Controller
    OS Version:                  5.2.3790
    Terminal Server Mode:        Remote Administration
    Site Name:                   Default-First-Site-Name
    Roaming Profile:
    Local Profile:               C:\Documents and Settings\Administrator
    Connected over a slow link?: No

    COMPUTER SETTINGS
    -----------------
        CN=R2B2SRV1,OU=Domain Controllers,DC=r2test,DC=corp,DC=hasselltech,DC=local
        Last time Group Policy was applied: 5/9/2005 at 12:12:31 PM
        Group Policy was applied from:      r2b2srv1.r2test.corp.hasselltech.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        R2TEST
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Controllers Policy
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

            Turn off System Restore
                Filtering:  Denied (Security)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Pre-Windows 2000 Compatible Access
            BUILTIN\Users
            Windows Authorization Access Group
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            R2B2SRV1$
            Domain Controllers
            NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

    USER SETTINGS
    -------------
        CN=Administrator,CN=Users,DC=r2test,DC=corp,DC=hasselltech,DC=local
        Last time Group Policy was applied: 5/9/2005 at 12:02:32 PM
        Group Policy was applied from:      r2b2srv1.r2test.corp.hasselltech.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        R2TEST
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

            Turn off System Restore
                Filtering:  Disabled (GPO)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            BUILTIN\Pre-Windows 2000 Compatible Access
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Admins
            Group Policy Creator Owners

To get information for the user jhassell on the remote workstation JH-WNXP-LTP using GPRESULT, run:

    gpresult /s JH-WNXP-LTP /USER jhassell

Likewise, to get information for the user ljohnson in the domain R2TEST on the remote workstation 192.168.1.120, run:

    gpresult /s 192.168.1.120 /USER R2TEST\ljohnson

You also can add the /V option to enable verbose logging, which will display detailed information and not just a summary view, or /Z, to enable extended verbose logging (even more details). Use the /SCOPE MACHINE option with /Z to look at only computer configuration policies; similarly, use /SCOPE USER to look at user configuration policies. You can redirect the output of GPRESULT to a text file using the standard > DOS redirect operator.
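When you redirect GPRESULT output to a file across many machines, the questions you usually want answered are which GPOs were applied and which were filtered out and why (the "Denied (Security)" case is the security group filtering discussed under deployment). The following added example, not code from the book or from Microsoft, pulls those pieces out of a logging-mode report; SAMPLE is abridged from the report shown above, and the parser relies only on the section headers visible there.

```python
"""Parse GPRESULT logging-mode output into the parts checked during troubleshooting.

Added example, not code from the book or from Microsoft. SAMPLE is abridged
from the book's sample report; only its section headers are relied on.
"""
import re

SECTION_RE = re.compile(r"^(COMPUTER|USER) SETTINGS$")


def parse_gpresult(text: str) -> dict:
    """Return {"COMPUTER"/"USER": {"applied": [...], "filtered": {gpo: reason}, "groups": [...]}}."""
    result, section, block, pending = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result[section] = {"applied": [], "filtered": {}, "groups": []}
            block = None
            continue
        if section is None or (line and set(line) == {"-"}):
            continue                                   # preamble, or a dashed underline
        if line.startswith("Applied Group Policy Objects"):
            block = "applied"
        elif line.startswith("The following GPOs were not applied"):
            block = "filtered"
        elif line.endswith("is a part of the following security groups"):
            block = "groups"
        elif not line:
            if block in ("applied", "groups"):         # a blank line ends these lists; the
                block = None                           # filtered list has blanks between entries
        elif block == "applied":
            result[section]["applied"].append(line)
        elif block == "groups":
            result[section]["groups"].append(line)
        elif block == "filtered":
            if line.startswith("Filtering:") and pending:
                result[section]["filtered"][pending] = line.split(":", 1)[1].strip()
            else:
                pending = line                         # the GPO name precedes its Filtering: line
    return result


def denied_by_security(parsed: dict) -> dict:
    """GPOs skipped because the security-group filter denied Apply Group Policy."""
    return {sec: [g for g, why in data["filtered"].items() if why.startswith("Denied (Security)")]
            for sec, data in parsed.items()}


SAMPLE = r"""RSOP data for R2TEST\Administrator on R2B2SRV1 : Logging Mode
-------------------------------------------------------------

COMPUTER SETTINGS
-----------------
    CN=R2B2SRV1,OU=Domain Controllers,DC=r2test,DC=corp,DC=hasselltech,DC=local
    Last time Group Policy was applied: 5/9/2005 at 12:12:31 PM

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Turn off System Restore
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Domain Controllers

USER SETTINGS
-------------
    CN=Administrator,CN=Users,DC=r2test,DC=corp,DC=hasselltech,DC=local

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Turn off System Restore
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Domain Admins
"""
```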
6.9. The Last Word

GP offers a flexible, compatible, and centralized way to obtain a consistent security and shell configuration across your organization. Through the use of security policies and IntelliMirror technologies, all discussed in this chapter, you can reduce your administrative burden and achieve nirvana. In the next chapter, I'll take an in-depth look at the most popular security options within Windows Server 2008 and discuss how to make your machines and network more hardened and secure against threats.

Chapter 7. Windows Security and Patch Management

Entire books are devoted to Windows security—how to secure Windows clients, servers, headless machines, terminals, web servers, and more. In this chapter, however, I've chosen to highlight some of the useful tools for managing and automating security on Windows Server 2008. I've also included some references to security policy settings that most organizations will find helpful. In the interest of full disclosure, I must say I have not included an exhaustive reference to every security setting to be found in Windows. So many options are unique to different environments that I've found the best strategy for this particular book is to give a broad overview of security policy management tools, along with some general settings that can increase security greatly, and then let you explore the Windows security features yourself.

7.1. Understanding Security Considerations

Most small- and medium-size businesses have several issues to keep in mind when securing their configurations. Some of these might include the following:

The organization comprises multiple servers, and many have distinct and independent roles. It is difficult to be consistent and strict enough with a security policy when multiple machines are performing different functions, each with its own security requirements.

Older operating systems and applications are in use. Older programs and systems often use programming and communication techniques that, although secure enough when they were developed, can be exploited easily by today's automated attacks. It can be problematic to ensure that these older platforms are supported correctly and are protected adequately from a constant security threat.

In some markets and professions, you must deal with legal procedures, protections, and consequences. For instance, in the medical profession, the Health Insurance Portability and Accountability Act (HIPAA) has presented some challenges regarding data privacy and safekeeping that are making life more "interesting" (in the ancient-Chinese-curse sense of the term) for IT personnel. Such legislation and regulation can alter your security policy in specific situations.

There might be a lack of physical security at the site, which makes any computer-based security configurations you plan to make ineffective. After all, if someone can make off with your domain controller, all bets are off.

There might be a lack of security expertise among the technical employees at your company. Constructing and then implementing a security policy is a challenging task that requires patience and knowledge. Lacking these two qualities can make for a painful process. Of course, this chapter will help with the latter.

There might be threats—internal, external, or even accidental—that could damage your systems or harm the valuable data contained therein. Take a hurricane, for example. What happens when looters grab the backup tape from the regional bank whose walls have collapsed during the storm? What kinds of bad things might those thieves do with that information?

Finally, the most common scenario, there are limited resources—in terms of both money and labor—to implement secure solutions.

Of course, not all of these conditions apply to all businesses, but it's very likely that each is an obstacle that most organizations run into. In this chapter, I'll provide cost-effective ways to address some of these obstacles.

7.1.1. Principles of Server Security

Server security operates off the CIA principle, which is depicted in Figure 7-1.

Figure 7-1. The CIA principle of server security

CIA stands for confidentiality, integrity, and availability. Confidentiality is the concept that information access is protected and restricted to only those who should have access. Integrity is the concept that information is protected from being tampered with or otherwise modified without prior authorization. And availability refers to ensuring that access to the information is available at all times, or at least as often as possible.

Keeping the CIA framework in mind, you can take a number of different security approaches at the server level. One of the most successful methods of preserving confidentiality, integrity, and availability is the layered approach, which both reduces an attacker's chance of success and increases his risk of detection. The layered approach comprises seven layers, each with its own methods and mechanisms for protection:

Data level

The data level guards against malicious activity performed on the actual data. Protection at the data level includes ACLs and encrypting filesystems. Safeguards at this level cover the confidentiality and integrity levels of the CIA triangle.

Application level

Application-level security protects individual programs from attack. Security at this level can include hardening the applications themselves, installing security patches from the vendors, and activating antivirus software and performing regular scans. Safeguards at this level cover the integrity and availability levels of the CIA triangle.

Host level

Protection at the host level secures the computer and its operating system from attack, which nearly eliminates the potential for attack on the data and application levels. Protection at this level includes hardening the operating system itself (which is the primary focus of this chapter), managing security patches, authentication, authorization, and accounting, and host-based intrusion detection systems. Safeguards at this level cover the integrity and availability levels of the CIA triangle.
I nt ernal net work level
The organizat ion's net work is t he next level, which prot ect s against int ruders ent ering at t he perim et er and sniffing t raffic, looking for keys t o accessing levels higher t han t his one. Prot ect ion at t his level includes segm ent ing your net work int o subnet s, using I P Securit y ( I PSec) , and inst alling net work int rusion det ect ion syst em s. Safeguards at t his level include all facet s of t he CI A t riangle: confident ialit y, int egrit y, and availabilit y.
Perim et er level
The perim et er is where t he int ernal net work connect s t o ot her ext ernal net works, including t hose t o ot her branches of t he sam e corporat ion and connect ions t o t he I nt ernet . Perim et er- level prot ect ions m ight include firewalls and quarant ining virt ual privat e net work ( VPN) and dial- up access. Safeguards at t his level include all facet s of t he CI A t riangle: confident ialit y, int egrit y, and availabilit y.
Physical securit y level
The physical securit y level involves prot ect ing t he real est at e in which t he business pract ices. Guards, locks, and t racking devices all com prise prot ect ion at t his level. Safeguards at t his level cover t he confident ialit y and int egrit y levels of t he CI A t riangle.
Policies, procedures, and awareness level
This level involves educat ing users as t o best pract ices and accept able and unaccept able m et hods of dealing wit h inform at ion t echnology. Safeguards at t his level can include all facet s of t he CI A t riangle: confident ialit y, int egrit y, and availabilit y.
Chapter 7. Windows Security and Patch Management
Entire books are devoted to Windows security—how to secure Windows clients, servers, headless machines, terminals, web servers, and more. In this chapter, however, I've chosen to highlight some of the useful tools for managing and automating security on Windows Server 2008. I've also included some references to security policy settings that most organizations will find helpful. In the interest of full disclosure, I must say I have not included an exhaustive reference to every security setting to be found in Windows. So many options are unique to different environments that I've found the best strategy for this particular book is to give a broad overview of security policy management tools, along with some general settings that can increase security greatly, and then let you explore the Windows security features yourself.
7.1. Understanding Security Considerations
Most small- and medium-size businesses have several issues to keep in mind when securing their configurations. Some of these might include the following:
The organization comprises multiple servers, and many have distinct and independent roles. It is difficult to be consistent and strict enough with a security policy when multiple machines are performing different functions, each with its own security requirements.
Older operating systems and applications are in use. Older programs and systems often use programming and communication techniques that, although secure enough when they were developed, can be exploited easily by today's automated attacks. It can be problematic to ensure that these older platforms are supported correctly and are protected adequately from a constant security threat.
In some markets and professions, you must deal with legal procedures, protections, and consequences. For instance, in the medical profession, the Health Insurance Portability and Accountability Act (HIPAA) has presented some challenges regarding data privacy and safekeeping that are making life more "interesting" (in the ancient-Chinese-curse sense of the term) for IT personnel. Such legislation and regulation can alter your security policy in specific situations.
There might be a lack of physical security at the site, which makes any computer-based security configurations you plan to make ineffective. After all, if someone can make off with your domain controller, all bets are off.
There might be a lack of security expertise among the technical employees at your company. Constructing and then implementing a security policy is a challenging task that requires patience and knowledge. Lacking these two qualities can make for a painful process. Of course, this chapter will help with the latter.
There might be threats—internal, external, or even accidental—that could damage your systems or harm the valuable data contained therein. Take a hurricane, for example. What happens when looters grab the backup tape from the regional bank whose walls have collapsed during the storm? What kinds of bad things might those thieves do with that information?
Finally, the most common scenario, there are limited resources—in terms of both money and labor—to implement secure solutions.
Of course, not all of these conditions apply to all businesses, but it's very likely that each is an obstacle that most organizations run into. In this chapter, I'll provide cost-effective ways to address some of these obstacles.
7.1.1. Principles of Server Security
Server security operates off the CIA principle, which is depicted in Figure 7-1.
Figure 7-1. The CIA principle of server security
CIA stands for confidentiality, integrity, and availability. Confidentiality is the concept that information access is protected and restricted to only those who should have access. Integrity is the concept that information is protected from being tampered with or otherwise modified without prior authorization. And availability refers to ensuring that access to the information is available at all times, or at least as often as possible. Keeping the CIA framework in mind, you can take a number of different security approaches at the server level. One of the most successful methods of preserving confidentiality, integrity, and availability is the layered approach, which both reduces an attacker's chance of success and increases his risk of detection. The layered approach comprises seven layers, each with its own methods and mechanisms for protection:
Data level
The data level guards against malicious activity performed on the actual data. Protection at the data level includes ACLs and encrypting filesystems. Safeguards at this level cover the confidentiality and integrity levels of the CIA triangle.
Application level
Application-level security protects individual programs from attack. Security at this level can include hardening the applications themselves, installing security patches from the vendors, and activating antivirus software and performing regular scans. Safeguards at this level cover the integrity and availability levels of the CIA triangle.
Host level
Protection at the host level secures the computer and its operating system from attack, which nearly eliminates the potential for attack on the data and application levels. Protection at this level includes hardening the operating system itself (which is the primary focus of this chapter), managing security patches, authentication, authorization, and accounting, and host-based intrusion detection systems. Safeguards at this level cover the integrity and availability levels of the CIA triangle.
Internal network level
The organization's network is the next level, which protects against intruders entering at the perimeter and sniffing traffic, looking for keys to accessing levels higher than this one. Protection at this level includes segmenting your network into subnets, using IP Security (IPSec), and installing network intrusion detection systems. Safeguards at this level include all facets of the CIA triangle: confidentiality, integrity, and availability.
Perimeter level
The perimeter is where the internal network connects to other external networks, including those to other branches of the same corporation and connections to the Internet. Perimeter-level protections might include firewalls and quarantining virtual private network (VPN) and dial-up access. Safeguards at this level include all facets of the CIA triangle: confidentiality, integrity, and availability.
Physical security level
The physical security level involves protecting the real estate in which the business practices. Guards, locks, and tracking devices all comprise protection at this level. Safeguards at this level cover the confidentiality and integrity levels of the CIA triangle.
Policies, procedures, and awareness level
This level involves educating users as to best practices and acceptable and unacceptable methods of dealing with information technology. Safeguards at this level can include all facets of the CIA triangle: confidentiality, integrity, and availability.
7.2. Locking Down Windows
Multiuser systems are security holes in and of themselves. The simplest systems—those used by only one person—are the easiest ones to secure because there's much less diversity and variance of usage on the part of one person than there is on the part of many. Unfortunately, most of our IT environments require multiple user accounts, so the following section focuses on some prudent ways to lock down Windows systems, including Windows Server 2008 machines and associated client workstation operating systems.
7.2.1. Password Policies
Long passwords are more secure, period. As you might suspect, there are more permutations and combinations to try when one is attempting to crack a machine via brute force, and common English words, on which a dictionary attack can be based, are generally shorter than eight characters in length. By the same token, passwords that have not been changed in a long time are also insecure. Although most users grudgingly change their passwords on a regular basis when encouraged by administrators, some accounts—namely the Administrator and Guest accounts—often have the same password for life, which makes them an easy target for attack. To counter these threats, consider setting some basic requirements for passwords. To set these restrictions on individual workstations and Windows Server 2008 member servers, follow these steps:
1. Open the MMC and navigate to the Local Security Policy snap-in. You usually access this by selecting Start, All Programs, Administrative Tools.
2. Navigate down the tree, through Security Settings, to Account Policies.
3. Click Password Policy.
4. Enable the "Passwords must meet complexity requirements" setting.
5. Change the "Minimum password length" to a decent length. I recommend eight characters. (I must note here that I prefer passwords longer than 14 characters, but I predict that you will encounter serious user resistance to such a move.)
6. Change the "Maximum password age" setting to a conservative setting. I recommend 90 days.
You can accomplish the same through GP if you have a Windows domain by selecting an appropriate GPO and loading the Group Policy Object Editor, as explained in Chapter 6. Keep in mind that changes to the domain password policy will affect all machines within the scope of the GP. The configuration tree within the Group Policy Object Editor remains the same.
7.2.1.1. Granular password policies
New to Windows Server 2008 is the ability to define different password policies for different users. No longer do you have to set up distinct domains when you need different password policies to apply to specific users; with Windows Server 2008, you can apply specific password policies to users' accounts in global security groups. To use this new feature, there are a few prerequisites software-wise. They include:
The domain functional level must be Windows Server 2008.
You must be a domain administrator to set a password policy. You can delegate this, however.
You must fully configure the password settings object, or PSO.
What is a PSO? The password settings object resides in the password settings container, which is unique to any given domain. The PSO has different attributes, which can in turn hold different values, for password and account lockout policies, like complexity and age requirements, maximum unsuccessful logon attempts before lockout, and so on. The PSO can be linked to individual user accounts or groups, and these accounts can have multiple PSOs assigned to them. The process to enable fine-grained password control and to enable access to the PSO lacks a lot of finish; unfortunately, you have to go spelunking into the internals of Active Directory in order to enable this support. Before you embark on this procedure, I recommend generating a full backup of your system. Here is the process:
1. From the Start menu, type adsiedit and then click the resulting link at the top of the window called ADSI Edit.
2. Right-click on ADSI Edit in the right pane, and from the context menu, select "Connect to."
3. Click OK in the Connection Settings screen.
4. In the left pane of ADSI Edit, expand the "Default naming context" past the first node and click on the CN=System node.
5. In the right pane, right-click on CN=Password Settings Container and from the New menu, choose Object.
6. On the resulting Create Object screen, select the only class listed (msDS-PasswordSettings) and click Next.
7. You'll be taken through a number of rather cryptic screens that contain attributes for which you need to provide values. For example, perhaps we want to create a special password policy that applies only to administrators. Table 7-1 shows these attributes, some suggested values that are relevant to our example, and an explanation of exactly what each value is. Continue through each of the steps, entering the values in the white box as requested.
8. Click Finish on the confirmation dialog.
9. If you expand the CN=System node in the left pane, and then click on CN=Password Settings Container, you'll now see the PasswordPolicyAdmins policy that we just created. This is your confirmation that the policy has been successfully created.
From this point all we have to do is to assign the new policy to most any combination of users and groups. To do so:
1. Right-click the PSO from within ADSI Edit and select Properties, and on the resulting screen, click the Filter button.
2. Select the following options: "Mandatory," "Optional," "Constructed," "Backlinks," and "System-only." Ensure that the "Show only attributes that have values" option is not selected.
3. In the list on the Attribute Editor tab, navigate to msDS-PSOAppliesTo.
4. Select msDS-PSOAppliesTo and click the Edit button at the bottom left of the screen.
5. The "Multi-valued Distinguished Name with Security Principal Editor" window appears. Click the Add DN button and then enter the security group, user, or any combination thereof that should be affected by this new password settings policy. You'll need to use the distinguished name, which is the LDAP version of a container name. You can have as many entries on this screen as you like.
6. Click OK.
Your new policy is now configured, deployed, and filtered on the appropriate security group (Table 7-1).
Table 7-1. Attributes, values, and descriptions (note minus signs)
Attribute | Value | Description
cn | PasswordPolicyAdmins | The name of your policy; try to be descriptive.
msDS-PasswordSettingsPrecedence | 10 | Like AD replication, this is a "cost" which is used to determine which policy would win in the event of a conflict between password policies (a lower number indicates a higher priority and a higher possibility of winning a conflict).
msDS-PasswordReversibleEncryptionEnabled | False | Should passwords be stored with reversible encryption?
msDS-PasswordHistoryLength | 32 | The number of passwords Windows Server 2008 will remember.
msDS-PasswordComplexityEnabled | True | Should users be required to have a password that Windows Server 2008 considers complex?
msDS-MinimumPasswordLength | 16 | Minimum number of characters in a password.
msDS-MinimumPasswordAge | -864000000000 | Minimum age of the password. The value is 1 day.
msDS-MaximumPasswordAge | -36288000000000 | Maximum tolerable age of a single password. The value is 42 days, or 6 weeks.
msDS-LockoutThreshold | 30 | Specifies the number of attempts a user can make with an invalid password before the account will be temporarily disabled.
msDS-LockoutObservationWindow | -18000000000 | Specifies how long the system should wait before resetting the counter that monitors invalid access attempts. (The value is 6 minutes.)
msDS-LockoutDuration | -18000000000 | Specifies how long a user should be locked out if a password is incorrectly entered. (The value is 6 minutes.)
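The same PSO can be built without walking through the ADSI Edit screens. The following is an added example, not code from the book: it assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later, or RSAT) is available on the machine where it runs, that the domain is already at the Windows Server 2008 functional level, and that the group and user names marked PLACEHOLDER are replaced with your own. The negative numbers in Table 7-1 are counts of 100-nanosecond intervals, which is exactly the unit of a .NET TimeSpan tick, so the two helper functions are a sign flip; decoding the table's values with them shows that -864000000000 is 1 day, -36288000000000 is 42 days, and -18000000000 is 1800 seconds (30 minutes).

```powershell
# Added example (not from the book): build the PSO from Table 7-1 with the
# Active Directory module instead of ADSI Edit. Assumptions: the ActiveDirectory
# module (Windows Server 2008 R2 or later, or RSAT) is installed, the domain is
# at the Windows Server 2008 functional level, and the PLACEHOLDER names are
# replaced with a real global security group and one of its members.
Import-Module ActiveDirectory

# Table 7-1 stores ages and timers as negative counts of 100-nanosecond
# intervals, the same unit as .NET TimeSpan ticks, so conversion is a sign flip.
function ConvertFrom-AdInterval {
    param([long]$Value)
    return [TimeSpan]::FromTicks(-$Value)
}
function ConvertTo-AdInterval {
    param([TimeSpan]$Span)
    return [long](-$Span.Ticks)
}

# Decode the raw values printed in Table 7-1 to see the duration each encodes.
$tableValues = @{
    'msDS-MinimumPasswordAge'       = -864000000000
    'msDS-MaximumPasswordAge'       = -36288000000000
    'msDS-LockoutObservationWindow' = -18000000000
    'msDS-LockoutDuration'          = -18000000000
}
foreach ($attr in $tableValues.Keys) {
    $span = ConvertFrom-AdInterval $tableValues[$attr]
    '{0,-32} {1,16}  = {2}' -f $attr, $tableValues[$attr], $span
}

# Create the PSO with the settings the table prescribes. The cmdlet takes
# TimeSpans, so the negative numbers never have to be typed by hand.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PasswordPolicyAdmins' `
    -Precedence 10 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 32 `
    -ComplexityEnabled $true `
    -MinPasswordLength 16 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -LockoutThreshold 30 `
    -LockoutObservationWindow (ConvertFrom-AdInterval -18000000000) `
    -LockoutDuration (ConvertFrom-AdInterval -18000000000) `
    -PassThru

# Link the PSO to the group: the equivalent of editing msDS-PSOAppliesTo.
$subjectGroup = 'PLACEHOLDER-admins-group'
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $subjectGroup

# Confirm which policy actually wins for one member of that group, since a
# user can be covered by several PSOs and precedence decides between them.
Get-ADUserResultantPasswordPolicy -Identity 'PLACEHOLDER-admin-user' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, LockoutDuration
```

The final cmdlet is the check worth keeping around: it reports the resultant policy for a user after precedence is applied, which is the only reliable way to confirm that a new PSO, rather than the default domain policy or a lower-numbered PSO, is the one in force.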
One final note on passwords: encourage your users to use passphrases and not just passwords. This is a great way to enforce a 14-character minimum password length while still making it easy for your users to remember their codes. For example, suggest that they use something such as "My dog is named Molly!" as a password instead of something such as "jsx8q6sv8qtr3r". Tell your users to type their passwords in the password entry box as though they were typing into Microsoft Word or another common word processing program. Windows can accept it, and your users are more likely to remember it.
7.2.2. Account Lockout Policies
Three old-fashioned methods of gaining unauthorized access to a system are to attempt authentication using the following:
A well-known username (e.g., administrator)
A username not known but derived logically (e.g., admin)
A different password for the username on each attempt, repeating as often as possible
Windows can thwart these styles of attack using an account lockout policy, which will disable an account for a specified period after a certain number of unsuccessful logon attempts. To set the account lockout policy, follow these steps:
1. Open the MMC and load the Group Policy Object Editor for an appropriate GPO, or navigate to the Local Security Policy snap-in.
2. Navigate down the tree, through Security Settings, to Account Policies.
3. Click Account Lockout Policy.
4. Set the "Account lockout threshold" to a reasonably small number. I recommend three bad login attempts.
5. Set both the "Account lockout duration" and the "Reset account lockout after" options to 15 minutes. This setting resists attack while not seriously imposing on users who just suffer from "typo syndrome."
As with password policy, you can configure account lockout policy at the local computer or domain level. However, because the password policies are domain dependent, the "local" level is in effect only when the computer is not logged on to the domain.
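Once the password policy from 7.2.1 and the lockout policy from 7.2.2 have been set, it is worth being able to verify them on a member server without clicking through the snap-in. The script below is an added example, not the book's own material: it assumes an elevated PowerShell session and relies on secedit.exe, which ships with Windows, to export the local security policy to an INF file whose [System Access] section lists each setting as "Name = Value" (password ages in days, lockout timers in minutes). It then compares the exported values with the chapter's recommendations; the upper bound on password length is an assumption made for this example.

```powershell
# Added example (not from the book): audit the local password and account
# lockout policy against the recommendations in sections 7.2.1 and 7.2.2.
# Assumptions: run in an elevated PowerShell session; secedit.exe (shipped with
# Windows) exports the [System Access] section as "Name = Value" lines with
# password ages in days and lockout timers in minutes.

# Recommended ranges. Where the chapter gives one number (90 days, 15 minutes,
# three attempts) the range pins it; the upper bound for length is an assumption.
$Recommended = @{
    PasswordComplexity    = @{ Min = 1;  Max = 1;   Why = 'Passwords must meet complexity requirements' }
    MinimumPasswordLength = @{ Min = 8;  Max = 128; Why = 'At least eight characters' }
    MaximumPasswordAge    = @{ Min = 1;  Max = 90;  Why = 'Expire within 90 days (-1 means never expire)' }
    LockoutBadCount       = @{ Min = 1;  Max = 3;   Why = 'Lock after three bad attempts (0 means never lock)' }
    LockoutDuration       = @{ Min = 15; Max = 15;  Why = 'Stay locked out for 15 minutes' }
    ResetLockoutCount     = @{ Min = 15; Max = 15;  Why = 'Reset the bad-attempt counter after 15 minutes' }
}

function Export-LocalSystemAccess {
    # Export the local security policy and return [System Access] as a hashtable.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $settings
}

function Test-LocalAccountPolicy {
    param([hashtable]$Settings)
    foreach ($name in $Recommended.Keys) {
        $rule    = $Recommended[$name]
        $current = $Settings[$name]
        # A missing lockout key means no lockout policy is in force at all; flag it.
        if ($current -eq $null) {
            $status = 'NOT SET'
        } elseif ($current -ge $rule.Min -and $current -le $rule.Max) {
            $status = 'OK'
        } else {
            $status = 'REVIEW'
        }
        New-Object PSObject -Property @{
            Setting  = $name
            Current  = $current
            Expected = '{0}..{1}' -f $rule.Min, $rule.Max
            Status   = $status
            Reason   = $rule.Why
        } | Select-Object Setting, Current, Expected, Status, Reason
    }
}

Test-LocalAccountPolicy -Settings (Export-LocalSystemAccess) | Format-Table -AutoSize
```

On a domain-joined machine the values exported this way are the ones the domain policy has pushed down, so the same script doubles as a check that the GPO actually applied. The numeric settings can also be set from a prompt with net accounts (for example /minpwlen, /maxpwage, /lockoutthreshold, /lockoutduration and /lockoutwindow), but the complexity requirement has no net accounts switch and still needs the policy editor or a secedit /configure template.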
7.2.3. Local Options
In addition to securing local accounts, the newer Windows platforms give you the ability to lock down certain rights and configurations on the local computer in addition to any domain security policy that might be configured. Several of the available options do little to thwart attacks, so in this section I'll cover the six most effective changes you can make to your local security policy. You can enable all of the hardening suggestions in this section through the Security Options section of the Local Security Policy snap-in to the MMC. You can usually find this snap-in under Start, All Programs, and Administrative Tools. To get to the appropriate section, navigate the snap-in tree by selecting Computer Configuration, Windows Settings, Security Settings, and Local Policies. Then click Security Options, and the different configuration switches will appear in the right-hand pane. The instructions in this section assume that you have already loaded the snap-in and navigated to the appropriate section.
7.2.3.1. Anonymous access
Windows allows access by an anonymous user to many shares and files using a null user account; this is a security hazard, of course. You still can enable anonymous access to files and directories by explicitly granting rights to the ANONYMOUS USER account in Windows inside the appropriate ACL. This setting merely disables that access by default, so you know exactly where connections are being made. To fix this hazard, set Additional Restrictions for Anonymous Connections to "No access without explicit anonymous permissions."
7.2.3.2. Shutdown without logon
Windows 2000 and Windows XP Professional machines come in a default configuration that allows you to shut down the system using the Shutdown... button on the logon screen, so you might be familiar with this feature. However, Windows 2000 Server and Windows Server 2008 machines disable this out of the box. Despite the convenience factor of this feature, it's best to leave rebooting a machine to administrators.
Change "Allow system to shut down without having to log on" to Disabled to secure this.
7.2.3.3. Automatic logoff
Some users log on to the network and then don't log off for months. This is a prominent security hole, as when that user leaves her desk, she still is authenticated to the network with her credentials. Malicious people can use this to do destructive things: delete and transfer files, plant a "rootkit" or backdoor program, or change passwords. You can make automatic logoff work in two ways: first, each valid user needs to have a time when she is not permitted to log on. This can be sometime in the early morning, perhaps 3:00 to 3:30 a.m. Then, a change to the local security policy needs to be made so that when the user's logon time expires, she is not permitted to log on. To set up a logon time restriction on a domain controller for an Active Directory-enabled domain, follow these steps:
1. Go to the Active Directory Users and Computers snap-in.
2. Expand the icon for your domain and click the Users container.
3. Right-click a user and select Properties.
4. Click the Account tab, and then click the Logon Hours... button.
5. Select the appropriate region of time in the calendar block, and click the radio buttons to the right to either permit or deny logons during that time.
6. Click OK, and then OK once more to exit the user property sheet.
This option is available only for members of an Active Directory domain.
Now, make the change to the computer's local security policy. Inside the Local Computer Policy snap-in, change "Automatically log off users when logon time expires" to Enabled. If you do not have a domain, instead change "Automatically log off users when logon time expires (local)" to Enabled. This will work even if users have locked their workstations.
7.2.3.4. Digitally signing communication
It's a good idea these days for a computer to authenticate itself to other computers during a communication. Otherwise, a technique called "spoofing" can be used, and a cracker's computer can pose as the remote end of a connection and receive potentially sensitive information. You can prevent this by using digital signatures. However, these are not pervasive; Windows compensates for this limited use by providing two options in the local policy: require it when possible, or require it, period. I recommend requiring the signatures when possible on both ends of a connection (the RPC protocol refers to the requesting end as the "client" and the responding end as the "server," regardless of the systems' usual roles). Unsigned transmissions should occur only when signatures are not available, supported, or possible.
Be aware that this setting will probably break communications between Windows Server 2008 and Windows Server 2003 machines and older, less secure client operating systems, including Windows 95, Windows 98, and Windows ME. The SCW will set this policy for you and warn you of this.
To require digitally signed communication when possible, change "Digitally sign client communication (when possible)" to Enabled and "Digitally sign server communication (when possible)" to Enabled.
7.2.3.5. Requiring the three-keystroke salute at logon
The logon screen is one of the most trusted aspects of a computer to a normal user. He trusts it enough that he gives his password and username, and then the computer trusts him, too, if all of that is correct and verified. A cracker can take advantage of this mutual trust by writing a program that runs as a system service—in other words, it doesn't need user privileges. The program will mimic the logon box, grab the user's input, and do something with it such as email the password to the cracker, save the credentials to a backdoor program data file, or any number of other nefarious things. However, pressing Ctrl-Alt-Del brings Windows to attention, and you get the authentic Windows logon and not a shell of one that a cracker creates. This easy step makes your system much more secure. To require this keystroke to begin, change "Disable CTRL+ALT+Delete requirement for logon" to Disabled. (Yes, that's right. Microsoft uses some questionable terminology.)
7.2.3.6. Last username display
By default, Windows displays the username of the last successfully authenticated person to use that particular system on the logon screen. This is giving away needless information, although some of your users are probably accustomed to it. To disable the last username from being displayed, change the "Do not display last user name in logon screen" setting to Enabled.
7.2.3.7. Password expiration prompt
Earlier in this chapter, I discussed setting password policies to prevent brute force attacks. Of course, changing passwords is a problem for some users who'd rather not be bothered with IS minutiae and simply would like to use their computers to be productive. With this policy setting, you can tell the system to automatically remind a user when his password will expire and prompt him to change it. Setting this value to 14 days gives a user ample opportunity to change his password because that is in excess of most scheduled vacations and business trips. To enable the password expiration prompt, change the "Prompt user to change password before expiration" setting to 14 days at minimum.
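Every Security Option in 7.2.3 is ultimately a registry value, and reading those values back is the quickest way to confirm that a change took effect or to find a machine that has drifted from the standard. The script below is an added example, not the book's own material: the value names and their hardened settings come from Microsoft's documented policy-to-registry mappings for these options, and it assumes an elevated session on the machine being checked. One mapping deserves a note: the Windows 2000-era "Additional restrictions for anonymous connections" option from 7.2.3.1 is split on Windows Server 2008 into separate "Network access:" policies, and the value checked here, RestrictAnonymous = 1, is the one that stops anonymous enumeration of SAM accounts and shares. The automatic-logoff setting of 7.2.3.3 is left out because it depends on per-user logon hours in Active Directory rather than on a single local value.

```powershell
# Added example (not from the book): read back the registry values behind the
# Security Options in section 7.2.3 so that a change can be verified, or a
# drifted machine spotted, without opening the MMC. Value names come from
# Microsoft's policy-to-registry mappings for these options; run in an
# elevated session on the machine being checked. An absent value means the
# built-in default applies, which this report flags rather than guesses at.
$policySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$smbClient    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$smbServer    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# One entry per recommendation: where the switch lives and which value means hardened.
# On Server 2008 the Windows 2000-era "Additional restrictions for anonymous
# connections" is split into "Network access:" policies; RestrictAnonymous = 1
# is the one that stops anonymous enumeration of SAM accounts and shares.
$Checks = @(
    @{ Section = '7.2.3.1'; Policy = 'Do not allow anonymous enumeration of SAM accounts and shares = Enabled'
       Path = $lsa;          Name = 'RestrictAnonymous';       Expected = 1;  Compare = 'Equal' },
    @{ Section = '7.2.3.2'; Policy = 'Allow system to be shut down without having to log on = Disabled'
       Path = $policySystem; Name = 'ShutdownWithoutLogon';    Expected = 0;  Compare = 'Equal' },
    @{ Section = '7.2.3.4'; Policy = 'Digitally sign client communication (when possible) = Enabled'
       Path = $smbClient;    Name = 'EnableSecuritySignature'; Expected = 1;  Compare = 'Equal' },
    @{ Section = '7.2.3.4'; Policy = 'Digitally sign server communication (when possible) = Enabled'
       Path = $smbServer;    Name = 'EnableSecuritySignature'; Expected = 1;  Compare = 'Equal' },
    @{ Section = '7.2.3.5'; Policy = 'Disable CTRL+ALT+DEL requirement for logon = Disabled'
       Path = $policySystem; Name = 'DisableCAD';              Expected = 0;  Compare = 'Equal' },
    @{ Section = '7.2.3.6'; Policy = 'Do not display last user name in logon screen = Enabled'
       Path = $policySystem; Name = 'DontDisplayLastUserName'; Expected = 1;  Compare = 'Equal' },
    @{ Section = '7.2.3.7'; Policy = 'Prompt user to change password before expiration >= 14 days'
       Path = $winlogon;     Name = 'PasswordExpiryWarning';   Expected = 14; Compare = 'AtLeast' }
)

function Get-SecurityOptionState {
    foreach ($c in $Checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($item -ne $null) { $actual = $item.($c.Name) }
        if ($actual -eq $null) {
            $status = 'NOT SET (default applies)'
        } elseif (($c.Compare -eq 'AtLeast' -and $actual -ge $c.Expected) -or
                  ($c.Compare -eq 'Equal'   -and $actual -eq $c.Expected)) {
            $status = 'OK'
        } else {
            $status = 'REVIEW'
        }
        New-Object PSObject -Property @{
            Section  = $c.Section
            Policy   = $c.Policy
            Value    = "$($c.Name) = $actual"
            Expected = $c.Expected
            Status   = $status
        } | Select-Object Section, Status, Value, Expected, Policy
    }
}

Get-SecurityOptionState | Format-Table -AutoSize -Wrap
```

A NOT SET row is not automatically a finding: it means the policy has never been written on that machine and the operating system default is in force, which for some of these options is already the hardened value. Treat it as a prompt to set the option explicitly so that the state is the same on every machine and survives a reinstall of the policy.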
7.2.4. Network Options Via Group Policy
Windows Server 2008 and GP allow you to configure security options that reside inside GPOs that will apply to groups of computers. GP can manage security settings throughout an Active Directory environment in seven areas. They are shown in Table 7-2.
Table 7-2. GP areas and descriptions
Area | Description
Account area | This area applies security configuration to user accounts, including passwords, account lockouts, and Kerberos ticket policies. Password and account lockout policies apply to workstations and servers; Kerberos ticket policies apply only to domain controllers.
Local policies | This area allows you to set auditing and event logging policies, user rights assignments, and Registry keys that directly affect system security. Settings in this area apply to all Windows 2000 or later systems.
Restricted groups | This particularly useful group allows you to define policies regarding a user's membership into security groups that allow elevated privileges. It's simple to define a policy where domain users can never be members of the local Administrators group; other policies are equally easy.
System services | Here, you can set startup options for services and access controls on them.
Registry | In this area, you can configure access permissions on specific keys in the Registry.
Public key policies | Here, you can establish settings for encrypted recovery agents for the Windows EFS, certificate authorities for a specific Windows domain, trusted certificate authorities, and other public cryptography options.
IPSec policies on Active Directory | This area allows you to define IPSec configurations for any given unit in your Active Directory.
7.2.4.1. Viewing the default domain policy

When you create a Windows Server 2008 domain, a default domain security policy is created. The default domain security policy is simply a set of configurations that apply certain security settings to all members of the domain: these can include security settings for displaying the username of the last user that logged on to a system, how long a password should be, whether workstations should digitally sign transmissions to and from a server, and so on. It's a simple task to use this default policy as a base and customize settings based on your individual implementation. Let's look at this default policy first, and then work through customizing it. To view the default domain security policy, follow these steps:

1. Open the Group Policy Management Console.

2. Expand the tree in the left pane through your forest, Domains, your domain, Group Policy Objects, and find Default Domain Policy.

3. Right-click on Default Domain Policy and select Edit.

4. To view each default domain policy, drill down through Computer Configuration, Policies, Windows Settings, and Security Settings, and click Account Policies.

5. Look at the right pane. You'll see Password Policy, Account Lockout Policy, and Kerberos Policy. By clicking each, you can view or change its default configuration.

Figure 7-2 shows the default domain policy on a standard, out-of-the-box installation of Windows Server 2008.

Figure 7-2. Default domain policy in Windows Server 2008
7.2.4.2. Viewing the default domain controller security policies

The default domain controller security policy, like the default domain security policy, applies a common configuration to a group of computers, but this time the focus is only on domain controllers. Domain controllers often have special security considerations that ought to be addressed separately, and this default policy does that. Follow these steps:

1. Open the Group Policy Management Console.

2. Expand the tree in the left pane through your forest, Domains, your domain, Group Policy Objects, and find Default Domain Controllers Policy.

3. Right-click on Default Domain Controllers Policy and select Edit.

4. Drill down through Computer Configuration, Policies, Windows Settings, and Security Settings, and click Account Policies.

5. Look at the right pane. You'll see Password Policy, Account Lockout Policy, and Kerberos Policy. By clicking each, you can view or change its default configuration.

Figure 7-3 shows the default domain controller security policy on a standard, out-of-the-box installation of Windows Server 2008.

Figure 7-3. Default domain controller security policy in Windows Server 2008

There is a special way in which account policies are distributed to domain controllers that deserves comment. All domain controllers in a specific domain apply the account policies (password, account lockout, and Kerberos) established at the domain level, regardless of where the actual computer object for that domain controller resides in Active Directory; an account policy linked to an organizational unit affects only the local accounts on the member computers in that OU. This helps to ensure that consistent account policies apply to any domain account. (Domains at the Windows Server 2008 functional level can additionally apply fine-grained password policies to specific users and groups through Password Settings Objects, but the domain-level policy remains the default for everyone else.) All other policies are applied at the normal hierarchical level, both to domain controllers and to other workstations and servers in the domain. Only domain controllers are affected by this special exception. This is just a tip to remember when you're planning account policy distribution among your organizational units.
7.2.4.3. Viewing a domain controller's effective security policy

To view the security settings in force on a domain controller, complete these steps:

1. Choose Start, click Run, and type secpol.msc. The Local Security Policy console will open. (GPEdit.msc, by contrast, opens the Local Group Policy Object Editor, which shows only what is set in the local GPO, not what domain-level GPOs have imposed on top of it.)

2. In the left pane, drill down through Security Settings and click Local Policies.

Settings that a domain GPO controls cannot be edited here, because the domain value overrides the local one. For an authoritative picture of the resultant set of policy, including which GPO supplied each setting, run gpresult /scope computer /r from an elevated command prompt (or gpresult /h report.html for an HTML report), or use the Group Policy Results wizard in the Group Policy Management Console. When you're finished, close the console. (When prompted to save console settings, click No, unless you've done something you want to hold on to.)

At this point, you have all the tools you need to begin pushing automated security configurations to clients running Windows 2000 and later. Note that all settings covered in this book, unless noted at the time each is presented, are fair game for distribution under GP.
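The consoles show one setting at a time; when you want to confirm that the account policy actually applied to a machine matches what you intended, a script is more reliable. The following PowerShell script is an added example, not code from the book or from Microsoft: it exports the effective local security database with secedit, parses the resulting INF, and compares the [System Access] values to a baseline. The baseline numbers and the ConvertFrom-SecurityInf and Test-AccountPolicy function names are assumptions for this example; it assumes PowerShell 2.0 (available for Windows Server 2008) and an elevated prompt.

```powershell
# Added example (not from the book): dump the security settings actually in force on this
# machine and compare the account-policy values to a baseline.
# secedit /export writes the effective local security database as an INF file; on a domain
# member the values reflect whatever domain GPOs have pushed down.

# Baseline assumed for this example; adjust to your own policy.
$Baseline = @{
    MinimumPasswordLength = 8
    PasswordComplexity    = 1
    MaximumPasswordAge    = 90
    LockoutBadCount       = 5
}

function ConvertFrom-SecurityInf {
    # Parses the INI-style text produced by secedit /export into a nested hashtable
    # of [Section] -> @{ Key = Value }.
    param([string[]]$Lines)
    $result  = @{}
    $section = $null
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $result[$section] = @{}
        } elseif ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-AccountPolicy {
    # Returns one object per baseline key with the effective value and a pass/fail flag.
    # Ages and lockout counts must be positive (0 or -1 means "never"/"no lockout") and
    # no larger than the baseline; lengths and flags must be at least the baseline.
    param([hashtable]$Inf, [hashtable]$Baseline)
    foreach ($key in $Baseline.Keys) {
        $actual = [int]$Inf['System Access'][$key]
        $ok = switch ($key) {
            'MaximumPasswordAge' { $actual -gt 0 -and $actual -le $Baseline[$key] }
            'LockoutBadCount'    { $actual -gt 0 -and $actual -le $Baseline[$key] }
            default              { $actual -ge $Baseline[$key] }
        }
        New-Object PSObject -Property @{
            Setting = $key; Effective = $actual; Required = $Baseline[$key]; Pass = $ok
        }
    }
}

# Live export (requires an elevated prompt). secedit writes the INF as Unicode.
$infPath = Join-Path $env:TEMP 'effective.inf'
& secedit.exe /export /cfg $infPath /quiet | Out-Null
$lines = Get-Content -Path $infPath -Encoding Unicode
Remove-Item $infPath

# Constructed sample input, so the parser can be tried without running secedit:
# $lines = @('[System Access]', 'MinimumPasswordLength = 7', 'PasswordComplexity = 1',
#            'MaximumPasswordAge = 42', 'LockoutBadCount = 0')

Test-AccountPolicy -Inf (ConvertFrom-SecurityInf $lines) -Baseline $Baseline |
    Format-Table Setting, Effective, Required, Pass -AutoSize
```

Run it on a member server and on a domain controller and the two should agree on the password and lockout values, since both take the domain-level account policy; a difference points at an account policy linked to an OU, which, as described above, only ever reaches local accounts.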
7.2.4.4. Final words: organizing policy layout

With power comes complexity, and GP is no exception. Windows administrators have squandered many hours of their lives on basic GP troubleshooting. Answers to quandaries such as "Why isn't this policy in effect on this system?" or "I thought I turned off IPSec!" can be difficult to track down if your Active Directory is full of GPOs that are applied inconsistently, redundantly, and inappropriately. To curtail your security policies and make them easier to locate, disable, change, and apply, try to follow these guidelines.

Organize your policies logically and define boundaries to contain them
Although your Active Directory might be organized by geographic location, your system management needs might revolve around a different paradigm: for instance, you might need IPSec for all company executives' laptops, but they might not all be in your New York office. Or all middle managers in your corporation might require a customized version of Internet Explorer that doesn't lock them out from accessing the Internet, which might be the default configuration for all computers in the domain. The idea is to map out the kinds of restrictions you need, and then define boundaries to which those policies apply. This will make it easier to apply them to the target users and computers even if the geographical and managerial boundaries do not match.

Inside those boundaries, configure policies that represent common values in your organization
Do you usually configure workstations in your finance department to lock a computer after three unsuccessful logon attempts? Does a particular domain in your forest need additional desktop restrictions? Should its users not be allowed to run the Control Panel, for instance, change their wallpaper, or install software on their own? These are the kinds of policy sets that likely sound familiar. Group these together and create GPOs for each of these like sets of policy settings.

Configure organizational units inside Active Directory that contain machines grouped according to similar roles or functions within an organization
This gets further into the granularity of your security policies. For example, Windows comes by default with domain controllers residing in a separate organizational unit in Active Directory. You might consider putting desktops, laptops, and servers into their own organizational units, which makes it easier to apply policies, such as requiring use of EFS, only to laptops.

Now I'll present an understatement: it can require some work to configure GP correctly and effectively. The most difficult parts of the process are planning and laying out the policy settings; Windows takes care of the actual deployment to client computers, which is one of the features that makes GP a compelling management tool. This ease of deployment is a double-edged sword, however: it is equally simple to misconfigure an ACL or change a setting (anybody who has played with the "require signed communications" settings knows this all too well) and wreak utter havoc on your domain. The process is also made more difficult by limited programmatic access: GPMC exposes a COM scripting interface for creating, linking, backing up, and reporting on GPOs, but there is no simple API for editing the security settings inside a GPO, so you can't write simple automation programs to help you with that part. You have to go the long way. Even more difficult sometimes is getting the big picture. That is to say, it is hard to see how your Active Directory layout and structure, which logically and traditionally has likely mimicked your organization's hierarchical personnel structure, can coexist with GPOs, which seem to cross hierarchy boundaries and rely on other scopes of application. With careful planning, however, GP can overlay your existing directory structure and complement it with its own management boundaries.

GP configuration, structure, and operation are covered in detail in Chapter 6.
7.3. Using Auditing and the Event Log

Keeping track of what your system is doing is one of the most important, but tedious, processes of good IT security management. In this section, I'll look at the tools to audit events that happen on your system and the utilities used to view them.

Auditing controls and properties are modified through GPOs in Windows 2000, Windows XP, and Windows Server 2008. Assuming your computer is participating in an Active Directory domain, you can find the domain auditing policy inside the Default Domain Policy, in the Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy tree. Otherwise, you can view the Local Security Policy through the Administrative Tools applet in the Control Panel. The settings for each policy indicate on what type of event, and on what type of result (success, failure, or both), a log entry will be written. Windows Server 2008 also subdivides each of these nine categories into finer subcategories, which you can inspect and set from the command line with auditpol.exe (for example, auditpol /get /category:*); Group Policy in this release exposes only the nine categories. Here are the options for auditing policies:

Audit account logon events
Writes an entry on the computer that validates the credentials: on a domain controller when a domain account authenticates (Kerberos or NTLM), or on a member computer when one of its local accounts is used over the network.

Audit account management
Indicates when user accounts and groups are added, modified, or deleted, and when passwords are reset.

Audit directory service access
Audits access to Active Directory objects that carry a SACL, recording which object and attribute were touched.

Audit logon events
Writes an entry on the computer where a logon session is created or ended, whether the user logs on interactively or connects over the network (to a share, for instance).

Audit object access
Indicates when certain files, folders, Registry keys, or other system objects are opened, closed, or otherwise "touched"; the object must also carry a SACL (see below) for anything to be written.

Audit policy change
Audits when audit policy, user rights assignments, or trust relationships are changed.

Audit privilege use
Writes an entry when users exercise privileges assigned to them (such as "Take ownership of files or other objects").

Audit process tracking
Tracks program activation, program exit, handle duplication, and other events that programs cause.

Audit system events
Audits when a user restarts or shuts down a computer, or when events occur that affect the security log or system security (such as the security log being cleared).

You can configure individual objects to be audited by editing the system access control list (SACL) for any given object, which is much like assigning permissions, except that it tells Windows on what type of access an event log entry should be written. You can access the SACL for an object by clicking the Advanced button on the Security tab of the object's properties sheet. On the Auditing tab, after clicking Edit to make the sheet active, you can click Add to include new auditing entries for an object, or click Edit to modify an existing auditing entry. Figure 7-4 shows the SACL for an object.

Figure 7-4. The SACL for an object

Only NTFS files and folders can be audited. FAT partitions do not contain the necessary permission information to support auditing events.
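Both halves of object auditing, the policy and the SACL, can be set from the command line, which is the practical way to do it for more than a handful of folders. The following PowerShell script is an added example, not code from the book: it enables the File System subcategory of "Audit object access" with auditpol and then adds an audit entry to a folder's SACL through the .NET FileSystemAuditRule class. The folder path and the set of rights audited are assumptions for this example; it needs an elevated prompt, since writing a SACL requires the Manage auditing and security log privilege.

```powershell
# Added example (not from the book): audit who writes to or deletes from a sensitive folder.
# Two pieces are needed: the audit policy must be on, and the folder's SACL must name which
# principals and which access rights generate events.

$Folder = 'D:\Finance\Payroll'   # assumed path for this example

# 1. Turn on the File System subcategory (part of "Audit object access") for success and
#    failure. Run from an elevated prompt.
& auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Build an audit rule: Everyone, for write/delete/permission/ownership changes, inherited
#    by subfolders and files, logged on both success and failure. Using the well-known SID
#    keeps the script independent of the display language.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule      = New-Object System.Security.AccessControl.FileSystemAuditRule($everyone, $rights, $inherit, $propagate, $flags)

# 3. Read the existing SACL (-Audit is required, or Get-Acl silently omits it), add the
#    rule, and write it back.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Verify: list the audit entries now in force on the folder.
(Get-Acl -Path $Folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

One caveat: a subcategory set with auditpol is overwritten at the next Group Policy refresh by the category-level "Audit object access" setting unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled. Auditing only Write and Delete, rather than every read, is what keeps the security log from filling with noise.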
7.3.1. Recommended Items to Audit

You'll want to take particular note of the following items from your event logs:

Logon and logoff events are tracked by the "Audit logon events" setting, and credential validation by "Audit account logon events"; together they can reveal repeated logon failures and point to a particular user account that is being used for an attack.

Account management is tracked by the "Audit account management" setting, which indicates users who have tried to use, or used, their granted user and computer administration power.

Startup and shutdown events are tracked by the "Audit system events" setting, which shows that a user has tried to shut down a system as well as what services might not have started up properly upon reboot.

Policy changes are tracked by the "Audit policy change" setting, which can indicate users tampering with security settings.

Privilege use events are tracked by the "Audit privilege use" setting, which can show attempts to change permissions on, or take ownership of, certain objects.

You should be aware of a couple of things. First, too much auditing consumes large amounts of resources. Entries will be written every time a user moves a mouse (OK, that's an exaggeration, but not much of one). Second, too much auditing also tends to be overwhelming, and because auditing in general will do nothing for you if you don't view the audit entries... can you see a loop forming? You don't want to look at audits because there is so much to wade through, so effectively you're wasting resources and gaining no security advantage from it. Be aware.
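The loop above is broken by reducing the log to the questions you actually ask of it. The first item in the list, repeated logon failures against one account, is the classic case, and the following PowerShell script is an added example (not code from the book) of how to ask it. It reads Security event 4625 (failed logon) from the last 24 hours, pulls the account, source address, logon type and NTSTATUS substatus out of each event's XML, and groups the failures by account so that a password-guessing run stands out. The threshold of five and the function names are assumptions for this example; Get-WinEvent requires PowerShell 2.0 and read access to the Security log.

```powershell
# Added example (not from the book): summarise failed logons (Security event 4625) per
# target account, so a password-guessing run against one account stands out.

function ConvertFrom-LogonFailureEvent {
    # Pulls the named EventData fields out of a 4625 record. The names come from the event
    # XML and are stable; the positional Properties[] indexes are not documented.
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time      = $Event.TimeCreated
        Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Source    = $data['IpAddress']
        LogonType = [int]$data['LogonType']       # 2 interactive, 3 network, 10 remote desktop
        SubStatus = $data['SubStatus']            # 0xC000006A bad password, 0xC0000064 unknown user, 0xC0000234 locked out
    }
}

function Get-LogonFailureSummary {
    # Groups parsed failures by account and flags any account at or over $Threshold.
    param([object[]]$Failures, [int]$Threshold = 5)
    $Failures | Group-Object Account | ForEach-Object {
        $sources = $_.Group | Select-Object -ExpandProperty Source -Unique
        New-Object PSObject -Property @{
            Account    = $_.Name
            Failures   = $_.Count
            Sources    = ($sources -join ', ')
            First      = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Last       = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            Suspicious = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

# Live query: last 24 hours of 4625 from the local Security log. Get-WinEvent reports
# "no events found" as an error, hence SilentlyContinue.
$since    = (Get-Date).AddHours(-24)
$events   = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$failures = $events | ForEach-Object { ConvertFrom-LogonFailureEvent $_ }

# Constructed sample, to try the summary without a live log (seven failures for one account):
# $failures = 1..7 | ForEach-Object {
#     New-Object PSObject -Property @{ Time = (Get-Date).AddMinutes(-$_); Account = 'CORP\jdoe';
#                                      Source = '10.0.0.5'; LogonType = 3; SubStatus = '0xc000006a' }
# }

Get-LogonFailureSummary -Failures $failures -Threshold 5 |
    Format-Table Account, Failures, Sources, First, Last, Suspicious -AutoSize
```

Event 4625 is written where the logon was attempted; on a domain controller, the "Audit account logon events" category produces the complementary credential-validation events (4771 for a Kerberos pre-authentication failure, 4776 for an NTLM validation failure), so the same script pointed at those IDs covers domain accounts being guessed from anywhere on the network.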
7.3.2. Event Logs

Similar to auditing policies, the policies for configuring the event logs are found inside the Default Domain Policy, in the Computer Configuration, Policies, Windows Settings, Security Settings, Event Log tree. Here are the options for event log policies:

Maximum application log size
Sets the maximum size the log is allowed to reach before the oldest events in the log will be purged.

Maximum security log size
Does the same as the previous item but pertains to the security log.

Maximum system log size
Does the same as the previous two items but pertains to the system log.

Prevent local guests group from accessing application log
Disallows access to the application log by members of the local Guests group.

Prevent local guests group from accessing security log
Disallows access to the security log by members of the local Guests group.

Prevent local guests group from accessing system log
Disallows access to the system log by members of the local Guests group.

Windows Vista and Windows Server 2008 govern access to each log through the log's own security descriptor, under which guests have no access by default, so these three settings matter only for earlier clients.

Retain application log
Specifies, when the application logfile reaches its maximum size, how many days of events must be kept before they can be overwritten.

Retain security log
Specifies, when the security logfile reaches its maximum size, how many days of events must be kept before they can be overwritten.

Retain system log
Specifies, when the system logfile reaches its maximum size, how many days of events must be kept before they can be overwritten.

Retention method for application log
Specifies whether Windows should overwrite old application log events as it sees fit or only those older than n days; you also can choose to simply not overwrite events and clear the logs manually.

Retention method for security log
Specifies whether Windows should overwrite old security log events as it sees fit or only those older than n days; you also can choose to simply not overwrite events and clear the logs manually.

Retention method for system log
Specifies whether Windows should overwrite old system log events as it sees fit or only those older than n days; you also can choose to simply not overwrite events and clear the logs manually.

Choosing "do not overwrite" for the security log means that, once the log is full, no further audit entries are recorded until someone clears it; if you need an unbroken audit trail, pair a large maximum size with the "Archive the log when full" option in the log's properties (or a log-forwarding arrangement) rather than relying on manual clearing.

To configure the event logs locally on a computer that does not participate in a domain, load the Event Viewer console (which is within the Control Panel and Administrative Tools), right-click each log in the left pane, and choose Properties. You can set the log size options on this screen, including the maximum size and the actions Windows should take when that limit is reached.
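On servers that are not domain members, or when you want to verify what a GPO actually produced, the same log size and retention settings can be read and set from the command line. The following PowerShell script is an added example, not code from the book: it reads each log's configuration with Get-WinEvent -ListLog, compares it to a baseline, and applies the baseline with wevtutil. The baseline sizes and modes and the function names are assumptions for this example; Get-WinEvent requires PowerShell 2.0, and wevtutil needs an elevated prompt to change a log. On a domain member the Event Log policies in a GPO would overwrite local changes at the next refresh.

```powershell
# Added example (not from the book): check the three classic logs against a size and
# retention baseline, and bring them into line.

# Baseline assumed for this example. LogMode values: Circular (overwrite as needed),
# AutoBackup (archive the full log and start a new one), Retain (never overwrite).
$Baseline = @{
    'Application' = @{ MinBytes = 64MB;  Mode = 'Circular' }
    'System'      = @{ MinBytes = 64MB;  Mode = 'Circular' }
    'Security'    = @{ MinBytes = 256MB; Mode = 'AutoBackup' }   # keep the audit trail rather than overwrite it
}

function Get-LogCompliance {
    # Returns one object per log with the current size limit and mode beside the baseline.
    param([hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $log = Get-WinEvent -ListLog $name
        New-Object PSObject -Property @{
            Log          = $name
            MaxMB        = [int]($log.MaximumSizeInBytes / 1MB)
            RequiredMB   = [int]($Baseline[$name].MinBytes / 1MB)
            Mode         = [string]$log.LogMode
            RequiredMode = $Baseline[$name].Mode
            Compliant    = ($log.MaximumSizeInBytes -ge $Baseline[$name].MinBytes -and
                            [string]$log.LogMode -eq $Baseline[$name].Mode)
        }
    }
}

function Set-LogBaseline {
    # Applies the baseline with wevtutil (elevated prompt). /ms sets the maximum size in
    # bytes; /rt:false is Circular, /rt:true with /ab:true is AutoBackup, /rt:true alone is Retain.
    param([hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $b      = $Baseline[$name]
        $retain = if ($b.Mode -eq 'Circular')   { 'false' } else { 'true' }
        $backup = if ($b.Mode -eq 'AutoBackup') { 'true' }  else { 'false' }
        & wevtutil.exe sl $name "/ms:$($b.MinBytes)" "/rt:$retain" "/ab:$backup"
    }
}

Get-LogCompliance -Baseline $Baseline |
    Format-Table Log, MaxMB, RequiredMB, Mode, RequiredMode, Compliant -AutoSize

# Set-LogBaseline -Baseline $Baseline    # uncomment to enforce the baseline
```

The default maximum size of the Security log on a fresh Windows Server 2008 installation is small relative to what object-access auditing generates; sizing it up front, and archiving rather than overwriting, is what keeps the "too much auditing" loop described above from quietly discarding the entries you wanted.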
7.3.2.1. The Event Viewer

The Event Viewer allows you to look at events in many different event logs by default. Other applications can add their own logs into the Event Viewer console. Figure 7-5 shows a typical Event Viewer console.

Figure 7-5. An Event Viewer console

This Event Viewer console may look different from previous versions, and that's because its layout has been refined and enhanced. You can see a summary on the opening screen of a variety of administrative events that may need your attention; this is a "custom view" built by Microsoft and shipped in the box with the product, and it usually covers the majority of sources that would generate an error that needs your attention. You can access all of the event logs available in the left pane. Here's a summary of what is available.

Application Log
Logs messages, warnings, and errors generated by individual applications (programs). You'll find this log in raw format at %SystemRoot%\System32\Winevt\Logs\Application.evtx.

Forwarded Events Log
Logs events sent to the current machine from other computers through event subscriptions. You can find this log in raw format at %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx.

Security Log
Logs events generated by the auditing configuration you have set up (see earlier in this chapter for more information on setting up auditing). You'll see this log in raw format at %SystemRoot%\System32\Winevt\Logs\Security.evtx.

Setup Log
Logs events generated by Windows Server 2008 itself during installation and other setup periods; it can be found at %SystemRoot%\System32\Winevt\Logs\Setup.evtx.

System Log
Logs events generated by Windows Server 2008 during normal operation. This will normally be full of service information, such as warnings and failures. You will see this log in raw format at %SystemRoot%\System32\Winevt\Logs\System.evtx.

DFS Replication Log
Logs replication activities through the DFS (Distributed File System) functionality; see Chapter 3 for more information on DFS.

Directory Service Log
Logs events encountered by Active Directory Domain Services (AD DS) and its counterparts; see Chapter 5 for more information on AD DS.

DNS Server Log
Logs service events, such as zone-loading problems and other errors, from the DNS Server service. Individual queries and responses are recorded only if you enable debug logging on the server, and then to a separate text file rather than this log. See Chapter 4 for more information on DNS.

File Replication Service Log
Logs messages generated by the old, pre-Windows Server 2008 File Replication Service. In pure Windows Server 2008 environments, you can ignore this log.

Hardware Events Log
Logs errors, information, and warnings generated by drivers for hardware elements on your system.

Applications and Services Logs, Microsoft, Windows
This folder and its subfolders relate to individual Windows features and services and are the place to look for errors, warnings, and informational events generated by some Windows features.

To make it easier for you to see the events you're most interested in, you may wish to create a custom view that will filter the event log to events matching certain criteria. To do so, open Event Viewer and then, from the right pane, click the Create Custom View link. The resulting screen, shown in Figure 7-6, allows you to set the criteria by which events will be filtered.

Figure 7-6. Creating a custom view in the Event Viewer

Select the properties of the events you'd like to view, and then click OK. The custom view will be saved and you can always access an updated custom view, fresh with the latest events, from the Custom Views node in the left pane of the Event Viewer console.

To clear events from your Event Viewer console, right-click on the log for which you want to delete events and choose Clear Log from the context menu. Event Viewer offers to save the log first; take it up on that for the Security log. Clearing the Security log is itself audited as event 1102 ("The audit log was cleared"), which records who did it, so a 1102 you cannot account for deserves investigation.

7.4. The Last Word

In this chapter, I've taken you through the various considerations of security in a network environment and then shown you how to implement a basic layer of security using tools built in to Windows Server 2008 or that are freely available. Recall that I mentioned in the introductory section of this chapter that I didn't intend to present an exhaustive list of tweaks and settings to adjust to allow Windows Server 2008 to be at its most secure. Rather, I've given you a comprehensive foundation so that you can build on the concepts and procedures you learned in this chapter to create a secure infrastructure around your servers.
Chapter 8. Internet Information Services 7

One of the major bundled applications with any version of Windows on the server is Internet Information Services (IIS). And what a long road it's been since IIS 4, in Windows NT Server 4.0. The product has been redesigned with security in mind, made capable of running server-side applications with the help of Microsoft's .NET programming languages, and turned from a boutique-style Internet server into a world-class set of code capable of running the most intense Internet-facing applications. So, what improvements does IIS 7, included in Windows Server 2008 (known during its development as Longhorn Server), bring to the table? Let's take a look at five major enhancements to IIS and what they mean for you.

8.1. Major Improvements

First off, and perhaps most importantly, IIS is completely modular. If you're familiar with the popular Apache web server software, you know that perhaps its biggest strength is that Apache can run on a bare-bones installation. You can configure it to serve just static HTML and nothing else, or you can dynamically load modules that enable different types of content to be processed and served. You can compile a custom Apache installation that does only what you want it to. IIS has never really had the ability to pick and choose from its features and abilities, which had two significant drawbacks: for one, its performance somewhat suffered because the code was busy hosting features and supporting content that you may have never intended to use, and two, security was a problem in that the attack surface of the product was made larger by default, even if you had no use for some features. In IIS 7, however, features operate modularly, in that you can load them in almost any combination and really create a lean, mean server that does what you want it to do very well, and nothing else. You also gain the benefit of IIS 7's extensibility: it's easier than ever to write a custom module that plugs directly into the IIS core to enable special functionality for your operation.

Additionally, just about every setting and choice in IIS 7 can be configured from a text file. Taking another page from Apache's playbook, server-wide settings live in %SystemRoot%\System32\inetsrv\config\applicationHost.config, and any setting that has been unlocked for delegation can be edited directly in a site's or application's web.config file. Aside from the obvious convenience, this is a boon for firms that host large numbers of web sites: it's now trivial to deploy an identical configuration across thousands of sites in seconds; you just copy web.config to each site and you are finished.

You can also delegate administration of certain sections of web.config to other people, so that a bit of control is available for, say, individual site owners, while not necessarily requiring everyone to contact the IIS administrator for any changes to be made. Version control is equally simple: just make several different versions of a text file, store them in some organized fashion, and retrieve when necessary. Very cool. Also, the management interface for IIS 7 has been completely redesigned and is now more task-oriented. IIS throws away the sometimes confusing, cluttered interface that plagued IIS 4, 5, and 6 and offers a brand-new console look designed to expose more features in a manner sensible to the user while making rapid, large-scale administration across hundreds or thousands of sites quite simple. As with most everything else about IIS 7, the new interface is extensible as well, so you can create custom plug-ins that work directly within the IIS 7 Management Console.

Security has been continually enhanced and improved in IIS 7, even over and above that in IIS 6. Compared to IIS 5, which came with Windows 2000, IIS 6 was light years ahead in the security area. (In fact, for years I called IIS 5 Swiss cheese.) As web applications proliferate and the popularity of .NET-based web sites continues to increase, you'll find IIS taking an even more prominent role in corporate networks, and security is more important than ever given that many of these applications process and store sensitive information. In IIS 7, .NET applications run directly within the IIS request pipeline (the "integrated" pipeline mode) rather than being handed off to the ASP.NET Internet Server Application Programming Interface (ISAPI) extension. Essentially, the .NET runtime environment and IIS become one, as the distinction among ASP, .NET code, and IIS blurs. You also get the benefit of forms authentication for any type of content, so you can authenticate against a database for just about any page or piece of web content, not just .NET code. Additionally, the IUSR_machine account prevalent in previous versions of IIS has been replaced with the built-in IUSR account, which can't be used to log on interactively to the server and which has the same well-known SID (S-1-5-17) on every machine, as does the IIS_IUSRS group (S-1-5-32-568) that replaces IIS_WPG. This means that your Deny permissions will work no matter which machine they were originally created on and applied to.

FastCGI support allows you to run applications based on dynamic languages that heretofore have not traditionally been used in the context of Windows-based web serving. This support effectively means you can run PHP, Perl, Ruby, and other applications on IIS, and best of all, you'll get a performance benefit, too, as FastCGI keeps a pool of interpreter processes alive and reuses them across requests instead of starting a new process per request. So, now you can get the advantages of Apache (modularity and security, primarily), with the extensibility of Windows-based hosting, all without having to rewrite your business applications in an IIS-compatible language. That's a big win for a lot of IT shops.

And finally, you can use the Windows PowerShell administration environment to administer IIS 7. While PowerShell will also support administering Windows Server 2003 machines running IIS 6, IIS 7 was designed to be managed from the command line with PowerShell. Also included is the new APPCMD utility, which runs from the standard command line (it lives in %SystemRoot%\System32\inetsrv) and allows you to create and configure sites, settings, and more. APPCMD can be especially useful if you have scripts to programmatically manage your environment.
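The modularity and the command-line tooling described above come together when you want to shrink a server's attack surface to what its sites need. The following PowerShell script is an added example, not code from the book or from Microsoft: it runs appcmd to list the modules IIS 7 has enabled at server level, compares them with an allowlist for a static-content server, and prints the removal command for each module that is not on the list. The allowlist and the function names are assumptions for this example; it assumes the Web Server role is installed and runs from an elevated prompt.

```powershell
# Added example (not from the book): report IIS 7 modules enabled at server level that a
# static-content server does not need, so they can be removed to cut attack surface.

# Allowlist assumed for this example: enough to serve static files with logging,
# request filtering and anonymous access, and nothing that executes code.
$AllowedModules = @(
    'HttpCacheModule', 'StaticFileModule', 'DefaultDocumentModule', 'DirectoryListingModule',
    'ProtocolSupportModule', 'HttpLoggingModule', 'RequestFilteringModule',
    'AnonymousAuthenticationModule', 'StaticCompressionModule'
)

function Get-IisModuleName {
    # Parses appcmd's "list module" output, one line per module, of the form
    #   MODULE "StaticFileModule" ( native:True, precondition: )
    param([string[]]$AppcmdOutput)
    foreach ($line in $AppcmdOutput) {
        if ($line -match '^MODULE\s+"([^"]+)"') { $Matches[1] }
    }
}

function Get-UnexpectedModules {
    param([string[]]$Loaded, [string[]]$Allowed)
    $Loaded | Where-Object { $Allowed -notcontains $_ }
}

$appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
$output = & $appcmd list module

# Constructed sample output, to try the parser on a machine without IIS:
# $output = @('MODULE "StaticFileModule" ( native:True, precondition: )',
#             'MODULE "CgiModule" ( native:True, precondition: )',
#             'MODULE "IsapiModule" ( native:True, precondition: )')

$loaded = @(Get-IisModuleName -AppcmdOutput $output)
$extra  = @(Get-UnexpectedModules -Loaded $loaded -Allowed $AllowedModules)

"Enabled: $($loaded.Count) modules; not on the allowlist: $($extra.Count)"
foreach ($m in $extra) {
    # Print rather than run the removal: review first, because removing a module that a
    # site depends on breaks that site. Removal can also be done per site in its web.config.
    "  $m  ->  & `"$appcmd`" delete module `"$m`""
}
```

A full IIS 7 installation carries handlers for CGI, ISAPI and ASP alongside the static-file modules; on a box that only serves files, those are the ones a reviewer wants to see gone, and this check turns "is anything unnecessary loaded?" into a repeatable question rather than a tour of the Management Console.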
8.2. The New Architecture

Modularity is the key word and was the ultimate design concept surrounding the complete redevelopment of the request processing pipeline in IIS 7. There are 40 different modules that make up the feature set of IIS, divided into eight categories. These modules are individually listed here, so you can see how different modules make up the functional stack that is IIS 7.

Common HTTP Web Server Components
    StaticFileModule
    DefaultDocumentModule
    DirectoryListingModule
    HttpRedirect
    CustomErrorModule

Windows Process Activation Service
    ProcessModel
    NetFxEnvironment
    ConfigurationAPI

Security
    BasicAuthModule
    DigestAuthModule
    WindowsAuthModule
    CertificateAuthModule
    AnonymousAuthModule
    IPSecurityModule
    UrlAuthorizationModule
    RequestFilteringModule

Health and Diagnostics
    HttpLoggingModule
    CustomLoggingModule
    RequestMonitorModule
    HTTPTracingModule
    ODBCLogging
    LoggingLibraries

Performance
    HTTPStaticCompression
    HTTPDynamicCompression

Management
    ManagementConsole
    ManagementScripting
    ManagementService
    Metabase
    WMICompatibility
    LegacyScripts
    LegacySnap-in

Application Development
    NetFxExtensibility
    ISAPIModule
    ISAPIFilterModule
    CGIModule
    ServerSideIncludeModule
    ASP
    ASP.NET

FTP Publishing
    FTPServer
    FTPManagement

8.2.1. New: The Windows Process Activation Service

All installations of IIS 7 require a service new to Windows Server 2008, known as the Windows Process Activation Service, or WPAS. WPAS essentially maintains and administers all worker processes and application pools for IIS on any given machine, listening for new requests and either assigning them to existing processes or starting new worker processes and marshalling the request to that process. WPAS also acts as a clearinghouse for configuration information for sites, application pools, and overarching web applications running on the machine.
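The modular design above only reduces attack surface if the modules a server actually loads match the ones it needs. As an added example (not code from the book or from Microsoft), the following PowerShell reads the globalModules section of an applicationHost.config and reports every native module that is loaded but not on an allowlist. The configuration text is a constructed sample that uses the element and attribute names applicationHost.config uses; the allowlist and the function name are this example's own.

```powershell
# Added example, not from the book: compare the native modules an IIS 7 server
# actually loads (the <globalModules> section of applicationHost.config)
# against the set you intend to run. Every module not on the list is code
# sitting in the request path without a job to do.

# CONSTRUCTED sample of the <globalModules> section. On a real server use:
#   $configText = [IO.File]::ReadAllText("$env:windir\System32\inetsrv\config\applicationHost.config")
$configText = @'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
      <add name="AnonymousAuthenticationModule" image="%windir%\System32\inetsrv\authanon.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
      <add name="IsapiModule" image="%windir%\System32\inetsrv\isapi.dll" />
    </globalModules>
  </system.webServer>
</configuration>
'@

function Get-UnexpectedIisModules {
    # Returns the names of loaded native modules that are not on $Allowed.
    param(
        [string]   $ConfigXml,   # full text of applicationHost.config
        [string[]] $Allowed      # module names the server is supposed to run
    )
    [xml] $cfg = $ConfigXml
    $loaded = @($cfg.configuration.'system.webServer'.globalModules.add | ForEach-Object { $_.name })
    # -notcontains is case-insensitive, so a capitalisation difference is not reported as an extra.
    $loaded | Where-Object { $Allowed -notcontains $_ }
}

# Allowlist for a static-only server (this example's own choice, not an IIS default):
# enough to serve files, pick a default document, log, filter requests and show errors.
$staticOnly = @(
    'StaticFileModule', 'DefaultDocumentModule', 'AnonymousAuthenticationModule',
    'RequestFilteringModule', 'HttpLoggingModule', 'CustomErrorModule'
)

$extra = @(Get-UnexpectedIisModules -ConfigXml $configText -Allowed $staticOnly)
if ($extra.Count -gt 0) {
    Write-Output 'Loaded modules that are not on the static-only allowlist:'
    foreach ($m in $extra) {
        # The AppCmd verb that drops a native module is: appcmd uninstall module <name>
        Write-Output "  $m"
    }
} else {
    Write-Output 'No modules loaded beyond the allowlist.'
}
```

Against the constructed sample the function reports DirectoryListingModule, CgiModule and IsapiModule: the first exposes file listings and the other two execute code, none of which a static site needs. Run it after every role-service change, since adding a role service through Server Manager adds entries to globalModules.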
8.3. Roles

As with any other enhanced functionality of Windows Server 2008, web server service is provided through a role. Interestingly, as discussed in the introductory section of this chapter, the modularity of IIS has resulted in a significantly scaled-back initial installation of IIS—in fact, if you choose to install the Web Server role, which is the most basic way to get IIS code on your Windows Server 2008 machine, you receive only the following pieces of the web server software (aside from the Windows Process Activation Service):

Common HTTP services, including stubs to host static content, choose a default document for unspecific requests, browsing directories via text, and recording errors
Health and diagnostic functionality, including logging and request monitoring
Security code, including request filtering functionality (this is the old URLScan utility, which is now baked into the final release of IIS 7)
Performance tools, including Gzip-based static content compression technology
The IIS Management Console

That's it. You don't get any sort of dynamic hosting functionality with the basic Web Server role; you're limited to hosting text and simple HTML. This is the way systems will be going forward: you install a minimal set of functionalities and layer only what you require in specific scenarios on top of that base installation. This reduces overhead, improves security, and minimizes the potential attack surface of public-facing code.

But not everyone can only host static HTML content. The Application Server role takes IIS to another level and enables dynamic web content to be served from the web service. Since IIS has been scaled down in this release to its bare minimum parts, you have to add the Application Server role in order to access functionality like ASP.NET, .NET Framework applications, and applications based on dynamic web technologies like CardSpace, Windows Communication Foundation, Windows Presentation Foundation, and Windows Workflow Foundation.

To install the Web Server role:

1. Open Server Manager.
2. Click Roles in the left pane, and then click the Add Roles link in the right pane.
3. Click Next on the "Before You Begin" page.
4. On the page listing roles available for installation, select Web Server (IIS). You will then get a pop-up window explaining that you also need the Windows Process Activation Service, as shown in Figure 8-1. Click Add Required Features to continue, and then click Next.

Figure 8-1. Installing the Windows Process Activation Service with IIS

5. Read the overview of the role, and then click Next to continue.
6. On the Select Role Services screen, shown in Figure 8-2, select the modules you would like to install along with the core IIS code. Click Next to continue.

Figure 8-2. Selecting modules to install along with the core IIS functionality

7. Confirm the choices you made during the wizard, and then click Install to commence setting up the web server service.

To install the Application Server role:

1. Open Server Manager.
2. Click Roles in the left pane, and then click the Add Roles link in the right pane.
3. Click Next on the "Before You Begin" page.
4. On the page listing roles available for installation, select Application Server. You will then get a pop-up window explaining that you also need the .NET Framework 3.0 and a stub supporting that framework for the Windows Process Activation Service, as shown in Figure 8-3. Click Add Required Features to continue, and then click Next.

Figure 8-3. Setting up the Application Server role

5. Read the overview of the role, and then click Next to continue.
6. On the Select Role Services screen, shown in Figure 8-4, select the modules you would like to install along with the Application Server functionality. Click Next to continue.

Figure 8-4. Installing supporting modules for the Application Server role

7. Confirm the choices you made during the wizard, and then click Install to commence setting up the web server service.
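The same minimal Web Server installation can be scripted instead of clicked through, which is what you want when the "install only what you need" rule above has to hold across many machines. As an added example (not from the book), the following PowerShell drives ServerManagerCmd.exe, the command-line front end to Server Manager that ships with Windows Server 2008. The role-service identifiers are the ones ServerManagerCmd lists with -query; treat the list below as an assumption and confirm the names on your build before running it without the dry-run switch. The function names and the choice of which services to keep are this example's own.

```powershell
# Added example, not from the book: the command-line equivalent of the wizard
# steps above, using ServerManagerCmd.exe, which ships with Windows Server 2008.
# Only the role services a static site needs are installed, and the wizard's
# default extra that a static site does not need is removed again, so that the
# attack surface stays at the minimum the text describes.
# Assumption: the identifiers below are the ones "ServerManagerCmd.exe -query"
# lists on your build; check them there before running this for real.

$serverManagerCmd = Join-Path $env:windir 'System32\ServerManagerCmd.exe'

$wanted = @(
    'Web-Server',          # the Web Server (IIS) role; brings WPAS with it
    'Web-Static-Content',  # static files
    'Web-Default-Doc',     # default document
    'Web-Http-Errors',     # error pages
    'Web-Http-Logging',    # request logging
    'Web-Filtering',       # request filtering (the former URLScan)
    'Web-Mgmt-Console'     # IIS Manager
)
$notWanted = @(
    'Web-Dir-Browsing'     # directory listings: off unless a site really needs them
)

function Invoke-ServerManagerCmd {
    # Runs one ServerManagerCmd action; -DryRun passes -whatIf so the tool only reports.
    param([string] $Action, [string] $Id, [switch] $DryRun)
    $cmdArgs = @($Action, $Id)
    if ($DryRun) { $cmdArgs += '-whatIf' }
    & $serverManagerCmd @cmdArgs
    if ($LASTEXITCODE -ne 0) {
        # Non-zero codes include "reboot required", so report rather than abort.
        Write-Warning "ServerManagerCmd $Action $Id returned exit code $LASTEXITCODE"
    }
}

function Install-MinimalWebServer {
    param([switch] $DryRun)
    foreach ($id in $wanted)    { Invoke-ServerManagerCmd -Action '-install' -Id $id -DryRun:$DryRun }
    # Installing the role can bring the wizard's default role services with it,
    # so anything not wanted is removed explicitly afterwards.
    foreach ($id in $notWanted) { Invoke-ServerManagerCmd -Action '-remove'  -Id $id -DryRun:$DryRun }
}

Install-MinimalWebServer -DryRun      # prints what would change, installs nothing
# Install-MinimalWebServer            # apply

# Afterwards, list the Web-* role services; -query marks installed items with [X].
& $serverManagerCmd -query | Select-String 'Web-'
```

The final -query line is the check that matters: it shows what is actually installed, which is what an attacker's scanner will see, rather than what the script intended.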
8.4. Managing IIS Graphically

The graphical management utility for IIS, called Internet Information Services Manager, has been radically redesigned from the tools and consoles available in IIS 6 and Windows Server 2003. Figure 8-5 illustrates the new appearance of this tool. Here's a quick tour of what to notice:

Figure 8-5. An introduction to the redesigned IIS Manager in Windows Server 2008

Note the presence of an address bar, like the one in Internet Explorer, when you first open IIS Manager. You can see a breadcrumb-like trail of your progress through the various screens, helping you find where you are and how you arrived there.

On the home page, you'll see the feature list occupying the menu pane. This list, which is dynamically generated, shows context-specific features that you may want to configure.

Instead of the tab-frenzy feel of IIS 6, you get three types of pages in IIS Manager 7: list pages, where you can generally sort by a variety of fields; the task pane, which automatically changes and presents the most popular and/or likely options for your current context; and a property grid, which lists the attributes associated with any given object or feature in IIS Manager.

For now, let's step through creating a new web site, adjusting its properties, adding a virtual directory for an application, and creating a new application pool.

8.4.1. Creating a Site

Creating a new web site is one of the core responsibilities of an IIS administrator. You can add a new site to a machine with IIS 7 installed in just a couple of clicks. To do so:

1. Open IIS Manager.
2. Expand the server list in the left pane.
3. Right-click on the server and select Add Web Site from the pop-up context menu. This is shown in Figure 8-6.

Figure 8-6. Creating a new site

4. Enter a site name and the application pool this site will use.
5. Enter the path to the content that IIS will serve for this site. This can be either a local path or a network path, named via UNC conventions. If you need to enter credentials to access that path, click the "Connect as" button and enter them there.
6. Under Binding, select the protocol, IP address, and port number under which IIS should listen for requests to this site. You can also enter a host name if you want to host multiple sites on one IP address; IIS will look at the host header to determine from which site to service that request.
7. Click OK to confirm the web site's creation.
8.4.2. Adjusting Site Properties

You'll see that in IIS 7, you adjust site properties through a new property grid view rather than the tab maze that was IIS Manager in Windows Server 2003. The Advanced Settings dialog, which is shown in Figure 8-7, walks you through the attributes assigned to a site, including its application pool, bindings, physical path, connection limits, protocols, and failed request tracking.

Figure 8-7. The Advanced Settings dialog for an IIS web site

You can adjust other properties using those that are listed on the features page. Note that once you select a site in the left pane of IIS Manager, the features list in the middle pane changes. If you switch the grouping option under "Group by:" to "Area," you can get a list of features and properties that you can adjust per IIS area—properties specific to ASP.NET, and properties specific to IIS. Table 8-1 lists the IIS-specific properties.

Table 8-1. Features available for modification on an IIS 7 web site

Feature: Description

Authentication: Configures the methods of authentication used on a site. Allows for anonymous, ASP.NET impersonation, basic, digest, forms, and Windows authentication. To use digest authentication, the IIS machine must be a member of a domain.

Authorization Rules: Specifies rules for allowing users to access sites. You can set up allow- or deny-based rules, based on a user's identity, role, group, or the verbs used in the original request (POST, GET, etc.).

Compression: Allows you to enable static and dynamic content compression, which can enhance the "perceived performance" of a web site.

Default Document: Specifies the default file that will be served when no specific page is requested by the originator.

Directory Browsing: Configures how directory listings are sent to the requestor's browser, including what fields (time, size, extension, date) are presented.

Error Pages: Sets the path to custom error pages for a site. You can add pages based on the HTTP status code.

Failed Request Tracing Rules: Configures tracing for failed requests. (You must activate failed request tracing, on the main page of IIS Manager in the action pane, before you can adjust the properties herein.) You can elect to trace specific types of content that generate specific failure codes, and assign them to trace providers that can interpret the results.

Handler Mappings: Specifies the DLLs and managed code add-ins that handle specific requests from the Internet.

HTTP Redirect: Configures rules for redirecting requests for a site to another file or URL. Click the checkbox to enable and enter the target path. You can also elect to control the redirect behavior to the entire site or just a directory, and adjust the HTTP status code returned to the requester that corresponds with the redirection.

HTTP Response Headers: Adds headers to responses from the web server. In regular operations, you may not find a lot of use for this capability.

IPv4 Address and Domain Restrictions: Allows you to ban or allow access to content hosted by IIS based on the IP address of the requester. The listings here are in order of priority.

ISAPI Filters: Configures ISAPI filters that process dynamic requests to the web server. This is mainly for backward compatibility with older web applications.

Logging: Tweaks how IIS logs requests on the server. You can select the logfile path, the type of entries written, and how log rollover will be scheduled and executed.

MIME Types: Sets the list of filename extensions and corresponding types of content that are served as static files (in other words, are not interpreted dynamically).

Modules: Allows you to add a managed code-based module that will alter how IIS answers web requests; also lets you configure existing modules and activate them.

Output Caching: Configures caching of output, which can speed up response time when users ask for results of popular dynamically generated queries.

SSL Settings: Allows you to modify SSL requirements for a site or application, including how to handle client certificates.
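Several of the features in Table 8-1 (Directory Browsing, Authorization Rules, Request Filtering) live in a site's web.config, which is what makes the "copy web.config to each site" deployment model from Section 8.1 work. As an added example (not code from the book or from Microsoft), the following PowerShell holds one hardened web.config, checks it before copying, and writes it to the root physical path of every site on the box. The site list is a constructed sample in the shape of "appcmd list vdir /xml" output; the template assumes those three sections are delegated Read/Write in Feature Delegation, which is the IIS 7 default (a section locked at server level would make the site return a configuration error instead of content). The function names, the verb list and the backup directory are this example's own. Written for PowerShell 2.0 and later.

```powershell
# Added example, not from the book: push one hardened web.config to every
# site on the server, the deployment model Section 8.1 describes, using the
# Table 8-1 features that live in web.config. Assumes directoryBrowse,
# authorization and requestFiltering are delegated Read/Write (IIS 7 default).

$hardenedWebConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <security>
      <authorization>
        <!-- drop the inherited allow-everything rule, allow only read/submit verbs -->
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="*" verbs="GET,HEAD,POST" />
      </authorization>
      <requestFiltering>
        <fileExtensions>
          <!-- editor and backup leftovers must never be served -->
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
        </fileExtensions>
        <!-- 10 MB cap on request bodies -->
        <requestLimits maxAllowedContentLength="10485760" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@

# CONSTRUCTED sample in the shape of "appcmd list vdir /xml" output. On a live server:
#   $vdirXml = & "$env:windir\System32\inetsrv\appcmd.exe" list vdir /xml
$sampleVdirXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<appcmd>
  <VDIR VDIR.NAME="Default Web Site/" physicalPath="%SystemDrive%\inetpub\wwwroot" path="/" />
  <VDIR VDIR.NAME="BookSite/" physicalPath="C:\inetpub\wwwroot\booksite" path="/" />
  <VDIR VDIR.NAME="BookSite/images" physicalPath="D:\shared\images" path="/images" />
</appcmd>
'@

function Test-WebConfigHardened {
    # Sanity-check the template before it is copied anywhere.
    param([string] $Xml)
    [xml] $doc = $Xml                       # throws on malformed XML
    $ws = $doc.configuration.'system.webServer'
    $allow = @($ws.security.authorization.add | Where-Object { $_.accessType -eq 'Allow' })
    $badVerb = $false
    foreach ($rule in $allow) { if ($rule.verbs -match 'PUT|DELETE|TRACE') { $badVerb = $true } }
    return ($ws.directoryBrowse.enabled -eq 'false') -and ($allow.Count -ge 1) -and (-not $badVerb)
}

function Get-SiteRootPaths {
    # Root virtual directories (path="/") give each site's physical path.
    param([string] $VdirXml)
    [xml] $doc = $VdirXml
    foreach ($v in @($doc.appcmd.VDIR)) {
        if ($v.path -ne '/') { continue }
        New-Object PSObject -Property @{
            Site = $v.'VDIR.NAME'.TrimEnd('/')
            Path = [Environment]::ExpandEnvironmentVariables($v.physicalPath)
        }
    }
}

function Deploy-WebConfig {
    param([string] $Xml, [string] $VdirXml, [string] $BackupDir, [switch] $DryRun)
    if (-not (Test-WebConfigHardened -Xml $Xml)) { throw 'template failed its own hardening check' }
    foreach ($s in Get-SiteRootPaths -VdirXml $VdirXml) {
        $target = Join-Path $s.Path 'web.config'
        if ($DryRun) { Write-Output ("would write {0} for site {1}" -f $target, $s.Site); continue }
        if (Test-Path $target) {
            # Keep the previous copy OUTSIDE the web root: a backup left beside the
            # site is one more file under the site that request filtering has to catch.
            $stamp = Get-Date -Format yyyyMMddHHmmss
            Copy-Item $target (Join-Path $BackupDir ("{0}.web.config.{1}" -f $s.Site, $stamp))
        }
        Set-Content -Path $target -Value $Xml -Encoding UTF8
    }
}

Deploy-WebConfig -Xml $hardenedWebConfig -VdirXml $sampleVdirXml -BackupDir 'C:\iisbackups' -DryRun
```

The dry run against the sample lists two targets (the Default Web Site and BookSite roots) and skips the images virtual directory, since only root directories get the site-level file. Note that the template is checked with the same XML parser IIS will use on it: a template that does not parse would otherwise take every site down at once, which is the flip side of being able to configure thousands of sites in seconds.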
8.4.3. Virtual Directories

Virtual directories are a great way to make a site's structure easy to navigate for your users, even if the actual content stored on physical disks is located in several different locations or on several different computers. Not only does a well-formed virtual directory structure make a site easy to use for a web surfer, but it increases the flexibility of management for the web developer. It also provides a layer of security through obscurity because the virtual directory need not correspond directly to a physical directory on a hard disk. To add a new virtual directory to a web site:

1. Open IIS Manager.
2. In the left pane, expand the server list, click the appropriate server target, and select the appropriate web site.
3. Right-click on that site, and select Add Virtual Directory. This is shown in Figure 8-8.
4. Enter the alias that users will specify to refer to this virtual directory. This is the text that comes after the / in the URL.
5. Specify the location of the content that will populate this virtual directory, either via a local path or a UNC-style path. If you need to enter credentials to access that location, click the "Connect as" button and enter them there.
6. Click OK to confirm the creation of the virtual directory.

Figure 8-8. The Add Virtual Directory screen

You can adjust the properties of the virtual directory much like a web site itself, right from the middle pane with all of the features and their icons listed. These are functionally equivalent to the options covered in the previous section pertaining to web sites themselves.
8.4.4. Application Pools

Application pools provide a measure of stability and reliability for high-volume web applications hosted with IIS 7. Although they provide greater predictability in behavior and several other side benefits when it comes to hosting web applications in IIS, each application pool takes up a minimum of about 4 MB of memory on your IIS machine, so it's best to accurately configure your application pools if you're planning to have multiple pools on one machine.

New to IIS 7.0 is the ability to specify to IIS how to process requests that involve managed resources; you can do this via two modes, integrated mode or classic mode. In previous versions of IIS, this was a setting that you could configure only at the server-wide level, but now you can specify classic or integrated mode on a per-application pool basis.

In integrated mode, you are getting the full benefit of the new modular architecture and the reworked request pipeline found in IIS 7. When a worker process in an application pool receives a request, the request goes through a list of events ordered by priority, and each of those events loads the modules needed to deal with the request and form responses to it. Each event calls the necessary native and managed modules to process portions of the request and to generate the response. In this way, you get managed features for all applications and eliminate some of the duplicate processing that classic mode, by design, required.

In classic mode, requests go through the process that was found in IIS 6, wherein requests are natively processed by IIS, and then what's left is passed to an ISAPI DLL for processing, say, managed code or something that the core of IIS 6 wasn't able to natively handle. Then, responses are sent back to IIS to route to the original requestor, making for an added amount of processing time.

Only use classic mode if your web applications don't work in integrated mode.

First, let's take a look at the properties and settings for the "catch-all" application pool configured once you add the Application Server role. Open IIS Manager, expand the server list in the left pane, click your IIS server, and then click Application Pools. You should see "DefaultAppPool" in the main pane of the screen.

One of the main concepts to understand in conjunction with application pools is recycling. Recycling is how IIS 7 ensures responsive processes by killing off old processes when they finish handling their requests and starting new ones to listen. You can configure how often this recycling occurs, whether at a certain cycle of time or at specific times throughout the day, and at what memory usage level (in terms of either total used memory or virtual user memory) a recycling will be triggered. To configure these settings, click Recycling in the action pane, and toggle the settings that present themselves.

If you have a dynamic web application, and you want to segregate its worker processes so that they do not overlap with those residing in the DefaultAppPool, you can create a new application pool. To add a new application pool, follow these steps:

1. Open IIS Manager.
2. In the left pane, expand the server list, click the appropriate server target, right-click on Application Pools, and select Add Application Pool. This is shown in Figure 8-9.

Figure 8-9. Adding a new application pool to an IIS server

3. Enter a name for the new pool, specify the version of the .NET Framework that this pool should use, select either classic or integrated mode (see earlier in this chapter for a description of how application pool requests are pipelined in each mode), and then click OK.
8.4.5. Enabling Centralized Configuration

Through the centralized configuration feature, you can set up one IIS machine as you want it, export that configuration to a file, and then direct other IIS machines to access that configuration file, making it easy to deploy a uniform configuration across multiple IIS servers. To effect centralized configuration, do the following:

1. Open IIS Manager.
2. Select the master server that contains the configuration you want to replicate in the left pane, and then click Shared Configuration in the right pane.
3. In the task pad, click Export Configuration, and then enter the path to export the configuration files. Also, enter a password that will guard the encryption keys exported during this process.
4. Now, back on the Shared Configuration page, click "Enable shared configuration" and check the box.
5. Specify the path to the shared configuration file, click Apply, and then enter the password as prompted.

8.4.6. Using the Web Management Service

The web management service allows you to manage IIS remotely, from any computer connected to the Internet. The WMS sets up a secure HTTP/SSL-based connection, allowing you to manage and set configurations in a protected environment. To use the Web Management Service, you must first install the WMS subcomponent through the Add Roles Wizard in Server Manager. Once you have WMS installed, you need to enable remote connections for management. From within IIS Manager, click the appropriate server in the left pane, open the Management Service feature in the right pane, and check the Enable Remote Management checkbox under Remote Connections, as shown in Figure 8-10.

Figure 8-10. Enabling the remote management service

From this page, you can also configure some optional settings, including which credentials (Windows or IIS Manager) should be accepted to allow access to remote management; what IP address, port, and SSL certificate should be used; where to log requests and connections; and white- and blacklists for IP addresses.

Be sure to take note of the port number assigned on the Management Service screen; you'll use that to actually connect to the web management service.
8.5. Managing IIS from the Command Line

In this section, we'll take a look at administering IIS 7 outside of IIS Manager. We'll start by examining some common administrative scenarios through the use of AppCmd.exe, and then look at the text-file configuration options that this new version of IIS presents to us.

8.5.1. AppCmd.exe: One-Stop Configuration

IIS 7 includes AppCmd.exe, which is a new, one-stop executable for administering essentially every function IIS provides. Through AppCmd, you can create and configure sites, application pools, and virtual directories; start, stop, and recycle sites and pools; examine current activities in the core of the web server service; and generally find, copy, and import configurations of both IIS itself and the ASP.NET subcomponent. AppCmd takes a logical syntax: you perform an operation, or command, on a specific piece of IIS, or an object. For example, you can list sites (list being the command and site being the object), add applications, delete worker processes, or set configurations.

You can get a general sense of the scope of functions AppCmd supports by using the /? switch at a command line.

For example, we can list the sites that are stopped on a server by using the following command:

    appcmd list sites /state:Stopped

We can add a completely new web site entirely from the command line. Let's add a site named "Booksite" that listens on port 81 and whose content is stored at C:\inetpub\wwwroot\booksite:

    appcmd add site /name:BookSite /id:2 /bindings:"http/*:81:" /physicalPath:"C:\inetpub\wwwroot\booksite"

I can change the identifier for my new site to number 99 using the following command:

    appcmd set site "BookSite" /id:99

I can delete the site that I just added as follows:

    appcmd delete site "Booksite"

To create a backup, which will allow you to fix unwanted changes to server configuration and return to a configuration that, at one point, functioned correctly, it's a simple one-line command:

    appcmd add backup 20071015

You can then display a list of available backups using the first command below, and then restore one of them using the second command (the restore command stops the server, adds the configuration from the backup, and then restarts the server):

    appcmd list backups
    appcmd restore backup "20071015"

If you start piping the output of one command and feeding it to another command, you can achieve some useful outcomes. For example, to recycle all application pools, you can use:

    appcmd list apppool /xml | appcmd recycle apppool /in

You can also recycle application pools serving a specific web site; in this example, let's say "Company Web":

    appcmd list site "Company Web" /xml | appcmd list app /in /xml | appcmd list apppool /in /xml | appcmd recycle apppool /in

Or, starting from the applications of that site rather than from the site itself:

    appcmd list app /site.name:"Company Web" /xml | appcmd list apppool /in /xml | appcmd recycle apppool /in

We can start all of the sites we stopped in the earlier example in this section with the following command:

    appcmd list site /state:stopped /xml | appcmd start site /in

You can do directory or file maintenance on a certain directory safely by determining which sites read from a specific location, like C:\inetpub\wwwroot:

    appcmd list vdir /physicalPath:C:\inetpub\wwwroot /xml | appcmd list app /xml /in | appcmd list site /in

You can also see what applications are served by worker process 2450:

    appcmd list wp 2450 /xml | appcmd list apppool /xml /in | appcmd list app /in

And perhaps useful for a quick scan of serving problems, you can retrieve a list of all sites generating 404 errors, indicating that a page cannot be found by IIS:

    appcmd list trace /statusCode:404 /xml | appcmd list site /in
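The backup and restore commands above are most useful when they bracket a change, so that a configuration edit that fails or breaks a site is undone automatically rather than discovered later. As an added example (not from the book), the following PowerShell wraps any AppCmd change in "appcmd add backup" and "appcmd restore backup" exactly as shown in this section. The function names and the backup naming scheme are this example's own; the usage at the end adds a second binding on port 8081 to the BookSite created above, and that port is an assumption for the demonstration.

```powershell
# Added example, not from the book: run an AppCmd configuration change between
# "appcmd add backup" and, if the change fails or does not verify,
# "appcmd restore backup", so the server returns to a known-good state.

$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Invoke-AppCmd {
    # Runs appcmd with the given arguments; returns $true when appcmd exits with 0.
    param([string[]] $ArgumentList)
    $output = & $appcmd @ArgumentList 2>&1
    $output | ForEach-Object { Write-Verbose $_ }
    return ($LASTEXITCODE -eq 0)
}

function Invoke-IisChangeWithBackup {
    param(
        [string]      $Label,    # short description; becomes part of the backup name
        [string[]]    $Change,   # appcmd arguments for the change itself
        [scriptblock] $Verify    # returns $true if the server still behaves afterwards
    )
    # Backup names look like "20071015-143012-booksite-binding"; "appcmd list backups" shows them.
    $name = '{0}-{1}' -f (Get-Date -Format 'yyyyMMdd-HHmmss'), $Label
    if (-not (Invoke-AppCmd -ArgumentList @('add', 'backup', $name))) {
        throw "could not create backup $name; change not attempted"
    }

    $ok = Invoke-AppCmd -ArgumentList $Change
    if ($ok) { $ok = & $Verify }

    if (-not $ok) {
        # restore backup stops the server, puts the saved configuration back and restarts it
        Write-Warning "change '$Label' failed or did not verify; restoring backup $name"
        if (-not (Invoke-AppCmd -ArgumentList @('restore', 'backup', $name))) {
            throw "restore of $name failed; configuration needs manual attention"
        }
        return $false
    }
    return $true
}

# Usage (assumed values): add a binding on port 8081 to BookSite, then check the
# site still reports Started. A change that leaves it in any other state is rolled back.
Invoke-IisChangeWithBackup -Label 'booksite-binding' `
    -Change @('set', 'site', 'BookSite', '/+bindings.[protocol=''http'',bindingInformation=''*:8081:'']') `
    -Verify { (& $appcmd list site 'BookSite' /text:state) -eq 'Started' }
```

The verification step is deliberately separate from the change: AppCmd returning 0 only means the configuration was written, not that the site still works. Old backups accumulate under the config directory and are listed by "appcmd list backups", so prune them on a schedule.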
8.5.2. XML Configuration

The old IIS metabase now takes on new life and a new format in applicationHost.config, which now forms the central configuration store for an IIS server. It defines all sites, applications, virtual directories, and application pools on a given machine. And, because of the delegated configuration abilities of IIS 7, you can choose from three ways of architecting configurations through text files in IIS 7:

Single configuration file
    In this configuration, all settings are written to the applicationHost.config file. This type of configuration is most useful when an administrator wants 100% control over the settings and configuration of an IIS installation. To use this configuration, open IIS Manager, click on the appropriate web server, and navigate to Feature Delegation; then, set all features to Read Only (Figure 8-11). At that point, your changes can be made within the applicationHost.config file and that will be the master resource for your configuration.

Figure 8-11. Setting feature delegation

Delegated configuration
    If you choose to delegate some features and configurations to individual sites or applications, you can use the delegated configuration architecture. In this configuration, delegated settings are written to the web.config file between the entries. You can set up feature delegation from the appropriately named icon under IIS Manager—set the specific feature to Read/Write.

Shared configuration
    In the shared configuration format, you can set up IIS on multiple machines and have each of the installations synchronized with the same settings by sharing a unified applicationHost.config file. This is a fantastic way to deploy a large number of web servers with uniform configurations, such as in a web farm scenario.

Let's take a look at a configuration file now. To do so:

1. From the Start menu, point to All Programs and open the Accessories group.
2. Right-click on Notepad, and from the pop-up context menu, choose Run As Administrator.
3. Acknowledge the UAC prompt and continue.
4. From the File menu, choose Open, change the filtered view to All Files, and then navigate to \Windows\System32\inetsrv\config, and open the file you'd like to view.

The configuration files are simple XML files that are easy to parse visually. Plus, with your text editor, you can use the find function in your software to go straight to a section you want to modify, as well as search and replace to change a configuration globally. Here's a sample from the applicationHost.config file on a plain vanilla Windows Server 2008 machine with the Web Server and Application Server roles installed (Example 8-1).

Example 8-1. A sample XML configuration file
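Because applicationHost.config is plain XML, the same parser that reads web.config can read it for an audit. As an added example (not code from the book or from Microsoft), the following PowerShell reads the sites and applicationPools sections and reports, for every application, the pool it runs in, the identity of that pool and its pipeline mode (Section 8.4.4), flagging pools that run as LocalSystem and pools still in classic mode. The configuration text is a constructed sample using the element and attribute names applicationHost.config uses; the function name and the flag wording are this example's own. Written for PowerShell 2.0 and later.

```powershell
# Added example, not from the book: audit applicationHost.config for which pool
# each application runs in, what identity the pool uses, and its pipeline mode.
# A pool running as LocalSystem gives every application in it the highest
# privilege on the box, so it is the first thing to look for.

# CONSTRUCTED sample using the element names applicationHost.config uses. On a server:
#   $configText = [IO.File]::ReadAllText("$env:windir\System32\inetsrv\config\applicationHost.config")
$configText = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" managedPipelineMode="Integrated" />
      <add name="LegacyPool" managedPipelineMode="Classic">
        <processModel identityType="LocalSystem" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
        </application>
      </site>
      <site name="BookSite" id="2">
        <application path="/" applicationPool="LegacyPool">
          <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\booksite" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

function Get-IisPoolAudit {
    param([string] $ConfigXml)
    [xml] $cfg = $ConfigXml
    $ah    = $cfg.configuration.'system.applicationHost'
    $pools = @($ah.applicationPools.add)
    # A pool without its own <processModel> inherits applicationPoolDefaults;
    # if that is absent too, IIS 7.0's built-in default identity is NetworkService.
    $defaultIdentity = $ah.applicationPools.applicationPoolDefaults.processModel.identityType
    if (-not $defaultIdentity) { $defaultIdentity = 'NetworkService' }

    foreach ($site in @($ah.sites.site)) {
        foreach ($app in @($site.application)) {
            $pool = $pools | Where-Object { $_.name -eq $app.applicationPool } | Select-Object -First 1
            $identity = $null
            if ($pool -and $pool.processModel) { $identity = $pool.processModel.identityType }
            if (-not $identity) { $identity = $defaultIdentity }
            $flags = @()
            if ($identity -eq 'LocalSystem') { $flags += 'runs as SYSTEM' }
            if ($pool -and $pool.managedPipelineMode -eq 'Classic') { $flags += 'classic pipeline' }
            if (-not $pool) { $flags += 'pool not defined' }
            New-Object PSObject -Property @{
                Site     = $site.name
                App      = $app.path
                Pool     = $app.applicationPool
                Identity = $identity
                Pipeline = $(if ($pool) { $pool.managedPipelineMode } else { '' })
                Flags    = ($flags -join '; ')
            }
        }
    }
}

Get-IisPoolAudit -ConfigXml $configText | Format-Table Site, App, Pool, Identity, Pipeline, Flags -AutoSize
```

Against the sample, the Default Web Site resolves to NetworkService through applicationPoolDefaults and carries no flags, while BookSite is flagged twice: it runs as SYSTEM and in classic mode. The inheritance step is the part people miss when reading the file by eye, which is why the script resolves it rather than reporting only what a pool states explicitly.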
8.6. The Last Word

IIS 7 is a complex beast, and in this chapter we walked through its major and some of its more minor features. We looked at the new architecture, installing IIS, managing it graphically via the newly redesigned Internet Information Services Manager console and from the command line, and we examined how you can administer and configure IIS objects from its great XML-based configuration schemes. There's obviously much more to IIS than resides within the scope of this book, but you now have a good idea of what's new and improved in this version, and where the settings and switches reside. The bottom line: IIS 7 represents a huge leap forward in the stability, performance, overhead use, and extensibility of hosting on the Windows platform. It truly is a next-generation web server product.
Ch a pt e r 9 . W in dow s Se r ve r 2 0 0 8 Se r ve r Cor e Server Core? I s t hat like an apple ( or Apple, nat ch) core? I t depends on how you look at it , really: in t he cont ext of t his book, it 's Microsoft 's great new addit ion t o t he Longhorn Server product . Essent ially, Server Core is a slim m ed- down, appliance- like version of Longhorn Server t hat funct ions in a couple of lim it ed roles and does not hing else. Server Core, as I see it , has t wo m ain advant ages: it 's ext rem ely focused, which m eans it does what it does very well, result ing in bet t er perform ance, resilience, and robust ness t han a full- fledged operat ing syst em . I t also has lim it ed dependencies on ot her pieces of t he Windows puzzle, in t hat t he Core is designed t o work wit hout a lot of ot her soft ware inst alled; it can generally work by it self. I n com parison, m any of t he previous Windows com ponent s aren't really necessary—like Windows Explorer or I nt ernet Explorer, for exam ple—which is som et hing t hat can't be said for Windows Server 2003. All of t his t ranslat es int o a far sm aller at t ack surface t han t he st andard Windows Server product , given all of t he m at erial t hat 's been st ripped out . But t here are som e aspect s of Server Core wit h which you m ight not yet be fam iliar, as well as som e int erest ing fact s and lim it at ions of t he " core" - based approach t o com put ing. We'll t ake a look at t hem here.
9.1. The Lack of a Shell
This is probably the most unsettling but, upon reflection, most interesting and welcome difference between Server Core and the traditional Windows server operating system. When you boot Server Core, you'll get a colored screen that looks like a single-color desktop, which might fool you into thinking that you installed the wrong version. But you'll quickly be corrected as you get a command-prompt window; when it appears, all activity stops. It looks a lot like regular Windows if you open Task Manager and kill the explorer.exe process. Figure 9-1 shows this.
Figure 9-1. The default environment when a user logs on interactively to a Server Core-based machine
Indeed, you can open Notepad—just about the only graphical application installed—but you can open it only from the command line, and you can't save as another file; there is no support for displaying those sorts of Explorer windows. In fact, those windows are generated by code called a "shim," which is essentially a programming stub that allows Notepad to display these Explorer-related dialog boxes without tying into Explorer itself. Essentially, you'll need to think back to your DOS days to get accustomed to administering Server Core. The command line is very, very powerful—in many instances you can accomplish more with commands, options, and switches than you can with the GUI—but it can be intimidating to start.
Here are some other things you don't get with Windows Server 2008 Server Core:
No .NET Framework, or even the common language runtime (CLR)
No Microsoft Management Console, and no related snap-ins
The vast majority of Control Panel applets are not present
No Run box, and no Start menu to go with it
9.2. Realistic Deployment Scenarios
At the most fundamental level, Server Core can only be a file server, print server, domain controller, an Active Directory Lightweight Directory Services (LDS) server, streaming media server, DHCP server, DNS server, or Windows Server Virtualization server. It can participate in clusters and network load-balancing groups, run the subsystem for Unix applications, perform backups using Server Core's improved capabilities, and be managed and report status through SNMP. There are a few other ancillary capabilities, but it's pretty stripped down and only appropriate at this point for the four basic roles I just delineated. Future releases might expand the roles in which core-based operating systems can run, but they are not available yet. Table 9-1 lists the roles and features that are included in the Server Core installation of Windows Server 2008.
Table 9-1. Available roles and features on Windows Server 2008 Server Core machines
Roles available in Server Core:
Active Directory and Active Directory Lightweight Domain Services (LDS)
DHCP Server
DNS Server
File Services (including DFSR and NFS)
Print Services
Streaming Media Services
Windows Server Virtualization
Features available in Server Core:
BitLocker Drive Encryption
Failover Clustering
Multipath I/O
Removable Storage Management
SNMP Services
Subsystem for Unix-based Applications
Telnet Client
Windows Server Backup
WINS Server
9.3. No Managed Code
The code behind the .NET Framework is not modular enough to be broken up into just the components that Server Core will be able to run. (This might be added in future releases and looks to be reasonably high on the priority list.) Not only does this mean you can't run any custom web applications you might have created, but you also lose access to some of the better management software that comes along with this generation of Windows, including Windows PowerShell (which used to go by the code name Monad). Server Core just isn't a .NET machine at this point, so for web applications and other custom software, you will need to deploy the regular, fully fleshed-out Longhorn Server edition of the operating system.
9.4. Few Third-Party Software Applications
Mainly, you are going to encounter problems with software that is designed to display widgets in the system tray, like some antivirus and shell modification applications. You may also encounter some problems with management software, although typically these types of applications work in the background and don't display anything graphically. For example, agents from the SMS 2005 and MOM 2005 family of management products should work fine on Server Core boxes, as their operations are largely under the surface and not presented to the user in a graphical fashion. Lastly, driver installation will be a sore point in a few instances, and you'll need to either use hardware with drivers bundled with the Server Core release or preload the appropriate drivers with the included Drvload utility. You might face driver signing issues as well, though these can be mitigated by actually touching the driver-signing policy on the Server Core machine through Group Policy—but of course, you have to do that remotely.
9.5. Installation
Installing the Server Core edition of Windows Server 2008 isn't very different from installing a normal, full installation of Windows Server 2008. There is one key screen—the product selection dialog—wherein you elect to install the core versus the full installation. After that point, there is no difference installation-wise. This key screen is depicted in Figure 9-2.
Figure 9-2. Selecting the Server Core edition of Windows Server 2008 during installation
You will need 512 MB of RAM in your Server Core target machine during the installation process. Server Core itself, once installed, does not require that much memory, but the Setup process does. Disk space isn't as much of a problem: a typical Server Core installation requires only about 20% of the space of a standard Windows Server 2008 installation.
If you are using Windows Deployment Services in your organization, you can deploy Server Core machines through the automated system. Just select the Server Core option in the installation menu. See Chapter 2 for more information on Windows Deployment Services.
9.6. Initial Configuration
Like most servers, you need to tweak some settings and add some information to the Server Core system before you can reasonably deploy it into production. In this section, let's step through some of the initial steps to set up a Windows Server 2008 Server Core box, including:
Changing the administrator password
Entering date, time, and time zone/location information
Setting up network connections
Establishing the name of the server and joining it to an existing domain
Enabling automatic updates, if necessary, and downloading available updates
Activating the server
9.6.1. Setting an Administrator Password
By default, Server Core installs itself with a built-in local administrator account that is enabled with no password, but that requires a password change (effectively establishing a password for the account itself) upon the first logon. This is great for the first logon, but there are two other ways in which you can change the password of an associated account:
You can use the venerable command line-based net user utility. For example, net user administrator * will ask you to type a new password for the administrator account.
You can hit Ctrl-Alt-Del (the three-keystroke salute) and click the Change Password option that appears. You'll need to enter the old password, the new password, and a confirmation entry. Click the right arrow to perform the change.
9.6.2. Configuring Date, Time, and Location Options
One of the only two Control Panel GUI-based dialog boxes that you can access is the Date and Time applet, which lets you additionally adjust the time zone, set reminders before Daylight Saving Time begins and ends, configure additional clocks (although there is no facility to actually view these additional clocks), and configure the server to synchronize automatically with Internet time servers. You can access this applet from the command line using the following entry, illustrated in Figure 9-3:
Figure 9-3. The Date and Time control panel option in Server Core, accessed from the command line
Control timedate.cpl
Similarly, the Regional and Language Options applet is available from the command line as follows:
Control intl.cpl
It brings up the applet shown in Figure 9-4.
Figure 9-4. The Regional and Language Options control panel screen, again accessed only from the command line
9.6.3. Installing and Applying Hardware Drivers
If you need to add new hardware to your server or update the drivers on your machine, you can do so via the command line. Server Core does include support for Plug and Play, so you won't have to spelunk through text-based configuration files or massage the Registry, but you will need to do the following:
1. Manually copy the driver files from their original media to a location on the Server Core box.
2. Run the pnputil command to install the driver.
3. Reboot if necessary.
The syntax for the plug-and-play utility is:
pnputil -i -a driver.inf
9.6.4. Setting Up Network Connections
Since Windows Server 2008 Server Core has no shell, you'll have to configure your network connections via the command line. There is a robust set of command-line tools that are fairly easy to use. The first to acquaint yourself with is the "netsh interface ipv4" group of commands. Let's first examine what interfaces we have installed by default on our Server Core box. Use the following command to get a list of all configured network interfaces on the Server Core machine:
>netsh interface ipv4 show interfaces

Idx  Met  MTU         State        Name
---  ---  ----------  -----------  ---------------------------
  1   50  4294967295  connected    Loopback Pseudo-Interface 1
 10   10  1500        connected    Local Area Connection
As you can see from the resulting output of the command, there are two network interfaces on this machine. The one most relevant to our scenario—named, as you might expect, Local Area Connection—has an "idx," or index number, of 10. This numerical value is important to the following commands, as it identifies which LAN adapter we're targeting in each command. Now, let's set a static IP address of 192.168.0.99 to this machine, with the regular 255.255.255.0 network mask, and a gateway of 192.168.0.1. We can use the "set address" feature of the netsh command to get this assignment completed. Type in the following:
Netsh interface ipv4 set address name="10" source=static address=192.168.0.99 mask=255.255.255.0 gateway=192.168.0.1
Now, let's also add a couple of DNS servers to the mix. Let's assign 24.25.5.150 as the first server (we'll assign the priority via the "index" switch, which is different than the "name" or "Idx" switches and attributes we've already seen), and 24.25.5.149 as the second DNS server.
Netsh interface ipv4 add dnsserver name="10" address=24.25.5.150 index=1
Netsh interface ipv4 add dnsserver name="10" address=24.25.5.149 index=2
If you didn't receive any errors back from those commands, then the reconfiguration completed successfully. You can check your results in a more convenient format by using the ipconfig /all command. Here is some sample output, the results of our configuration evidenced in all the right places:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-1UUMA7JYIC8
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-EA-A7-3D
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2132:e6ca:f75a:2545%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.99(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 24.25.5.150
                                       24.25.5.149
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4136:e390:3020:8d1:3f57:ff9c(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3020:8d1:3f57:ff9c%12(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
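The two steps just shown (reading the interface index from netsh, then confirming the result with ipconfig /all) are easy to get wrong when typed by hand against a box with no shell. The following is an added helper, not code from the book: it parses captured output of both commands, generates the netsh lines for the static address and DNS servers, refuses a gateway that is not on the interface's subnet, and checks the adapter's reported settings against what was intended. All sample output below is constructed to match the book's example; the function names are my own.

```python
"""Added helper (not from the book) for the section 9.6.4 procedure:
parse `netsh interface ipv4 show interfaces`, emit the netsh commands,
and verify the result against `ipconfig /all`. Runs offline on the
constructed text below."""
import ipaddress
import re

# Constructed sample, in the layout `netsh interface ipv4 show interfaces` prints.
SHOW_INTERFACES = """\
Idx  Met  MTU         State        Name
---  ---  ----------  -----------  ---------------------------
  1   50  4294967295  connected    Loopback Pseudo-Interface 1
 10   10  1500        connected    Local Area Connection
"""

# Constructed excerpt of `ipconfig /all` after the reconfiguration.
IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-1UUMA7JYIC8

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-0C-29-EA-A7-3D
   DHCP Enabled. . . . . . . . . . . : No
   Link-local IPv6 Address . . . . . : fe80::2132:e6ca:f75a:2545%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.99(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 24.25.5.150
                                       24.25.5.149
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
"""


def parse_interfaces(text):
    """Return {interface name: Idx}. Names contain spaces, so the line is
    split at most four times and the remainder is the name."""
    result = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[0].isdigit():
            idx, _met, _mtu, _state, name = parts
            result[name.strip()] = int(idx)
    return result


def build_commands(idx, address, mask, gateway, dns_servers):
    """Return the netsh lines for a static address plus ordered DNS servers,
    after checking the gateway is on-link; a typo here leaves the box
    unreachable from other subnets, with no shell to fix it from."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    if ipaddress.IPv4Address(gateway) not in net:
        raise ValueError(f"gateway {gateway} is not in {net}")
    cmds = [f'netsh interface ipv4 set address name="{idx}" source=static '
            f'address={address} mask={mask} gateway={gateway}']
    for i, dns in enumerate(dns_servers, start=1):
        ipaddress.IPv4Address(dns)  # ValueError on a malformed address
        cmds.append(f'netsh interface ipv4 add dnsserver name="{idx}" '
                    f'address={dns} index={i}')
    return cmds


def adapter_settings(text, adapter):
    """Extract {label: [values]} for one 'Ethernet adapter' block of
    `ipconfig /all`. Multi-valued fields (DNS Servers) continue on
    indented lines that carry no colon."""
    section = text.split(f"Ethernet adapter {adapter}:", 1)[1]
    section = re.split(r"\n\S", section, 1)[0]  # stop at the next adapter
    settings, last = {}, None
    for line in section.splitlines():
        m = re.match(r"\s+(.*?)[ .]*: ?(.*)$", line)
        if m:
            last = m.group(1).strip()
            value = m.group(2).strip()
            settings[last] = [value] if value else []
        elif last and line.strip():
            settings[last].append(line.strip())
    return settings


def verify(settings, address, mask, gateway, dns_servers):
    """Return the labels whose reported value differs from what we set."""
    expected = {
        "DHCP Enabled": ["No"],
        "IPv4 Address": [f"{address}(Preferred)"],
        "Subnet Mask": [mask],
        "Default Gateway": [gateway],
        "DNS Servers": list(dns_servers),
    }
    return [k for k, v in expected.items() if settings.get(k) != v]
```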
9.6.5. Naming the Server and Joining a Domain
Upon installation, Windows Server 2008 Server Core assigns a random string to be the computer's name. While this is great at avoiding computer name conflicts on the network when you first bring up a new server, it's hardly a great name to keep as a permanent reference. You can determine the current name of a Server Core machine using the following command:
>hostname
WIN-1UUMA7JYIC8
To rename that random string into something meaningful—say, WS08-CORE-1, use the netdom command and its associated switches as follows:
>netdom renamecomputer WIN-1UUMA7JYIC8 /NewName:WS08-CORE-1
This operation will rename the computer WIN-1UUMA7JYIC8
to WS08-CORE-1.

Certain services, such as the Certificate Authority, rely on a fixed machine
name. If any services of this type are running on WIN-1UUMA7JYIC8,
then a computer name change would have an adverse impact.

Do you want to proceed (Y or N)?
y
The computer needs to be restarted in order to complete the operation.

The command completed successfully.
Notice the computer needed to be restarted after the name change, which you may expect. After the server restarts, you may want to join the server to a domain. For instance, to join our newly named WS08-CORE-1 machine to the HASSELLTECH domain, use the command below. Make sure you add the extra d's as pictured to the userd and passwordd switches, as they indicate that you are providing the credentials with the permissions sufficient to add a machine to the given domain:
>netdom join WS08-CORE-1 /domain:HASSELLTECH /userd:Administrator /passwordd:*
Type the password associated with the domain user:

The computer needs to be restarted in order to complete the operation.

The command completed successfully.
9.6.6. Enabling Automatic Updates
You can configure how automatic updates are handled by Windows Server 2008 Server Core through a special script called scregedit.wsf, which is unique to this edition of the operating system—it can't be found on a regular installation of Windows Server 2008. Using the scregedit.wsf script gives you the ability to massage a lot of settings, including how automatic Windows updates are handled, the settings for Windows Error Reporting, allowing Terminal Services Remote Administration connections and from what version of the RDP client such connections should be accepted, whether the IP Security (IPSEC) Monitor should be able to remotely manage IPSEC, and various settings regarding the priority and weight of DNS SRV records (see Chapter 4 for more on SRV records). Our focus in this section is on patching. To contact the system and determine the current Automatic Updates configuration, use the following command:
cscript scregedit.wsf /au /v
You can enable Automatic Updates, which in the context of Server Core means that Windows will download and install updates automatically (there is no facility by which you could be presented with a list of updates and approve them one by one), by using the following command:
cscript scregedit.wsf /au 4
And finally, to check for updates, use this command:
wuauclt /detectnow
9.6.7. Activating the Server
Another script you'll use to configure the server is the slmgr.vbs script, which—unlike scregedit.wsf—can be found on Windows Vista and Windows Server 2008 full installations. The slmgr script takes care of all licensing and activation tasks an administrator needs to complete on a Windows machine. There are four relevant options for a Server Core machine that you'll likely need to know. I present them here, in the order in which you would execute them to display and ultimately activate a license of Windows Server 2008 Server Core. First, this installs a product key, in case you didn't enter a key during product setup:
cscript slmgr.vbs -ipk
This checks the status and expiration date of the current license on which the machine is activating, including the grace period before activation:
cscript slmgr.vbs -xpr
The next one performs the activation process:
cscript slmgr.vbs -ato
And finally, this resets the activation grace period. There is a limit on the number of times the re-arm procedure can be used. It is currently three times:
cscript slmgr.vbs -rearm
9.6.8. Enabling Remote Desktop Services
The final step to getting a machine configured initially is—if you so desire—to set up Remote Desktop connections, so you can at least perform command-line administration from the comfort of your office and not necessarily sitting with the machine in the datacenter. Again, we go back to the scregedit.wsf script to perform this function. To enable Remote Desktop, issue this command:
cscript scregedit.wsf /ar 0
You might also want to let older RDP clients, without the newest security and authentication technologies, connect to your Server Core machine. In that case, toggle the security settings by entering the following at the command line (the /cs value controls whether Network Level Authentication via CredSSP is required before a session is created; 0 allows clients that cannot perform it, so restrict RDP access to the management network if you use it):
cscript scregedit.wsf /cs 0
Once you are in a Terminal Services session, you might want to know how to log off a session, given there is no Start menu. Fortunately, there is a one-word command to end your session, versus simply clicking the close button in the RDP client, which only disconnects your graphical session (and doesn't end anything you have running):
logoff
9.7. Administering Windows Server 2008 Server Core Machines
Now that your machine has been more or less configured and is ready to be deployed, it's time to discuss how you go about preparing the server for installation in different scenarios. As you know from earlier in this book, Windows Server 2008 offers groups of services, and the associated software, wrapped in "roles" that correspond to the likely environments in which you will deploy a machine. On a full installation of Windows Server 2008, these roles are installed using the Server Manager MMC console. On a Server Core machine, that is obviously not possible, as the graphical shell largely doesn't exist. There is a command-line utility called oclist that allows you to view available roles to install on a machine with Windows Server 2008 Server Core. Once you have run oclist and identified any given role name, you can use that name in conjunction with the ocsetup utility to install or uninstall that server role or optional feature. Some sample output from oclist is shown in Figure 9-5.
Figure 9-5. The output of the oclist.exe command, shown from a Server Core session
Note that the DHCPServerCore role is listed as not installed. Let's say that we wanted our Server Core machine deployed as a headless, GUI-less, stripped-down DHCP server for our enterprise. To prepare the machine, we need to install the DHCP Server role. Using the name we obtained from the oclist command output, we can start the role installation process with the ocsetup command, as follows:
ocsetup DHCPServerCore
The system will trundle for a while, and the process should complete without errors. To verify that the role installation process is complete, run oclist again and then check to see whether the DHCPServerCore role is listed as "installed." To uninstall a role, use the following command (in our case, should we want to uninstall the DHCP Server role):
ocsetup DHCPServerCore /uninstall
9.7.1. Installing Active Directory Domain Services on Server Core
One role that you would likely want to install on a Server Core machine is the domain controller role. Installation of this role on a Server Core machine is a bit different, because installing the role using ocsetup has a large dependency on the graphical shell—meaning that using that method of setup can result in a very unstable Server Core machine that thinks it's a domain controller in some ways, but in other ways it doesn't. The only supported way to install the domain controller role on a Server Core machine is to use the dcpromo utility in unattended mode. Using unattended mode requires setting up a simple text file with some parameters that will allow dcpromo to proceed without needing to prompt the user for any information, and ultimately you will be able to successfully promote a Server Core member server to a domain controller. You need, at a minimum, the following nine parameters in a file called unattend.txt (or anything you want, as long as you remember the name):
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=hasselltech.local
AutoConfigDNS=Yes
DNSDelegation=Yes
DNSDelegationUserName=username
DNSDelegationPassword=password
RebootOnSuccess=NoAndNoPromptEither
SafeModeAdminPassword=breakincaseofemergency
For more information on these parameters, and others that you could include, see Chapter 5.
Then, to run the utility, just issue the following command:
dcpromo /unattend:unattend.txt
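The answer file above carries two plaintext passwords (DNSDelegationPassword and the Directory Services Restore Mode password in SafeModeAdminPassword), so it is worth generating it from a checked parameter set and never pasting the raw file into a ticket. The following is an added helper, not code from the book: it writes the [DCInstall] section with exactly the nine keys the text lists, refuses to emit an incomplete file, reads one back with case preserved, and produces a redacted copy for logging. The key names are the real dcpromo answer-file keys from the page; the function names and the sample values are my own.

```python
"""Added helper (not from the book) for the section 9.7.1 unattend file:
render, validate, parse and redact the [DCInstall] answer file."""
import configparser
import io

# The nine keys the book lists as the minimum for a new-forest promotion.
REQUIRED_KEYS = (
    "ReplicaOrNewDomain", "NewDomain", "NewDomainDNSName", "AutoConfigDNS",
    "DNSDelegation", "DNSDelegationUserName", "DNSDelegationPassword",
    "RebootOnSuccess", "SafeModeAdminPassword",
)
# Values that must never reach a log, ticket or chat transcript.
SECRET_KEYS = ("DNSDelegationPassword", "SafeModeAdminPassword")


def render_unattend(params):
    """Return the answer-file text, or raise if any of the nine keys is
    missing or empty, rather than hand dcpromo a file it cannot finish."""
    missing = [k for k in REQUIRED_KEYS if not params.get(k)]
    if missing:
        raise ValueError("missing dcpromo parameters: " + ", ".join(missing))
    lines = ["[DCInstall]"] + [f"{k}={params[k]}" for k in REQUIRED_KEYS]
    return "\n".join(lines) + "\n"


def parse_unattend(text):
    """Parse an answer file back into a dict. optionxform is overridden
    because configparser lowercases keys by default and dcpromo's keys
    are mixed case."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return dict(cp["DCInstall"])


def redacted(text):
    """Copy of the file safe to record: secret values are masked, every
    other line (including the section header) is left untouched."""
    out = []
    for line in text.splitlines():
        key, sep, _value = line.partition("=")
        if sep and key.strip() in SECRET_KEYS:
            out.append(f"{key}=<redacted>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed parameter set mirroring the book's example file.
SAMPLE_PARAMS = dict(zip(REQUIRED_KEYS, (
    "Domain", "Forest", "hasselltech.local", "Yes", "Yes", "username",
    "password", "NoAndNoPromptEither", "breakincaseofemergency",
)))
```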
9.7.2. Windows Remote Shell
Included with Windows Vista and full installations of Windows Server 2008 is the Windows Remote Shell, or WinRS. You'll also find WinRS on installations of Windows Server 2003 R2. WinRS consists of a listener portion that runs on the Server Core machine itself, and the client software on other machines. The client software sends commands addressed to specific machines to the listener port on that machine, and the WinRS software on the Server Core machine receives the command, executes, and transmits the output back to the originating client machine. First, you'll need to activate the WinRS listener on the Server Core machine. Use the following command:
WinRM quickconfig
The process is shown in Figure 9-6.
Figure 9-6. Setting up the Windows Remote Shell listener on the Server Core machine
Once the listener is configured, you can simply go to any Windows Vista or Windows Server 2008 (full edition) machine, and funnel your Server Core-destined commands through winrs. For example, to see the results of the oclist command, issue the following at a command line on a Vista machine:
winrs -r:WS08-CORE-1 "oclist"
9.7.3. Controlling Server Core Via Group Policy
Many administrators find setting up Server Core machines with a consistent configuration can be achieved most easily through the use of a targeted Group Policy approach. You can create a group policy object (GPO) that only applies to Server Core machines by limiting the application of the GPO's attributes via WMI to only machines operating with the Server Core SKU, or by creating an organizational unit (OU) within Active Directory Domain Services, placing only Server Core machines within that OU, and then linking the GPO to the newly created OU. I prefer the WMI method, as it doesn't force you to construct your AD hierarchy based on operating systems, although both methods ultimately work equally well in terms of the desired effect. To use the WMI method, filter the OperatingSystemSKU property under the Win32_OperatingSystem class. The applicable values are as follows: 12 represents the Datacenter Server Core edition, 13 represents the Standard Server Core edition, and 14 represents the Enterprise Server Core edition.
For more information on using WMI to filter the application of GPOs, see Chapter 6.
9.8. The Last Word
In this chapter, I discussed the Server Core edition of Windows Server 2008. Since there is no graphical shell, all administration for Server Core is done through the command line. We discussed installation, initial configuration, and management and administration. Since Server Core is so stripped down, there isn't a lot to cover. They are essentially set-and-forget machines, which is the original concept of Server Core: to become more appliance-like than a full Windows Server 2008 installation.
Chapter 10. Terminal Services
In the old days of mainframe computing, employees typically used terminal equipment to connect to a big machine in a white room that ran all their programs and calculations. The terminal only showed the user interface while processing keystrokes and responses from the user; the mainframe in the back actually executed the programs and displayed the results to the end user so that very little processor intelligence resided at the client equipment end. This is largely why these terminal systems were called "dumb." Although the move into the personal computing and desktop computing era made large inroads into corporate America, there are still some uses for dumb terminal (or in more modern terminology, "thin client") functionality. Windows Terminal Services (TS) is a set of programs and utilities that enable this functionality on a more intelligent, contemporary level. In fact, you might already be familiar with Terminal Services in a scaled-down mode. Both Windows XP's Remote Assistance and Remote Desktop Connection utilities are examples of Terminal Services in action. Terminal Services passes only the user interface of a program running on a server to the client computer, which then passes back the appropriate keyboard strokes and mouse clicks. The server running Terminal Services, which many clients can access simultaneously, manages the connections and the active programs seamlessly. It appears to the user that he's using his own computer, rather than one servicing other active applications at the same time. Why is this useful? Many corporations, in an effort to reduce desktop support responsibilities for their help desks as well as equipment acquisition costs, are deploying thin client computers with limited client-side functionality.
These thin clients provide users with a window into a server that is running the applications they need. Microsoft Office, many accounting applications, and multitudes of other programs work effectively under a Terminal Services environment, and the reduced management headaches are worth the extra initial setup effort for some businesses. Think about the reduced cost of applying patches, upgrading software, or removing outdated programs. You apply, upgrade, or remove once, and bingo: your entire enterprise IT environment is updated. It's hard to argue with that. This specific mode of using Terminal Services is known, very simply, as Terminal Services. Terminal Services has another common use: remote administration. This is a hassle-free way that you can connect to machines running a Terminal Services-compatible operating system and use the machine's interface almost exactly as if you were sitting in front of it. Windows 2000, XP, and Server 2003 and Server 2008 come bundled with a license to do this. This is quite a boon for administrators: you don't have to leave your cubicle to administer elements of Windows on servers in your machine room. A Terminal Services connection uses TCP port 3389 to allow clients to log on to a session from their workstation. However, the Terminal Services Configuration applet and the Terminal Services Manager console, both of which I'll also cover in this chapter, enable you to change this port and a number of other properties about each connection. Terminal Server has its own method for licensing clients that log on to terminal servers, separate from the licensing method for clients running one of the other flavors of Windows Server 2008.
In addition to being enabled to use Terminal Services in their user account properties, clients must receive a valid license issued by a license server before they are allowed to log on to a terminal server. Later in this chapter I'll discuss in greater detail the subject of licensing issues when using Terminal Services.
Terminal Services support is not included in Windows Server 2008 Web Edition, although you can use the Remote Desktop Connection applet in the Control Panel to remotely administer the server.
10.1. The Remote Desktop Protocol
The Remote Desktop Protocol (RDP) is the protocol that drives Terminal Services. RDP is based on and is an extension of the T.120 protocol family of standards. It is a multichannel-capable protocol that allows for separate virtual channels for carrying device communication and presentation data from the server, as well as encrypted client mouse and keyboard data. RDP provides a very extensible base from which to build many additional capabilities, supporting up to 64,000 separate channels for data transmission as well as provisions for multipoint transmission. Figure 10-1 illustrates the structure of RDP and its functionality from a high-level perspective.
Figure 10-1. An overview of RDP
The new Terminal Services client software included in Windows Server 2008 (Remote Desktop Connection, or RDC) uses RDP 6.0, and many local resources are available within the remote session: the client drives, smart cards, audio card, serial ports, printers (including network printers), and clipboard. Additionally, you can select color depth from 256 colors (8-bit) to True Color (24-bit) and resolution from 640 x 480 up to 1,600 x 1,200. RDP basically takes instructions from a terminal server host machine on screen images and draws them onto a client's screen, refreshing that image about 20 times every second if there's activity on the client side. (To save bandwidth, if no activity is detected on the client side, it cuts the refresh rate in half.) It then notes any keyboard and mouse activity (among other things) and relays those signals to the terminal server host machine for processing. This two-way exchange of information is wrapped into what's called a session, which consists of the programs running on the host machine and the information being sent over RDP between the terminal server and the client machine. Here's what's new in Remote Desktop Connection 6.0:
Network level authentication (NLA) and server authentication
NLA is a new way for the RDC client to authenticate the user, client machine, and server against one another, thus removing the authentication transaction from the RDP session itself. Server authentication uses Transport Layer Security, or TLS, to match a server's true identity against the one it's projecting. This way clients can be sure that they're indeed talking to a real server and not a malconfigured, "owned" machine that may be posing as the real server in order to receive sensitive data.
Display improvements
You'll find that now, RDP sessions can support a maximum resolution of 4,096 x 2,048 with additional support for widescreen monitor scenarios. You can also span a session across multiple monitors if you have the hardware installed, and on all of these sessions you can get 32-bit full color depth and ClearType font smoothing.
Display data prioritization
This allows RDP to give more priority to data used to draw your RDP display during bandwidth-intensive operations like transferring large files or printing a big document, eliminating the herky-jerky user experience found in previous versions of RDP while carrying out these operations. By default, 70% of available bandwidth is used for display data and 30% for the remainder of session data. You can change this in the Registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TermDD; the two values are FlowControlDisplayBandwidth for the display data and FlowControlChannelBandwidth for everything else.
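Here is an added example, not from the book, that reads and changes the two TermDD values just described from PowerShell rather than through the Registry editor. It assumes PowerShell 2.0 or later on the terminal server and an elevated session; the value names and the 70/30 default are the ones Windows uses, while the 80/20 split at the end is only an illustration.

```powershell
# Added example (not from the book): inspect and adjust RDP display data
# prioritization on a Windows Server 2008 terminal server.
# Assumes PowerShell 2.0 or later and an elevated (administrator) session.
$termDd = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'

function Get-RdpFlowControl {
    # Returns the current display/channel split. A value that is absent from
    # the key means the built-in default (70 display / 30 channel) is in effect.
    $props   = Get-ItemProperty -Path $termDd
    $display = 70
    $channel = 30
    if ($props.PSObject.Properties['FlowControlDisplayBandwidth']) {
        $display = $props.FlowControlDisplayBandwidth
    }
    if ($props.PSObject.Properties['FlowControlChannelBandwidth']) {
        $channel = $props.FlowControlChannelBandwidth
    }
    New-Object PSObject -Property @{ DisplayPercent = $display; ChannelPercent = $channel }
}

function Set-RdpFlowControl {
    param([int]$DisplayPercent, [int]$ChannelPercent)
    # The driver treats the two numbers as relative weights; keeping them
    # summing to 100 makes them read as the percentages the text describes.
    if ($DisplayPercent -lt 1 -or $ChannelPercent -lt 1 -or
        ($DisplayPercent + $ChannelPercent) -ne 100) {
        throw 'DisplayPercent and ChannelPercent must be positive and sum to 100'
    }
    # Set-ItemProperty creates the REG_DWORD values if they do not exist yet.
    Set-ItemProperty -Path $termDd -Name FlowControlDisplayBandwidth -Value $DisplayPercent -Type DWord
    Set-ItemProperty -Path $termDd -Name FlowControlChannelBandwidth -Value $ChannelPercent -Type DWord
    # TermDD is a kernel-mode driver, so the new weights apply after a restart.
}

# Show the split currently in force, then favour display updates a little
# more on a link that also carries large print jobs (illustrative values).
Get-RdpFlowControl
Set-RdpFlowControl -DisplayPercent 80 -ChannelPercent 20
```

Reading the values back before and after a change is worth the extra function: a missing value and an explicit 70 behave identically, and the Registry shows nothing at all until someone has written the values once.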
Desktop experience and composition
This feature allows users to get the look and feel of a regular Windows Vista host, including various desktop themes and access to Windows Media Player, that were unavailable under previous versions of RDP and Terminal Services. You can access this feature and enable it by using the Add Features selection in Server Manager; the correct entry to select is "Desktop Experience." This is entirely server-based, so no client configuration is necessary.
Plug and Play Device Redirection Framework
This feature allows you to redirect PnP device interaction from the local RDP client to the server-based session, so the user sees the same seamless user interface for these devices regardless of whether they run locally or remotely. PnP devices in a remote session are limited in scope so that they are only accessible to that session.
Terminal Services EasyPrint
TS EasyPrint removes the need to install printer drivers on the TS host in the vast majority of cases by taking advantage of the new XPS print path that was introduced in Windows Vista and Windows Server 2008, acting as a proxy and redirecting all calls for the user interface to the print driver installed on the client. Users printing from within a session will see printing progress as they expect and can even adjust printer properties as necessary.
Single Sign-On
New to Windows Server 2008, users that are logged on to a domain can gain access to a domain-joined Terminal Server machine without needing to enter credentials a second time. This feature, however, only works with the Windows Vista-Windows Server 2008 client-server duo.
10.2. Adding the Terminal Server Role
You can use the Server Manager, as with other roles in Windows Server 2008, to install Terminal Services. When you use Server Manager to install Terminal Services, you can choose from five options:
Terminal Server
This installs the core of TS functionality, including the ability to share just one application with TS RemoteApp.
TS Licensing
Deploys a TS Licensing Server to manage client access licenses for TS clients.
TS Session Broker
Installs software that allows sessions to be spread across a farm of TS hosts.
TS Gateway
Installs the feature that allows TS clients to use HTTPS to begin, use, and end sessions over the Internet without needing to establish a VPN connection. When you choose this role, you will be prompted to install IIS and Network Policy and Access Services if you haven't already.
TS Web Access
Creates a "portal"-like environment where clients can choose applications and start TS sessions for those applications from within a web browser. When you choose this role, you will be prompted to install IIS if you haven't already.
The permissions to connect to a terminal server are simple to understand. Any user who wants to connect via Terminal Services must be a member of the Remote Desktop Users group on the computer she is connecting to. You can alter the access permissions, time-of-day requirements, and other properties for this group through the Active Directory Users and Computers snap-in as usual. (See Chapter 5 for more information on managing users and groups within Active Directory.) If your machine is not participating in an Active Directory environment, user accounts must be members of the Administrators group of the machine to which they're trying to connect. You should install Terminal Services on an NTFS-formatted partition to take advantage of the superior security features of that filesystem.
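The same role installation and the two checks just mentioned (an NTFS volume, and a known membership of Remote Desktop Users) can be scripted. The following is an added example, not from the book: it uses ServerManagerCmd.exe, the command-line counterpart of Server Manager on Windows Server 2008, whose role service identifier for the core Terminal Server role is TS-Terminal-Server, and the ADSI WinNT provider to list the local group. It assumes PowerShell 2.0 or later and an elevated session.

```powershell
# Added example (not from the book). Assumes Windows Server 2008 with
# ServerManagerCmd.exe, PowerShell 2.0 or later, and an elevated session.

function Test-NtfsVolume {
    param([string]$DriveLetter = $env:SystemDrive)
    # Terminal Services belongs on NTFS so that per-user permissions can be
    # applied; FAT volumes carry no ACLs at all.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    return ($disk -ne $null -and $disk.FileSystem -eq 'NTFS')
}

function Get-RemoteDesktopUsers {
    # Enumerates the local "Remote Desktop Users" group through the WinNT
    # provider. Every entry returned may open a Terminal Services session to
    # this computer, so the list should be reviewed after the role goes in.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

# 1. Refuse to continue if the system volume is not NTFS.
if (-not (Test-NtfsVolume)) {
    throw "$env:SystemDrive is not an NTFS volume; reformat or pick another partition first"
}

# 2. Install the core Terminal Server role service. The other four options
#    from the list above use the IDs TS-Licensing, TS-Session-Broker,
#    TS-Gateway and TS-Web-Access. A restart is normally required afterwards.
& ServerManagerCmd.exe -install TS-Terminal-Server

# 3. Print who is currently allowed to connect.
Get-RemoteDesktopUsers
```

Running the group listing before and after deployment gives a baseline: on a freshly installed server the group is empty, so any member that appears later was added by someone and should be accounted for.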
10.3. Enabling Remote Desktop
As I mentioned earlier in this chapter, Remote Desktop mode is a special Terminal Services feature that enables you to open an RDP session as a single user to a specific machine and use its interface as though you were directly in front of it. This is useful if you're not looking to host applications for multiuser access but simply want a way to avoid walking to the server closet. Windows Server 2008 comes installed with everything you need to use RDP to administer a server remotely, but as a security precaution, the service is turned off. It's easy to turn it back on, and it follows the same pattern that you use to turn on Remote Desktop in Windows XP. To turn it back on, follow these steps:
1. Open the System applet in the Control Panel.
2. Click the Remote settings link, and acknowledge the UAC prompt if necessary.
3. Under the section at the bottom called Remote Desktop, select the "Allow connections from computers running any version of Remote Desktop (less secure)" radio button for backward compatibility with all versions of the RDP client, or "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" to limit connections to RDP 6.0 clients.
4. Click Apply, and then click OK.
Windows will display a dialog box that reminds you that it disables RDP access to accounts that have no password. This is to protect your computer from being invaded by Internet crackers. If you're using a firewall, you might also want to ensure that port 3389 is open and port forwarding is configured if required by your router/firewall. Windows will remind you of this, too. Once Remote Desktop mode is enabled, up to two administrative users can connect to the server simultaneously and use it as though they were sitting in front of it. The remainder of this chapter will focus on Terminal Services mode, where more users can connect and use the server as a true application server.
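The four Control Panel steps above, together with the firewall and blank-password reminders, can be carried out and verified from PowerShell. This is an added example and not the book's own procedure; it assumes PowerShell 2.0 or later and an elevated session on Windows Server 2008. The registry values it writes (fDenyTSConnections, UserAuthentication, PortNumber) are the ones the System applet and Terminal Services Configuration maintain, and "Remote Desktop" is the name of the built-in Windows Firewall rule group.

```powershell
# Added example (not from the book): enable Remote Desktop, require Network
# Level Authentication, open the firewall, and report the resulting state.
# Assumes PowerShell 2.0 or later and an elevated session on Server 2008.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Enable-RemoteDesktop {
    param([switch]$RequireNla)
    # fDenyTSConnections = 0 corresponds to either "Allow connections" button.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord
    # UserAuthentication = 1 is the "(more secure)" choice: only clients that
    # support Network Level Authentication (RDP 6.0) may connect.
    $nla = 0
    if ($RequireNla) { $nla = 1 }
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value $nla -Type DWord
    # Enable the inbound firewall rule group that the System applet enables.
    & netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
}

function Get-RemoteDesktopStatus {
    # Returns the settings above plus the listener port, which stays 3389
    # unless it was changed in Terminal Services Configuration.
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpTcp
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Object PSObject -Property @{
        Enabled     = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($rdp.UserAuthentication -eq 1)
        Port        = $rdp.PortNumber
        # LimitBlankPasswordUse = 1 (the default) is what blocks network
        # logons for accounts with no password, the first reminder Windows shows.
        BlankPasswordsBlocked = ($lsa.LimitBlankPasswordUse -eq 1)
    }
}

Enable-RemoteDesktop -RequireNla
Get-RemoteDesktopStatus
```

The status function is the useful half: after a change made through the GUI, or by someone else, it shows in one line whether the server is reachable, whether pre-session authentication is demanded, which port the listener is on, and whether the blank-password protection is still in place.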
10.4. On the User's Side
In this section, I'll take a look at interacting with Terminal Services from the client's perspective.
10.4.1. Using the RDP Client
Windows XP and Windows Vista come with a built-in client that speaks RDP, called Remote Desktop Connection. You can find it by selecting Start → All Programs → Accessories → Communications → Remote Desktop Connection. Executing the program brings up a screen such as the one in Figure 10-2.
Figure 10-2. The basic Remote Desktop Connection screen
Enter a server name to establish a basic, no-frills connection to a machine. If you want to customize the environment you're working in, click the Options button at the lower right of the Remote Desktop Connection box. You're presented with a box with five tabs: General, Display, Local Resources, Programs, and Experience. Let's walk through each tab:
General
On the General tab, you can choose the Terminal Services machine to log on to. You also can save the current settings to an RDP file, which you can open later, by clicking the Save As button, or you can open an existing RDP settings file by clicking Open.
Display
On the Display tab, you can select the resolution (up to full screen at your current resolution) in which the session window will be displayed. You also can choose your color depth. You must disconnect and then reconnect before changes to these settings will take effect. Finally, check the option to display the connection bar—a small panel centered at the top of the session window—during full-screen sessions. The connection bar provides an easy way to minimize, maximize, and disconnect from a session.
Local Resources
On the Local Resources tab, you can choose to redirect sound to the client machine, to not play sounds at all, or to play them on the remote machine (to the chuckle of some coworkers, perhaps). You also can set the application of standard Windows keyboard shortcuts—such as Alt-Tab, Ctrl-Esc, Ctrl-Alt-Del, and the like—to the local computer, the remote computer, or the remote computer only if the display is set to full-screen mode. Finally, you can choose whether to make disk drives, printers, and serial ports on the client machine available to the Terminal Services session.
Programs
On the Programs tab, you can select one specific executable that will run automatically upon connection. This means that as soon as the user closes the program, the connection is terminated; there is no shell access to the session. You might choose to lock down Human Resources users by specifying that they can run only a PeopleSoft application; if they close PeopleSoft, their connection to the Terminal Services host machine is closed. You also can specify a working directory that the Open and Save dialog boxes will default to while the program is running.
Experience
On the Experience tab, you can adjust Microsoft's guesses as to your link quality and how bandwidth is managed during the session. You can choose your appropriate connection speed, and you can explicitly allow or deny the following to be transmitted: the desktop background, font smoothing, desktop composition, the contents of windows while they're being moved, animations of windows and menus (the scroll and fade effects), Windows desktop themes, and the caching of bitmaps.
Advanced
On the Advanced tab, you can adjust the server authentication level so that you are warned if server authentication fails, you can connect no matter what the results of the authentication tests are, or you are not able to connect if authentication fails. You can also configure TS Gateway settings that will allow you to start sessions to hosts that reside behind firewalls.
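Every choice on those tabs ends up as a key:type:value line in the .rdp file that the General tab's Save As button writes, so a locked-down connection can be produced as a file and handed to users instead of being clicked through on each PC. The following is an added example, not from the book: a PowerShell function that writes such a file, grouping the keys by the tab they belong to. The key names are the ones Remote Desktop Connection itself stores; the server, gateway and program names are placeholders. It assumes PowerShell 2.0 or later on the client.

```powershell
# Added example (not from the book): build an .rdp file from the settings
# discussed tab by tab above. Host names and paths are placeholders.
function New-RdpFile {
    param(
        [string]$Path,
        [string]$Server,
        [string]$Gateway = '',
        [string]$StartProgram = '',
        [string]$WorkDir = ''
    )
    $lines = @(
        # General tab: target machine; always ask for credentials
        "full address:s:$Server",
        'prompt for credentials:i:1',
        # Display tab: 2 = full screen, 24-bit colour, show the connection bar
        'screen mode id:i:2',
        'session bpp:i:24',
        'displayconnectionbar:i:1',
        # Local Resources tab: sound on the client (0), Windows shortcuts to
        # the remote session only in full screen (2), and no redirection of
        # drives, printers, ports, smart cards or clipboard: a compromised
        # session then has no channel back into the client's local resources.
        'audiomode:i:0',
        'keyboardhook:i:2',
        'redirectdrives:i:0',
        'redirectprinters:i:0',
        'redirectcomports:i:0',
        'redirectsmartcards:i:0',
        'redirectclipboard:i:0',
        # Experience tab: trim the bandwidth-hungry extras
        'disable wallpaper:i:1',
        'disable full window drag:i:1',
        'disable menu anims:i:1',
        'disable themes:i:1',
        'bitmapcachepersistenable:i:1',
        # Advanced tab: 1 = do not connect if server authentication fails
        # (0 = connect and do not warn, 2 = warn me)
        'authentication level:i:1'
    )
    # Programs tab: one executable; when it exits the session ends
    if ($StartProgram) {
        $lines += "alternate shell:s:$StartProgram"
        $lines += "shell working directory:s:$WorkDir"
    }
    # Advanced tab, TS Gateway: use the named gateway for every connection
    if ($Gateway) {
        $lines += "gatewayhostname:s:$Gateway"
        $lines += 'gatewayusagemethod:i:1'
        $lines += 'gatewayprofileusagemethod:i:1'
    }
    # Remote Desktop Connection saves its own files as Unicode text
    $lines | Set-Content -Path $Path -Encoding Unicode
}

New-RdpFile -Path "$env:USERPROFILE\hr-app.rdp" -Server 'ts01.example.com' `
    -Gateway 'tsgw.example.com' `
    -StartProgram 'C:\Program Files\PeopleSoft\ps.exe' -WorkDir 'C:\Users\Public'
# mstsc "$env:USERPROFILE\hr-app.rdp" then opens the session with these settings
```

Two of the lines do the security work: authentication level 1 turns the Advanced tab's "do not connect" choice into the default for everyone who uses the file, and the redirect* lines make the Local Resources decision for them, so the drive, port and clipboard channels never exist in the session. Because an .rdp file is plain text, the same keys are easy to audit in files you receive from others.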
10.4.2. Configuring a User's Environment
A few settings inside a user's Active Directory account can affect the behavior of a Terminal Services session. Open Active Directory Users and Computers and select a sample user from your directory. Right-click the user and select Properties. When the user's settings are opened, click the Sessions tab. You will see a box like the one in Figure 10-3.
Figure 10-3. User properties in Active Directory for Terminal Services
Using the Sessions tab, you can configure Terminal Services' behavior when a user's session becomes inactive for a certain period of time. You can set the server to automatically log off a session that is disconnected after a specified interval of time. You can also set a time limit on active sessions and idle sessions, and then configure the behavior when that limit is reached. (This is great if you have a central machine for checking email that's located in a kiosk or other publicly accessible location.) Finally, on this tab you can specify that reconnection to an existing session can occur either from any computer, or only from the computer that originated the session as an added security measure.
On the Environment tab, you can make many of the same modifications as on the Programs tab of Remote Desktop Connection. You can select one specific executable that will run automatically and exclusively upon connection. You can also specify a working directory that the Open and Save dialog boxes will default to while the program is running. Plus, you can map devices from the client machine to the Terminal Services session by default inside the user's properties, which will carry forward into any future sessions.
On the Remote Control tab, you can specify whether an administrator can remotely control or observe a user's session. You also can configure whether such an action requires a user's permission. Plus, you can delineate how much control over the session is allowed—can the administrator just view the session, or can he also interact with the session?
On the Terminal Services Profile tab, you can enter a user profile to be used when connecting to a session. If you want to use a mandatory profile, be sure to enumerate the full network path down to the individual profile folder for that user. You also can determine whether a drive is mapped to a user's home directory, which drive letter to use, and which network drive to map to. Finally, you can decide whether a specific user should be allowed to log in to a terminal server. This isn't the best place for this option, in my opinion, but we have a while to wait (until Longhorn Server is released) for this to be changed.
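The four tabs just described are stored on the user object and can be set without the GUI, which matters when the same kiosk policy has to be applied to dozens of accounts consistently. The following is an added example, not from the book: it applies a kiosk-style configuration (short disconnect and idle limits, reconnection only from the originating client, one program and no client drives, remote control only with the user's consent, a mandatory profile) through ADSI. The property names and numeric codes are those of the IADsTSUserEx interface that Active Directory Users and Computers itself uses; the distinguished name, file server names and program path are placeholders. It assumes PowerShell 2.0 or later run by an account allowed to edit the user.

```powershell
# Added example (not from the book): set the Sessions, Environment, Remote
# Control and Terminal Services Profile tabs on an AD user via ADSI.
# Names and codes are from the IADsTSUserEx interface; DN and paths are
# placeholders. Assumes PowerShell 2.0 or later with rights on the account.
function Set-KioskTsSettings {
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    # Sessions tab (all times are in minutes)
    $user.psbase.InvokeSet('MaxDisconnectionTime', 15)   # log off a disconnected session after 15 min
    $user.psbase.InvokeSet('MaxIdleTime', 30)            # idle limit
    $user.psbase.InvokeSet('MaxConnectionTime', 480)     # active-session limit
    $user.psbase.InvokeSet('BrokenConnectionAction', 1)  # 1 = end the session at the limit, 0 = just disconnect
    $user.psbase.InvokeSet('ReconnectionAction', 1)      # 1 = only from the originating client, 0 = from any client
    # Environment tab: a single program, its working directory, no client drives
    $user.psbase.InvokeSet('TerminalServicesInitialProgram', 'C:\Program Files\Mail\mail.exe')
    $user.psbase.InvokeSet('TerminalServicesWorkDirectory', 'C:\Users\Public')
    $user.psbase.InvokeSet('ConnectClientDrivesAtLogon', 0)
    # Remote Control tab: 1 = interact with the session, but ask the user first
    # (0 = disabled, 2 = interact without asking, 3 = view only after asking,
    #  4 = view only without asking)
    $user.psbase.InvokeSet('EnableRemoteControl', 1)
    # Terminal Services Profile tab: mandatory profile, home drive, and permission to log on
    $user.psbase.InvokeSet('TerminalServicesProfilePath', '\\fs01\tsprofiles\kiosk')
    $user.psbase.InvokeSet('TerminalServicesHomeDrive', 'H:')
    $user.psbase.InvokeSet('TerminalServicesHomeDirectory', '\\fs01\home\kiosk')
    $user.psbase.InvokeSet('AllowLogon', 1)
    $user.SetInfo()
}

function Get-TsUserSettings {
    # Reads the same properties back so a change can be verified or audited.
    param([string]$UserDn)
    $user  = [ADSI]"LDAP://$UserDn"
    $names = 'AllowLogon', 'MaxDisconnectionTime', 'MaxIdleTime', 'MaxConnectionTime',
             'BrokenConnectionAction', 'ReconnectionAction', 'EnableRemoteControl',
             'ConnectClientDrivesAtLogon', 'TerminalServicesInitialProgram',
             'TerminalServicesProfilePath'
    $result = @{}
    foreach ($n in $names) { $result[$n] = $user.psbase.InvokeGet($n) }
    $result
}

$dn = 'CN=Kiosk User,OU=Kiosks,DC=example,DC=com'
Set-KioskTsSettings -UserDn $dn
Get-TsUserSettings  -UserDn $dn
```

The read-back function is also the quickest way to audit the "Allow logon to terminal server" box across many users: loop it over a list of distinguished names and look at AllowLogon, rather than opening each account's property sheet.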
10.4.3. Alternative RDP Clients
You might wish to access TS sessions hosted on Windows 2000 Server and Windows Server 2008 machines from computers that run on alternative platforms, such as Linux or Mac OS X. In this section, I've compiled a brief list of available, reasonably robust RDP client utilities that are available for operating systems other than Windows:
rdesktop
rdesktop is an open RDP client, but unlike Citrix ICA, requires no server extensions. rdesktop currently runs on most Unix-based platforms with the X Window System. (This includes most commercially available Linux systems.) As of this writing, the latest stable version of rdesktop is 1.4.0. You can download rdesktop from http://www.rdesktop.org.
Remote Desktop Client for Mac
Microsoft itself has released the Remote Desktop Client for Mac, which allows users of Mac OS X to open a TS session to their Windows XP or Windows Server 2003 machines from the comfort of their own environment. Download the client from Microsoft's Mac-oriented web site, located at http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=remotedesktopclient.
10.5. Terminal Services Administration
You can administer a Terminal Services machine from three points:
The Terminal Services Manager console within Server Manager
You can run this console to display and control Terminal Services connections on a network.
The Terminal Services Configuration console within Server Manager
This console adjusts the individual Terminal Services configurations on each TS host.
The Terminal Services Licensing console
This console manages licensing across all Terminal Services machines in a domain.
At press time, TS licensing policies were still being developed and thus I will not be covering licensing. Instead, in this section, I'll cover the basic administrative functions that the Terminal Services Manager applet can perform, and then I will focus on some common tasks using the Terminal Services Configuration applet.
10.5.1. Terminal Services Manager
Terminal Services Manager (TSM) is the focal point where all connections between client computers and Terminal Services machines come into view. Think of it as "mission control."
TSM's full functionality only works when you run the console from a machine connected to Terminal Services through a TS session. Running TSM locally on the machine running Terminal Services will limit the functionality available to you.
Figure 10-4 shows the basic TSM layout.
Figure 10-4. The default Terminal Services Manager window
By default, TSM shows all Terminal Services servers in your domain. You can connect to all of them at once if you so choose, but TSM looks at only one server at a time by default. To find servers, use the following procedures:
To find all Terminal Services servers in your domain, in the right pane click Refresh.
To connect to any particular server, right-click its name in any list and select Connect.
Using TSM, you can perform a variety of network- and domain-wide session management functions. You can monitor a session, disconnect it, log it off, send messages to users, and take control of a session, among many other things.
1 0 .5 .1 .1 . Con n e ct in g t o a se ssion Connect ing t o anot her session on a server is a useful t ool for an adm inist rat or working rem ot ely, for exam ple, t o fix a problem wit h a user's configurat ion in Microsoft Office while t he user is at lunch. You always can connect t o any act ive session or t o a session t hat is disconnect ed. You can also connect t o a session t hat is logged on inside your current securit y cont ext ( m eaning basically your usernam e) or, if you have t he appropriat e perm issions ( Full Cont rol or User Access perm issions over Term inal Services sessions) , you can connect t o any session. To connect t o a session, follow t hese st eps:
1 . Right - click t he appropriat e session in t he m iddle pane of TSM on t he Sessions t ab. Alt ernat ively, t o connect t o a session run by a user, right - click t he appropriat e user's nam e on t he Users t ab. Choose Connect in eit her case.
2 . You are prom pt ed for a password if needed. Ot herwise, cont rol is swit ched t o t he new session, and t he act ive session is disconnect ed.
10.5.1.2. Disconnecting a session
A session that is disconnected is unique, in that it continues to run on the server, but the actual network link between the client and the Terminal Services machine is severed. Using a disconnected session, a user can return to a previous session at any time by simply re-establishing the connection, alleviating the need for either logging off or logging on. The catch is, of course, that server resources are finite, and if all users leave their sessions disconnected, everybody's copy of Outlook is still receiving mail, and everyone's PowerPoint presentations are still open to be edited. But disconnecting a session is still a handy way to clear your screen to take off to lunch, knowing that when you come back your desktop will be as you left it. It's sometimes useful to disconnect a session when Remote Desktop fails to pick up your old connection. A user can disconnect any session of his own, and an administrator can disconnect any session over which he has Full Control rights. To disconnect a session, follow these steps:
1. Right-click the appropriate session and choose Disconnect.
2. You are prompted to confirm your choice. Click OK, and the session will be disconnected.
You can select multiple sessions at a time in the right pane by pressing and holding the Ctrl key and clicking each session that you want to disconnect.
10.5.1.3. Logging off a session
Logging off a session ends that particular user's session on a host, thereby making any RAM and CPU resources that the particular session was using available to other users. Users must then log on the next time they connect to the Terminal Services server. A user can log off any session of her own, and an administrator can log off any session over which she has Full Control rights. To log off a session, follow these steps:
1. Right-click the appropriate session in the right pane of TSM, and choose Log Off.
2. You are prompted to confirm your choice. Click OK, and the session will be disconnected.
Keep in mind that forcibly logging off users will result in data loss for those users, so always make them aware of any automatic logoffs before they happen. You also can log off a session by issuing the logoff command, followed by the session ID or name (which you can find inside TSM), at the terminal server's command prompt. To log off session number 8, for example, use the following command:
logoff 8
10.5.1.4. Resetting a session
When you reset a session, it forcibly terminates that session: programs are closed, open data is lost, and memory that those programs were occupying is immediately returned to the Terminal Services host. A user can reset any session of his own, and an administrator can reset any session over which he has Full Control rights. To reset a session, follow these steps:
1. Right-click the appropriate session and choose Reset.
2. You are prompted to confirm your choice. Click OK, and the session will be reset.
You can select multiple sessions at a time in the right pane by pressing and holding the Ctrl key and clicking each session that you want to reset. You also can reset a session by issuing the reset command, followed by the session ID or name, at the terminal server's command prompt. To reset session number 8, for example, use the following command:
reset session 8
10.5.1.5. Viewing session information
Using TSM, you can get a wealth of detail about any particular session on a Terminal Services host machine, including the following:
Originating computer
Running processes
Session image resolution and color depth
Data encryption level
To view this information, find the session in the left pane of TSM, and select it. Then, to view currently running programs and services, click the Processes tab. You'll see a listing much like that found in the Windows Task Manager. On the Information tab in the same pane, you find a listing of the username, client name, data encryption level, originating computer, and more. But let's say you want information on all sessions, including their processes and logged-on users, for a particular Terminal Services machine, domain, or even an entire network. This is possible with TSM: simply select the machine, domain, or network in the left pane of TSM and use the Users, Sessions, or Processes tabs in the right pane to control the display of information. Figure 10-5 shows this in action.
Figure 10-5. Viewing information on multiple sessions in TSM
You also can view this information from the command line with the query process, query session, query termserver, and query user commands. These simple commands display a table or list of the desired information. Here is example output from the four commands:

C:\>query process
 USERNAME              SESSIONNAME         ID    PID  IMAGE
>administrator         rdp-tcp#10           1   4900  rdpclip.exe
>administrator         rdp-tcp#10           1   4980  explorer.exe
>administrator         rdp-tcp#10           1   3488  ducontrol.exe
>administrator         rdp-tcp#10           1   5780  ctfmon.exe
>administrator         rdp-tcp#10           1   3308  sqlmangr.exe
>administrator         rdp-tcp#10           1   5056  cmd.exe
>administrator         rdp-tcp#10           1   3088  query.exe
>administrator         rdp-tcp#10           1   5844  qprocess.exe

C:\>query session
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console                                     0  Conn    wdcon
 rdp-tcp                                 65536  Listen  rdpwd
>rdp-tcp#10        administrator             1  Active  rdpwd

C:\>query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON
>administrator         rdp-tcp#10          1  Active          .  7/15/2004 5:49 PM

C:\>query termserver
NETWORK                NETWORK
mercury                hasselltech.local
10.5.1.6. Sending a message to a user
Sometimes it's necessary to send a message to all users logged on to a specific host, whether to mention that there might be downtime that evening, or that a virus or worm (God forbid) has invaded the Terminal Services machine and it needs to be shut down immediately. To send a message to a user, follow these steps:
1. In the middle pane of TSM, right-click either the sessions or users to whom you want to send a message, and select Send Message.
2. In the Send Message dialog box, enter the text for your message. If you want to use separate lines, press Ctrl-Enter to begin a new line.
3. Click OK when you've finished entering the message.
A notification will be sent to the appropriate people. A sample is shown in Figure 10-6.
Figure 10-6. User messaging with Terminal Services
You also can send a message via the command line, which might be helpful if you are planning on scripting a message transmission that is triggered by a certain event. The msg command is used to send these messages; some examples are presented here:
To send a message to user lmjohnson on server WTS1:
msg lmjohnson /server:WTS1 message
To send a message to a particular session name:
msg RDP-tcp#4 message
To send a message that will display on a user's screen for 30 seconds:
msg lmjohnson /server:WTS1 /time:30 message
For more information on the switches and arguments available with the msg command, type msg /? at any command prompt.
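The query user, msg, and logoff commands from the preceding sections lend themselves to a scripted housekeeping job: find sessions that are disconnected or idle past a threshold, warn the owners, and then log them off so their RAM and CPU go back to the pool. The following PowerShell script is an added example, not code from the book; it assumes the query user column layout printed earlier in this chapter, a server named WTS1, and the constructed sample output embedded at the bottom so the parser can be exercised without touching a live server.

```powershell
# Added example (not from the book): reclaim Terminal Services resources by
# finding sessions that are disconnected or idle past a threshold, warning the
# user with msg, and then ending the session with logoff, the same command-line
# tools the chapter describes.
# Assumptions: the column layout of "query user" as printed in the chapter, a
# server named WTS1, and the constructed sample output at the bottom.

function ConvertTo-IdleMinutes {
    # query user prints idle time as ".", "45", "1:23" (h:mm) or "2+01:10" (days+h:mm).
    param([string]$Idle)
    if ($Idle -eq '.' -or $Idle -eq 'none') { return 0 }
    $days = 0
    if ($Idle -match '^(\d+)\+(.+)$') { $days = [int]$Matches[1]; $Idle = $Matches[2] }
    if ($Idle -match '^(\d+):(\d+)$') {
        return $days * 1440 + [int]$Matches[1] * 60 + [int]$Matches[2]
    }
    return $days * 1440 + [int]$Idle
}

function ConvertFrom-QueryUser {
    # Turns the text table from "query user" into objects with typed fields.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*USERNAME' -or $line.Trim() -eq '') { continue }
        # ">" marks the session the command itself was run from; never log that one off.
        $isOwn = $line -match '^\s*>'
        $fields = ($line -replace '^\s*>?\s*', '') -split '\s{2,}'
        # A disconnected session prints no SESSIONNAME, so its row has one field fewer.
        if ($fields.Count -eq 5) { $fields = @($fields[0], '') + $fields[1..4] }
        New-Object PSObject -Property @{
            UserName    = $fields[0]
            SessionName = $fields[1]
            Id          = [int]$fields[2]
            State       = $fields[3]
            IdleMinutes = ConvertTo-IdleMinutes $fields[4]
            LogonTime   = $fields[5]
            IsOwn       = $isOwn
        }
    }
}

function Clear-StaleTsSession {
    param(
        [string]$Server,
        [int]$IdleLimitMinutes = 120,
        [string[]]$SampleOutput,   # constructed output for offline testing
        [switch]$DryRun            # print the commands instead of running them
    )
    $lines = if ($SampleOutput) { $SampleOutput } else { query user "/server:$Server" }
    $stale = ConvertFrom-QueryUser $lines |
        Where-Object { -not $_.IsOwn -and ($_.State -eq 'Disc' -or $_.IdleMinutes -ge $IdleLimitMinutes) }

    # Warn everyone first (the chapter's advice: tell users before automatic logoffs).
    foreach ($s in $stale) {
        $note = "Your session has been idle $($s.IdleMinutes) minutes and will be logged off in 5 minutes. Save your work."
        if ($DryRun) { "WOULD RUN: msg $($s.UserName) /server:$Server /time:30 `"$note`"" }
        else         { msg $s.UserName "/server:$Server" /time:30 $note }
    }
    if (-not $DryRun -and $stale) { Start-Sleep -Seconds 300 }
    # Then log the stale sessions off by ID, as "logoff 8" does earlier in the chapter.
    foreach ($s in $stale) {
        if ($DryRun) { "WOULD RUN: logoff $($s.Id) /server:$Server" }
        else         { logoff $s.Id "/server:$Server" }
    }
    $stale
}

# Constructed sample output, in the layout shown earlier in the chapter.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>administrator         rdp-tcp#10          1  Active          .  7/15/2004 5:49 PM',
    ' lmjohnson             rdp-tcp#4           2  Active       3:15  7/15/2004 8:02 AM',
    ' bsmith                                    3  Disc      2+01:10  7/13/2004 9:30 AM'
)
Clear-StaleTsSession -Server WTS1 -SampleOutput $sample -DryRun
```

With the sample, lmjohnson (195 idle minutes) and bsmith (disconnected) are selected and the administrator's own session is skipped; drop -SampleOutput and -DryRun to run against a real server, where the script warns first and waits five minutes before issuing logoff, since a forced logoff discards unsaved work.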
10.5.1.7. Taking control of a session
Have you ever been on a troubleshooting call that was an intensely frustrating exercise in walking a user through a procedure in, say, Excel or Access? What if the user could watch you perform the actions on his screen, and what if you could show the user the steps without leaving your desk? If the user has a session on a Terminal Services machine, you as the administrator can take control of his session and have full access to whatever the user's screen displays. The user can watch whatever you do in his session, making the tool wonderful for quick problem solving. The user also can control his session at the same time, so both sides can interact.
This is exactly like the Remote Assistance feature, which is available in Windows XP, Windows Vista, and Windows Server 2003 and Server 2008 but recommended for use only with client computers running Windows XP. You shouldn't use Remote Assistance on servers for security reasons; rely on the Terminal Services remote control feature instead.
To take control of a particular session, follow these steps:
1. In the middle pane of TSM, right-click either the sessions or users from whom you want to take control, and select Remote Control.
2. The Remote Control dialog appears. Here, select the appropriate key to be pressed along with the Ctrl key to end a remote control session.
3. By default, when you select OK, the user is prompted inside his session with a box asking him to confirm your request to take over his session. The user must acknowledge this prompt before remote control can begin.
It's possible to turn off the aforementioned user confirmation requirement through the user's properties inside Active Directory Users and Computers. On the Remote Control tab, uncheck the "Require user's permission" checkbox, as shown in Figure 10-7.
Figure 10-7. Disabling the user notification requirement for remote control
Later in this chapter, I will discuss a way to turn this notification on and off on a per-server basis. You can also remotely control a user's session from the command line using the SHADOW command. You must know the session's name or identification number. For example, to connect to session 3 on the current server, issue the following command:
shadow 3
To connect to session 2 on server WTS2 and have the SHADOW utility tell you exactly what it does, issue the following command:
shadow 2 /server:WTS2 /v
10.5.2. Terminal Services Configuration
The Terminal Services Configuration applet provides a way to configure settings that are relevant to a specific server. When you open Terminal Services Configuration, you'll note that the middle pane of the console has two sections: Connections and Edit Settings. Let's focus on the Edit Settings section in this part of the chapter. You'll see that you are provided with either six or seven options in the Edit Settings section, depending on whether your terminal server machine is a member of a cluster. Here are the options and their intended purposes:
Delete temporary folders on exit
If this option is set to Yes, any temporary folders created by Windows will be deleted. If the option is set to No, all temporary folders will remain. The default is Yes.
Use temporary folders per session
If this option is set to Yes, each session will have its own set of temporary folders for its exclusive use. If this option is set to No, all sessions will use one set of server-based temporary folders. The default is Yes.
Restrict Each User to One Session
If this option is set to Yes, no user can log on more than once to a particular Terminal Services host machine. If this option is set to No, a user can log on multiple times to the same server. The default is Yes.
User logon mode
This option lets you allow all connections, allow just reconnections but prevent new logons, or allow reconnections but prohibit new logons until the server is restarted. This is useful for gradually downing servers for maintenance.
License server discovery mode
This option allows you to specify how license servers are used, whether Windows Server 2008 can automatically discover license servers, or whether you want to use specific license servers.
Terminal Services licensing mode
If this option is set to Per Device, Terminal Services CALs are given to each client computer that connects to the host. If this option is set to Per User, CALs are distributed to each user that connects to the host. The default is Per Device.
Member of farm in TS Session Broker
This option lets you join a session broker farm, participate in Session Broker load balancing, and use IP address redirection.
The following sections will take you through common administrative tasks using the Connections node inside Terminal Services Configuration.
10.5.2.1. Creating a new connection listener
Use the Terminal Services Configuration applet to create a new Terminal Services connection by following these steps:
1. Open the Terminal Services Configuration applet within Server Manager.
2. In the right pane, click Create New Connection.
3. The configuration wizard starts. Follow the prompts on the wizard to configure your connection.
Windows permits only one RDP-based connection per network card in the machine running Terminal Services. Usually, administrators find that the preconfigured connection created when Terminal Services is installed is really the only one they need. However, if you need more RDP connections, you'll need to install an additional network adapter for each connection needed.
10.5.2.2. Restricting Terminal Services connections
You can restrict the total number of RDP connections to any given server, which can be helpful if you have bandwidth problems on your network or your Terminal Services server machine has limited hardware resources. To restrict the total number of RDP connections to a server through the Terminal Services Configuration applet, follow these steps:
1. Open the Terminal Services Configuration applet within Server Manager.
2. In the middle pane, select the applicable connection, right-click it, and choose Properties.
3. Move to the Network Adapter tab and click Maximum Connections.
4. Enter the maximum number of sessions you want to connect to this server.
5. Click Apply to finish.
To do so using GP, which overrides and takes precedence over the settings specified in Terminal Services Configuration, follow these steps:
1. Open the Group Policy Object Editor snap-in.
2. Navigate through Computer Configuration → Administrative Templates → Windows Components in the left pane.
3. Select Terminal Services, and in the right pane, double-click the Limit Number of Connections setting.
4. Click Enabled.
5. Move to the "TS Maximum Connections allowed" box. In it, enter the maximum number of connections you want to allow, and then click OK.
You might want to restrict the number of Terminal Services sessions by server to improve performance and decrease load. This technique works especially well when you have a terminal server farm consisting of machines of various capabilities and configurations. You can adjust each server to the optimal number of connections to ensure a consistent response time across the farm for your users. RDP connections, by default, are configured to allow an unlimited number of sessions on each server.
10.5.2.3. Encryption levels
Terminal Services supports multiple levels of encryption to secure communications between the client and the server. To change these levels through Terminal Services Configuration, follow these steps:
1. Open the Terminal Services Configuration applet within Server Manager.
2. In the middle pane, select the applicable connection, right-click it, and choose Properties.
3. Navigate to the General tab, and select the encryption level that best suits your needs. (I provide a description of the levels shortly.)
You can also change the TS encryption level using Group Policy:
1. Open the Group Policy applet.
2. Navigate through Computer Configuration → Administrative Templates → Windows Components → Terminal Services.
3. Select Encryption and Security.
4. In the right pane, double-click the Set Client Connection Encryption Level setting, and then click Enabled.
5. In the Encryption Level list, click the desired security level.
6. Click OK to finish the procedure.
Use this guide to determine which security setting is best for your environment:
FIPS Compliant
Encrypts client-to-server and server-to-client communications strongly enough to be in accordance with the Federal Information Processing Standard (FIPS). This method uses Microsoft-developed cryptographic modules.
If you have already established FIPS encryption through a system cryptography policy object or through the Terminal Services Set Client Encryption Level option, you cannot change the encryption level through the Terminal Services Configuration applet or through a GPO.
High
Encrypts client-to-server and server-to-client communications using strong 128-bit encryption; useful only when the terminal server resides in an environment composed of 128-bit compliant clients only (i.e., one of the Windows Server 2008 operating systems). Other clients using noncompliant OSes will not be able to connect unless they download a separate Terminal Services client that supports high encryption from Microsoft's web site at http://www.microsoft.com/downloads/details.aspx?FamilyID=33AD53D89ABC-4E15-A78F-EB2AABAD74B5&displaylang=en.
Client Compatible
Encrypts client-to-server and server-to-client communications at the maximum possible level (key strength) supported on the client end. This option is best when the terminal server resides in a mixed client environment.
Low
Encrypts client-to-server communications only, using 56-bit encryption.
It's also important to note that the aforementioned GP procedure will work for local security policy configurations. However, if you have a domain environment and want to push this policy onto an existing domain or organizational unit, you need to connect to the domain controller using an account with administrator rights. Then you need to make the change through the Group Policy Management Console. Also be aware that at the Low level, data sent from the server to the client (and not vice versa) is not encrypted.
10.5.2.4. Remote control permissions
You can adjust how administrators will be able to "shadow" a Terminal Services session. You can restrict a user to viewing a session only, or allow him to have full control of the keyboard and mouse. To adjust these settings through Terminal Services Configuration, follow these steps:
1. Open the Terminal Services Configuration applet within Server Manager.
2. In the middle pane, select the applicable connection, right-click it, and choose Properties.
3. Navigate to the Remote Control tab.
4. Click "Use Remote Control with the Following Settings" to configure remote control for the connection. Or, to disallow remote control, click Do Not Allow Remote Control.
5. To display a message on the client asking permission to view or take part in the session, check the "Require user's permission" checkbox.
6. Under "Level of Control," click "View the Session" to specify that the user's session can be viewed only, or click "Interact with the Session" to specify that the user's session can be actively controlled with your keyboard and mouse.
7. Click OK to complete the procedure.
To do so using GP, follow these steps:
1. Open the Group Policy applet.
2. Navigate through Computer Configuration → Administrative Templates → Windows Components.
3. Select Terminal Services.
4. In the right hand pane, double-click the "Set Rules for Remote Control of Terminal Services User Sessions" setting, and then click Enabled.
5. In the Options box, click the desired remote control permissions as described previously. Or, to disallow remote control, click No Remote Control Allowed.
6. Click OK to complete the procedure.
You should thoroughly test any changes you make to GP settings before applying them to users or computers. Use the RSoP tool to test new policy settings and confirm that they will be applied as you intend. Chapter 6 contains detailed discussions and procedures for using this tool. The aforementioned GP procedure also will work for local system policies. If you're using an Active Directory-based domain, though, and you want to push this policy onto an existing domain or organizational unit, you need to connect to the domain controller using an account with administrator rights and then make the change through the Group Policy Management Console. Policies in effect are applied to, and therefore are in full force for, every client that connects to the terminal server.
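Because Group Policy overrides what Terminal Services Configuration writes for the listener, the setting you see in the applet is not always the one in force. The following PowerShell audit is an added example, not code from the book: for one listener it reads the connection limit (10.5.2.2), the minimum encryption level (10.5.2.3), and the remote control rule (10.5.2.4) from both the listener's own registry key and the policy key, reports which source won, and flags the combinations the chapter warns about (Low encryption, shadowing with no prompt to the user, no connection limit). The registry paths, value names, and numeric meanings are assumptions about Windows Server 2008 and should be confirmed on your build; the sample registry contents at the bottom are constructed so the script runs offline.

```powershell
# Added example (not from the book): audit a Terminal Services listener's
# connection limit, encryption level and remote control rules, the settings
# covered in 10.5.2.2 through 10.5.2.4. Each is read from the listener's own
# key (what TS Configuration writes) and from the Group Policy key, which takes
# precedence when present. Registry paths, value names and value meanings are
# assumed from Windows Server 2008 behaviour; confirm them on your build.

$ListenerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$EncryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$ShadowNames = @{
    0 = 'No remote control allowed'
    1 = 'Full control with user permission'
    2 = 'Full control without user permission'
    3 = 'View session with user permission'
    4 = 'View session without user permission'
}
$Unlimited = 4294967295   # 0xFFFFFFFF in MaxInstanceCount means no limit

function Read-RegValue {
    # Returns the named value, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-TsEffectiveSetting {
    # The policy value wins over the listener value, as the chapter notes for GP.
    param([string]$Listener, [string]$Name, [scriptblock]$Reader)
    $policy   = & $Reader $PolicyKey $Name
    $listener = & $Reader "$ListenerRoot\$Listener" $Name
    $src = if ($null -ne $policy) { 'Group Policy' } elseif ($null -ne $listener) { 'TS Configuration' } else { 'not set' }
    $val = if ($null -ne $policy) { $policy } else { $listener }
    New-Object PSObject -Property @{ Name = $Name; Value = $val; Source = $src }
}

function Test-TsListener {
    # Returns one finding string per setting that deserves attention.
    param([string]$Listener = 'RDP-Tcp', [scriptblock]$Reader = ${function:Read-RegValue})
    $findings = @()

    $max = Get-TsEffectiveSetting $Listener 'MaxInstanceCount' $Reader
    # A DWORD of 0xFFFFFFFF is read back by PowerShell as -1, so accept both forms.
    if ($null -eq $max.Value -or $max.Value -eq $Unlimited -or $max.Value -eq -1) {
        $findings += "MaxInstanceCount: unlimited ($($max.Source)); consider a per-server limit (10.5.2.2)."
    }

    $enc = Get-TsEffectiveSetting $Listener 'MinEncryptionLevel' $Reader
    $encName = if ($null -ne $enc.Value) { $EncryptionNames[[int]$enc.Value] } else { 'not set' }
    if ($null -ne $enc.Value -and $enc.Value -lt 3) {
        $findings += "MinEncryptionLevel: $encName ($($enc.Source)); Low leaves server-to-client data unencrypted, and Client Compatible lets the client pick the strength."
    }

    $shadow = Get-TsEffectiveSetting $Listener 'Shadow' $Reader
    $shadowName = if ($null -ne $shadow.Value) { $ShadowNames[[int]$shadow.Value] } else { 'not set' }
    if (@(2, 4) -contains $shadow.Value) {
        $findings += "Shadow: $shadowName ($($shadow.Source)); sessions can be watched or controlled with no prompt to the user."
    }
    $findings
}

# Constructed registry contents so the audit runs offline: policy sets Client
# Compatible and overrides the listener's High; shadowing needs no consent.
$sampleRegistry = @{
    "$PolicyKey|MinEncryptionLevel"            = 2
    "$ListenerRoot\RDP-Tcp|MinEncryptionLevel" = 3
    "$ListenerRoot\RDP-Tcp|Shadow"             = 2
    "$ListenerRoot\RDP-Tcp|MaxInstanceCount"   = $Unlimited
}
$sampleReader = { param($Path, $Name) $sampleRegistry["$Path|$Name"] }

Test-TsListener -Reader $sampleReader   # runs against the constructed data
# Test-TsListener                       # reads this server's registry instead
```

With the constructed data the audit reports three findings, and the encryption finding names Group Policy as the source even though the listener itself is set to High, which is the precedence rule the chapter describes. Run it without -Reader on a terminal server to audit the live RDP-Tcp listener, and pass -Listener for any additional connection you created in 10.5.2.1.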
10.6. Terminal Services RemoteApp
Terminal Services RemoteApp lets you define programs to be run directly from a TS-enabled server but appear totally integrated within the local copy of Windows. The integration is nearly perfect, showing off a seamless independent taskbar button, resizable application window areas, Alt-Tab switching functionality, population of system tray icons where appropriate, and more. Terminal Services RemoteApp is designed to remove from the user's mind the idea that he is using a hosted application; the only giveaway would be the ToolTip in the taskbar that indicates Terminal Services is in use, plus occasional slow response because of network latency or server overload. It will look just like the application is running locally. It's very simple to deploy as well. You simply create .rdp files that act as formatted profiles of available hosted applications. You can deploy these RDP files however you like throughout the enterprise, through Group Policy or over a web site, or through email or a systems management tool, and so on. In this example, let's configure Calculator—truly a complex application, of course—to be used with TS RemoteApp:
1. Open Server Manager.
2. Drill down through the Terminal Services node in the left pane to TS RemoteApp Manager.
3. In the right pane, click Add RemoteApp Programs to launch the RemoteApp Wizard. Click Next off the introductory screen.
4. The "Choose programs to add to the RemoteApp Programs list" screen appears. Here is where you add specific applications to the RemoteApp list. Click the box beside Calculator, and then click Next.
5. Review your settings, and then click Finish.
6. Back in the TS RemoteApp Manager console, scroll down if necessary to the RemoteApp Programs list in the middle pane. Right-click on the newly added Calculator applet and select Create Windows Installer Package.
7. Click Next off the introductory screen.
8. The Specify Package Settings screen appears. Here, enter the location to which this Windows Installer package will be deployed. Verify the terminal server settings, gateway settings, and any certificate settings, then click Next.
9. The Configure Distribution Package screen appears. Here, you can choose where end users will see the appropriate shortcuts for this package and whether the package should take over client extensions for the application—only appropriate when users don't have a copy of this application installed locally. Click Next.
10. Review your settings, and then click Finish.
Now we have configured the package. You can deploy this MSI file via Group Policy (see Chapter 6 for an extensive walkthrough of application deployment via Group Policy). Once the MSI file is deployed on each computer, the user will see a Paint icon under the RemoteApp program group in the Start menu. Selecting it brings up a trust dialog asking the user to ensure that the remote computer is trustworthy; acknowledging that dialog and allowing the connection will bring up a "Starting RemoteApp" dialog followed by the Paint application, in all of its classic-themed glory, right on your desktop.
10.7. Terminal Services Web Access
The Terminal Services Web Access feature lets administrators make Terminal Services RemoteApp-hosted applications available on a web page. Users can browse the list for the application they are looking for, select it, and then be seamlessly connected to the application. You can even integrate TS Web Access within SharePoint sites using an included web part, so users have access from their collaboration portal to various hosted applications. Using TS Web Access is straightforward. By default, adding an application to TS RemoteApp, as we did with the Calculator earlier in this chapter, automatically makes the application available for users via the TS Web Access gateway. To check, open Internet Explorer and navigate to http://servername/ts. After authenticating to the server, you should see a RemoteApp Programs list with Paint populated in the middle of the screen. Clicking on it opens Paint, as you might expect. If you click Remote Desktop, you can automatically connect to any TS host to which you have access, much like the old /tsweb link in previous versions of Windows Server. If you want to configure TS Web Access further, simply use the same URL as above, but authenticate using your administrator credentials, and then click the Configuration link in the bar at the top of the program list window.
10.8. Terminal Services Gateway
Terminal Services Gateway, useful for corporations where large numbers of remote users would still need to be able to take advantage of RDP-based application deployment, allows users to access hosted applications from a centralized web portal accessible over Port 443 (or any other port you choose) via an encrypted HTTPS channel. To further control access, there are connection authorization policies, or CAPs, that administrators can create to define user groups that are permitted to access TS through the TS Gateway machine, and resource authorization policies, or RAPs, that grant access to resources like an application or a server to only certain groups. So, you can limit hosted application use to only those users that need it while still deploying full-client copies of your programs to users with desktops, laptops, and other devices that can support them. When you add the TS Gateway role, you are prompted to choose certificates for SSL encryption—either one you already have, one that is created on the fly and self-signed, or one you may choose later. You'll also be asked what types of authorization policies you would like to create—you can defer this selection as well depending on your needs. You should create one of each type of policy in order to get the maximum effect from TS Gateway. You can create CAPs and RAPs from within Server Manager. Here's how:
1. Open Server Manager.
2. Drill down through the Terminal Services node in the left pane to TS Gateway Manager.
3. In the left pane, expand the server and the Policies node.
4. Click Connection Authorization Policies and then in the right pane, click Create New Policy to create a new CAP.
5. Click Resource Authorization Policies and then in the right pane, click Create New Policy to create a new RAP.
Due to time limitations in order to print this book by the official release of Windows Server 2008, we have kept coverage of TS Gateway to a minimum. For a complete walkthrough of creating CAPs and RAPs, visit the O'Reilly web site and the official page for this book. We will post a link to a more detailed walkthrough by press time.
10.9. Command-Line Utilities
Several neat utilities that are sprinkled throughout this chapter, and some that I didn't cover in detail, enable you to perform much of the functionality you find in the graphical management interfaces for Terminal Services from the command line. I've collected them all in this final section of the chapter, as a quick reference of sorts:
change logon
Enables logons (using the /enable switch) or disables logons (using the /disable switch) to a specific server. Use /query to find out what mode a machine is currently in.
change port
Modifies serial port mappings for programs that operate in DOS compatibility mode. Use /query to find out the current mappings.
change user
Changes the mode in which a Terminal Services machine operates. Using /install switches the machine into install mode to add applications for multisession use, and using /execute disables the install mode for normal functionality. Use /query to determine the current mode. See earlier in this chapter for detailed information on this command.
cprofile
Cleans profiles for inefficient use of space, and removes from the Registry any file associations the user has configured. Profiles must not be in use to run this tool. Use /L to clean every local profile, /I to prompt you before cleaning each profile, and /V to display each action the program has taken.
flattemp
Enables flat temporary directories—that is, enables the redirection of temporary directories to a location other than the default. /enable enables these directories (obviously), /disable does the opposite, and /query displays the feature's current status.
logoff
Logs off a session. Use logoff sessionname or logoff sessionid to identify the session to end, and specify a particular server using the /V switch if necessary. See earlier in this chapter for detailed information on this command.
msg
Sends a message. See earlier in this chapter for detailed information on this command.
query process
Displays a table listing processes by session. See earlier in this chapter for sample output of this command.
query session
Displays a table listing sessions on a specific server. See earlier in this chapter for sample output of this command.
query termserver
Displays a list of known terminal servers in a domain. See earlier in this chapter for sample output of this command.
query user
Displays a list of users currently logged on to terminal services sessions. See earlier in this chapter for sample output of this command.
register
Sets an application to operate as either a system global resource, with the /system switch, or a user global resource, with the /user switch. Include the executable file's name as an argument.
reset session
Resets a session. Use reset sessionname or reset sessionid to identify the session to end, and specify a particular server using the /V switch if necessary. See earlier in this chapter for detailed information on this command.
shadow
Views the display for another user's session. You must run this over a Terminal Services connection to the host machine. See earlier in this chapter for detailed information on this command.
tscon
Connects to another session running on a server. See earlier in this chapter for detailed information on this command.
tsdiscon
Disconnects from another session running on a server. See earlier in this chapter for detailed information on this command.
tskill
Kills a certain process. Use tskill processid or tskill processname. To specify a server, use the /server switch, and to specify a certain session under which a process is running, use /ID:sessionid. To end a process running under all sessions, issue the /a switch.
tsprof
Configures profiles for users connecting to a terminal server. See earlier in this chapter for detailed information on this command.
tsshutdn
Shuts down a terminal server. You can specify an amount of time to wait before shutting down the machine by adding the number as an argument after the command name (i.e., tsshutdn 120 to wait two minutes). You also can specify whether to simply restart the machine by using the /reboot switch, or to power it down completely with the /powerdown switch.
10.10. The Last Word
Windows Terminal Services is a useful inclusion to Windows Server 2008, allowing administrators to manage their servers without having to be directly in front of the console, and also allowing corporations to centrally host applications to reduce total cost of ownership, management, and administrative requirements. In this chapter, I explored both the user and the administrator side of TS and how it can add value to the Windows infrastructure.
Chapter 11. DHCP and Network Access Protection
In this chapter, I'll take a look at two major communications and networking services commonly used in Windows Server 2008 installations: the Dynamic Host Configuration Protocol, which helps administrators with IP address management, and the Network Access Protection feature, which protects your network from untrusted clients. This chapter has a practical focus. Entire books can be (and have been) written on each of these topics, so I cannot possibly cover them in depth. Because so many resources are already available, I've chosen to focus on instructions for configuring these protocols and services to work under Windows Server 2008 rather than overwhelm you with page after page of theory. I discuss the mechanics a bit, but I place more emphasis on hands-on activities.
11.1. Dynamic Host Configuration Protocol
The Dynamic Host Configuration Protocol (DHCP) assists administrators by automatically configuring computers with IP addresses, saving the hassle of assigning and tracking static IP addresses across multiple machines. When DHCP is coupled with dynamic DNS, a technique you learned about in Chapter 4, many of the administrative headaches network administrators used to face are reduced and, in some cases, eliminated.
11.1.1. How It Works
The process is started by the client, which requests an IP address from a DHCP server. If a client is new to the network, or currently has an invalid IP address, it broadcasts a DHCPDISCOVER message over the local subnet. Each responding DHCP server (there may be several) answers with an offer in the form of a DHCPOFFER packet. The client then accepts one offer and officially asks for that address with a DHCPREQUEST packet, which is also broadcast so that the other servers learn their offers were declined. In return, the chosen DHCP server confirms the lease and sends any additional options configured for the address inside a DHCPACK packet. Leases are granted for a period of time known as the lease duration. After 50% of the lease duration has elapsed, the client requests an extension (officially, a lease renewal) from the DHCP server from which it originally obtained the lease. If the client receives no response from that server, it waits until 87.5% of the lease duration has elapsed and then attempts to renew its current lease with any DHCP server on the network. If no server honors the renewal request by the time the lease expires, the client stops using the address and behaves like a new client, as described previously.
Options are attributes of a DHCP lease that define certain characteristics of the IP address and IP stack of the computer leasing the address. For example, DHCP options carry parameters such as the DNS connection suffix (the part that turns a host name into a fully qualified name such as client2.hasselltech.local), the default gateway for a particular computer (the router through which traffic bound outside the local subnet is sent), and other important traits of a connection.
Using DHCP options saves you a lot of time compared with assigning these traits manually on every client, and it adds consistency: all the computers leasing addresses within a given scope get the same options rather than a hodgepodge of configurations.
A Windows feature called Automatic Private IP Addressing (APIPA), also referred to as Automatic Client Configuration (ACC), overlaps DHCP functionality and can either be your best friend or drive you to insanity. If a client is unable to lease an address from a DHCP server, it falls back to an address picked at random from the link-local range 169.254.0.0/16 (subnet mask 255.255.0.0, with no default gateway assigned). That range is reserved for exactly this purpose by the IANA rather than belonging to Microsoft, so it never collides with routable addresses on your network. Before using the address, the client broadcasts an ARP request for it to ensure that no other host on the segment already has it. The feature is meant for convenience: most small businesses and home networks don't want to run a DHCP server on Windows and just want the network to work. When you are troubleshooting connectivity problems, however, APIPA can get in the way, because a host with a 169.254.x.x address looks configured but cannot reach anything beyond its own segment. It's best to understand APIPA's behavior under the following circumstances:
If a client has a valid lease from a DHCP server but can't contact that server, the client pings the default gateway address defined in the lease. If it receives a reply, it assumes the machine is still on the network where the original DHCP server is located and continues to use its lease.
If no router answers at the gateway address in the lease, the client releases the current IP address and picks an automatic address from the 169.254.0.0/16 range.
In any event, while an APIPA address is in use, the client continues to look for a DHCP server every five minutes, either to renew its lease or to obtain a new address and lease.
You can also specify an alternate configuration that the client uses instead of an APIPA address when it can't get an address from a DHCP server. You can view and configure this on the Alternate Configuration tab of the TCP/IPv4 properties of the network connection, reached from the Start menu.
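Here is an added example (it is not part of the book) that makes the lease lifecycle just described visible on a client: for each adapter it reads the lease from WMI, computes the 50% and 87.5% renewal points, and flags adapters sitting on an APIPA address. It assumes PowerShell 2.0 or later on Windows and nothing beyond the built-in Win32_NetworkAdapterConfiguration class; the function and property names in the output are my own.

```powershell
# Added example, not from the book: inspect the DHCP state of each adapter on the
# local Windows machine, compute the two renewal points described above (50% and
# 87.5% of the lease), and flag adapters that have fallen back to an APIPA address.
# Uses only the Win32_NetworkAdapterConfiguration WMI class; PowerShell 2.0 or later.

function ConvertFrom-WmiDateTime {
    # WMI reports timestamps as 'yyyyMMddHHmmss.ffffff+zzz'; turn that into a DateTime.
    param([string]$WmiDate)
    if ([string]::IsNullOrEmpty($WmiDate)) { return $null }
    return [System.Management.ManagementDateTimeConverter]::ToDateTime($WmiDate)
}

function Get-DhcpLeaseStatus {
    # One object per IP-enabled adapter, with lease timing and APIPA fallback state.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $adapters) {
        $ipv4  = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        $apipa = @($ipv4 | Where-Object { $_ -like '169.254.*' }).Count -gt 0

        $obtained = ConvertFrom-WmiDateTime $nic.DHCPLeaseObtained
        $expires  = ConvertFrom-WmiDateTime $nic.DHCPLeaseExpires
        $t1 = $null
        $t2 = $null
        if ($nic.DHCPEnabled -and $obtained -and $expires) {
            $leaseSeconds = ($expires - $obtained).TotalSeconds
            # T1: the client unicasts a renewal to the server that issued the lease.
            $t1 = $obtained.AddSeconds($leaseSeconds * 0.5)
            # T2: still unrenewed, the client broadcasts a renewal to any DHCP server.
            $t2 = $obtained.AddSeconds($leaseSeconds * 0.875)
        }

        New-Object PSObject -Property @{
            Adapter       = $nic.Description
            IPv4Address   = ($ipv4 -join ', ')
            DhcpEnabled   = [bool]$nic.DHCPEnabled
            DhcpServer    = $nic.DHCPServer
            LeaseObtained = $obtained
            LeaseExpires  = $expires
            RenewAtT1     = $t1
            RebindAtT2    = $t2
            ApipaFallback = $apipa
        }
    }
}

# An adapter with DhcpEnabled = True and ApipaFallback = True never obtained, or has
# lost, its lease: the situation the APIPA discussion above describes.
Get-DhcpLeaseStatus |
    Sort-Object Adapter |
    Format-Table Adapter, IPv4Address, DhcpServer, LeaseExpires, RenewAtT1, RebindAtT2, ApipaFallback -AutoSize
```

When a client shows DhcpEnabled True together with a 169.254.x.x address, check the link and whether a DHCP server (or a relay on the router) is reachable on that segment before looking anywhere else; because of the five-minute retry, the adapter picks up a lease by itself as soon as a server answers.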
11.1.2. Installing a DHCP Server
Now that you know a bit about how DHCP works, let's move on to installing an actual DHCP server. It's a fairly easy process. From Server Manager, select Add Roles, and then check the DHCP Server role. You'll be asked for the name of the parent domain that clients use for name resolution and the IP addresses of the DNS servers with which clients will resolve names. You will also have the opportunity to add a scope (though we will walk through that in the next section) and to enable or disable DHCPv6 stateless mode, in which IPv6 clients address themselves and use the server only for options. Finally, you'll be given the opportunity to authorize the server in Active Directory. Adding the pools of addresses for the DHCP role to dole out is outlined in the next section, so let's go there now.
11.1.3. Creating a New DHCP Scope
Creating a new DHCP scope involves selecting the range of IP addresses you want to make available for lease to clients that request them. This set of IP addresses is known as the scope. The New Scope Wizard appears both when you first install a DHCP server and whenever you invoke it from the DHCP administration console, which you find on the Administrative Tools menu off the Start menu. To create a new scope on your DHCP server, follow these steps:
1. Open the DHCP administration console by selecting DHCP from the Administrative Tools folder.
2. Right-click the appropriate DHCP server in the left pane, and select New Scope from the context menu.
3. The New Scope Wizard appears. Click Next to move past the introductory screen.
4. Enter a name and a friendly, useful description (for your purposes only) for the new scope, and then click Next.
5. The IP Address Range screen appears (see Figure 11-1). Enter an uninterrupted range of IP addresses that you want to offer to clients in the "Start IP address" and "End IP address" fields. Then enter the subnet mask that identifies the network or subnet you're using. (In most cases, you can accept the defaults.) Click Next to continue.
Figure 11-1. The IP Address Range screen
6. The Add Exclusions page appears next, depicted in Figure 11-2. Here you can enter a single address or a range of addresses within your scope that you want to exclude from client provisioning. For example, if you have a few servers with static IP addresses inside your chosen range, identify those addresses here so DHCP won't hand them out and cause a conflict. Click Next to continue when you've entered any relevant addresses.
Figure 11-2. The Add Exclusions screen
7. The Lease Duration screen appears, shown in Figure 11-3, which lets you specify how long a DHCP-assigned address remains valid for this scope. Desktop systems can keep an IP lease for a long time; laptops and other mobile computers, however, should be given short lease durations so that when they are inactive, their IP addresses become available for reassignment to other machines. If you have a mix of both, I suggest favoring a shorter lease time. Adjust the time using the individual controls for days, hours, and minutes, and then click Next when you're done.
Figure 11-3. The Lease Duration screen
8. The Configure DHCP Options screen appears. Here you can specify whether to simply configure the scope with the settings you've made so far, or further customize the data transmitted in response to each DHCP request. In this example, we'll proceed through the extended options to discuss each one. Select "Yes, I want to configure these options now," and then click Next to continue.
9. The Router (Default Gateway) screen appears, as depicted in Figure 11-4. Here you can specify a list of available network gateways or routers in your order of preference. Add them using the Add button, and adjust the list as needed using the Remove, Up, and Down buttons. Click Next when you've finished entering gateways.
Figure 11-4. The Router (Default Gateway) screen
10. The Domain Name and DNS Servers screen appears, shown in Figure 11-5. On this screen, you can enter the parent domain name your client computers should use for this connection. You can also specify preferred DNS servers for your client computers: either enter a fully qualified domain name and click the Resolve button to look up its IP address, or enter the IP address directly and click Add to insert the server into the list. Use the Remove, Up, and Down buttons to edit the list as needed. Click Next when you've finished.
Figure 11-5. The Domain Name and DNS Servers screen
11. The WINS Servers screen appears, shown in Figure 11-6. On this screen, enter the WINS servers that clients receiving addresses from this scope should use. As before, either enter a fully qualified domain name and click Resolve, or enter the IP address directly and click Add. Use the Remove, Up, and Down buttons to edit the list as needed. Click Next when you've finished.
12. Finally, the Activate Scope screen appears. Activating a scope starts DHCP service for it. Choose your preferred option, and then click Next.
Figure 11-6. The WINS Servers screen
Once inside the DHCP console, shown in Figure 11-7, under the specific scope you can view the address pool, add a new exclusion range, view current leases, enter reservations (more on this later), and reconfigure options for the scope. To view the current set of leases, simply click Address Leases underneath the node for the scope you're interested in.
Figure 11-7. The DHCP administration console
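The wizard is fine for one scope; for anything you need to reproduce on a second server or keep under change control, the same work can be scripted with netsh, which Windows Server 2008 ships with. The following is an added example, not from the book, that builds the scope the steps above describe, including the exclusions, lease duration, gateway, DNS and WINS options, and activation. All the addresses, names and the lease length are constructed, and the Invoke-DhcpNetsh wrapper is mine; the netsh subcommands and DHCP option codes are the standard ones.

```powershell
# Added example, not from the book: build the scope the wizard above walks through
# with netsh instead, so the configuration is a reviewable script rather than a series
# of clicks. Every address, name and duration below is constructed for illustration;
# substitute your own. Run on the DHCP server itself as a member of the local
# Administrators or DHCP Administrators group.

$ScopeId    = '10.1.20.0'                 # network address that identifies the scope
$Mask       = '255.255.255.0'
$RangeStart = '10.1.20.50'
$RangeEnd   = '10.1.20.250'
$Exclusions = @(@('10.1.20.50', '10.1.20.59'))   # servers that live inside the pool
$Gateway    = '10.1.20.1'
$DnsServers = @('10.1.10.11', '10.1.10.12')
$DnsSuffix  = 'corp.example'
$WinsServer = '10.1.10.13'
$LeaseSecs  = 8 * 3600                    # 8 hours: a short lease suits a mixed desktop/laptop subnet

function Invoke-DhcpNetsh {
    # Runs one 'netsh dhcp server ...' command and stops on the first failure, so a typo
    # in a range or mask does not leave a half-built scope activated and handing out leases.
    param([string[]]$NetshArgs)
    $output = & netsh dhcp server @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh dhcp server $($NetshArgs -join ' ') failed: $($output -join ' ')"
    }
    return $output
}

# 1. Create the scope, add the address pool and the exclusions (wizard steps 4 to 6).
Invoke-DhcpNetsh @('add', 'scope', $ScopeId, $Mask, 'Charlotte LAN', 'Constructed example scope')
Invoke-DhcpNetsh @('scope', $ScopeId, 'add', 'iprange', $RangeStart, $RangeEnd)
foreach ($range in $Exclusions) {
    Invoke-DhcpNetsh @('scope', $ScopeId, 'add', 'excluderange', $range[0], $range[1])
}

# 2. Lease duration and the options the wizard asks about (steps 7 to 11). Option codes:
#    003 router, 006 DNS servers, 015 DNS domain name, 044 WINS servers, 046 WINS/NetBT
#    node type (8 = h-node), 051 lease time in seconds.
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'optionvalue', '051', 'DWORD', "$LeaseSecs")
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'optionvalue', '003', 'IPADDRESS', $Gateway)
Invoke-DhcpNetsh (@('scope', $ScopeId, 'set', 'optionvalue', '006', 'IPADDRESS') + $DnsServers)
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'optionvalue', '015', 'STRING', $DnsSuffix)
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'optionvalue', '044', 'IPADDRESS', $WinsServer)
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'optionvalue', '046', 'BYTE', '8')

# 3. Have the server ping an address once before leasing it (the Conflict Detection
#    setting covered later in this chapter), then activate the scope (step 12).
Invoke-DhcpNetsh @('set', 'detectconflictretry', '1')
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'state', '1')

# 4. Verify: the options now attached to the scope and the leases it has issued so far.
Invoke-DhcpNetsh @('scope', $ScopeId, 'show', 'optionvalue')
Invoke-DhcpNetsh @('scope', $ScopeId, 'show', 'clients', '1')
```

The order matters: the exclusions and options are all in place before the scope is activated, so no client can obtain a lease from a scope that is only partly configured, and the wrapper aborts at the first failed command rather than continuing to the activation step.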
11.1.4. Authorizing a DHCP Server
You can install the DHCP Server role on any machine running Windows Server 2008, but a DHCP server that is a member of an Active Directory domain must be authorized in the directory before it will serve addresses. Authorized DHCP servers are listed within the directory (in the forest's Configuration partition), and each domain-member DHCP server checks this list to see whether it is authorized; if it doesn't find itself there, the service starts but does not respond to DHCP requests. A DHCP server on a standalone (workgroup) machine does not need to be authorized and will respond to requests. That is the security concern authorization is meant to address: a rogue server that answers DHCPDISCOVER broadcasts can hand clients a gateway and DNS servers of an attacker's choosing and route their traffic wherever it likes. Keep the limits of this control in mind, though. Only the Windows DHCP service consults the authorization list; a DHCP server on any other platform, or a deliberately malicious device, ignores it entirely. Authorization therefore prevents accidents by well-meaning administrators but does not stop an attacker on the local segment. Preventing that requires controls on the network itself, such as DHCP snooping on the switches, and detecting it means watching which servers clients actually obtain leases from.
If you have a DHCP server on a domain member machine, authorize it as follows:
1. Log on to the machine with an account that is a member of Enterprise Admins; authorization writes to the forest-wide Configuration partition, which ordinary domain administrators cannot modify.
2. Open the DHCP administration console by selecting DHCP from the Administrative Tools folder.
3. Right-click the DHCP node at the top of the left pane and select "Manage authorized servers" from the context menu.
4. The Manage Authorized Servers screen appears, as shown in Figure 11-8. It lists all previously authorized DHCP servers. Click Authorize to add the server to this list.
Figure 11-8. The Manage Authorized Servers screen
5. On the following screen, enter the fully qualified domain name of the DHCP server or its IP address. Click OK.
6. Confirm your choice in the following dialog box.
Now the DHCP server is authorized and will begin serving IP addresses to clients that request them. If a server that was already running does not start serving right away, restart the DHCP Server service so that it re-reads the authorization list immediately.
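Since authorization is enforced only by the Windows DHCP service, the useful complement is to verify from the client side which server is actually handing out leases. The following added example (not from the book) reads the authorization list from the directory and compares it with the DHCPServer each local adapter reports. It assumes a domain-joined machine and PowerShell 2.0 or later; the function names are mine, and the parsing of the dhcpServers attribute's text form is an assumption noted in the code, with the object's name used as the fallback.

```powershell
# Added example, not from the book: read the list of authorized DHCP servers from the
# directory and check whether the server this client actually obtained its lease from
# is on it. Authorization records are dHCPClass objects under
# CN=NetServices,CN=Services in the forest Configuration partition. A lease from a
# server that is not listed means either a Windows server someone installed without
# authorizing (it should have stopped serving) or a server that never consults the list
# at all, which is what a rogue on another platform looks like. Needs a domain-joined
# machine and an account able to read the Configuration partition (any domain user).

function Get-AuthorizedDhcpServer {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $base     = [ADSI]"LDAP://CN=NetServices,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = '(objectClass=dHCPClass)'
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'dhcpservers'))

    $seen = @{}
    foreach ($result in $searcher.FindAll()) {
        $cn = [string]$result.Properties['cn'][0]
        foreach ($raw in $result.Properties['dhcpservers']) {
            # Assumption about the attribute's text form: 'i<ip>$rcn=<name>$f<flags>$s<name>$'.
            # If it cannot be parsed, the object's name (the FQDN or IP typed into
            # "Manage authorized servers") is used. The DhcpRoot object repeats every
            # server, so entries are de-duplicated.
            $text = "$raw"
            $ip   = $null
            $name = $cn
            if ($text -match 'i(\d{1,3}(?:\.\d{1,3}){3})\$') { $ip = $matches[1] }
            if ($text -match '\$s([^$]+)\$')                 { $name = $matches[1] }
            $key = "$name|$ip"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                New-Object PSObject -Property @{ Name = $name; IPAddress = $ip }
            }
        }
    }
}

function Resolve-AuthorizedAddresses {
    # Every IPv4 address an authorized entry can be matched on: the parsed address plus
    # whatever its name resolves to, so a client's DHCPServer value (always an IP) can
    # be compared directly.
    param($Entries)
    $addresses = @()
    foreach ($e in $Entries) {
        if ($e.IPAddress) { $addresses += $e.IPAddress }
        try {
            $addresses += [System.Net.Dns]::GetHostAddresses($e.Name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString }
        } catch { }   # stale or unresolvable name; the parsed address still counts
    }
    return @($addresses | Sort-Object -Unique)
}

function Test-DhcpLeaseSourceAuthorized {
    $authorized = Resolve-AuthorizedAddresses (Get-AuthorizedDhcpServer)
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE' |
        Where-Object { $_.DHCPServer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                LeaseFrom  = $_.DHCPServer
                Authorized = ($authorized -contains $_.DHCPServer)
            }
        }
}

Get-AuthorizedDhcpServer       | Format-Table Name, IPAddress -AutoSize
Test-DhcpLeaseSourceAuthorized | Format-Table Adapter, LeaseFrom, Authorized -AutoSize
```

A row with Authorized False on a domain-joined client is worth chasing immediately: either someone stood up an unauthorized DHCP server, a relay is forwarding to a server in another forest, or something on the segment is answering DHCPDISCOVER that should not be.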
11.1.5. Reservations
Reservations let you effectively set static IP addresses through DHCP. A client with a reservation is still configured to obtain its address dynamically, but the DHCP server holds a reservation in its database for that client, identified by the MAC address of its network card, so the client always receives the same IP address from the server. To create a new reservation, right-click Reservations under the appropriate scope in the left pane and select New Reservation. The New Reservation screen appears. Enter a friendly name for the reservation as a reference, and then the IP address to reserve. Then enter the MAC address of the network card in the computer that should receive the reserved address. (You can find it from the command line by running ipconfig /all and looking for the adapter's physical address, or from Control Panel under Network Connections by right-clicking the adapter and selecting Status.) Enter a description of the reservation if you want, and then click OK. Figure 11-9 shows the reservation screen.
Figure 11-9. Making a DHCP reservation
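An added example, not from the book, that creates the same kind of reservation from the command line. It normalizes the MAC address from the separators ipconfig and the console display into the bare hex digits netsh expects, validates it, then adds and lists the reservation. Scope, address and names are constructed, and the functions are mine. Bear in mind that the MAC address is chosen by the client: a reservation pins an address to whoever presents that MAC, so it is a convenience, not an identity check, and anyone on the segment can obtain a reserved address by spoofing the MAC.

```powershell
# Added example, not from the book: create a reservation with netsh from a client's MAC
# address. The DHCP console and ipconfig /all show the address as 00-1A-2B-3C-4D-5E,
# while netsh expects 12 hex digits with no separators, so the address is normalized
# and validated before anything touches the server. Addresses and names are constructed.
# Run on the DHCP server as a DHCP Administrator.

function ConvertTo-DhcpMacString {
    # Accepts 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001A.2B3C.4D5E; returns 001A2B3C4D5E.
    param([string]$Mac)
    $clean = ($Mac -replace '[-:.\s]', '').ToUpper()
    if ($clean -notmatch '^[0-9A-F]{12}$') {
        throw "'$Mac' is not a 48-bit MAC address"
    }
    return $clean
}

function Add-DhcpReservation {
    param(
        [string]$ScopeId,
        [string]$IPAddress,
        [string]$Mac,
        [string]$Name,
        [string]$Comment = 'added by script'
    )
    $hex = ConvertTo-DhcpMacString $Mac
    # netsh dhcp server scope <scope> add reservedip <ip> <mac> <name> <comment>
    $out = & netsh dhcp server scope $ScopeId add reservedip $IPAddress $hex $Name $Comment 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "Reservation for $IPAddress failed: $($out -join ' ')"
    }
    # List what the server now holds for this scope so the new entry can be checked.
    & netsh dhcp server scope $ScopeId show reservedip
}

# Reserve 10.1.20.60 for a print server whose MAC was read from its own ipconfig /all.
Add-DhcpReservation -ScopeId '10.1.20.0' -IPAddress '10.1.20.60' `
    -Mac '00-1A-2B-3C-4D-5E' -Name 'print-svr-01' -Comment 'Print server (constructed example)'
```

The validation step is what keeps a pasted address with a trailing character or a missing octet from silently creating a reservation that never matches anything.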
11.1.6. Understanding Classes
Classes distinguish between different systems and users for the purpose of assigning different options to them. Two types of classes are available within DHCP: vendor classes, whose identifiers are chosen by the vendor of the client software or hardware, and user classes, which administrators define and set at the client level. Vendor classes can be used to send all computers matching a certain class a specific set of DHCP options, for example, to configure members of that class with a different set of DNS servers or gateways. And with the Windows Server 2008 vendor classes, you can offer specific systems the option of disabling NetBIOS over TCP/IP, releasing the lease at shutdown, and defining a base metric for routing requests quickly and efficiently to network gateways.
Vendors choose their own vendor classes, so you will need to consult your vendor's documentation or support group to determine which vendor classes your adapters announce and respond to. Vendor classes can also represent the manufacturer of the network card or the manufacturer of the computer, whichever makes the most sense for your organization. Microsoft uses the MSFT prefix to classify its own DHCP clients in Windows 98 and later.
User classes are set by administrators and further group users by criteria that aren't available through the vendor class. For example, you can set a user class for "Charlotte office" and another for "Raleigh office" to steer the two groups to different IP resources. Identical class data must be set on the client and on the DHCP server. With user classes, you can also use the predefined classes to support groups of clients with special needs, such as clients using the older BOOTP protocol or clients connecting through the Routing and Remote Access Service. User classes are really meant for larger networks that need to manage DHCP option assignments based on different computer criteria, and that need to assign and override the standard option assignments at the server, scope, or reservation level. To create a user class on the server, follow these steps:
1. Open the DHCP administration console.
2. Right-click the DHCP server and select Define User Classes from the context menu.
3. The DHCP User Classes dialog box appears. Click the Add button.
4. The New Class box appears, as shown in Figure 11-10.
Figure 11-10. The New Class box
5. Enter a display name for the new class, and a friendly description for your own purposes if you want.
6. Enter the ASCII text of the class ID by clicking under the word ASCII and typing. This is the string clients must present, so it must match what you will set on the clients exactly, including case. The binary version of what you type is generated automatically.
7. Click OK.
The new class has been created. Now configure the DHCP options to send only to this class:
1. In the left pane of the DHCP administration console, expand the scope you want to customize, right-click Scope Options, and select Configure Options.
2. Navigate to the Advanced tab.
3. Under User Class, select the class you just defined.
4. Finally, under Available Options, select the options you want to configure and enter values for them.
5. Click OK when you've finished.
Now the scope is configured to send those options to members of your new class. On each client computer that will be a member of the class, run the following from an elevated command prompt, giving the connection name as it appears in Network Connections and the class ID string you entered in step 6:
ipconfig /setclassid "Local Area Connection" "Name of New User Class"
You will receive a message indicating that the assignment was successful. Note that the class ID is simply a string the client chooses to send: it selects which configuration the client asks for, it does not establish who the client is, so never use classes to gate access to anything sensitive.
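The following added example, not from the book, scripts both halves of the class setup above: defining the class and its options on the server with netsh, and applying the class ID on a client with ipconfig followed by a renewal so the effect is visible at once. The class, option values and adapter name are constructed and the functions are mine; I note in the code where the netsh argument order should be confirmed against the built-in help before relying on it.

```powershell
# Added example, not from the book: the user-class procedure above, scripted. The server
# half defines the class and attaches class-specific options with netsh; the client half
# sets the class ID with ipconfig and renews so the new options take effect immediately.
# Class name, option values and adapter name are constructed. Argument order assumed for
# 'add class' is name, comment, data, IsVendor (0 = user class); confirm it against
# 'netsh dhcp server add class /?' on your build before relying on it.

$ScopeId   = '10.1.20.0'
$ClassName = 'Charlotte office'      # label shown in the console
$ClassData = 'Charlotte office'      # the ASCII string the client sends in option 77; must match exactly

function Invoke-Checked {
    # Runs a native command and throws on a non-zero exit code.
    param([string]$Exe, [string[]]$CmdArgs)
    $out = & $Exe @CmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($CmdArgs -join ' ') failed: $($out -join ' ')" }
    return $out
}

# --- Server side (run on the DHCP server) ---
function New-DhcpUserClassWithOptions {
    Invoke-Checked 'netsh' @('dhcp', 'server', 'add', 'class', $ClassName, 'Clients in the Charlotte office', $ClassData, '0')
    # Members of the class get their own DNS servers and gateway; everyone else keeps the scope defaults.
    Invoke-Checked 'netsh' @('dhcp', 'server', 'scope', $ScopeId, 'set', 'optionvalue', '006', 'IPADDRESS', "user=$ClassName", '10.1.30.11', '10.1.30.12')
    Invoke-Checked 'netsh' @('dhcp', 'server', 'scope', $ScopeId, 'set', 'optionvalue', '003', 'IPADDRESS', "user=$ClassName", '10.1.20.2')
    # Show every option value, including the class-specific ones, for review.
    Invoke-Checked 'netsh' @('dhcp', 'server', 'scope', $ScopeId, 'show', 'optionvalue', 'all')
}

# --- Client side (run elevated on each member of the class) ---
function Set-DhcpUserClass {
    param([string]$ConnectionName = 'Local Area Connection', [string]$ClassId = $ClassData)
    $msg = Invoke-Checked 'ipconfig' @('/setclassid', $ConnectionName, $ClassId)
    # Renew so the server re-evaluates the class; the 'user=' options above arrive in the ACK.
    [void](Invoke-Checked 'ipconfig' @('/renew', $ConnectionName))
    $lease = Invoke-Checked 'ipconfig' @('/all')
    # Return the setclassid confirmation the book mentions plus the gateway and DNS lines of
    # the renewed lease, so the class-specific options can be seen to have arrived.
    return @{
        SetClassIdMessage = (($msg | Where-Object { $_ -match '\S' }) -join ' ')
        LeaseNow          = @($lease | Where-Object { $_ -match 'DNS Servers|Default Gateway' })
    }
}

# New-DhcpUserClassWithOptions                 # on the DHCP server
# Set-DhcpUserClass 'Local Area Connection'    # on each client in the class
```

Running the client half on a machine that should not belong to the class shows the point made above: it receives the Charlotte options just the same, because the server only sees the string the client sent.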
11.1.7. Superscopes
A superscope is a collection of scopes that can service requests from clients on multiple logical subnets sharing the same physical network segment. By configuring a DHCP server with a superscope that encompasses several smaller scopes, you can provide DHCP service to multiple subnets simultaneously. Use superscopes when you need to provide leases to clients on more than one subnet from one DHCP server. To configure a superscope, follow these steps:
1. Load the DHCP administration console.
2. Right-click the DHCP server node and select New Superscope from the context menu. Click Next to move past the wizard's introductory screen.
3. Enter the name of the new superscope you're creating, and then click Next.
4. From the Available Scopes list, select the scopes to include in the new superscope. Hold down the Ctrl key while clicking to select multiple scopes.
5. Click Next and confirm your settings. Then click Finish.
The superscope is now active.
11.1.8. Conflict Detection
To ensure that one IP address is not leased to two different clients, the Windows Server 2008 DHCP service includes a conflict detection mechanism: a ping test that verifies an address isn't already in use before it is leased to a client. It is off by default. You might want to enable it when you rebuild a DHCP server, so that when the server comes back up without its old lease database it won't hand out addresses that clients are still using. To do so, right-click the server name in the DHCP management console, select Properties, and navigate to the Advanced tab. Find the option called "Conflict detection attempts" and set it to 1 or 2. This number is how many times the server pings an address before leasing it; each unanswered ping waits for a timeout, so higher values noticeably slow down lease issuance.
11.1.9. DHCP Implications for DNS
The Windows Server 2008 DNS service supports updates from DHCP clients, so that name-to-IP mappings stay accurate through the release and renewal process. On clients, you configure this behavior in the properties of the local area connection (on Windows XP, you can find the list of network connections from the "Connect to" menu on the Start menu; on Windows 2000, it's the Network & Dial-up Connections applet in the Control Panel). In the connection's properties, open the properties of the Internet Protocol (TCP/IP) item, click Advanced, and navigate to the DNS tab. At the bottom of the screen, select the "Register this connection's addresses in DNS" option, as shown in Figure 11-11. This instructs the client to send an updated A record to its primary DNS server whenever its address changes.
Figure 11-11. Registering a DHCP-assigned client address in DNS
If you want the DHCP server to handle these updates instead of the client, first add the DHCP server's computer account to the DnsUpdateProxy group in Active Directory, using Active Directory Users and Computers. This is a separate step from authorizing the server (described earlier in this chapter); authorization does not change group memberships. Be aware of what that membership means: records registered by a DnsUpdateProxy member are created without an owner so that the client itself can take them over later, which also means any other authenticated host can. For the same reason, never put a DHCP server that also runs as a domain controller into this group, since the DC's own records would lose their protection. The DHCP service can instead register records under a dedicated, low-privilege domain account that you supply with the Credentials button on the Advanced tab of the server's properties. Next, in the DHCP console, right-click the DHCP server node and click Properties, then navigate to the DNS tab, which is shown in Figure 11-12.
Figure 11-12. Configuring DHCP-based updates to DNS
Here you can instruct the DHCP service to update DNS records for its clients always, or only when a client asks the server to do so in its request. You can also tell the service to discard a client's A and PTR records when its lease is deleted, and to perform updates on behalf of clients that cannot dynamically update their own records in DNS (older clients, for example).
Figu r e 1 1 - 7 . Th e D H CP a dm in ist r a t ion con sole
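The same scope can be built without the wizard from the netsh dhcp context that ships with Windows Server 2008, which is handy when you have to rebuild a server or script several identical scopes. The following is an added example, not code from the book; the subnet, address pool, gateway, DNS, WINS and lease values are assumed, and the commands are run on the DHCP server itself (prefix the server context with a name, as in netsh dhcp server \\dhcp1, to manage a remote one).

```powershell
# Added example (not from the book): create the scope the wizard above builds, using netsh.
# Assumed values: subnet 192.168.10.0/24, pool .100-.200 with .100-.109 held back for static
# hosts, gateway .1, DNS servers .10 and .11, domain example.com, WINS server .12, 8-hour leases.
$scope = "192.168.10.0"
$mask  = "255.255.255.0"

# Steps 5-6: the scope, its address pool, and an exclusion range inside the pool
netsh dhcp server add scope $scope $mask "Client LAN" "Workstations, building A"
netsh dhcp server scope $scope add iprange 192.168.10.100 192.168.10.200
netsh dhcp server scope $scope add excluderange 192.168.10.100 192.168.10.109

# Step 7: the lease duration is DHCP option 51, given in seconds (28800 = 8 hours)
netsh dhcp server scope $scope set optionvalue 051 DWORD 28800

# Steps 9-11: router (option 3), DNS servers (6), DNS domain name (15), WINS servers (44)
netsh dhcp server scope $scope set optionvalue 003 IPADDRESS 192.168.10.1
netsh dhcp server scope $scope set optionvalue 006 IPADDRESS 192.168.10.10 192.168.10.11
netsh dhcp server scope $scope set optionvalue 015 STRING example.com
netsh dhcp server scope $scope set optionvalue 044 IPADDRESS 192.168.10.12

# Step 12: activate the scope (1 = active, 0 = inactive)
netsh dhcp server scope $scope set state 1

# Checks: the option values clients will actually receive, then the lease list the
# console shows under Address Leases
netsh dhcp server scope $scope show optionvalue
netsh dhcp server scope $scope show clients
```

Review the output of show optionvalue before activating a scope in production: it is the cheapest way to catch a mistyped gateway or DNS server before every client on the segment receives it.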
11.1.4. Authorizing a DHCP Server

Although you can install DHCP servers on any machine running Windows Server 2008, the first DHCP server you install must hook itself into Active Directory and needs to be on a machine that is a member of a domain. Authorized DHCP servers are listed within the directory, and each DHCP server in a domain checks this list to see whether it is authorized to provide service; if it doesn't find itself in that list, it will not respond to DHCP requests. DHCP servers on standalone machines that are not members of a domain can respond to DHCP requests without being authorized. Be clear about what authorization does and does not protect against: it stops a well-meaning administrator from bringing up a second Windows DHCP server on your domain, but a rogue DHCP server that isn't running Windows (or isn't joined to your domain) never consults the list, and can hand clients a default gateway and DNS server that route their traffic wherever the attacker likes. Authorization is a safeguard against misconfiguration, not against an attacker; keeping rogue DHCP servers off the wire is a job for DHCP snooping on your switches. If you have a DHCP server that is located on a domain member machine, you can authorize it by doing the following:
1. Log on to the machine with an account that is a member of the Enterprise Admins group (or that has been delegated the right to authorize DHCP servers).
2. Open the DHCP administration console by selecting DHCP from the Administrative Tools folder.
3. Right-click the DHCP node at the top of the left pane and select "Manage authorized servers" from the pop-up context menu.
4. The Manage Authorized Servers screen appears, as shown in Figure 11-8. The screen lists all previously authorized DHCP servers. Click Authorize to add the server to this list.
Figure 11-8. The Manage Authorized Servers screen
5. On the following screen, enter the fully qualified domain name of the DHCP server or its IP address. Click OK.
6. Confirm your choice in the following dialog box.
Now the DHCP server is authorized and will begin serving IP addresses to clients that request them. The DHCP service only rechecks its authorization state periodically, so restart the DHCP Server service if you don't want to wait for a newly authorized server to start answering.
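Authorization can also be scripted, which is useful when rebuilding a server or auditing which servers the directory currently trusts. This is an added example rather than code from the book; the server name and address are assumed, and it must be run as a member of Enterprise Admins.

```powershell
# Added example (not from the book): authorize a domain-joined DHCP server from the command
# line and verify that it appears in the directory's list of authorized servers.
$dhcpFqdn = "dhcp1.example.com"   # assumed server name
$dhcpIp   = "192.168.10.10"       # assumed server address

# Equivalent of steps 3-6 above
netsh dhcp add server $dhcpFqdn $dhcpIp

# Check: 'netsh dhcp show server' prints one line per authorized server, naming its FQDN,
# address and directory location. Any server missing from this list is either unauthorized
# or not one of ours, so compare it against your inventory, not just this one entry.
$authorized = netsh dhcp show server
if ($authorized -match [regex]::Escape($dhcpIp)) {
    Write-Host "$dhcpFqdn ($dhcpIp) is authorized in Active Directory"
    # The service only re-reads its authorization state periodically; restart to pick it up now
    Restart-Service -Name DHCPServer
} else {
    Write-Warning "$dhcpFqdn was not found in the authorized list; check Enterprise Admins membership"
}
```

Running show server on its own, on a schedule, and diffing the output against the previous run is a cheap way to notice when someone authorizes a server you didn't expect.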
11.1.5. Reservations

Reservations allow you to effectively set static IP addresses through DHCP. Although a client with a reservation is still configured to obtain an IP address dynamically, the DHCP server has a reservation in its database for that client, identified by the MAC address of its network card, and so the client will always receive the same IP address from the DHCP server. To create a new reservation, right-click Reservations under the appropriate scope in the left pane and select New Reservation. The New Reservation screen will appear. Here, enter a friendly name for this reservation as a reference, and then the IP address to reserve. Then, enter the MAC address of the network card inside the computer that you want to have the reserved address. (You can see this from the command line by issuing the ipconfig /all command and looking for the adapter's physical address, or through Control Panel and Network Connections by right-clicking the adapter and selecting Status.) Enter a description of the reservation if you want, and then click OK. Figure 11-9 shows the reservations screen. Bear in mind that a reservation is a convenience, not a security control: the MAC address is the only thing that identifies the client, and a MAC address is trivially changed, so holding a reserved address never proves that a machine is the one you intended.
Figure 11-9. Making a DHCP reservation
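The one practical snag when scripting reservations is that ipconfig /all prints the MAC address with dashes while netsh expects twelve bare hex digits. The following added example (not from the book) normalizes the address before creating the reservation; the scope, address and MAC are assumed values.

```powershell
# Added example (not from the book): create a reservation with netsh, converting the MAC
# address from the form 'ipconfig /all' prints into the 12-hex-digit form netsh expects.
function ConvertTo-DhcpMac {
    param([string]$Mac)   # accepts 00-1A-2B-3C-4D-5E, 00:1A:2B:3C:4D:5E or 001A2B3C4D5E
    $clean = ($Mac -replace '[-:]', '').ToUpper()
    if ($clean -notmatch '^[0-9A-F]{12}$') {
        throw "Not a valid MAC address: $Mac"
    }
    return $clean
}

$scope      = "192.168.10.0"                       # assumed scope
$reservedIp = "192.168.10.105"                     # must lie within the scope's subnet
$mac        = ConvertTo-DhcpMac "00-1A-2B-3C-4D-5E" # assumed MAC, as copied from ipconfig /all

# scope <Addr> add reservedip <IP> <MAC> [<ClientName>] [<ClientComment>] [DHCP|BOOTP|BOTH]
netsh dhcp server scope $scope add reservedip $reservedIp $mac "printer01" "Lobby printer"

# Check: list the scope's reservations and make sure ours is present
$reservations = netsh dhcp server scope $scope show reservedip
if (-not ($reservations -match [regex]::Escape($reservedIp))) {
    Write-Warning "Reservation for $reservedIp was not created"
}
```

Because the reservation is keyed on the MAC address, keep the list of reserved addresses somewhere you can compare against the lease list; a machine showing up with a reserved address but an unexpected hostname is worth a look.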
11.1.6. Understanding Classes

Classes distinguish between different systems and users for the purposes of assigning or allowing different options. Two types of classes are available within DHCP: vendor classes, which identify the client's software or hardware and whose identifiers are chosen by the vendor; and user classes, which administrators define and assign to clients. Vendor classes can be used to send all computers matching a certain class a specific set of DHCP options; for example, to configure members of that class with a different set of DNS servers or gateways. And with the Microsoft vendor classes built into Windows Server 2008, you can offer specific systems the options of disabling NetBIOS over TCP/IP, releasing the lease upon shutdown, and setting the base metric for default routes.
Vendors choose their own vendor class identifiers, so you will need to consult your vendor's documentation or support group to determine what vendor classes your adapters send. Vendor classes can also represent the manufacturer of the network card or the manufacturer of the computer, whichever makes the most sense for your organization. Microsoft uses the MSFT prefix (for example, "MSFT 5.0") to identify its DHCP clients in Windows 98 and later.
User classes are set by administrators and group clients by criteria that aren't available via the vendor class. For example, you can set a user class for "Charlotte office" and another for "Raleigh office," to direct the different groups to different IP resources. The same class identifier must be set on the client and on the DHCP server. Predefined user classes are also available to support groups of clients with special needs, such as clients using the older BOOTP protocol or clients connecting through the Routing and Remote Access Service. User classes are really meant for larger networks that need to manage DHCP option assignments based on different computer criteria, and that need to assign and override the standard option assignments at the server, scope, or reservation level. Note that a client declares its own user class, so classes are a way to tailor options for cooperating clients, not a way to restrict what a client may ask for. To create a user class on the server, follow these steps:
1. Open the DHCP administrator console.
2. Right-click the DHCP server and select Define User Classes from the pop-up context menu.
3. The DHCP User Classes dialog box appears. Click the Add button.
4. The New Class box appears, as shown in Figure 11-10.
Figure 11-10. The New Class box
5. Enter a display name for the new class, and a friendly description for your purposes if you want.
6. Enter the ASCII text of the class by clicking under the word ASCII and typing text. The binary version of what you type will be generated automatically. This ASCII text, not the display name, is the class ID the client sends, so it must match exactly (including case) what you will configure on the clients.
7. Click OK.
The new class has been created. Now, configure the DHCP options to send only to this class:
1. Under the scope node in the left pane of the DHCP administrator console, right-click Scope Options and select Configure Options.
2. Navigate to the Advanced tab.
3. Under User Class, select the new class you just configured.
4. Finally, under Available Options, select the options you want to configure and enter the values for those options.
5. Click OK when you've finished.
Now the scope is configured to send certain options to your new class. On each client computer that will be a member of that class, issue the following command, giving the class ID text from step 6:
ipconfig /setclassid "Local Area Connection" "Class ID of New User Class"
You will receive a message indicating that the assignment was successful. Use ipconfig /showclassid "Local Area Connection" to confirm the class in effect, and ipconfig /renew to pick up the class-specific options.
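The whole procedure, server side and client side, can be scripted with netsh and ipconfig. This is an added example rather than the book's own code; the class, scope and option values are assumed, and the class display name is kept free of spaces so it passes cleanly to netsh.

```powershell
# Added example (not from the book): define a user class, attach class-specific options to a
# scope, and set the class on a client. The class *data* is what the client sends in its
# request and must match exactly; the display name is only what the console shows.
$scope     = "192.168.10.0"        # assumed scope
$className = "Charlotte_office"    # display name (no spaces, so netsh sees one token)
$classData = "CharlotteOffice"     # class ID the clients will send

# --- On the DHCP server ---
# add class <Name> <Comment> <Data> <IsVendor>   (IsVendor 0 = user class, 1 = vendor class)
netsh dhcp server add class $className "Clients in the Charlotte office" $classData 0

# Options scoped to the class: only requests carrying this class ID get these values;
# everything else keeps the scope's default DNS servers and gateway.
netsh dhcp server scope $scope set optionvalue 006 IPADDRESS user=$className 192.168.20.10 192.168.20.11
netsh dhcp server scope $scope set optionvalue 003 IPADDRESS user=$className 192.168.10.254

# Checks: the class is defined, and the class-specific values are attached to the scope
netsh dhcp server show class
netsh dhcp server scope $scope show optionvalue

# --- On each client in that class (run there; class ID must match $classData exactly) ---
# ipconfig /setclassid  "Local Area Connection" "CharlotteOffice"
# ipconfig /showclassid "Local Area Connection"
# ipconfig /renew
```

Because the class ID is simply a string the client chooses to send, a class should never be the thing that decides whether a client gets, say, a DNS server inside a sensitive network; use it to hand cooperating clients the right settings, and put the access control elsewhere.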
11.1.7. Superscopes

A superscope is a collection of scopes that can service requests from clients on multiple subnets that share the same physical network segment. By configuring a DHCP server with a superscope that encompasses several smaller scopes, you can provide DHCP service to multiple logical subnets on one segment simultaneously. Use superscopes when you need to provide leases to clients on more than one subnet with one DHCP server. A superscope only groups scopes that already exist; you still create each member scope, with its own address pool and options, as described earlier. To begin configuring a superscope, follow these steps:
1. Load the DHCP administrator console.
2. Right-click the DHCP server node and select New Superscope from the pop-up context menu. Click Next on the introductory screen of the wizard.
3. Enter the name of the new superscope you're creating, and then click Next.
4. From the Available Scopes list, select the scopes to include in this new superscope. You can hold down the Ctrl key and click to select multiple scopes.
5. Click Next and confirm your settings. Then, click Finish.
The superscope is now active.

11.1.8. Conflict Detection

To ensure that one IP address is not leased to two different clients, the Windows Server 2008 DHCP service includes a conflict detection mechanism, which uses a ping test to verify that an IP address isn't in use before it is leased to a client. You might want to enable this feature if you need to rebuild your DHCP server and ensure that, when you bring the server back up with an empty lease database, it won't lease IP addresses currently in use. To do so, right-click the server name in the DHCP management console, select Properties, and navigate to the Advanced tab. Find the option called "Conflict detection attempts" and set it to 1 or 2 (it is 0, meaning disabled, by default). This number specifies the number of ping attempts the DHCP server will make before offering an address; the server waits for each attempt to time out before it answers the client, so larger values noticeably slow down lease issuance. Remember also that a ping only finds hosts that answer ICMP echo requests; a machine whose firewall drops pings goes undetected, so conflict detection is a safety net, not a substitute for correct exclusions.
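Both of these server-level settings, superscope membership and conflict detection, have netsh equivalents. The following added example (not the book's code) groups two existing scopes into a superscope and enables conflict detection; the scope addresses and superscope name are assumed, and the scopes are assumed to have been created already.

```powershell
# Added example (not from the book): put two existing scopes into a superscope and turn on
# conflict detection, then read both settings back.
$superscope   = "BuildingA"                        # assumed superscope name
$memberScopes = @("192.168.10.0", "192.168.11.0")   # assumed, existing scopes

# scope <Addr> set superscope <Name> <ChangeFlag>   (1 = add the scope to the superscope, 0 = remove it)
foreach ($s in $memberScopes) {
    netsh dhcp server scope $s set superscope $superscope 1
}

# Conflict detection: number of ping attempts before an address is offered.
# 0 disables it; 1 or 2 is the useful range, since each attempt delays the offer.
netsh dhcp server set detectconflictretry 2

# Checks: the retry count now in force, and the scope list with each scope's state
netsh dhcp server show detectconflictretry
netsh dhcp server show scope
```

Set the retry count back to 0 once the rebuilt server has been running long enough for every active client to have renewed; leaving it at 2 permanently costs every new lease two ping timeouts.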
11.1.9. DHCP Implications for DNS

The Windows Server 2008 DNS service supports dynamic updates from DHCP clients so that name-to-IP mappings continue to be accurate through the release and renewal process. On clients, you can configure this behavior by opening the properties of the local area connection (on Windows XP, you can find a list of network connections from the "Connect To" menu on the Start menu; in Windows 2000, this is done through the Network and Dial-up Connections applet in Control Panel), opening the properties of Internet Protocol (TCP/IP), clicking Advanced, and navigating to the DNS tab. At the bottom of the screen, select the "Register this connection's addresses in DNS" option, as shown in Figure 11-11. This instructs the client to send a dynamic update for its A record to the zone's primary DNS server.
Figure 11-11. Registering a DHCP-assigned client address in DNS
If you want the DHCP server to handle these updates instead of the client, the first step is to make your DHCP server's computer object a member of the DnsUpdateProxy group within Active Directory. Authorizing the DHCP server (described earlier in this chapter) does not do this for you; add the computer account to the group yourself with Active Directory Users and Computers. Understand the trade-off before you do: records registered by a DnsUpdateProxy member are created without an owner so that any client can later take them over, which also means any authenticated user can overwrite them. For that reason, don't put a domain controller that also runs DHCP into this group, since the DC's own records would then be registered unprotected; on the Advanced tab of the server's properties you can instead supply a dedicated low-privilege account whose credentials the DHCP service uses for its updates, so that the records it registers have an owner. Next, in the DHCP administrator console, right-click the DHCP server node and click Properties. Navigate to the DNS tab, which is shown in Figure 11-12.
Figure 11-12. Configuring DHCP-based updates to DNS
Here, you can instruct the DHCP service to update DNS records for its clients at all times, or only when a client asks the server to perform the update on its behalf. You can also tell the service to discard the A and PTR records for a client when its lease is deleted, and you can enable updates on behalf of clients that cannot dynamically update their own records in DNS (such as Windows NT 4.0 and earlier).
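The following added example (not code from the book) shows both ways of letting the DHCP server register records: the DnsUpdateProxy membership the text describes, and the alternative of giving the service its own update credentials. The computer name, domain and service account are assumed, and the account is assumed to be an ordinary domain user created for this purpose only.

```powershell
# Added example (not from the book): configure DHCP-side DNS registration.
$dhcpComputer = "dhcp1"          # assumed: the DHCP server's computer account (dhcp1$)
$domain       = "EXAMPLE"        # assumed NetBIOS domain name
$updateUser   = "svc-dhcp-dns"   # assumed: unprivileged domain user used only for DNS updates

# Option A (what the text describes): add the DHCP server's computer account to DnsUpdateProxy.
# Records it registers will then be unowned, i.e. writable by any authenticated user.
net group DnsUpdateProxy "$dhcpComputer`$" /add /domain

# Option B (preferred, and the only safe choice on a domain controller): give the service
# credentials for dynamic updates so that registered records are owned by that account.
$secure = Read-Host "Password for $domain\$updateUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
netsh dhcp server set dnscredentials $updateUser $domain $plain
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Restart-Service -Name DHCPServer

# Checks: the server's dynamic-update settings (the DNS tab), and the credentials it will use
netsh dhcp server show dnsconfig
netsh dhcp server show dnscredentials

# On a client, force its own registration and then look the name up:
# ipconfig /registerdns
# nslookup <clientname>.example.com
```

Whichever option you choose, treat DNS records that DHCP registered with the same suspicion as records a client registered for itself: the name-to-address mapping is only as trustworthy as the client that asked for the lease.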
11.2. Network Access Protection

Viruses and malware are often stopped by software defenses that run on the desktop; in fact, the antivirus, antispyware, and other security suite software business has rapidly become a very lucrative industry. As useful as those protections are, however, the best solution would be for such threats never to get a chance to access the network; as the old saying goes, "The quickest way out of something is never to have been in it." Windows Server 2008 includes a technology that allows computers to be examined against a baseline set by an administrator, and if a machine doesn't measure up to that baseline in any way, it can be prevented from accessing the network, quarantined from the healthy systems until the user fixes the broken machine. This functionality is called Network Access Protection (NAP).
You might know of NAP's predecessor, Network Access Quarantine Control (NAQC). It debuted in Windows Server 2003 as a more limited form of quarantine protection. NAQC is limited to protecting your corporate network against remote users: it prevents unhindered access to a network for a remote user until after his computer has been verified as meeting certain baselines set by a network administrator. Under NAQC, when a client establishes a connection to a remote network's endpoint, the client receives an IP address, but Internet Authentication Service places the connection in a quarantine mode that is lifted only after health verification is complete. While NAQC is useful, it requires writing a baseline script to set up; its management facilities are next to none; and, most critically, it offers no safeguards against infected machines inside the corporate campus.

11.2.1. How It Works

NAP addresses these weaknesses and builds on the premise of NAQC: that stopping spyware and viruses dead, before they can ever reach the network, is the best line of defense. NAP in Windows Server 2008 can be considered in three different parts:
Health policy validation
Validation is the process in which the machine attempting to connect to the network is examined and checked against health criteria that an administrator sets. These criteria can include patch state, service-pack level, presence of antivirus software, and so on.
Health policy compliance
Compliance policies can be set so that managed computers that fail the validation process are automatically updated or fixed via Systems Management Server or some other management software. This is an optional, but very useful, part of NAP. You can also set up mechanisms to ensure that compliance is ongoing and that machines stay healthy for the entire time they're on the network.
Limited access
Access limiting is the enforcement mechanism for NAP. It's possible to run NAP in monitoring-only mode, which logs the compliance and validation state of computers connecting to the network. But in active mode, computers that fail validation are put into a limited-access area of the network, which typically blocks almost all network access and restricts traffic to a set of specially hardened remediation servers that contain the tools most commonly needed to get machines up to snuff.
Here's the basic process for a NAP session and the various pieces involved:
1. A client asks for access to the network and presents its current state of health to the Dynamic Host Configuration Protocol (DHCP) server, virtual private network (VPN) server, or a compatible switch or router.
2. The DHCP/VPN server or router/switch sends the health status, as presented by the client, to Network Policy Server (NPS), Microsoft's RADIUS server, which replaces the Internet Authentication Service you might know from Windows Server 2003.
3. NPS checks the health status against the criteria that the administrator set and, based on the results, does one of the following. If the machine does not comply with IT policy, the client is placed in a restricted virtual LAN; is prevented, via IPsec rules or 802.1X port-level control, from talking with healthy machines; or is given a very limited set of routes via DHCP. Regardless of the method of restriction, the unhealthy client can access a few (presumably specially hardened) remediation servers that have the resources needed for the client to fix itself. Steps 1 through 3 are then repeated. If the machine complies with policy, the client is granted full access to the network.
4. On the client side, system health agents (SHAs) are small pieces of code that gather the health information for each client machine, as mentioned in step 1; their counterparts on the NPS server, system health validators (SHVs), evaluate what the SHAs report. Windows Vista includes a default SHA, Windows Server 2008 the matching Windows Security Health Validator, and both can be customized. Additionally, the NAP Agent service on the client takes the health status information provided by the SHAs and hands it to enforcement clients (ECs), which carry out enforcement on the client (limiting the scope of a DHCP route, verifying packet filters, and so on) depending on which enforcement mechanism you choose.
Keep in mind that the statement of health is exactly that: a statement the client makes about itself, which NPS has no independent way to verify. NAP raises the bar for well-meaning but unpatched machines; a deliberately hostile client can lie to it, so treat NAP as a compliance tool rather than as a boundary against attackers.
Take a look at Figure 11-13, which shows how all of the pieces of NAP fit together regardless of the type of enforcement you choose.
Figure 11-13. The basic architecture of NAP
11.2.2. Enforcement Mechanisms

There are several ways that NAP enforces its access-limiting capabilities with clients. Let's take a look at the five currently supported within Windows Server 2008.
Through DHCP-based enforcement, clients attempt to lease an IP address from a DHCP server running Windows Server 2008 with the DHCP Server and Network Policy Server roles installed. That server checks the health of the client and, if the client meets the requirements, issues a valid IP lease. If the client is judged to be unhealthy, the DHCP server issues a very limited lease that contains just an IP address, a subnet mask, and a set of host routes limited in scope to a few remediation servers on the restricted network. There is no default gateway. Once the client has been remediated, it renews its lease, which triggers another round of checks, and only at that point is a full DHCP lease issued. DHCP enforcement is the easiest mechanism to deploy and also the weakest: a user who assigns a static IP address and gateway bypasses it entirely, so treat it as a way to steer cooperative clients rather than as a control.
With VPN enforcement, the behavior of NAP is more like its predecessor, NAQC. When the VPN client starts a connection with the VPN concentrator or server on your perimeter network, the VPN server (also running Network Policy Server) or another machine with the required roles checks the health of the potential client. If the client is healthy, it gets unfettered access to the network, but if it is not healthy, a set of packet filters is placed on the connection to limit access to only those servers that host the items needed to remediate the situation. The VPN server later removes the packet filters once the client is deemed healthy.
Via 802.1X enforcement, you get the advantages of NAP for hard-wired (and wireless) clients in a more tamper-resistant way than with DHCP-based enforcement. 802.1X is the IEEE standard for port-based network access control, meaning that access is decided at the actual switch port (or wireless association) a device connects through. By authenticating devices at the port level, you achieve nearly instantaneous NAP enforcement and also bring any sort of device under policy when it joins the network, not just Windows clients or remote machines entering through a VPN. The drawback is that hardware capable of enforcing NAP at the port level is expensive; the switch must relay the client's EAP exchange to the Network Policy Server over RADIUS and act on the result NPS returns, which for a noncompliant client is a restricted VLAN or a set of access control lists rather than simply enabling or disabling the port.
IPsec enforcement is an interesting, and perhaps the most realistic, mechanism of all of the ones we've discussed so far. For it to be effective, you must deploy IPsec policies to either all of your sensitive machines or all of the hosts on your network that limit them to accepting incoming communications only from machines that hold a health certificate. Once the policies are in place, you can configure NAP simply to issue valid health certificates to healthy clients; those clients can then communicate with any host. Unhealthy clients aren't issued health certificates, and even though they (a) have a valid IP address, (b) have no scope-limited routes in place, and (c) face no hardware mechanism for disabling their communications, the IPsec policies mean that protected machines will simply drop communications from the unhealthy client; fingers in the ears, if you will. Because enforcement happens on every protected host rather than at a single chokepoint, this is the one mechanism a client cannot route around by changing its own network settings. To use this enforcement mechanism, you'll need the Health Registration Authority (HRA), which obtains health certificates for healthy clients from a certification authority.
Finally, the TS Gateway mechanism allows you to apply NAP enforcement to your remote Terminal Services clients, although you cannot currently autoremediate these types of clients.

11.2.3. Implementing NAP in Phases

Since NAP is so far-reaching and has the power to turn your network-connected machines into standalone, deaf PCs (which might limit productivity in more than a few scenarios), it's best to deploy NAP in phases, so that (a) your users know what's happening and aren't interrupted by its enforcement, and (b) you have a sense of the effects NAP will have on the machines on your network. Here's a sample progression that I recommend when introducing NAP into your network.
Phase 1: Reporting only
In this phase, everything NAP does (checking clients, the results of health tests, what enforcement would have been put into place) is logged centrally, but no remediation or quarantining is actually performed. The goal is to get a sense of what portion of your clients is unhealthy, how many users your eventual enforcement policy would affect, and what types of unhealthy states your clients are in. No one is cut off from network access in this phase, but you get a decent diagnostic of the health of the machines on your network.
Phase 2: Reporting and remediation
After at least a month, and preferably more, in Phase 1, you can enable remediation in addition to the reporting. This will probably fix a not-insignificant portion of the clients that were reporting as unhealthy in Phase 1, shrinking the pool of machines that will eventually be cut off, though at this stage no machine is yet quarantined from the network.
Phase 3: Delayed enforcement
Once you have configured autoremediation and have monitored the reporting logs for a while, you can set up NAP to allow unhealthy clients to access the network for a limited amount of time. This gives clients that need patches enough time on the corporate network to download them before they are cut off. You can set the delayed-enforcement window to anything you choose; I suggest a window no smaller than a day and no longer than a week, since you want to reinforce the importance of healthy clients to your users without berating them endlessly about patching on what may be a busy workday for them. (Some organizations may choose to leave NAP in this mode permanently. I don't recommend this approach, as malware often needs very little time to infect your network, and if you are infested with a virus or worm while NAP is in deferred enforcement mode, what is the point of having NAP deployed in the first place?)
Phase 4: Immediate enforcement
Finally, after everyone has patched up and all of your regular clients have had a chance to remediate themselves and get healthy, simply remove the grace period that Phase 3 allows and make NAP cut off unhealthy clients immediately if they cannot be autoremediated. Remember that NAP can automatically fix simple problems with a machine's state (if its firewall is off, for example), so in this sense you are only cutting off machines with more complex health state issues.
11.2.4. Configuring Network Access Protection

Any NAP deployment is centered on the Network Policy Server, so let's start there and configure NAP with the 802.1X enforcement mechanism. Make sure that the Network Policy and Access Services role is installed on your machine before proceeding.
1. From Administrative Tools on the Start menu, choose Network Policy Server.
2. Let's get acquainted with this environment. In the left pane of the Network Policy Server console, you'll see the Policies node and the Network Access Protection node, as shown in Figure 11-14. Under the Policies node, you configure the health policies that will be used as the baseline clients must meet. You configure the SHVs and any remediation server groups under the Network Access Protection node. Additionally, we will need a RADIUS setup since we are demonstrating 802.1X authentication; the hardware switches we are using will be RADIUS clients.
Figure 11-14. The Network Policy Server console
3. Expand RADIUS Clients and Servers in the left pane, and right-click RADIUS Clients; select New RADIUS Client from the pop-up context menu.
4. The New RADIUS Client screen appears, as shown in Figure 11-15. Here, we'll configure the switch that we are using, giving it a friendly name of "switch" and its IP address. Also, click the Generate radio button to have a shared secret automatically generated. You will need to copy and paste this secret into the switch's configuration as well. The shared secret is the only thing that authenticates the switch to NPS, and RADIUS's own protection of it is weak, so use a long generated secret, give each switch its own, and keep RADIUS traffic on a management network. Click OK when finished.
Figure 11-15. The New RADIUS Client screen
5. Expand Policies in the left pane, and right-click Health Policies; choose New from the pop-up context menu.
6. The Create New Health Policy screen appears, as shown in Figure 11-16. Here, you define what a healthy baseline is. You would create one policy for compliant computers, using the "Client passes all SHV checks" option and the Windows Security Health Validator SHV, and then another policy for noncompliant computers using any of the other options in the Client SHV Checks list.
Figure 11-16. The Create New Health Policy screen
7. Expand Policies in the left pane, and right-click Network Policies; select New from the pop-up context menu.
8. The New Network Policy screen appears, as shown in Figure 11-17. Here, you name a network policy, leave the type of network access server as "Unspecified," and click Next.
Figure 11-17. The New Network Policy screen
9. The Specify Conditions page appears. Click the Add button to display the "Select condition" dialog, as shown in Figure 11-18. The health policies you defined in step 6 are used as conditions here, meaning that if a condition (a health policy) matches, that network policy is applied. So, you would add one network policy for compliant, or healthy, machines, and another for noncompliant, or unhealthy, machines. Click Next.
Figure 11-18. The "Select condition" dialog
10. The Specify Access Permission page appears. Here, you choose whether to grant or deny access if the conditions you configured in the previous step are matched. Both the compliant and the noncompliant policy grant access here; what a noncompliant client may reach is decided by the NAP Enforcement setting in step 13, not by denying access, since a denied client cannot reach the remediation servers either. Click Next.
11. The Configure Authentication Methods screen appears, as shown in Figure 11-19. For 802.1X NAP enforcement, you need to add the Microsoft: Protected EAP (PEAP) option to the EAP Types list, so click the Add button and select it from the list. You should also clear the checkboxes for the less secure authentication methods (MS-CHAP and the like) so that the policy cannot be matched by a client that negotiates one of them. Click Next.
Figure 11-19. The Configure Authentication Methods screen
12. The Configure Constraints page appears, as shown in Figure 11-20. Here, you can configure additional items relating to the network policy; if these items aren't satisfied, NPS rejects the potential client. You can set up maximum idle time, maximum session time, a Called Station ID (in RADIUS terms the identifier of the switch port or access point the client connected through, not the client's own MAC address), day and time restrictions, and the type of device being used. Click Next.
Figure 11-20. The Configure Constraints page
13. The Configure Settings screen appears. Here, you set up the specifics of the policy. We're particularly interested in the NAP Enforcement page, so click that in the left part of the screen and look at the resulting right part, shown in Figure 11-21. Here, you choose which "phase" of NAP implementation should be used in conjunction with this policy: full access, full access for a limited time (deferred enforcement), or limited access. Remember that this setting applies only to the policy you're creating, so you would choose "Allow full network access" for your compliant policy and one of the other two options for your noncompliant policy. Also, for your noncompliant policy, you can tick the box under the "Auto remediation" section to set up automatic fixes where possible. Click Next, and then Finish on the next page of the wizard.
Figure 11-21. The NAP Enforcement section of the Configure Settings page
14. Now that your network and health policies are configured, set up the checks that the Windows Security Health Validator will make by expanding the Network Access Protection node, clicking System Health Validators, and double-clicking Windows Security Health Validator in the right pane.
15. The Windows Security Health Validator Properties screen appears. Under the Error Code Resolution section, you can choose how the SHV will respond if certain conditions are met, including timeouts, connection difficulties, and error codes. Each of these decides whether a client counts as compliant or noncompliant when the check itself could not be completed; the safe setting is noncompliant, since otherwise a client that cannot be checked gets full access. At the top, the Configure button will take you to where you can set up the specific checks that are made for clients. Click Configure.
16. The Windows Security Health Validator screen appears, as shown in Figure 11-22. There are two tabs, one for Windows Vista and one for Windows XP (Figure 11-23). Here is where you choose what you require for firewall configuration, virus protection, spyware protection (for Windows Vista only), automatic updating, security update protection, and so on. Configure as desired, and click OK and then OK again to close out.
Figure 11-22. The Windows Security Health Validator screen, on the Windows Vista tab
Figure 11-23. The Windows Security Health Validator screen, on the Windows XP tab
At this point, you have configured everything on the server end. Remember, you need two network policies (one for compliant machines, one for noncompliant machines) and two health policies (again, one for compliant and the other for noncompliant computers). Once you have those four policies, and have configured the Windows Security Health Validator with the appropriate security criteria, you just need to deploy a couple of settings to your clients. The simplest way to do this is via Group Policy; you'll find the required settings under Computer Configuration, Windows Settings, Security Settings, Network Access Protection. Enable only the enforcement client that matches the mechanism you deployed, and make sure the NAP Agent service (and, for 802.1X, the Wired AutoConfig service) is set to start automatically on the clients. Your options, shown in Figure 11-23, are:
DHCP Quarantine Enforcement Client
Remote Access Quarantine Enforcement Client
IPsec Relying Party
TS Gateway Quarantine Enforcement Client
EAP Quarantine Enforcement Client
Just choose t he appropriat e client , each of which corresponds t o one of t he enforcem ent m echanism s covered earlier in t his chapt er, and set it t o enabled, and you are ready t o deploy.
11.2.5. Benefits and Drawbacks
NAP is a truly great addition to Windows Server 2008. The advantages are numerous. You get very effective protection against malware before it can infiltrate your network, it is included in the licensing cost of the server product, and it presents another way for your users to take security seriously. If their systems aren't up to snuff, they can't get their work done, so system integrity becomes a unified priority across both IT and the user community alike.

That's not to say NAP is a golden ticket to security nirvana; there are indeed some disadvantages. One is that there are deployment scenarios that jeopardize the effectiveness of NAP. For example, DHCP-based protection (where few routes are assigned before health verification) is easily bypassed on the client—by users who know what they're doing—by simply entering a static IP address and DNS/router information. Two, the element of detection of network devices coming online can be difficult to implement securely, particularly solutions that rely on detecting broadcast packets. And finally, the best deployment method—802.1x protection with compatible switch or router hardware—is expensive and requires a lot of time to test and bring online.

Can you rely on NAP? I think you certainly can, so long as it is deployed correctly and as part of a multilayered solution to security. Defense in depth still applies—NAP is not an end-all, be-all answer to your problems, in my opinion. But NAP can and should play a very central role in your approach to security.
11.3. The Last Word
In this chapter, I've looked at two networking systems and techniques. DHCP combines with DNS to provide an automatic and self-managing way to provide IP services to your network. NAP is a great way to assess the integrity and quality of remote client machines before they have a chance to potentially infect your network with malicious software. In the next chapter, I discuss how to scale your network services using software to provide load balancing and fault tolerance.
Chapter 12. An Introduction to Clustering Technologies
Clusters work to provide fault tolerance to a group of systems so that the services they provide are always available—or are at least unavailable for the least possible amount of time. Clusters also provide a single public-facing presence for a set of systems, which means end users and others who take advantage of the resources the cluster members provide aren't aware that the cluster comprises more than one machine. They see only a single, unified presence on the network. The dirty work of spreading the load among multiple machines is done behind the scenes by clustering software. Microsoft provides two distinct types of clustering with Windows Server 2008:
Network load-balancing (NLB) clusters
These types of clusters allow for the high availability of services that rely on the TCP/IP protocol. You can have up to 32 machines running any edition of Windows Server 2008, Windows Server 2003, and Windows 2000 Server (with one minor exception, covered later in this chapter) participating in an NLB cluster.
True server clusters
Server clusters are the "premium" variety of highly available machines and consist of servers that can share workloads and processes across all members of the cluster (with some exceptions, as you'll see later in this chapter). Failed members of the cluster are automatically detected and the work being performed on them is moved to other, functional members of the cluster. True server clusters are supported in only the Enterprise and Datacenter editions of Windows Server 2008.
Where might each type of cluster be useful? For one, NLB is a very inexpensive way to achieve high TCP/IP availability for servers that run web services or other intranet or Internet applications. In effect, NLB acts as a balancer, distributing the load equally among multiple machines running their own, independent, isolated copies of IIS. NLB only protects against a server going offline, in that if a copy of IIS on a machine fails, the load will be redistributed among the other servers in the NLB cluster. Dynamic web pages that maintain sessions don't receive much benefit from this type of clustering because members of the cluster are running independent, unconnected versions of IIS and therefore cannot continue sessions created on other machines. However, much web content is static, and some implementations of dynamic web sites do not use sessions. Thus, chances are that NLB can improve the reliability of a site in production. Other services that can take advantage of NLB are IP-based applications such as FTP and VPN.

If you have business-critical applications that must be available at all times, true server clustering is a better fit. In true server clusters, all members of the cluster are aware of all the other members' shared resources. The members also maintain a "heartbeat" pulse to monitor the availability of services on their fellow members' machines. In the event of a resource or machine failure, the Windows Server 2008 clustering service can automatically hand off jobs, processes, and sessions begun on one machine to another machine. That isn't to say this swapping is completely transparent. When the application is moved or falls to another member in the cluster, client sessions are actually broken and re-established on the new owners of the resources. Although this happens relatively quickly, depending on the nature of your application it probably will not go unnoticed by your users. Often, your clients will be asked to re-authenticate to the new cluster owner. However, the cluster effectively acts as one unit and is completely fault-tolerant, and if you design the structure of your cluster correctly, you can avoid any one single point of failure. This decreases the chance that a single failed hardware or software component will bring your entire business-critical application to its knees.

In this chapter, I'll deal with each type of clustering individually, introducing concepts and showing you how to accomplish the most common administrative tasks.
12.1. Network Load-Balancing Clusters
NLB in Windows Server 2008 is accomplished by a special network driver that works between the drivers for the physical network adapter and the TCP/IP stack. This driver communicates with the NLB program (called wlbs.exe, for the Windows Load Balancing Service) running at the application layer—the same layer in the OSI model as the application you are clustering. NLB can work over FDDI- or Ethernet-based networks—even wireless networks—at up to gigabit speeds. Why would you choose NLB? For a few reasons:
NLB is an inexpensive way to make a TCP/IP-dependent application somewhat fault tolerant, without the expense of maintaining a true server cluster with fault-tolerant components. No special hardware is required to create an NLB cluster. It's also cheap hardware-wise because you need only two network adapters to mitigate a single point of failure.
The "shared nothing" approach—meaning each server owns its own resources and doesn't share them with the cluster for management purposes, so to speak—is easier to administer and less expensive to implement, although there is always some data lag between servers while information is transferred among the members. (This approach also has its drawbacks, however, because NLB can only direct clients to backend servers or to independently replicated data.)
Fault tolerance is provided at the network layer, ensuring that network connections are not directed to a server that is down.
Performance is improved for your web or FTP resource because load is distributed automatically among all members of the NLB cluster.
NLB works in a seemingly simple way: all computers in an NLB cluster have their own IP address just like all networked machines do these days, but they also share a single, cluster-aware IP address that allows each member to answer requests on that IP address. NLB takes care of the IP address conflict problem and allows clients who connect to that shared IP address to be directed automatically to one of the cluster members. NLB clusters support a maximum of 32 cluster members, meaning that no more than 32 machines can participate in the load-balancing and sharing features. Most applications that have a load over and above what a single 32-member cluster can handle take advantage of multiple clusters and use some sort of DNS load-balancing technique or device to distribute requests to the multiple clusters individually.

When considering an NLB cluster for your application, ask yourself the following question: how will a failure affect the application and the other cluster members? If you are running a high-volume e-commerce site and one member of your cluster fails, are the other servers in the cluster adequately equipped to handle the extra traffic from the failed server? A lot of cluster implementations miss this important concept and later see the consequence—a cascading failure caused by a perpetually growing load failed over onto servers perpetually failing from overload. Such a scenario is very common and entirely defeats the true purpose of a cluster. Avoid this by ensuring that all cluster members have sufficient hardware specifications to handle additional traffic when necessary.

Also examine the kind of application you are planning on clustering. What types of resources does it use extensively? Different types of applications stretch different components of the systems participating in a cluster. Most enterprise applications have some sort of performance testing utility; take advantage of any that your application offers in a testing lab and determine where potential bottlenecks might lie. Web applications, Terminal Services, and Microsoft's ISA Server 2004 product can take advantage of NLB clustering.

It's important to be aware that NLB is unable to detect whether a service on the server has crashed but not the machine itself, so it could direct a user to a system that can't offer the requested service.
12.1.1. NLB Terminology
Before we dig deeper into our coverage of NLB, let's discuss a few terms that you will see. Some of the most common NLB technical terms are as follows:
NLB driver
This driver resides in memory on all members of a cluster and is instrumental in choosing which cluster node will accept and process the packet. Coupled with port rules and client affinity (all defined on the following pages), the driver decides whether to send the packet up the TCP/IP stack to the application on the current machine, or to pass on the packet because another server in the cluster will handle it.
Unicast mode
In unicast mode, NLB hosts send packets to a single recipient.
Multicast mode
In multicast mode, NLB hosts send packets to multiple recipients at the same time.
Port rules
Port rules define the applications on which NLB will "work its magic," so to speak. Certain applications listen for packets sent to them on specific port numbers—for example, web servers usually listen for packets addressed to TCP port 80. You use port rules to instruct NLB to answer requests and load-balance them.
Affinity
Affinity is a setting that controls whether traffic that originated from a certain cluster member should be returned to that particular cluster node. Effectively, this controls which cluster nodes will accept what types of traffic.
12.1.2. NLB Operation Styles and Modes
An NLB cluster can operate in four different ways:
With a single network card in each server, using unicast mode
With multiple network cards in each server, using unicast mode
With a single network card in each server, using multicast mode
With multiple network cards in each server, using multicast mode
You cannot mix unicast and multicast modes among the members of your cluster. All members must be running either unicast or multicast mode, although the number of cards in each member can differ. The following sections detail each mode of operation.
12.1.2.1. Single card in each server in unicast mode
A single network card in each server operating in unicast mode requires less hardware, so obviously it's less expensive than maintaining multiple NICs in each cluster member. However, network performance is reduced because of the overhead of using the NLB driver over only one network card—cluster traffic still has to pass through one adapter, which can be easily saturated, and is additionally run through the NLB driver for load balancing. This can create real hang-ups in network performance. An additional drawback is that cluster hosts can't communicate with one another through the usual methods, such as pinging—it's not supported using just a single adapter in unicast mode. This has to do with MAC address problems and the Address Resolution Protocol (ARP). Similarly, NetBIOS isn't supported in this mode either. This configuration is shown in Figure 12-1.
Figure 12-1. Single card in each server in unicast mode
12.1.2.2. Multiple cards in each server in unicast mode
This is usually the preferred configuration for NLB clusters because it enables the most functionality for the price in equipment. However, it is inherently more expensive because of the second network adapter in each cluster member. Having that second adapter, though, means that there are no limitations among regular communications between members of the NLB cluster. Additionally, NetBIOS is supported through the first configured network adapter for simpler name resolution. All types and brands of routers support this method, and having more than one adapter in a machine removes bottlenecks found with only one adapter. This configuration is shown in Figure 12-2.
Figure 12-2. Multiple cards in each server in unicast mode
12.1.2.3. Single card in each server in multicast mode
Using a single card in multicast mode allows members of the cluster to communicate with one another normally, but network performance is still reduced because you are still using only a single network card. Router support might be spotty because of the need to support multicast MAC addresses, and NetBIOS isn't supported within the cluster. This configuration is shown in Figure 12-3.
Figure 12-3. Single card in each server in multicast mode
12.1.2.4. Multiple cards in each server in multicast mode
This mode is used when some hosts have one network card and others have more than one, and all require regular communications among themselves. In this case, every host needs to be in multicast mode because all hosts in an NLB cluster must be running the same mode. You might run into problems with router support using this model, but with careful planning you can make it work. This configuration is shown in Figure 12-4.
Figure 12-4. Multiple cards in each server in multicast mode
12.1.3. Port Rules
NLB clusters feature the ability to set port rules, which are simply ways to instruct Windows Server 2008 to handle each TCP/IP port's cluster network traffic. NLB does this filtering in three modes: disabled, where all network traffic for the associated port or ports will be blocked; single host mode, where network traffic from an associated port or ports should be handled by one specific machine in the cluster (still with fault tolerance features enabled); and multiple hosts mode (the default mode), where multiple hosts in the cluster can handle port traffic for a specific port or range of ports. The rules contain the following parameters:
The virtual IP address to which the rule should be applied
The port range for which this rule should be applied
The protocols for which this rule should apply, including TCP, UDP, or both
The filtering mode that specifies how the cluster handles traffic described by the port range and protocols, as discussed just before this list
In addition, you can select one of three options for client affinity (which is, simply put, the types of clients from which the cluster will accept traffic): None, Single, and Class C. Single and Class C are used to ensure that all network traffic from a particular client is directed to the same cluster host. None indicates that there is no client affinity, and traffic can go to any cluster host.

When using port rules in an NLB cluster, it's important to remember that the number and content of port rules must match exactly on all members of the cluster. When joining a node to an NLB cluster, if the number or content of port rules on the joining node doesn't match the number or content of rules on the existing member nodes, the joining member will be denied membership to the cluster. You need to synchronize these port rules manually across all members of the NLB cluster.
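The port-rule parameters, the three filtering modes, the three affinity options and the join-time rule check described above, modeled as an added Python example that is not from the book: select_host decides which cluster host accepts a packet, and can_join refuses a node whose rules differ in number or content. The cluster IP, host IDs and rules are constructed sample values; the CRC32 spread used in Multiple-hosts mode is a stand-in for NLB's real mapping algorithm, and traffic no rule covers is sent to the default host (the member with the lowest priority number).

```python
"""Model of NLB port rules, client affinity and the join-time rule check.

Constructed example: the cluster IP, host IDs and rules below are sample
values, and the hashing used to spread Multiple-hosts traffic is a stand-in
for NLB's real mapping algorithm.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional
import zlib


@dataclass(frozen=True)
class PortRule:
    """One NLB port rule, carrying the parameters from the Port Rules screen."""
    vip: str                             # cluster IP the rule applies to, or "All"
    port_start: int
    port_end: int
    protocol: str                        # "TCP", "UDP" or "Both"
    mode: str                            # "Disabled", "Single" or "Multiple"
    affinity: str = "None"               # "None", "Single" or "ClassC"
    owner_host_id: Optional[int] = None  # host that takes Single-mode traffic

    def matches(self, vip: str, port: int, protocol: str) -> bool:
        """True when a packet to vip:port over protocol is covered by this rule."""
        vip_ok = self.vip in ("All", vip)
        proto_ok = self.protocol in ("Both", protocol)
        return vip_ok and proto_ok and self.port_start <= port <= self.port_end


def affinity_key(affinity: str, client_ip: str, client_port: int) -> bytes:
    """The part of the client identity that must always map to the same host."""
    addr = ip_address(client_ip)
    if affinity == "Single":             # every connection from one client IP
        return addr.packed
    if affinity == "ClassC":             # every client in the same /24
        return addr.packed[:3]
    return addr.packed + client_port.to_bytes(2, "big")  # None: per connection


def default_host(hosts: Dict[int, int]) -> int:
    """The default host: the member with the lowest host priority number."""
    return min(hosts, key=hosts.get)


def select_host(rules: List[PortRule], hosts: Dict[int, int], client_ip: str,
                client_port: int, vip: str, port: int, protocol: str) -> Optional[int]:
    """Return the host ID that accepts the packet, or None if the cluster drops it.

    hosts maps host ID -> host priority for the members currently converged.
    """
    rule = next((r for r in rules if r.matches(vip, port, protocol)), None)
    if rule is None:                     # no rule covers it: default host answers
        return default_host(hosts)
    if rule.mode == "Disabled":          # traffic for these ports is blocked
        return None
    if rule.mode == "Single":            # one specific member owns this traffic
        if rule.owner_host_id in hosts:
            return rule.owner_host_id
        return default_host(hosts)       # owner has left the cluster: fall back
    members = sorted(hosts)              # Multiple: spread by the affinity key
    key = affinity_key(rule.affinity, client_ip, client_port)
    return members[zlib.crc32(key) % len(members)]


def can_join(existing: List[PortRule], joining: List[PortRule]) -> bool:
    """NLB denies membership when rule count or content differs from the cluster."""
    return len(existing) == len(joining) and set(existing) == set(joining)


# Constructed sample cluster: the chapter's example VIP, three converged hosts
CLUSTER_VIP = "192.168.0.14"
HOSTS = {1: 1, 2: 2, 3: 3}              # host ID -> priority
RULES = [
    PortRule(CLUSTER_VIP, 80, 80, "TCP", "Multiple", affinity="Single"),
    PortRule(CLUSTER_VIP, 21, 21, "TCP", "Single", owner_host_id=2),
    PortRule(CLUSTER_VIP, 53, 53, "UDP", "Disabled"),
]

if __name__ == "__main__":
    client = "10.1.2.3"
    for sport in (40001, 40002):         # same client, two connections: same host
        print("web", sport, "->", select_host(RULES, HOSTS, client, sport, CLUSTER_VIP, 80, "TCP"))
    print("ftp ->", select_host(RULES, HOSTS, client, 40003, CLUSTER_VIP, 21, "TCP"))
    print("dns ->", select_host(RULES, HOSTS, client, 40004, CLUSTER_VIP, 53, "UDP"))
    print("join with one rule missing:", can_join(RULES, RULES[:2]))
```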
12.1.4. Creating an NLB Cluster
To create a new NLB cluster, use the Network Load Balancing Manager and follow these instructions:
1. From Server Manager, click on Features in the left pane, and then click Add Features in the main window.
2. On the Select Features screen, check the Network Load Balancing box and click Next.
3. On the confirmation screen, acknowledge the possible restart at the end of the setup procedure and then click Install.
4. Once the installation is complete, from the Start menu, point to Administrative Tools and click on Network Load Balancing Manager.
5. From the Cluster menu, select New.
6. The New Cluster: Connect screen appears, as shown in Figure 12-5. Here, enter the IP address or DNS name of the host that will be added to the cluster first. Then click Connect. The list in the white box at the bottom of the screen will be populated with the network interfaces available for creating a cluster. Click the public interface, and click Next.
Figure 12-5. The New Cluster: Connect screen
7. The Host Parameters screen appears, as seen in Figure 12-6. On this screen, enter the priority for the host of the cluster, the dedicated IP that you'll use to connect to this specific member node, and the initial state of this host when you first boot up Windows Server 2008. Click Finish to complete the process.
Figure 12-6. The Host Parameters screen
8. The Cluster IP Addresses screen appears. Here, enter any additional IP addresses the cluster might need. You might want this for specific applications, but it's not required for a standard setup. Click Next when you've finished, or if there are no other IP addresses by which this cluster will be known.
9. The Cluster Parameters screen appears, as shown in Figure 12-7. Here, you specify the name of the cluster and the IP address information by which other computers will address the cluster. Enter the IP address, subnet mask, and full Internet name (i.e., the canonical DNS name). Also choose unicast or multicast mode, as discussed in the previous section. Click Next to continue.
Figure 12-7. The Cluster Parameters screen
Enabling remote control of your cluster—meaning being able to load the NLB Manager client on other systems and connect remotely to the cluster—is not recommended because it is a large security risk. Avoid this unless absolutely necessary, and use other tools such as Terminal Services or Remote Desktop.
10. The Port Rules screen appears, as shown in Figure 12-8. Enter and configure any port rules you'd like, as discussed in the previous section, and then click Next when you're done.
Figure 12-8. The Port Rules screen
The NLB cluster is created, and the first node is configured and added to the cluster.
12.1.5. Adding Other Nodes to the Cluster
Chances are good that you want to add another machine to the cluster to take advantage of load balancing. To add a new node to an existing cluster, use this procedure:
1. From the Administrative Tools menu, open the Network Load Balancing Manager console.
2. In the left pane, right-click the cluster to which you'd like to add a node, and then select "Add Host to Cluster" from the pop-up context menu.
3. The Connect screen appears. Type in the DNS name or the IP address of the host to join to the cluster. Click the Connect button to populate the list of network interfaces on that host, and then select the card that will host public traffic and click Next.
4. The Host Parameters screen appears. Enter the appropriate priority of the host (a setting that allows you to specify which machine should get the largest number of requests—useful if you have two machines in a cluster and one is more powerful than the other), the dedicated IP address of this member of the cluster, and the initial state of the potential member node when Windows Server 2008 first boots. You can set the initial state to Started, Stopped, or Suspended.
5. Click Finish to complete the procedure.
The node is then added to the selected NLB cluster. You can tell the process is finished when the node's status, as indicated within the Network Load Balancing Manager console, says "Converged."
12.1.6. Removing Nodes from the Cluster
For various reasons, you might need to remove a joined node from the cluster—to perform system maintenance, for example, or to replace the node with a newer, fresher, more powerful machine. You must remove an NLB cluster member gracefully. To do so, perform the steps that follow.
1. From the Administrative Tools menu, open the Network Load Balancing Manager console.
2. Right-click Network Load Balancing Clusters in the left pane, and from the pop-up context menu, select "Connect to Existing."
3. Enter the host to connect to and click Connect. Then, at the bottom of the Connect screen, select the cluster on the host, and click Next.
4. Finally, back in the console, right-click the node you want to remove in the left pane, and select Delete Host from the pop-up context menu.
This removes the node. If you are only upgrading a node of the cluster and don't want to permanently remove a node from a cluster, you can use a couple of techniques to gradually reduce traffic to the host and then make it available for upgrading. The first is to perform a drainstop on the cluster host to be upgraded. Drainstopping prevents new clients from accessing the cluster while allowing existing clients to continue until they have completed their current operations. After all current clients have finished their operations, cluster operations on that node cease. To perform a drainstop, follow these steps:
1. Open a command-line window.
2. From the command line, type wlbs drainstop cluster_IP:host_ID, replacing cluster_IP with the cluster IP address and host_ID with the unique number set in the Host Parameters tab in NLB properties.
For example, if my cluster was located at 192.168.0.14 and I wanted to upgrade node 2, I would enter the following command:
wlbs drainstop 192.168.0.14:2
In addition, you can configure the "Default state" of the "Initial host state" to Stopped as you learned in the previous section. This way, that particular node cannot rejoin the cluster during the upgrade process. Then you can verify that your upgrade was completed smoothly before the cluster is rejoined and clients begin accessing it.
12.1.7. Performance Optimization
NLB clusters often have problems with switches. Switches differ from hubs in that data transmission among client computers connected to a switch is point-to-point: the switch keeps a cache of the MAC address of all machines and sends traffic directly to its endpoint, whereas hubs simply broadcast all data to all connected machines and those machines must pick up their own data. However, switches work against NLB clusters because every packet of data sent to the cluster passes through all the ports on the switch to which members of the cluster are attached because all cluster members share the same IP address, as you've already learned. Obviously, this can be a problem. To avert this problem, you can choose from a few workarounds:
Use a premium hub to connect the NICs of all cluster members, and then use the uplink feature on the hub to link the hub to the switch.
Enable unicast mode as opposed to multicast mode. Remember, you need to make this change on all members of the cluster.
If possible, have all hosts on the same subnet, and then connect them to an isolated switch or configure them to connect in a single VLAN if you have that capability.
Disable the source MAC masking feature in the Registry. The source MAC masking feature is used to change the MAC address of traffic originating from the cluster from the individual cluster node's MAC address to the MAC address of the server. In multicast mode in switching environments, this can flood switching ports, so disabling this feature will work around that problem. Change the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WLBS\Parameters\MaskSourceMAC Registry value from 1 to 0. Restart all members of the cluster after making this change.
Fault t olerance is provided at t he net work layer, ensuring t hat net work connect ions are not direct ed t o a server t hat is down.
Perform ance is im proved for your web or FTP resource because load is dist ribut ed aut om at ically am ong all m em bers of t he NLB clust er.
NLB works in a seem ingly sim ple way: all com put ers in an NLB clust er have t heir own I P address j ust like all net worked m achines do t hese days, but t hey also share a single, clust er- aware I P address t hat allows each m em ber t o answer request s on t hat I P address. NLB t akes care of t he I P address conflict problem and allows client s who connect t o t hat shared I P address t o be direct ed aut om at ically t o one of t he clust er m em bers. NLB clust ers support a m axim um of 32 clust er m em bers, m eaning t hat no m ore t han 32 m achines can part icipat e in t he load- balancing and sharing feat ures. Most applicat ions t hat have a load over and above what a single 32- m em ber clust er can handle t ake advant age of m ult iple clust ers and use som e sort of DNS loadbalancing t echnique or device t o dist ribut e request s t o t he m ult iple clust ers individually. When considering an NLB clust er for your applicat ion, ask yourself t he following quest ions: how will failure affect applicat ion and ot her clust er m em bers? I f you are running a high- volum e e- com m erce sit e and one m em ber of your clust er fails, are t he ot her servers in t he clust er adequat ely equipped t o handle t he ext ra t raffic from t he failed server? A lot of clust er im plem ent at ions m iss t his im port ant concept and lat er see t he consequence—a cascading failure caused by a perpet ually growing load failed over ont o servers perpet ually failing from overload. Such a scenario is very com m on and ent irely defeat s t he t rue purpose of a clust er. Avoid t his by ensuring t hat all clust er m em bers have sufficient hardware specificat ions t o handle addit ional t raffic when necessary. Also exam ine t he kind of applicat ion you are planning on clust ering. What t ypes of resources does it use
ext ensively? Different t ypes of applicat ions st ret ch different com ponent s of t he syst em s part icipat ing in a clust er. Most ent erprise applicat ions have som e sort of perform ance t est ing ut ilit y; t ake advant age of any t hat your applicat ion offers in a t est ing lab and det erm ine where pot ent ial bot t lenecks m ight lie. Web applicat ions, Term inal Services, and Microsoft 's I SA Server 2004 product can t ake advant age of NLB clust ering.
I t 's im port ant t o be aware t hat NLB is unable t o det ect whet her a service on t he server has crashed but not t he m achine it self, so it could direct a user t o a syst em t hat can't offer t he request ed service.
1 2 .1 .1 . N LB Te r m in ology Before we dig deeper int o our coverage of NLB, let 's discuss a few t erm s t hat you will see. Som e of t he m ost com m on NLB t echnical t erm s are as follows:
NLB driver
This driver resides in m em ory on all m em bers of a clust er and is inst rum ent al in choosing which clust er node will accept and process t he packet . Coupled wit h port rules and client affinit y ( all defined on t he following pages) , t he driver decides whet her t o send t he packet up t he TCP/ I P st ack t o t he applicat ion on t he current m achine, or t o pass on t he packet because anot her server in t he clust er will handle it .
Unicast m ode
I n unicast m ode, NLB host s send packet s t o a single recipient .
Mult icast m ode
I n m ult icast m ode, NLB host s send packet s t o m ult iple recipient s at t he sam e t im e.
Port rules
Port rules define t he applicat ions on which NLB will " work it s m agic," so t o speak. Cert ain applicat ions list en for packet s sent t o t hem on specific port num bers—for exam ple, web servers usually list en for packet s addressed t o TCP port 80. You use port rules t o inst ruct NLB t o answer request s and loadbalance t hem .
Affinit y
Affinit y is a set t ing t hat cont rols whet her t raffic t hat originat ed from a cert ain clust er m em ber should be ret urned t o t hat part icular clust er node. Effect ively, t his cont rols which clust er nodes will accept what t ypes of t raffic.
1 2 .1 .2 . N LB Ope r a t ion St yle s a n d M ode s An NLB clust er can operat e in four different ways:
Wit h a single net work card in each server, using unicast m ode
Wit h m ult iple net work cards in each server, using unicast m ode
Wit h a single net work card in each server, using m ult icast m ode
Wit h m ult iple net work cards in each server, using m ult icast m ode
You cannot m ix unicast and m ult icast m odes am ong t he m em bers of your clust er. All m em bers m ust be running eit her unicast or m ult icast m ode, alt hough t he num ber of cards in each m em ber can differ. The following sect ions det ail each m ode of operat ion.
1 2 .1 .2 .1 . Sin gle ca r d in e a ch se r ve r in u n ica st m ode A single net work card in each server operat ing in unicast m ode requires less hardware, so obviously it 's less expensive t han m aint aining m ult iple NI Cs in each clust er m em ber. However, net work perform ance is reduced because of t he overhead of using t he NLB driver over only one net work card—clust er t raffic st ill has t o pass t hrough one adapt er, which can be easily sat urat ed, and is addit ionally run t hrough t he NLB driver for load balancing. This can creat e real hang- ups in net work perform ance. An addit ional drawback is t hat clust er host s can't com m unicat e wit h one anot her t hrough t he usual m et hods, such as pinging—it 's not support ed using j ust a single adapt er in unicast m ode. This has t o do wit h MAC address problem s and t he Address Resolut ion Prot ocol ( ARP) . Sim ilarly, Net BI OS isn't support ed in t his m ode eit her. This configurat ion is shown in Figure 12- 1.
Figu r e 1 2 - 1 . Sin gle ca r d in e a ch se r ve r in u n ica st m ode
1 2 .1 .2 .2 . M u lt iple ca r ds in e a ch se r ve r in u n ica st m ode This is usually t he preferred configurat ion for NLB clust ers because it enables t he m ost funct ionalit y for t he price in equipm ent . However, it is inherent ly m ore expensive because of t he second net work adapt er in each clust er m em ber. Having t hat second adapt er, t hough, m eans t hat t here are no lim it at ions am ong regular com m unicat ions bet ween m em bers of t he NLB clust er. Addit ionally, Net BI OS is support ed t hrough t he first configured net work adapt er for sim pler nam e resolut ion. All t ypes and brands of rout ers support t his m et hod, and having m ore t han one adapt er in a m achine rem oves bot t lenecks found wit h only one adapt er. This configurat ion is shown in Figure 12- 2.
Figu r e 1 2 - 2 . M u lt iple ca r ds in e a ch se r ve r in u n ica st m ode
1 2 .1 .2 .3 . Sin gle ca r d in e a ch se r ve r in m u lt ica st m ode Using a single card in m ult icast m ode allows m em bers of t he clust er t o com m unicat e wit h one anot her norm ally, but net work perform ance is st ill reduced because you are st ill using only a single net work card. Rout er support m ight be spot t y because of t he need t o support m ult icast MAC addresses, and Net BI OS isn't support ed wit hin t he clust er. This configurat ion is shown in Figure 12- 3.
Figu r e 1 2 - 3 . Sin gle ca r d in e a ch se r ve r in m u lt ica st m ode
1 2 .1 .2 .4 . M u lt iple ca r ds in e a ch se r ve r in m u lt ica st m ode This m ode is used when som e host s have one net work card and ot hers have m ore t han one, and all require regular com m unicat ions am ong t hem selves. I n t his case, every host needs t o be in m ult icast m ode because all host s in an NLB clust er m ust be running t he sam e m ode. You m ight run int o problem s wit h rout er support using t his m odel, but wit h careful planning you can m ake it work. This configurat ion is shown in Figure 12- 4.
Figu r e 1 2 - 4 . M u lt iple ca r ds in e a ch se r ve r in m u lt ica st m ode
1 2 .1 .3 . Por t Ru le s NLB clust ers feat ure t he abilit y t o set port rules, which are sim ply ways t o inst ruct Windows Server 2008 t o handle each TCP/ I P port 's clust er net work t raffic. NLB does t his filt ering in t hree m odes: disabled, where all net work t raffic for t he associat ed port or port s will be blocked; single host m ode, where net work t raffic from an associat ed port or port s should be handled by one specific m achine in t he clust er ( st ill wit h fault t olerance feat ures enabled) ; and m ult iple host s m ode ( t he default m ode) , where m ult iple host s in t he clust er can handle port t raffic for a specific port or range of port s. The rules cont ain t he following param et ers:
The virt ual I P address t o which t he rule should be applied
The port range for which t his rule should be applied
The prot ocols for which t his rule should apply, including TCP, UDP, or bot h
The filt ering m ode t hat specifies how t he clust er handles t raffic described by t he port range and prot ocols, as discussed j ust before t his list
I n addit ion, you can select one of t hree opt ions for client affinit y ( which is, sim ply put , t he t ypes of client s from which t he clust er will accept t raffic) : None, Single, and Class C. Single and Class C are used t o ensure t hat all net work t raffic from a part icular client is direct ed t o t he sam e clust er host . None indicat es t hat t here is no client affinit y, and t raffic can go t o any clust er host . When using port rules in an NLB clust er, it 's im port ant t o rem em ber t hat t he num ber and cont ent of port rules m ust m at ch exact ly on all m em bers of t he clust er. When j oining a node t o an NLB clust er, if t he num ber or cont ent of port rules on t he j oining node doesn't m at ch t he num ber or cont ent of rules on t he exist ing m em ber nodes, t he j oining m em ber will be denied m em bership t o t he clust er. You need t o synchronize t hese port rules m anually across all m em bers of t he NLB clust er.
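Because a mismatch in rule count or content keeps a node out of the cluster, it pays to compare the rule sets before you try to join a node. The following PowerShell is an added example, not code from the book, that normalizes each rule into the five parameters listed above (virtual IP, port range, protocol, filtering mode, affinity) and reports every rule that is not present in identical form on every node. The rule lists here are constructed sample data; the node names web01 and web02 and the address 192.168.0.14 are placeholders. On Windows Server 2008 R2 and later the lists could be filled from Get-NlbClusterPortRule in the NetworkLoadBalancingClusters module, which this chapter's release does not ship; that module is an assumption, and on Windows Server 2008 itself the rules are read from each host's NLB properties.

```powershell
# Added example: checks that every prospective NLB member carries an identical
# set of port rules. Sample data below is constructed for the demonstration.

function Get-PortRuleKey {
    param([hashtable]$Rule)
    # Collapse one rule into a single comparable string covering every field
    # the chapter lists: virtual IP, port range, protocol, mode, affinity.
    return ('{0}|{1}-{2}|{3}|{4}|{5}' -f $Rule.VirtualIP, $Rule.StartPort,
        $Rule.EndPort, $Rule.Protocol.ToUpper(), $Rule.Mode, $Rule.Affinity)
}

function Compare-NlbPortRuleSets {
    param(
        # Node name -> array of rule hashtables for that node
        [Parameter(Mandatory)][hashtable]$RulesByNode
    )
    $nodes     = @($RulesByNode.Keys | Sort-Object)
    $reference = $nodes[0]
    $refKeys   = @($RulesByNode[$reference] | ForEach-Object { Get-PortRuleKey $_ } | Sort-Object)
    $problems  = @()

    foreach ($node in ($nodes | Select-Object -Skip 1)) {
        $keys = @($RulesByNode[$node] | ForEach-Object { Get-PortRuleKey $_ } | Sort-Object)

        # Rule count must match exactly, not just the rules' contents.
        if ($keys.Count -ne $refKeys.Count) {
            $problems += "$node has $($keys.Count) rules, $reference has $($refKeys.Count)"
        }
        # Any rule present on one side only will block the join.
        foreach ($d in (Compare-Object -ReferenceObject $refKeys -DifferenceObject $keys)) {
            $where = if ($d.SideIndicator -eq '<=') { "only on $reference" } else { "only on $node" }
            $problems += "rule $($d.InputObject) is $where"
        }
    }
    return $problems   # empty array means the rule sets are identical
}

# Constructed sample: the port 80 rules differ in affinity between the two nodes.
$sampleRules = @{
    'web01' = @(
        @{ VirtualIP='192.168.0.14'; StartPort=80;  EndPort=80;  Protocol='TCP'; Mode='Multiple'; Affinity='Single' },
        @{ VirtualIP='192.168.0.14'; StartPort=443; EndPort=443; Protocol='TCP'; Mode='Multiple'; Affinity='Single' }
    )
    'web02' = @(
        @{ VirtualIP='192.168.0.14'; StartPort=80;  EndPort=80;  Protocol='TCP'; Mode='Multiple'; Affinity='None' },
        @{ VirtualIP='192.168.0.14'; StartPort=443; EndPort=443; Protocol='TCP'; Mode='Multiple'; Affinity='Single' }
    )
}

Compare-NlbPortRuleSets -RulesByNode $sampleRules
```

With the sample above, the two port 80 rules differ only in affinity, so the function lists that rule twice, once as present only on web01 in its Single-affinity form and once as present only on web02 in its None-affinity form; the port 443 rule, being identical, produces nothing. An empty result is the condition you want before clicking "Add Host to Cluster."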
12.1.4. Creating an NLB Cluster

To create a new NLB cluster, use the Network Load Balancing Manager and follow these instructions:

1. From Server Manager, click on Features in the left pane, and then click Add Features in the main window.
2. On the Select Features screen, check the Network Load Balancing box and click Next.
3. On the confirmation screen, acknowledge the possible restart at the end of the setup procedure and then click Install.
4. Once the installation is complete, from the Start menu, point to Administrative Tools and click on Network Load Balancing Manager.
5. From the Cluster menu, select New.
6. The New Cluster: Connect screen appears, as shown in Figure 12-5. Here, enter the IP address or DNS name of the host that will be added to the cluster first. Then click Connect. The list in the white box at the bottom of the screen will be populated with the network interfaces available for creating a cluster. Click the public interface, and click Next.

Figure 12-5. The New Cluster: Connect screen

7. The Host Parameters screen appears, as seen in Figure 12-6. On this screen, enter the priority for the host of the cluster, the dedicated IP that you'll use to connect to this specific member node, and the initial state of this host when you first boot up Windows Server 2008. Click Finish to complete the process.

Figure 12-6. The Host Parameters screen

8. The Cluster IP Addresses screen appears. Here, enter any additional IP addresses the cluster might need. You might want this for specific applications, but it's not required for a standard setup. Click Next when you've finished, or if there are no other IP addresses by which this cluster will be known.
9. The Cluster Parameters screen appears, as shown in Figure 12-7. Here, you specify the name of the cluster and the IP address information by which other computers will address the cluster. Enter the IP address, subnet mask, and full Internet name (i.e., the canonical DNS name). Also choose unicast or multicast mode, as discussed in the previous section. Click Next to continue.

Figure 12-7. The Cluster Parameters screen

Enabling remote control of your cluster—meaning being able to load the NLB Manager client on other systems and connect remotely to the cluster—is not recommended because it is a large security risk. Avoid this unless absolutely necessary, and use other tools such as Terminal Services or Remote Desktop.

10. The Port Rules screen appears, as shown in Figure 12-8. Enter and configure any port rules you'd like, as discussed in the previous section, and then click Next when you're done.

Figure 12-8. The Port Rules screen

The NLB cluster is created, and the first node is configured and added to the cluster.

12.1.5. Adding Other Nodes to the Cluster

Chances are good that you want to add another machine to the cluster to take advantage of load balancing. To add a new node to an existing cluster, use this procedure:

1. From the Administrative Tools menu, open the Network Load Balancing Manager console.
2. In the left pane, right-click the cluster to which you'd like to add a node, and then select "Add Host to Cluster" from the pop-up context menu.
3. The Connect screen appears. Type in the DNS name or the IP address of the host to join to the cluster. Click the Connect button to populate the list of network interfaces on that host, and then select the card that will host public traffic and click Next.
4. The Host Parameters screen appears. Enter the appropriate priority of the host (a setting that allows you to specify which machine should get the largest number of requests—useful if you have two machines in a cluster and one is more powerful than the other), the dedicated IP address of this member of the cluster, and the initial state of the potential member node when Windows Server 2008 first boots. You can set the initial state to Started, Stopped, or Suspended.
5. Click Finish to complete the procedure.

The node is then added to the selected NLB cluster. You can tell the process is finished when the node's status, as indicated within the Network Load Balancing Manager console, says "Converged."
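The two wizard procedures above (creating the cluster on the first host, then adding further hosts) can be scripted so that every node is built the same way. The PowerShell below is an added example, not code from the book; it assumes the NetworkLoadBalancingClusters module, which ships with Windows Server 2008 R2 and later rather than with the release this chapter covers, and it uses placeholder host names (web01, web02, web03), a placeholder interface name (Public), a constructed cluster address 192.168.0.14/24 and a placeholder full Internet name web.example.com. It covers the same parameters the wizard screens ask for: public interface, cluster IP and subnet mask, full Internet name, operation mode, and port rules, and it ends by waiting for the "Converged" state the text tells you to look for.

```powershell
# Added example: scripted equivalent of the New Cluster and Add Host to Cluster
# wizards. Requires the NetworkLoadBalancingClusters module (assumption: Windows
# Server 2008 R2 or later). All names and addresses are placeholders.
Import-Module NetworkLoadBalancingClusters

$firstHost   = 'web01'
$otherHosts  = 'web02', 'web03'
$interface   = 'Public'              # the adapter that will carry client traffic
$clusterIP   = '192.168.0.14'        # shared cluster IP (constructed)
$subnetMask  = '255.255.255.0'
$clusterFqdn = 'web.example.com'     # placeholder full Internet name

# Cluster Parameters screen: cluster IP, mask, full Internet name, operation mode.
# Every member must use the same mode, so it is chosen once here.
New-NlbCluster -HostName $firstHost -InterfaceName $interface `
    -ClusterName $clusterFqdn -ClusterPrimaryIP $clusterIP `
    -SubnetMask $subnetMask -OperationMode unicast

# Port Rules screen: drop whatever default rule was created and balance only
# TCP 80 through 443 across multiple hosts with single-client affinity, so that
# the cluster never forwards traffic for ports no application listens on.
Get-NlbClusterPortRule -HostName $firstHost | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName $firstHost -IP $clusterIP -Protocol TCP `
    -StartPort 80 -EndPort 443 -Mode Multiple -Affinity Single

# Add Host to Cluster for each remaining node, using its public adapter.
foreach ($node in $otherHosts) {
    Get-NlbCluster -HostName $firstHost |
        Add-NlbClusterNode -NewNodeName $node -NewNodeInterface $interface
}

# The join is complete only when every node reports Converged; poll for it
# before pointing DNS or clients at the cluster address.
do {
    Start-Sleep -Seconds 5
    $states = Get-NlbClusterNode -HostName $firstHost |
        Select-Object -ExpandProperty State
} until (@($states | Where-Object { $_ -ne 'Converged' }).Count -eq 0)

# Final check matching the text's rule-consistency requirement: each node must
# carry exactly as many rules as the first host.
$expected = @(Get-NlbClusterPortRule -HostName $firstHost).Count
foreach ($node in $otherHosts) {
    $actual = @(Get-NlbClusterPortRule -HostName $node).Count
    if ($actual -ne $expected) {
        Write-Warning "$node has $actual port rules, expected $expected"
    }
}
```

The script narrows the port rule to the ports the application actually serves; the wizard's default rule covers every port, which makes the cluster answer for services it was never meant to balance. Remote control of the cluster, which the text warns against, is left at its default (off); the module manages hosts through standard Windows remote administration instead.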
12.1.6. Removing Nodes from the Cluster

For various reasons, you might need to remove a joined node from the cluster—to perform system maintenance, for example, or to replace the node with a newer, fresher, more powerful machine. You must remove an NLB cluster member gracefully. To do so, perform the steps that follow.

1. From the Administrative Tools menu, open the Network Load Balancing Manager console.
2. Right-click Network Load Balancing Clusters in the left pane, and from the pop-up context menu, select "Connect to Existing."
3. Enter the host to connect to and click Connect. Then, at the bottom of the Connect screen, select the cluster on the host, and click Next.
4. Finally, back in the console, right-click the node you want to remove in the left pane, and select Delete Host from the pop-up context menu.

This removes the node. If you are only upgrading a node of the cluster and don't want to permanently remove a node from a cluster, you can use a couple of techniques to gradually reduce traffic to the host and then make it available for upgrading. The first is to perform a drainstop on the cluster host to be upgraded. Drainstopping prevents new clients from accessing the cluster while allowing existing clients to continue until they have completed their current operations. After all current clients have finished their operations, cluster operations on that node cease. To perform a drainstop, follow these steps:

1. Open a command-line window.
2. From the command line, type wlbs drainstop cluster_IP:host_ID, replacing cluster_IP with the cluster IP address and host_ID with the unique number set on the Host Parameters tab in NLB properties.

For example, if my cluster was located at 192.168.0.14 and I wanted to upgrade node 2, I would enter the following command:

wlbs drainstop 192.168.0.14:2

In addition, you can configure the "Default state" of the "Initial host state" to Stopped, as you learned in the previous section. This way, that particular node cannot rejoin the cluster during the upgrade process. Then you can verify that your upgrade was completed smoothly before the cluster is rejoined and clients begin accessing it.
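The two maintenance steps just described, draining the node and then pinning its initial host state to Stopped, belong together: a drain alone is undone by the first reboot during the upgrade, because the node comes back in its configured initial state. The PowerShell below is an added example, not code from the book, that performs both steps and the matching return to service. It assumes the NetworkLoadBalancingClusters module (Windows Server 2008 R2 and later); on the release this chapter covers, the drain is the wlbs drainstop command shown above and the initial state is set in NLB Manager. The host name web02 is a placeholder.

```powershell
# Added example: take an NLB node out of service for an upgrade and bring it
# back afterwards. Assumes the NetworkLoadBalancingClusters module.
Import-Module NetworkLoadBalancingClusters

function Start-NlbNodeMaintenance {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$DrainTimeoutMinutes = 30    # how long existing clients may keep working
    )
    # Drainstop: stop accepting new connections on every port rule while
    # existing connections run to completion, then stop cluster operations.
    Stop-NlbClusterNode -HostName $HostName -Drain -Timeout $DrainTimeoutMinutes

    # Initial host state Stopped: a reboot during the upgrade must not let the
    # half-upgraded node converge back into the cluster and receive traffic.
    Set-NlbClusterNode -HostName $HostName -InitialHostState stopped

    return (Get-NlbClusterNode -HostName $HostName).State
}

function Stop-NlbNodeMaintenance {
    param([Parameter(Mandatory)][string]$HostName)
    # Only after the upgrade has been verified: restore the normal initial state
    # and rejoin the cluster so clients can reach the node again.
    Set-NlbClusterNode -HostName $HostName -InitialHostState started
    Start-NlbClusterNode -HostName $HostName
    return (Get-NlbClusterNode -HostName $HostName).State
}

# Placeholder node name; run the second call only once the upgrade is verified.
Start-NlbNodeMaintenance -HostName 'web02' -DrainTimeoutMinutes 15
# ... perform and verify the upgrade, including any reboots ...
Stop-NlbNodeMaintenance -HostName 'web02'
```

Choose the drain timeout from how long your longest legitimate client operation takes; when it expires, any connections still open are dropped, which is the same effect as a plain stop.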
12.1.7. Performance Optimization

NLB clusters often have problems with switches. Switches differ from hubs in that data transmission among client computers connected to a switch is point-to-point: the switch keeps a cache of the MAC address of all machines and sends traffic directly to its endpoint, whereas hubs simply broadcast all data to all connected machines and those machines must pick up their own data. However, switches work against NLB clusters because every packet of data sent to the cluster passes through all the ports on the switch to which members of the cluster are attached, because all cluster members share the same IP address, as you've already learned. Obviously, this can be a problem. To avert this problem, you can choose from a few workarounds:

Use a premium hub to connect the NICs of all cluster members, and then use the uplink feature on the hub to link the hub to the switch.

Enable unicast mode as opposed to multicast mode. Remember, you need to make this change on all members of the cluster.

If possible, have all hosts on the same subnet, and then connect them to an isolated switch or configure them to connect in a single VLAN if you have that capability.

Disable the source MAC masking feature in the Registry. The source MAC masking feature is used to change the MAC address of traffic originating from the cluster from the individual cluster node's MAC address to the MAC address of the server. In multicast mode in switching environments, this can flood switching ports, so disabling this feature will work around that problem. Change the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WLBS\Parameters\MaskSourceMAC Registry value from 1 to 0. Restart all members of the cluster after making this change.
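The Registry change in the last workaround has to be made identically on every cluster member and followed by a restart, which is exactly the kind of step that gets applied to some nodes and forgotten on others. The PowerShell below is an added example, not code from the book, that applies the MaskSourceMAC value on the local node, records what was there before so the change can be reverted, and flags the pending restart. It uses only the key and value named in the text; the function name is my own.

```powershell
# Added example: apply (or revert) the MaskSourceMAC workaround on this node
# and keep a record of the previous value. Run on every member, then restart.
$nlbParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WLBS\Parameters'
$valueName    = 'MaskSourceMAC'

function Set-NlbMaskSourceMac {
    param(
        # 0 disables source MAC masking (the workaround); 1 is the documented default.
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value
    )
    if (-not (Test-Path $nlbParamsKey)) {
        throw "$nlbParamsKey not found; the NLB feature does not appear to be installed here."
    }

    $existing = Get-ItemProperty -Path $nlbParamsKey -Name $valueName -ErrorAction SilentlyContinue
    $before   = if ($null -eq $existing) { 'absent (driver default, 1)' } else { $existing.$valueName }

    if ($null -eq $existing) {
        # Value not present: create it as a DWORD, the type the NLB driver reads.
        New-ItemProperty -Path $nlbParamsKey -Name $valueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $nlbParamsKey -Name $valueName -Value $Value -Type DWord
    }

    # Record enough to audit and to undo the change across the whole cluster.
    [pscustomobject]@{
        Node            = $env:COMPUTERNAME
        Before          = $before
        After           = $Value
        RestartRequired = $true   # the driver reads this value only at startup
    }
}

# Apply the workaround from the text (1 -> 0); call with -Value 1 to revert.
Set-NlbMaskSourceMac -Value 0
```

Keep the returned objects from every node together: a cluster where the value differs between members behaves inconsistently on the switch, and the record is what lets you restore the default on each node when the switch configuration is fixed properly.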
1 2 .2 . Se r ve r Clu st e r in g I f an NLB clust er is t oo lim it ed in funct ionalit y for you, invest igat e a t rue server clust er. I n a t rue server clust er, a group of m achines have a single ident it y and work in t andem t o m anage and, in t he event of failure, m igrat e applicat ions away from problem at ic nodes and ont o funct ional nodes. The nodes of t he clust er use a com m on, shared resource dat abase and log st orage facilit y provided by a physical st orage device t hat is locat ed on a hardware bus shared by all m em bers of t he clust er.
The shared dat a facilit y does not support I DE disks, soft ware RAI D ( including Windowsbased dynam ic RAI D) , dynam ic disks or volum es, t he EFS, m ount ed volum es and reparse point s, or rem ot e st orage devices such as t ape backup drives.
Windows Server 2008 offers a single m ixed- m ode t ype of clust ering t hat replaces t he old quorum and m aj orit y node set clust ers you m ight be fam iliar wit h from Windows Server 2003. I n t his new hybrid quorum m odel, t here is a concept of " vot es," and a clust er is by default designed t o t olerat e t he loss of a single vot e. Each node of a clust er get s a " vot e," as does t he st orage source for a clust er; t hus, if t he quorum disk is lost , t he clust er cont inues since only a single vot e is no longer present . To re- creat e t he old Windows Server 2003 m odel wit h a shared quorum disk as t he absolut e m ust - have resource for a clust er, you can sim ply assign a vot e t o t he quorum disk ( now called a wit ness disk) and no vot es for each node of t he clust er. Bet t er st ill, t he wit ness disk doesn't even have t o be a physical disk at all: it can be a file share over a net work, and one share can even funct ion as a wit ness for m ult iple server clust ers. Essent ially, t he concept of vot es was int roduced, as you can see, t o allow m ore flexibilit y in configuring clust ers and t heir t olerance of failure t han was previously possible. Clust ers m anage failure using failover and failback policies ( t hat is, unless you are using a single node clust er) . Failover policies dict at e t he behavior of clust er resources when a failure occurs—which nodes t he failed resources can m igrat e t o, t he t im ing of a failover aft er t he failure, and ot her propert ies. A failback policy specifies what will happen when t he failed node com es back online again. How quickly should t he m igrat ed resources and applicat ions be ret urned t o t he original node? Should t he m igrat ed obj ect s st ay at t heir new hom e? Should t he repaired node be ignored? You can specify all of t his behavior t hrough policies.
1 2 .2 .1 . Clu st e r Te r m in ology A few t erm s have specific m eanings when used in t he cont ext of clust ering. They include:
Net works
Net works, also called int erconnect s, are t he ways in which clust ers com m unicat e wit h ot her m em bers ( nodes) of t he clust er and t he public net work. The net work is t he m ost com m on point of failure in clust er nodes; always m ake net work cards redundant in a t rue server clust er.
Nodes
Nodes are t he act ual m em bers of t he clust er. The clust ering service support s only m em ber nodes running
Windows Server 2008 Ent erprise Edit ion or Dat acent er Edit ion. Ot her requirem ent s include t he TCP/ I P prot ocol, connect ion t o a shared st orage device, and at least one int erconnect t o ot her nodes.
Resources
Resources are sim ply anyt hing t hat can be m anaged by t he clust er service and t hat t he clust er can use t o provide a service t o client s. Resources can be logical or physical and can represent real devices, net work services, or filesyst em obj ect s. A special t ype of physical disk resource called t he quorum disk provides a place for t he clust er service t o st ore recovery logs and it s own dat abase. I 'll provide a list of som e resources in t he next sect ion.
Groups
Resources can be collect ed int o resource groups, which are sim ply unit s by which failover and failback policy can be specified. A group's resources all fail over and fail back according t o a policy applied t o t he group, and all t he resources m ove t o ot her nodes t oget her upon a failure.
Quorum
A quorum is t he shared st orage facilit y t hat keeps t he clust er resource dat abase and logs. As not ed earlier in t his sect ion, t his needs t o be a SCSI - based real drive wit h no special soft ware feat ures.
1 2 .2 .2 . Type s of Se r vice s a n d Applica t ion s A variet y of services and applicat ions can be clust ered out of t he box by t he failover clust ering service in Windows Server 2008. They include:
DFS Nam espace Server
This role host s DFS shared folders wit hin a clust er. See Chapt er 3 for m ore inform at ion on DFS.
DHCP
This t ype of resource m anages t he DHCP service, which can be used in a clust er t o assure availabilit y t o client com put ers. The DHCP dat abase m ust reside on t he shared clust er st orage device, ot herwise known as t he quorum disk.
Dist ribut ed Transact ion Coordinat or ( DTC)
DTC coordinat es disk and m em ory operat ions am ong applicat ions t hat reside across m ult iple m achines, m ost com m only in t he cont ext of dat abase servers and applicat ions.
File Share
Shares on servers can be m ade redundant and fault - t olerant aside from using t he DFS service ( covered in Chapt er 3 ) by using t he File Share resource inside a clust er. You can put shared files and folders int o a clust er as a st andard file share wit h only one level of folder visibilit y, as a shared subfolder syst em wit h t he root folder and all im m ediat e subfolders shared wit h dist inct nam es.
Generic Applicat ion
Applicat ions t hat are not clust er- aware ( m eaning t hey don't have t heir own fault - t olerance feat ures t hat can hook int o t he clust er service) can be m anaged wit hin a clust er using t he Generic Applicat ion resource. Applicat ions m anaged in t his way m ust be able t o st ore any dat a t hey creat e in a cust om locat ion, use TCP/ I P t o connect client s, and be able t o receive client s at t em pt ing t o reconnect in t he event of a failure. You can inst all a clust er- unaware applicat ion ont o t he shared clust er st orage device; t hat way, you need t o inst all t he program only once and t hen t he ent ire clust er can use it .
Generic Script
This resource t ype is used t o m anage operat ing syst em script s. You can clust er login script s and account provisioning script s, for exam ple, if you regularly use t hose funct ions and need t heir cont inued availabilit y even in t he event of a m achine failure. Hot m ail's account provisioning funct ions, for inst ance, are a good fit for t his feat ure, so users can sign up for t he service at all hours of t he day.
Generic Service
You can m anage Windows Server 2008 core services, if you require t hem t o be highly available, using t he Generic Service resource t ype. Only t he bundled services are support ed.
I nt ernet St orage Nam e Service ( iSNS) Server
This service polls t he net work for iSCSI t arget s and populat es a list of t hem for ot her com put ers.
Message Queuing
Message queuing allows applicat ions t hat run across m ult iple m achines t o synchronize com m unicat ions bet ween com put ers and wit h m achines t hat are on different net works or t hat are offline.
Ot her Server
This t ype of service provides an open access point for applicat ions t o t alk t o t he clust er. You'll need t o m anually configure t he applicat ion t o be clust ered aft er adding t his service t o t he clust er.
Print Server
Print services can be clust ered using t he Print Server resource. This represent s print ers at t ached direct ly t o t he net work, not print ers at t ached direct ly t o a clust er node's port s. Print ers t hat are clust ered appear norm ally t o client s, but in t he event t hat one node fails, print j obs on t hat node will be m oved t o anot her, funct ional node and t hen rest art ed. Client s t hat are sending print j obs t o t he queue when a failure occurs will be not ified of t he failure and asked t o resubm it t heir print j obs.
WI NS Server
The WI NS resource t ype is associat ed wit h t he Windows I nt ernet Nam ing Service, which m aps Net BI OS com put er nam es t o I P addresses. To use WI NS and m ake it a clust ered service, t he WI NS dat abase needs t o reside on t he quorum disk.
1 2 .2 .3 . Pla n n in g a Clu st e r Se t u p Set t ing up a server clust er can be t ricky, but you can t ake a lot of t he guesswork out of t he process wit h a clear plan of t he goals you are at t em pt ing t o accom plish. Are you int erest ed in achieving fault t olerance and load balancing at t he sam e t im e? Do you not care about balancing load but want your focus t o be ent irely on providing five- nines service? Or would you like t o provide only crit ical fault t olerance and t hereby reduce t he expense involved in creat ing and deploying t he clust er? I f you are int erest ed in a balance bet ween load balancing and high availabilit y, you allow applicat ions and resources in t he clust er t o " fail over," or m igrat e, t o ot her nodes in t he clust er in t he event of a failure. The benefit of t his set up is t hat t he resources cont inue t o operat e and are accessible t o client s, but t hey also increase t he load am ong t he rem aining, funct ioning nodes of t he clust er. This load can cause cascading failures—as nodes cont inually fail, t he load on t he rem aining nodes increases t o t he point where t heir hardware or soft ware is unable t o handle t he load, causing t hose nodes t o fail, and t he process cont inues unt il all nodes are dead—and t hat event ualit y really m akes your fault - t olerant clust er im m at erial. The m oral here is t hat you need t o exam ine your applicat ion, and plan each node appropriat ely t o handle an average load plus an " em ergency reserve" t hat can handle increased loads in t he event of failure. You also should have policies and procedures t o m anage loads quickly when nodes fail. This set up is shown in Figure 12- 9.
Figu r e 1 2 - 9 . A ba la n ce be t w e e n loa d ba la n cin g a n d h igh a va ila bilit y
I f your be- all and end- all goal is t rue high availabilit y, consider running a clust er m em ber as a hot spare, ready t o t ake over operat ions if a node fails. I n t his case, you would specify t hat if you had n clust er nodes, t he applicat ions and resources in t he clust er should run on n- 1 nodes. Then, configure t he one rem aining node t o be idle. I n t his scenario, t he applicat ions will m igrat e t o t he idle node and cont inue funct ioning when failures occur. A nice feat ure is t hat your hot spare node can change, m eaning t here's not necessarily a need t o m igrat e failedover processes t o t he previously failed node when it com es back up—it can rem ain idle as t he new hot spare. This reduces your m anagem ent responsibilit y a bit . This set up is shown in Figure 12- 10 .
Figure 12-10. A setup with only high availability in mind
Also consider a load-shedding setup. In load shedding, you specify a certain set of resources or applications as "critical" and those are automatically failed over when one of your cluster nodes breaks. However, you also specify another set of applications and resources as "noncritical." These do not fail over. This type of setup helps prevent cascading failures when the load is migrated between cluster nodes because you shed some of the processing time requirements in allowing noncritical applications and resources to simply fail. Once repairs have been made to the nonfunctional cluster node, you can bring up the noncritical applications and resources, and the situation will return to normal. This setup is shown in Figure 12-11.
Figure 12-11. A sample load-shedding setup
12.2.4. Creating a True Server Cluster

With the background out of the way, it's time to create your first server cluster. Creating a new cluster involves inspecting the potential members of the cluster to ensure that they meet a solid baseline configuration and then starting the cluster service on each so that resources are managed across the machines and not individually on each machine.

First, of course, you will need to install the Failover Clustering feature. From Server Manager, click Features in the left pane, and then click Add Features in the main window. The Add Features Wizard loads. On the Features page, check the Failover Clustering box and click Next, and then on the confirmation page, click the Install button. You'll be able to monitor the progress of the installation from there.

Next, you'll need to validate the hardware configuration you've selected for your cluster. The validation process examines the hardware on the servers that will make up the cluster, ensuring that they are set up to fail over correctly in the event of an error. To validate, you will need local administrator rights to each of the members of the cluster. To begin:
1. Open Failover Cluster Management from the Administrative Tools menu off the Start menu, and then click "Validate a Configuration" in the Management section of the main window.
2. Acknowledge the warnings on the first screen and click Next.
3. Enter the names of the servers that will make up your cluster—one by one—and click Add. The names will appear in the white box. Once you have added all of the servers to the list, click Next.
4. On the Testing Options screen, choose "Run all tests" to ensure maximum compatibility with your configuration, and then click Next.
5. The Confirmation screen appears. Confirm the settings, which essentially list the workflow the validation wizard will go through to probe the compatibility of the potential server cluster members, and then click Next to begin the tests.
6. The validation tests run. This can take around five minutes per server for reasonably powered machines, although your times will almost certainly differ. Once the tests are complete, you'll be presented with the Failover Cluster Validation Report, which lists the tests that were run and also properties of each of the potential members of the server cluster you want to create. You can view the report as a full HTML-based page by clicking the View Report button. Otherwise, click Finish.
Now, to create a true server cluster, follow these steps:
1. Open Failover Cluster Management from the Administrative Tools menu off the Start menu, and then click "Create a Cluster" in the Management section of the main window.
2. Acknowledge the warnings on the first screen and click Next.
3. Enter the names of the servers that will make up your cluster—one by one—and click Add. The names will appear in the white box. Once you have added all of the servers to the list, click Next.
4. On the "Access Point for Administering the Cluster" screen, enter the name you want to use to administer the cluster—for example, DCS for domain controllers, MAIL for your email servers, and so on. Click Next.
5. The Confirmation screen appears. Here, verify your settings and then click Next.
6. Once the creation of the server cluster is complete, the Summary screen will appear. You can click View Report for an extensive list of all actions the wizard took to configure the cluster. Click Finish to exit the wizard.
The new cluster is active, and the first member has been added to it. When the wizard exits, you're dumped back into the Failover Cluster Management console, this time populated with management options and the new cluster node in the left pane. Figure 12-12 shows a sample console.

Figure 12-12. A sample Cluster Administrator screen
12.2.5. Using the High Availability Wizard

You can use the High Availability Wizard to prepare your cluster for introducing an application. The wizard does all of the heavy lifting to ensure that if the service or application you're configuring for the server fails on one node, the application will automatically restart. If an entire node fails, the cluster service will move the application to another node in the cluster and ensure that it is as highly available as possible. Let's step through the High Availability Wizard and configure our own fault-tolerant application, Notepad (after all, it's a very important application):
1. From within the Failover Cluster Management console, select "Configure a Service or Application" from the Configure section. The High Availability Wizard will appear. Click Next off of the introductory screen.
2. The "Select Service or Application" screen appears. Select Generic Application from the list and click Next.
3. The Generic Application Settings screen appears. In the Command Line box, type %SystemRoot%\system32\notepad.exe. You can leave the Parameters box blank for this example. Click Next.
4. The Client Access Point screen appears—here, simply enter a name clients can use when referring to this application. Type Notepad and click Next.
5. The Select Storage screen appears. Select the shared volume this cluster will use for data, and then click Next.
6. The Replicate Registry Settings screen appears. There are no relevant Registry settings that need to be migrated across cluster members, so we can skip this screen; click Next.
7. The Confirmation screen appears. Confirm all settings, and then click Next.

The new virtual server and cluster resource is then created and shown within the Failover Cluster Management console. When you bring the group online in the console, you'll notice that a Notepad window is opened in the background. If you close Notepad, it will automatically relaunch itself. This is the power of the cluster, demonstrated in a simple form, of course.
12.3. Command-Line Utilities

The cluster utility enables you to manage almost all of the functions and administrative needs of a server cluster from the command line, making it easy to integrate such functions into scripts and dynamic web pages you might create. In this section, I'll take a look at the various options available with cluster and what you can do with the utility.

A couple of notes before I begin: when using cluster, the locale settings for the user account under which you're logged in must match the system default locale on the computer used to manage the cluster. It's best to match the locales on all cluster nodes and all computers from which you will use the command-line utility.

With that out of the way, let's take a look at using the utility. You can create new clusters from the command line; for example, to create a new cluster called "testcluster" at the IP address 192.168.1.140 with the administrator account, use the following:

cluster testcluster /create ipaddress:192.168.1.140 /pass:Password /user:HASSELLTECH\administrator /verbose
The /verbose option outputs detailed information to the screen about the process of creating the cluster. You can add a single node or multiple nodes (as shown in the example below) by using the /add switch. In the next command, I'm adding three nodes, called test1, test2, and test3, respectively, to the testcluster cluster:

cluster testcluster /add:test1,test2,test3 /pass:Password /verbose

You might also wish to change the quorum resource via the command line. You can do so as follows:

cluster testcluster /quorum:disk2 /path:D:\

One thing to note in the preceding command: if you change the location of the quorum resource, do not omit the drive letter, the colon, or any backslashes. Write out the path name as if you were entering the full path at the command line.
12.3.1. Managing Individual Nodes

The node option in cluster allows you to check on the status of and administer a cluster node. Some example commands include:

cluster node test1 /status

This command displays the cluster node status (for example, if the node is up, down, or paused).

cluster node test1 /forcecleanup

This command manually restores the configuration of the cluster service on the specified node to its original state.

cluster node test1 /start (or /stop or /pause or /resume)

This command starts, stops, pauses, or resumes the cluster service on the specified node.

cluster node test1 /evict

This command evicts a node from a cluster.

cluster node test1 /listinterfaces

This command lists the node's network interfaces.
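The /status query above is the one you end up running most often, so here is an added example (not from the book) that wraps it in PowerShell as a small health check for every node in the cluster. It assumes it runs on a cluster node with cluster.exe on the PATH and administrative rights, as the book's commands do; it needs PowerShell 2.0 or later for try/catch; the node names are the book's sample names; and the parsing assumes cluster.exe prints one table row per node that begins with the node name and contains the status word.

```powershell
# Added example (not from the book): run "cluster node <name> /status" for every
# node and turn the result into a pass/fail check a scheduled job can consume.
# Assumptions: runs on a cluster node, cluster.exe is on the PATH, the caller is
# an administrator, PowerShell 2.0 or later, and the node names are the book's
# sample names. The status row for a node is assumed to start with its name.
param(
    [string[]] $Nodes = @('test1', 'test2', 'test3')
)

function Get-ClusterNodeStatusRow {
    param([string] $Node)
    # Merge stderr into the captured output so a failure message is not lost.
    $output = & cluster node $Node /status 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "cluster.exe exited with $LASTEXITCODE for node '$Node': $output"
    }
    # Assumption about the layout: the row for the node starts with its name.
    $row = $output | Where-Object { "$_" -match "^\s*$Node\s" } | Select-Object -First 1
    if (-not $row) { throw "No status row found for node '$Node' in: $output" }
    return "$row"
}

function Test-ClusterNodesUp {
    param([string[]] $NodeList)
    $down = @()
    foreach ($node in $NodeList) {
        try {
            $row = Get-ClusterNodeStatusRow -Node $node
            Write-Host $row
            # Anything other than Up (Down, Paused, Joining) counts as a problem.
            if ($row -notmatch '\bUp\b') { $down += $node }
        } catch {
            Write-Warning $_
            $down += $node
        }
    }
    return $down
}

# Force an array: a function returning an empty array yields $null otherwise.
$problemNodes = @(Test-ClusterNodesUp -NodeList $Nodes)
if ($problemNodes.Count -gt 0) {
    Write-Warning ("Nodes not reporting Up: " + ($problemNodes -join ', '))
    exit 1
}
Write-Host "All $($Nodes.Count) nodes report Up."
```

The script exits non-zero when any node is not Up or when cluster.exe itself fails, so a monitoring job can alert on the exit code rather than on screen-scraped text. Because the row-parsing rule is an assumption, compare its output with a manual run of cluster node test1 /status on your own cluster before relying on it.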
12.3.2. Managing the Cluster Service Itself

There is also a command, called clussvc, that allows you to take action against a few things that might cause the cluster service to present trouble. You should only use this command if the cluster service fails to start, and it should only be run locally from the node that is presenting problems. To enable the debugging of the resource dynamic-link libraries (DLLs) that are loaded by the resource monitor process, use the following:

clussvc /debug /debugresmon

To allow the cluster service to start up, despite problems with the quorum device, issue the following command:

clussvc /debug /fixquorum

When the /fixquorum command is issued on a particular node, the cluster service starts, but all the resources, including the quorum resource, remain offline. This allows you to then manually bring the quorum resource online and more easily diagnose quorum device failures. The new quorum file is created using information in the cluster database located in %systemroot%\cluster\CLUSDB. Be careful, however, as that information might be out of date; only use this if no backup is available. Use the following command to disallow replication of event log entries:

clussvc /debug /norepevtlogging

This command is useful in reducing the amount of information displayed in the command window by filtering out events already recorded in the event log. And in the event that nothing else works, you can use the following command to force a quorum between a list of cluster nodes for a majority node set cluster:

clussvc /debug /forcequorum node1,node2,node3

You might use that command in a case where all nodes in one location have lost the ability to communicate with nodes in another location.
12.4. The Last Word

As you've learned in this chapter, Windows Server 2008 supports two distinct types of clustering: NLB clusters, which simply provide load distribution capabilities to certain IP-based applications; and true server clustering, which provides fault-tolerance capabilities to larger sets of machines. NLB is quite useful if you have a web-based application and several machines that can be devoted to servicing that application. The hardware does not need to be terribly powerful, and NLB is a great way to put used machines into service while providing a faster end-user experience. True server clustering is a better fit for medium-size organizations that have business-critical applications that always have to be available, no questions asked. Of course, with the high availability aspect comes increased cost, and the hardware investment required for true fault-tolerant capabilities is significant and should not be overlooked.
Chapter 13. PowerShell

PowerShell is Microsoft's administrative scripting tool incorporated into Windows Server 2008. Windows administrators can learn PowerShell to script common management tasks. PowerShell is a download that is available for Windows XP, Server 2003, and Vista; it is included within Windows Server 2008 as a feature you add to the base OS. Under development for several years, the first public view of the product was at the Professional Developer's Conference in September 2003. The first release (PowerShell on Windows XP and Windows 2003 Server) occurred in November 2006, with versions for Vista and Longhorn server coming during 2007.

PowerShell is a command shell, similar to Unix shells like C-shell and Bourne shell or Microsoft's CMD.EXE shell, focused on the administrator (as opposed to a programmer). With PowerShell, an administrator can enter interactive commands as well as run more detailed scripts. Scripts can take parameters and produce output in a variety of forms. PowerShell has the composability of the best versions of Unix/Linux shells, with the programming power of Ruby or Perl. Finally, it's built on top of the .NET framework. This means you can access just about any .NET feature directly from PowerShell, as well as accessing COM and WMI objects.

In this chapter, we will first look at the background to PowerShell and why Microsoft developed it. Next, we'll examine how to install it, and use it both at the command line and as a scripting tool. Finally, we'll look at how you can extend it for your own use.

13.1. Why PowerShell?

Before delving into PowerShell itself, it's important to understand the reasons it was developed as well as the approaches the PowerShell development team took to the product. Ever since Microsoft got into the software business, administrators have been managing client and server systems using a huge array of semi ad-hoc tools. These include console tools like CMD.EXE and a wealth of command-line tools. In addition, there were GUI tools such as the Microsoft Management Console, Regedit.exe, Adsiedit, and LDP. The problem was that those tools did not do "everything"—thus there was occasionally a need to use VBScript or even native APIs and C#/C++. Nor did these tools integrate well—there was no way to use the output of, say, LDP as input to Regedit. Since there was no single tool that did everything, administrators ended up needing to use a variety of disparate tools to solve administrative issues.

These individual tools were totally adequate for their original purpose. However, the scope and capability of each tool was not consistent. Each tool did only part of the task and provided little integration with other tools. As many admins discovered, they would start down one path, such as writing a batch script using OS-provided tools, only to find that the tools don't quite do what was needed. This meant moving to a different tool (e.g., using VBScript and COM automation) and throwing away some or all of their earlier work.

With the more recent releases of Windows (e.g., Windows XP, Windows Server 2003, and now Windows Server 2008), Microsoft has made great strides, particularly with the command-line tools. While the coverage is greatly improved, more is needed. Microsoft's answer to these concerns is PowerShell. There are three key aspects of PowerShell that are of interest to an admin:

It is focused on the administrator.
It is broad in scope and completeness.
It is highly extensible.

You can directly call into .NET, WMI, and COM to work with existing code. You can access just about any sort of data, and this includes PowerShell's native support for XML. And if that's not enough, you can write your own extensions—for example, to make PowerShell work with a custom-developed line of business applications.
13.2. Installing PowerShell

PowerShell is not installed in any version of Windows by default. For earlier versions of Windows (Windows XP, Windows Server 2003), you needed to download software from Microsoft's web site. However, as PowerShell is included in the installation binaries, installing it on Windows Server 2008 is really very simple. PowerShell has only one key dependency, the .NET Framework version 2.0, which needs to be installed before you can install PowerShell. In Windows Server 2008, the .NET Framework is installed by default.

In Windows Server 2008, PowerShell is an optional feature that you can install either using Server Manager, or as part of an unattended installation. Use the Server Manager to add the PowerShell feature as follows:
1. Run Server Manager, and select the option to add a feature.
2. Select the PowerShell feature and click Next.
3. Sit back and watch the installation run.

As PowerShell is an OS feature, the installer places PowerShell's core components into the %systemroot%\system32\windowspowershell\v1.0 folder. The installer also copies help files, formatting XML, some "getting started" documents, and a sample profile file to this location. PowerShell is a managed application, based on the .NET Framework. To speed up load times, the PowerShell installer also installs PowerShell's core binaries into the .NET Global Assembly Cache. Installing PowerShell also updates the Registry as follows:

Three new file types are added to HKEY_CLASSES_ROOT. They are .ps1 (PowerShell script files), .ps1xml (PowerShell display XML), and .psc1 (PowerShell Console).
The installation process also populates the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1.
The installer modifies the system path to include %systemroot%\system32\WindowsPowerShell\v1.0.

Once you have installed PowerShell, you can verify a successful installation by clicking Start, then Run, and then entering PowerShell and hitting Return.
13.3. PowerShell and Security

PowerShell, like any powerful admin tool, has the potential to do a lot of damage to a system if used incorrectly. You can use PowerShell to remove key files, remove or modify Registry settings, delete certificates, and so on—all of which can be dangerous. To minimize the risks, the PowerShell team took the following steps:
1. PowerShell is not installed by default—there is no "backdoor" installation that malware vendors could rely on.
2. The PowerShell script file with the .PS1 extension is associated with Notepad rather than with PowerShell. Double-clicking on a script opens Notepad with the script to edit as opposed to executing a script that could otherwise be malware.
3. PowerShell's execution policy is set by default to "restricted". This means you cannot run any script from inside PowerShell. You can easily change this to a less secure setting by using the set-executionpolicy cmdlet.
4. To stop local admins or users from setting the execution policy to unrestricted and running malevolent scripts, you can use Group Policy to set PowerShell's execution policy.

This level of security may seem like a lot of hassle for an administrator, but the approach goes a long way beyond reasonable means to avoid self-inflicted damage.
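Steps 3 and 4 interact: a local Set-ExecutionPolicy is silently overridden when Group Policy pins the policy. The following is an added example (not from the book) that reports both the effective policy and whether Group Policy is the source of it, which is the check to run before deciding whether a server can execute unsigned scripts. It assumes PowerShell 2.0 or later, and that the two registry keys named in the code are where the "Turn on Script Execution" Group Policy setting stores its EnableScripts and ExecutionPolicy values.

```powershell
# Added example (not from the book): report the effective execution policy and
# whether Group Policy is enforcing it.
# Assumptions: PowerShell 2.0 or later; the two registry keys below are where
# the "Turn on Script Execution" Group Policy setting writes EnableScripts
# (0 = scripts disabled) and ExecutionPolicy (the policy name).

function Get-GroupPolicyExecutionPolicy {
    # Computer Configuration is consulted first because it overrides User Configuration.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props.PSObject.Properties['EnableScripts'] -and $props.EnableScripts -eq 0) {
            return @{ Source = $key; Policy = 'Restricted (script execution disabled by policy)' }
        }
        if ($props.PSObject.Properties['ExecutionPolicy']) {
            return @{ Source = $key; Policy = $props.ExecutionPolicy }
        }
    }
    return $null
}

function Get-ExecutionPolicyReport {
    $effective = "$(Get-ExecutionPolicy)"
    $enforced  = Get-GroupPolicyExecutionPolicy
    $source = 'none (local setting, changeable with Set-ExecutionPolicy)'
    if ($enforced) { $source = $enforced.Source }
    return @{
        Effective     = $effective
        EnforcedByGPO = [bool] $enforced
        PolicySource  = $source
        # Unrestricted and Bypass also run unsigned scripts that came from the network;
        # RemoteSigned runs unsigned local scripts only; AllSigned and Restricted do not.
        RunsUnsignedRemoteScripts = (@('Unrestricted', 'Bypass') -contains $effective)
    }
}

$r = Get-ExecutionPolicyReport
Write-Host ("Effective execution policy : {0}" -f $r.Effective)
Write-Host ("Enforced by Group Policy   : {0} ({1})" -f $r.EnforcedByGPO, $r.PolicySource)
if ($r.RunsUnsignedRemoteScripts) {
    Write-Warning "Unsigned scripts downloaded from the network will run on this host."
}
```

Run it once with the policy set locally and once after the Group Policy setting is applied: in the second run PolicySource points at the policy key, and Set-ExecutionPolicy on the host no longer changes the Effective value.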
13.4. Starting Up PowerShell

Once you complete the steps above, PowerShell is available on your system. You can run PowerShell by clicking on Start, then clicking on Run, entering PowerShell into the Open text box, and hitting OK or Return. The default PowerShell screen should come up. When PowerShell starts up, it attempts to load and then execute four separate script files:

%ALLUSERSPROFILE%\Documents\PSConfiguration\Profile.ps1
%ALLUSERSPROFILE%\Documents\PSConfiguration\Microsoft.Powershell_Profile.ps1
%USERPROFILE%\My Documents\PSConfiguration\Profile.ps1
%USERPROFILE%\My Documents\PSConfiguration\Microsoft.Powershell_Profile.ps1

Each of these files is a PowerShell script file as described shortly. Having four profile files may seem excessive, but there is a good reason behind this approach. With PowerShell, you can use the product as installed, but you can also create your own shells with private additional cmdlets (explained in the next section). An example of a custom shell is the Exchange 2007 Management Shell. The two Profile.ps1 files are run by every PowerShell shell, which would include the Exchange Management Shell. The two Microsoft.Powershell_Profile.ps1 files, however, are only executed by PowerShell.exe. Likewise, you have both personal startup scripts and global startup scripts. This gives you considerable flexibility in how you deploy PowerShell. Your enterprise functions, filters, and aliases could live in the All Users Profile.ps1. These are then available to all shells for all users. You can then place personal or private PowerShell functions and other definitions into a personal .PS1 file for your particular use.
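Because these four files run before you get a prompt, they are also the first place to look when a shell behaves unexpectedly. Here is an added example (not from the book) that inventories the four locations listed above, plus whatever path the running host reports in its own $PROFILE variable, and flags any profile that launches programs or pulls in code from elsewhere. The four paths are the book's; the pattern of commands treated as worth reviewing is the example's own choice.

```powershell
# Added example (not from the book): list the profile scripts PowerShell would
# run at startup, with size, last write time and a quick content check.
# The four paths are the ones the book lists; $PROFILE is PowerShell's own
# variable for the current-user, current-host profile and is included in case
# it differs from the documented locations.

function Get-ProfileScriptInventory {
    $locations = @(
        (Join-Path $env:ALLUSERSPROFILE 'Documents\PSConfiguration\Profile.ps1'),
        (Join-Path $env:ALLUSERSPROFILE 'Documents\PSConfiguration\Microsoft.Powershell_Profile.ps1'),
        (Join-Path $env:USERPROFILE     'My Documents\PSConfiguration\Profile.ps1'),
        (Join-Path $env:USERPROFILE     'My Documents\PSConfiguration\Microsoft.Powershell_Profile.ps1')
    )
    if ($PROFILE -and ($locations -notcontains "$PROFILE")) { $locations += "$PROFILE" }

    foreach ($path in $locations) {
        $exists = Test-Path -Path $path
        $info = New-Object PSObject
        $info | Add-Member -MemberType NoteProperty -Name Path   -Value $path
        $info | Add-Member -MemberType NoteProperty -Name Exists -Value $exists
        if ($exists) {
            $file = Get-Item -Path $path
            $info | Add-Member -MemberType NoteProperty -Name LastWriteTime -Value $file.LastWriteTime
            $info | Add-Member -MemberType NoteProperty -Name Bytes         -Value $file.Length
            # A profile that evaluates strings, downloads content or starts other
            # programs deserves a read-through before you trust the shell.
            $suspect = Select-String -Path $path -Pattern 'Invoke-Expression|DownloadString|Start-Process' -Quiet
            $info | Add-Member -MemberType NoteProperty -Name ReviewWorthy -Value ([bool] $suspect)
        }
        $info
    }
}

Get-ProfileScriptInventory | Format-List
```

The All Users files are the ones to watch most closely, since anything placed there runs for every user of the machine, and the personal Profile.ps1 runs in every shell, not only PowerShell.exe, exactly as the section describes.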
13.5. Cmdlets: The Heart of PowerShell

At the heart of PowerShell is the cmdlet (pronounced "command-let"). It is the smallest bit of code you can run. A cmdlet is a block of code that you can run from the PowerShell prompt, or from a script, that performs a function. Technically, a cmdlet is a .NET class that has been developed by either the PowerShell team or a third-party developer and incorporated into PowerShell. To call a cmdlet, just type its name at the PowerShell prompt, as follows:

PSH [D:\foo]: Get-Process

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    112       5     1220       3640    32     0.06    436 alg
     42       2     1316       3424    29   199.19    576 ApntEx
     93       3     1740       5776    37   494.06   2456 Apoint
    267       7     4492      12140    64     1.61  47124 Connect
   1045       9     7220       7552    51   242.39   1680 csrss
     74       4     1284       4824    30     1.84   3864 ctfmon
    107       4     3624       7224    47     0.67   1016 DataServer
    142       6     4636       8472   179     1.09    372 EvtEng
... [output snipped]
In this example, the Get-Process cmdlet obtains the set of running processes on the computer and outputs a number of attributes. The attributes that are output by Get-Process (i.e., handle count, non-paged kernel memory, paged kernel memory, working set, VM size, CPU time used, process ID, and process name) are output by default and are sorted based on process name. Cmdlets can take parameters, as shown here:
PSH [D:\foo]: Get-Process notepad

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
     48       3     1392       1072    31     1.48   1544 notepad

PSH [D:\foo]: Get-Process -Name notepad

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
     48       3     1392       1072    31     1.48   1544 notepad

PSH [D:\foo]:
This example shows Get-Process called with the name of a process to output (Notepad). As this example demonstrates, parameters can be either positional, where the first value is assumed to be the first parameter, the second value specifies the second parameter, etc.; or named, where the value is explicitly assigned to a particular parameter. Named parameters can be specified in any order, whereas positional parameters need to be specified in the order the cmdlet expects.

All parameter names begin with a - (minus) followed by the parameter name. One of the more important parameters that all cmdlets support is help, or -?. For example:

PSH [D:\foo]: get-process -?

NAME
    Get-Process

SYNOPSIS
    Gets the processes that are running on the local computer.

SYNTAX
    Get-Process [[-name] ] []
    Get-Process -id []
    Get-Process -inputObject []

DETAILED DESCRIPTION
    The Get-Process cmdlet retrieves a process object for each process. Without
    parameters, "Get-Process" gets all of the processes on the computer, as
    though you typed "Get-Process *". You can also identify a particular process
    by process name or process ID (PID), or pass a process object through the
    pipeline to Get-Process. For Get-Process, the default method is by process
    name. For Stop-Process, the default method is by process ID.

RELATED LINKS
    Stop-Process

REMARKS
    For more information, type: "get-help Get-Process -detailed".
    For technical information, type: "get-help Get-Process -full".

PSH [D:\foo]:
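The help text shows that -Name is positional and -Id is not, which is why both calls above return the same Notepad process. The following is an added example (not from the book) that makes the same point in code and then pushes Get-Process through a pipeline, so that later cmdlets filter on object properties (Path, WorkingSet, StartTime) the default table never prints. It assumes PowerShell 2.0 or later; nothing in it depends on the book's sample machine, and processes the current user cannot open (Path is $null for them) are skipped.

```powershell
# Added example (not from the book): positional versus named parameters, then a
# pipeline over the objects Get-Process emits. Assumes PowerShell 2.0 or later.

function Test-PositionalEqualsNamed {
    param([string] $ProcessName = 'notepad')
    # Positional: the first argument binds to -Name. Named: the parameter is spelled out.
    $byPosition = @(Get-Process $ProcessName       -ErrorAction SilentlyContinue)
    $byName     = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    # Same cmdlet, same binding, so both calls return the same set of process IDs.
    $a = @($byPosition | ForEach-Object { $_.Id } | Sort-Object) -join ','
    $b = @($byName     | ForEach-Object { $_.Id } | Sort-Object) -join ','
    return ($a -eq $b)
}

function Get-ProcessOutsideSystemFolders {
    # Folders from which running executables are normally expected to load.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') + '\' }

    Get-Process |
        Where-Object { $_.Path } |          # $null when the process cannot be opened
        Where-Object {
            $p = $_.Path
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($p.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            -not $inTrusted
        } |
        Sort-Object -Property WorkingSet -Descending |
        Select-Object -Property Id, ProcessName, StartTime, Path
}

"Positional and named calls agree: $(Test-PositionalEqualsNamed)"
Get-ProcessOutsideSystemFolders | Format-Table -AutoSize
```

The second function is the pipeline idiom the chapter is building toward: each stage receives process objects, not the text of the table, so the filter on Path and the sort on WorkingSet work without any parsing.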
13.6. Getting Help with PowerShell

Learning any new tool, program, or OS takes time—but some are easier to get to know than others. PowerShell was designed from the outset to be as discoverable as possible. Once you know a few small things, you can use that knowledge to learn more and to get up to speed. There are two cmdlets that you will find helpful to get you started: Get-Help and Get-Command. The Get-Help cmdlet gets help about PowerShell cmdlets and key concepts. Get-Command gets basic information about cmdlets and other commands you can use from within PowerShell. Additionally, every PowerShell cmdlet supports the -? parameter to get help. The Get-Help cmdlet takes a parameter to indicate what you want to get help on. One neat feature is that you can use wildcards in the parameter to get help about more than one thing, as shown here:

PSH [D:\foo]: get-help get-h*

Name         Category  Synopsis
----         --------  --------
Get-Help     Cmdlet    Displays information about Windows PowerShell cmdlets and concepts.
Get-History  Cmdlet    Gets a list of the commands entered during the current session.
Get-Host     Cmdlet    Gets a reference to the current console host object. Displays Windows PowerShell version...
Get-Hash     Cmdlet    Gets the hash value for the specified file or byte array via the pipeline.
Get-HTTP     Cmdlet    The get-http cmdlet can be used to retrieve documents from the World Wide Web.

This example looked for help on Get-H* and that returned a synopsis of the five cmdlets on the system that match this wildcard. Get-Help * would return a summary of everything that PowerShell could provide help about.

Another nice example of the discoverability that has been built into PowerShell is the help files. PowerShell comes with a number of small text files that describe key PowerShell concepts. You can view these by using the Get-Help cmdlet. To see all the help files, you type Get-Help about* and this returns the list of all the help files. Typing Get-Help about_if provides information about the if statement as shown here:

PSH [D:\foo]: get-help about_if

TOPIC
    The if statement

SHORT DESCRIPTION
    A language command for running a command block or blocks based on the
    results of one or more conditional tests

LONG DESCRIPTION
    You can use the if statement to run a code block if a specified
    conditional test evaluates to true. You can also specify one or more
    additional conditional tests to run if all prior tests evaluate to
    false. Finally, you can specify an additional code block that is run if
    no other prior conditional test evaluates to true.

{additional output not shown}
13.7. Using Data Stores and PowerShell Providers

Today's modern computing world makes use of a vast variety of data stores, including the file store, the certificate store, the Registry, etc. With previous tools, each of these data stores was accessed using different and incompatible tools, making it hard for the admin to learn, use, and master. PowerShell takes a different approach through the use of providers and standard cmdlets. A PowerShell provider is a software component that sits between the actual data store and the standard cmdlets. The standard cmdlets call into the provider to return the relevant data and present it in an admin-friendly way. To aid in conversion, PowerShell provides aliases for these standard cmdlets. The provider architecture is shown at http://msdn2.microsoft.com/en-us/library/ms714658.d2eb7674-3a27-4baf-91b7-b8eaf1e8ab2c(en-us,VS.85).gif. To illustrate this, let's look at two data stores, the filesystem and the Registry:

PSH [D:\foo]: dir

    Directory: Microsoft.PowerShell.Core\FileSystem::D:\foo

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----        14/10/2007    12:04            bar

PSH [D:\foo]: cd bar
PSH [D:\foo\bar]: ls

    Directory: Microsoft.PowerShell.Core\FileSystem::D:\foo\bar

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        14/10/2007    12:04          8 foobar.txt

PSH [D:\foo\bar]: cd hklm:
PSH [HKLM:\]: ls

    Hive: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE

SKC  VC Name                           Property
---  -- ----                           --------
  4   0 HARDWARE                       {}
 87   0 SOFTWARE                       {}
  8   0 SYSTEM                         {}

PSH [HKLM:\]: dir .\software\microsoft\powershell

    Hive: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\microsoft\powershell

SKC  VC Name                           Property
---  -- ----                           --------
  4   2 1                              {Install, PID}
In this example, we use both the Dir and LS aliases to examine two separate data stores: the filesystem and the Registry. Both are aliases to the Get-ChildItem standard cmdlet, which allows both Linux/Unix and DOS/Windows users to use familiar names to perform common and familiar operations. There are several more standard cmdlets:
Clear-Item
Deletes the contents of an item, but does not delete the item.

Clear-ItemProperty
Deletes the value of a property, but does not delete the property itself.

Copy-Item
Copies an item from one location to another within a namespace.

Copy-ItemProperty
Copies a property and value from a specified location to another location.

Get-ChildItem
Gets the items and child items in one or more specified locations.

Get-ItemProperty
Retrieves the properties of a specified item.

Get-Item
Gets the item at the specified location.

Invoke-Item
Invokes the provider-specific default action on the specified item.

Move-Item
Moves an item from one location to another.

New-Item
Creates a new item in a namespace.

Move-ItemProperty
Moves a property from one location to another.

Rename-Item
Renames an item in a Windows PowerShell provider namespace.

New-ItemProperty
Sets a new property of an item at a location.

Remove-Item
Deletes the specified items.

Remove-ItemProperty
Deletes the property and its value from an item.

Rename-ItemProperty
Renames a property of an item.

Set-Item
Changes the value of an item to the value specified in the command.

Set-ItemProperty
Sets the value of a property at the specified location.
This list represents a number of new cmdlets for the admin to learn. In order to minimise the learning curve, PowerShell provides common aliases for each of these standard cmdlets, e.g., Get-ChildItem is aliased to GCI, DIR, and LS. You can get a list of these aliases as follows:

PSH [D:]: get-alias * | where {$_.definition -like "*item*"} | ft -auto

CommandType Name  Definition
----------- ----  ----------
Alias       cli   Clear-Item
Alias       clp   Clear-ItemProperty
Alias       cpi   Copy-Item
Alias       cpp   Copy-ItemProperty
Alias       gci   Get-ChildItem
Alias       gi    Get-Item
Alias       gp    Get-ItemProperty
Alias       ii    Invoke-Item
Alias       mi    Move-Item
Alias       mp    Move-ItemProperty
Alias       ni    New-Item
Alias       ri    Remove-Item
Alias       rni   Rename-Item
Alias       rnp   Rename-ItemProperty
Alias       rp    Remove-ItemProperty
Alias       si    Set-Item
Alias       sp    Set-ItemProperty
Alias       cp    Copy-Item
Alias       ls    Get-ChildItem
Alias       mv    Move-Item
Alias       rm    Remove-Item
Alias       rmdir Remove-Item
Alias       copy  Copy-Item
Alias       del   Remove-Item
Alias       erase Remove-Item
Alias       move  Move-Item
Alias       rd    Remove-Item
Alias       ren   Rename-Item
These aliases enable you to start using PowerShell and PowerShell providers straight away using the names of the DOS/Windows/Unix/Linux commands you are already familiar with. They also avoid you needing to learn new cmdlets in order to get any value from PowerShell. The aliases and standard cmdlets call into a provider to obtain the relevant information (the contents of the current working file store folder, the current node in the Registry, etc.). PowerShell comes with several providers, and you can add more. Providers built into PowerShell include Alias, Environment, FileSystem, Function, Registry, Variable, and Certificate. Additional third-party providers include SQL Server, One-Note and Microsoft Compute Cluster. With a provider, you can use New-PSDrive to create new drives. These drives can then be used as normal drives in the standard cmdlets and related aliases. For example:
PSH [D:\foo]: New-PSDrive -name scripts -psProvider Filesystem -root d:\foo

Name       Provider      Root
----       --------      ----
scripts    FileSystem    D:\foo

PSH [D:\foo]: dir scripts:

    Directory: Microsoft.PowerShell.Core\FileSystem::D:\foo

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----        14/10/2007    12:04            bar
In this manner, you can create new drives that are more meaningful than C: and D:. To see what drives are available, you can use the Get-PSDrive cmdlet as shown here (note the new scripts drive we created in the previous example):

PSH [D:\foo]: Get-PSDrive

Name       Provider      Root
----       --------      ----
Alias      Alias
C          FileSystem    C:\
cert       Certificate   \
D          FileSystem    D:\
E          FileSystem    E:\
Env        Environment
F          FileSystem    F:\
Feed       FeedStore
Function   Function
HKCU       Registry      HKEY_CURRENT_USER
HKLM       Registry      HKEY_LOCAL_MACHINE
L          FileSystem    L:\
R          FileSystem    R:\
S          FileSystem    S:\
scripts    FileSystem    D:\foo
T          FileSystem    T:\
U          FileSystem    U:\
Variable   Variable
Y          FileSystem    Y:\
With these drives, you can perform actions like Dir ENV: to get a list of environment variables or Dir Variable: to see a list of variables in use. For more help on providers, type Get-Help about_providers at the PowerShell prompt. And for more detailed information about providers and how to build one, see http://msdn2.microsoft.com/en-us/library/ms714636.aspx.
13.8. The Pipeline

The pipeline is a feature of PowerShell that takes the output of one cmdlet and sends ("pipes") it to another cmdlet, as you may have noticed in some of the examples earlier in this chapter. The PowerShell pipeline is very similar to the pipeline in Unix and Linux, and is perhaps one of PowerShell's more significant features. One major difference is that in Unix/Linux, what is usually sent between stages in the pipeline is raw text that then needs to be manipulated, often referred to as prayer-based parsing. For example, you could use the Unix command PS to get a list of processes; then you could send the text output to a formatting program to manipulate the output. PowerShell sends .NET (or other) objects between stages in the pipeline. For example, you could pipe the output of the Get-Process cmdlet into the Sort-Object cmdlet as follows:
PSH [D:\foo]: get-process | sort-object handles

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
      0       0        0         28     0               0 Idle
     21       1      192        432     4     0.22   1568 smss
     31       3     1224       3072    32     0.05    968 shstat
     35       2     1040       3212    27     0.06   3940 Mctray
... {rest of table removed}
In this example, the Get-Process cmdlet obtains a set of process objects representing the processes running on the system, and sends them to the next stage of the pipeline. These process objects are then input to the Sort-Object cmdlet, which sorts the process objects based on the number of active handles. The result is then output to the console using the default formatter. Since PowerShell is passing objects between pipeline stages, Sort-Object knows what is coming in and knows whether the objects have a Handles property. The pipeline can be several levels deep, as shown here:

PSH [D:\foo]: Get-Process | Where-Object {$_.Handles -gt 500} | Sort-Object Handles -Descending | Select-Object Processname, Id, Handles | Format-Table -Autosize

ProcessName      Id Handles
-----------      -- -------
OUTLOOK        2552    5729
svchost         320    2355
Quest.PowerGUI 5984    1839
searchindexer  2164    1563
PKTray         4632    1267
csrss          1684    1216
iexplore       2592    1044
msnmsgr        3912     982
firefox        4004     970
explorer       3192     951
WINWORD        5588     882
System            4     856
svchost        2024     841
POWERPNT       5876     817
lsass          1764     664
winlogon       1708     642
explorer       5940     571
services       1752     533
This example first retrieves all the processes running on your system using Get-Process. These processes then go to the Where-Object cmdlet, which discards any process whose handle count is less than or equal to 500. The list is then sorted in descending order, using Sort-Object. Next, the Select-Object cmdlet retrieves just three properties from the objects being passed. Finally, Format-Table formats those properties into a simple table with the minimum number of spaces between each column. In this example, you see the cmdlet names spelled out in full. You could use the aliases for each cmdlet, to reduce the amount of typing you need to do, by specifying:

gps | where {$_.handles -gt 500} | sort handles -desc | select processname, id, handles | ft -a
You have the option of typing more or less depending on your needs. If you are entering these commands at the PowerShell prompt, then using aliases makes things easy for you. Alternatively, when developing production scripts, specifying the full names of cmdlets and parameter names is a very good idea. To get more information about the pipeline, use Get-Help About_Pipeline.
13.9. Formatting Basics

PowerShell was designed for use by administrators as opposed to programmers, unlike VBScript. PowerShell knows how to format the objects produced by cmdlets or to display variables and other data typed at the PowerShell prompt. As we have seen in this chapter thus far, you can simply enter a cmdlet or variable at the PowerShell prompt, and get nicely formatted output. You can also use four additional cmdlets, Format-Table, Format-List, Format-Wide, and Format-Custom, to create different forms of output. PowerShell provides you with a number of options for formatting. In most cases, you can just accept PowerShell's built-in formatting. Or, if you are so inclined, you can delve deeper into .NET for richer formatting features. To illustrate PowerShell formatting, here is a simple command that uses Get-WMIObject to retrieve information about the memory devices in a computer:

PSH [D:\foo]: Get-WMIObject -Class win32_memorydevice
__GENUS                 : 2
__CLASS                 : Win32_MemoryDevice
__SUPERCLASS            : Win32_SMBIOSMemory
__DYNASTY               : CIM_ManagedSystemElement
__RELPATH               : Win32_MemoryDevice.DeviceID="Memory Device 0"
__PROPERTY_COUNT        : 39
__SERVER                : XP21
__NAMESPACE             : root\cimv2
__PATH                  : \\XP21\root\cimv2:Win32_MemoryDevice.DeviceID="Memory Device 0"
Access                  :
AdditionalErrorData     :
Availability            :
BlockSize               :
Caption                 : Memory Device
ConfigManagerErrorCode  :
ConfigManagerUserConfig :
CorrectableError        :
CreationClassName       : Win32_MemoryDevice
Description             : Memory Device
DeviceID                : Memory Device 0
EndingAddress           : 639
{ more details snipped}
In this simple example, PowerShell uses WMI to obtain memory device information from the computer and then outputs this information to the console using default formatting. If you'd like more information about this WMI object, see http://msdn2.microsoft.com/en-us/library/aa394197.aspx. By default, PowerShell pipes all the output objects to the default formatter, the Out-Default cmdlet. This cmdlet then uses PowerShell's built-in display XML to format the objects. The default display XML is stored in %systemroot%\system32\windowspowershell\v1.0 (the files have the extension .PS1XML).
You have several options for dealing with formatting. As just mentioned, you can use PowerShell's built-in default formatting, and often that's all you need. For example, if you enter DIR at the PowerShell prompt, you get a directory listing, which usually contains the information you require. As you can see from the Win32_MemoryDevice example, however, this default format may be more than you want. To assist the admin, as noted earlier, PowerShell includes four formatting cmdlets you can use: Format-List (alias FL), Format-Table (alias FT), Format-Wide (FW), or Format-Custom (FC). You use these cmdlets in the last stage in the pipeline, to display a subset of properties. For example:

PS C:\foo> get-wmiobject win32_memorydevice | format-list deviceid, startingaddress, endingaddress

deviceid        : Memory Device 0
startingaddress : 0
endingaddress   : 639

deviceid        : Memory Device 1
startingaddress : 1024
endingaddress   : 1048575

deviceid        : Memory Device 2
startingaddress : 1048576
endingaddress   : 2097151
As an alternative, you could use the Format-Table cmdlet (along with the -autosize parameter) to produce a nice table:

PS C:\foo> get-wmiobject win32_memorydevice | format-table deviceid, startingaddress, endingaddress -autosize

deviceid        startingaddress endingaddress
--------        --------------- -------------
Memory Device 0               0           639
Memory Device 1            1024       1048575
Memory Device 2         1048576       2097151
The Format-* cmdlets enable you to override PowerShell's default formatter. You just pipe the output you want into one of these formatting cmdlets. PowerShell uses some simple rules when formatting objects by default:
1. PowerShell first examines the format .ps1xml files, looking for a view for the object to be formatted. If the formatting XML files contain a view, PowerShell uses it to create the output. PowerShell comes with a number of objects that have defined views. You can easily adapt these as appropriate. You can also add your own definitions for any object, including the objects that do not have a default view defined and any custom objects you add to PowerShell.

2. If there is no defined view for the object, PowerShell examines the .ps1xml files to find a default set of display properties for the object being formatted. If one is found, PowerShell collects the properties named, and moves on to the next step. If there are no display properties defined, PowerShell collects all the properties and moves on.

3. Based on the previous step, PowerShell then calls either Format-Table to display the object or calls Format-List. PowerShell uses Format-Table if there are five or fewer properties to display; otherwise, it uses Format-List.
See http://blogs.msdn.com/powershell/archive/2006/04/30/586973.aspx for more information on PowerShell formatting.
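To watch the last of these rules (table versus list, decided by the property count) in action, here is an added example that is not from the book. It builds two custom objects with Add-Member; because neither has a view in the .ps1xml files, the default formatter falls back to the property-count rule. The object and property names are constructed for the demonstration.

```powershell
# Added example: how the number of properties drives the default formatter.
# New-Record builds a PSObject with N constructed NoteProperties; such an
# object has no view defined in the format.ps1xml files, so only the
# property-count rule decides between Format-Table and Format-List.
function New-Record ([int] $propertyCount) {
    $obj = New-Object PSObject
    for ($i = 1; $i -le $propertyCount; $i++) {
        # Add-Member positional arguments: MemberType, Name, Value
        $obj | Add-Member NoteProperty ("Prop$i") ($i * 10)
    }
    $obj
}

# Four properties: few enough that Out-Default chooses Format-Table
New-Record 4

# Six properties: more than the table threshold, so Out-Default chooses Format-List
New-Record 6

# The same six-property object, with the default overridden by piping it
# explicitly into Format-Table
New-Record 6 | Format-Table -AutoSize
```

Swap the Format-Table at the end for Format-List, Format-Wide or Format-Custom to compare the four formatters on identical input.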
13.10. Variables

PowerShell allows you to assign the output of a cmdlet or a pipeline of cmdlets to a variable. A variable is a named object that can hold any sort of value, including a simple type (a number, string, Boolean value), an array, or a more complex type (such as an object). You can use variables to obtain individual properties of an object, or to hold values you use in a script. Variable names begin with a $ (dollar sign), as shown here:
PSH [D:\foo]: $a = 1
PSH [D:\foo]: $b=12.123
PSH [D:\foo]: $c="this is a string"
PSH [D:\foo]: $a
1
PSH [D:\foo]: $b
12.123
PSH [D:\foo]: $c
this is a string
PowerShell automatically works out the variable type, although you can override this. In this example, $a is created as an integer, $b as a double, and $c as a string. And as discussed earlier, PowerShell uses the data type to work out how to format the objects. To determine the type of any variable, you can pipe the variable to the Get-Member cmdlet as shown here:
PSH [D:\foo]: $a | get-member

   TypeName: System.Int32

Name        MemberType Definition
----        ---------- ----------
CompareTo   Method     System.Int32 CompareTo(Int32 value), ...
Equals      Method     System.Boolean Equals(Object obj), ...
GetHashCode Method     System.Int32 GetHashCode( )
GetType     Method     System.Type GetType( )
GetTypeCode Method     System.TypeCode GetTypeCode( )
ToString    Method     System.String ToString( ), System.String ToString(IFormatProvider provider), System.String ToS...

PSH [D:\foo]: $b | get-member

   TypeName: System.Double

Name        MemberType Definition
----        ---------- ----------
CompareTo   Method     System.Int32 CompareTo(Object value), ...
Equals      Method     System.Boolean Equals(Object obj), ...
GetHashCode Method     System.Int32 GetHashCode( )
GetType     Method     System.Type GetType( )
GetTypeCode Method     System.TypeCode GetTypeCode( )
ToString    Method     System.String ToString(String format, ...
You can also explicitly define a variable to be a specific type by including the type name before the variable, as shown here:

PSH [D:\foo]: [double] $a = 1
PSH [D:\foo]: $a
1
PSH [D:\foo]: $a | gm

   TypeName: System.Double

Name        MemberType Definition
----        ---------- ----------
CompareTo   Method     System.Int32 CompareTo(Object value), ...
Equals      Method     System.Boolean Equals(Object obj), System.Boolean ...
GetHashCode Method     System.Int32 GetHashCode( )
GetType     Method     System.Type GetType( )
GetTypeCode Method     System.TypeCode GetTypeCode( )
ToString    Method     System.String ToString(String format, ...
Variables can also hold objects and can be used in control statements in a script. For example, you could use the Get-WMIObject cmdlet to retrieve the BIOS information, and then perform some action if a particular value of the BIOS information exists, as shown here:
PSH [D:\foo]: $bios = Get-WMIObject Win32_Bios
PSH [D:\foo]: $bios

SMBIOSBIOSVersion : A04
Manufacturer      : Dell Inc.
Name              : Phoenix ROM BIOS PLUS Version 1.10 A04
SerialNumber      : DDC2H2J
Version           : DELL   - 27d60a0d

PSH [D:\foo]: $bios.SMBIOSBIOSVersion
A04
PSH [D:\foo]: $bv = $bios.SMBIOSBIOSVersion
PSH [D:\foo]: if ($bv -eq "A04") {write-host "Latest BIOS"}
Latest BIOS
PSH [D:\foo]:
In this example, WMI returns the BIOS information, from which the BIOS version ID is retrieved and output. The BIOS version ID string is then tested using the IF command and, as you can see, since the BIOS version returned from WMI is "A04", the test is true and PowerShell prints out the message. For more information on variables in PowerShell, see http://www.microsoft.com/technet/technetmag/issues/2007/03/PowerShell/default.aspx.
13.11. Writing Scripts

While you can use the PowerShell prompt to run cmdlets, most Windows Server 2008 administrators will write their own scripts for performing tasks in their environment. For example, you could develop a script to ping remote systems to discover whether they are available, and report on those that are not. You could extend this to time how long a ping takes and report whether that time is outside of some previously established norm, or you could develop a script to add a user to your Active Directory, add the user to role-based security groups, enable the Exchange and Unified Messaging mailboxes, and enable the user to use the Office Communications Server. A script is a text file with a PS1 extension that contains the commands you might type at the PowerShell prompt, along with a variety of control statements to control the execution of your script. In general, there is nothing you can do in a script that you could not do at the PowerShell prompt; scripts just cut down on typing. This means you can try things out at the PowerShell prompt, and create your script from there, something not really possible in traditional scripting languages such as VBScript. For added security, scripts can be digitally signed. When combined with PowerShell's execution policy, this enables you to restrict administrators to only running scripts specifically signed by your organization. For more information about signing PowerShell scripts, see http://www.hanselman.com/blog/SigningPowerShellScripts.aspx. The world's shortest Hello World script would be a file, helloworld.ps1, as follows:
PSH [D:\foo]: cat helloworld.ps1
"Hello World"
PSH [D:\foo]: .\helloworld.ps1
Hello World
PSH [D:\foo]:
This very short script just displays the string "Hello World". It is not particularly useful. Production scripts tend to do more than just output "Hello World". Here's a more functional script that displays the size of each disk (including mapped network drives), along with the amount of free space available:

PSH [D:\foo]: cat get-disksize.ps1
#get-disksize.ps1
#Thomas Lee [email protected]
Param ($Computer = "localhost")
#Get Disk info
$colDisks = get-wmiobject Win32_LogicalDisk -computer $computer
#Now display it
" Device ID    Type         Size(M)   Free Space(M)"
ForEach ($Disk in $colDisks) {
    $drivetype=$disk.drivetype
    Switch ($drivetype) {
        2 {$drivetype="FDD"}
        3 {$drivetype="HDD"}
        4 {$drivetype="Net"}
        5 {$drivetype="CD "}
    }
    " {0}          {1}  {2,15:n} {3,15:n}" -f $Disk.DeviceID, $drivetype, $($disk.Size/1mb), $($disk.freespace/1mb)
}
""
PSH [D:\foo]: .\get-disksize.ps1
 Device ID    Type         Size(M)   Free Space(M)
 C:          HDD        20,928.43        1,005.85
 D:          HDD        21,202.97        2,783.07
 E:          HDD        53,168.21        2,460.73
 F:          CD          4,270.18            0.00
 L:          Net     1,526,214.19      502,263.14
 R:          Net       675,402.00      556,902.56
 S:          Net        76,253.84       34,930.72
 T:          Net             0.00            0.00
 U:          Net             0.00            0.00
 Y:          Net        69,970.60        8,091.59
A rich set of control structures is available to you while you're writing scripts, including:

If-then-else
You can test some condition (e.g., whether a user exists in AD) and, based on that test, carry out operations (e.g., add the user) if the test succeeds, or do something else (e.g., issue an error message) if it does not. For details on the syntax of this construct, type Get-Help About_If.

Switch
This evaluates an item against a set of possible values and takes the action based on that evaluation. You could, for example, obtain the BIOS version of a system, and then test for each possible value. For details on the syntax of the switch construct, type Get-Help About_Switch.

Looping
There are three looping control structures: For, Do-Until, and While. Typing Get-Help about_while provides more information on the While statement.

For and For-each
These iterate through an array or a set of values. Type Get-Help About_For and Get-Help About_ForEach for more information about the For statements.

Throw and Trap
These generate and catch errors.

Unfortunately there is very little documentation within PowerShell on Throw and Trap, as noted in http://blogs.msdn.com/powershell/archive/2006/12/29/documenting-trap-and-throw.aspx. See http://huddledmasses.org/trap-exception-in-powershell/ for more details about Throw and Trap.
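The ping-and-report script sketched at the start of this section, written out as an added example that is not code from the book or from Thomas Lee. It exercises every construct in the list above (If, Switch, ForEach, Do-Until, Throw and Trap) using the .NET System.Net.NetworkInformation.Ping class; the script name test-hosts.ps1, the host list and the thresholds are constructed assumptions.

```powershell
# test-hosts.ps1 -- added example, not from the book.
# Pings each host, retries failures, and reports hosts that are down or that
# answer more slowly than a threshold. Host names and thresholds below are
# constructed sample values; replace them with your own.
Param (
    [string[]] $Computers = @("localhost", "127.0.0.1", "no-such-host.invalid"),
    [int]      $TimeoutMs = 1000,   # how long to wait for each reply
    [int]      $SlowMs    = 100,    # round trips above this are reported as slow
    [int]      $Retries   = 2       # attempts before a host is declared down
)

# Throw: abort the script with an error the caller can trap
if ($Computers.Count -eq 0) { throw "No computers specified" }

function Send-Ping ($target, $timeoutMs) {
    # Trap: an unresolvable name makes Send() throw. The trap reports the
    # failure and 'continue' resumes after the failing statement, so the
    # function returns nothing and the caller sees $null.
    trap {
        Write-Warning ("{0}: {1}" -f $target, $_.Exception.Message)
        continue
    }
    $ping = New-Object System.Net.NetworkInformation.Ping
    $ping.Send($target, $timeoutMs)
}

$down = @()
" {0,-28} {1,-8} {2,10}" -f "Computer", "Status", "RTT(ms)"
ForEach ($computer in $Computers) {
    # Do-Until: retry until a successful reply or the attempts run out
    $attempt = 0
    do {
        $attempt++
        $reply = Send-Ping $computer $TimeoutMs
    } until (($reply -ne $null -and $reply.Status -eq "Success") -or $attempt -ge $Retries)

    $rtt = 0
    if ($reply -eq $null) {
        $status = "Error"            # name resolution or network failure
    } else {
        $rtt = $reply.RoundtripTime
        # Switch: classify the reply by its IPStatus value
        Switch ($reply.Status.ToString()) {
            "Success"  { if ($rtt -gt $SlowMs) { $status = "Slow" } else { $status = "OK" } }
            "TimedOut" { $status = "Down" }
            default    { $status = $reply.Status.ToString() }
        }
    }
    if ($status -ne "OK" -and $status -ne "Slow") { $down += $computer }
    " {0,-28} {1,-8} {2,10}" -f $computer, $status, $rtt
}

""
if ($down.Count -gt 0) {
    # PowerShell v1 has no -join operator, so use the .NET String.Join method
    "Not available: " + [string]::Join(", ", $down)
}
```

Run it as .\test-hosts.ps1 -Computers server1, server2 -SlowMs 50; the warnings for unresolvable names come from the trap, while the table and the final summary come from the normal output stream.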
13.12. Objects: .NET, WMI, and COM

PowerShell is an object-oriented product: all the language features and constructs are based on objects. Cmdlets emit objects, variables are objects, and language constructs allow you to manipulate objects. You can use the properties of an object and can call methods an object contains. While some PowerShell users may not make much direct use of this object orientation, PowerShell is able to make use of .NET and WMI objects, both at the command line and in scripts. Like most of PowerShell's features, we could devote an entire book to the subject of objects in PowerShell. PowerShell is built on the .NET Framework and enables you to access and use most of the classes within the framework. A restriction of PowerShell version 1 is that the asynchronous classes and methods are not supported. Using .NET objects is pretty easy since much of it happens by default. You can let PowerShell determine the .NET classes by default: for example, typing LS or DIR in a filesystem drive produces a set of file and directory objects. You can see this by piping the output of a command to the Get-Member cmdlet, as shown here:

PSH [D:\foo]: ls

    Directory: Microsoft.PowerShell.Core\FileSystem::D:\foo

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----        14/10/2007    12:04            bar
-a---        09/09/2007    12:30          3 foo.txt
-a---        14/10/2007    19:42         13 helloworld.ps1

PSH [D:\foo]: dir | Get-Member

   TypeName: System.IO.DirectoryInfo

Name         MemberType Definition
----         ---------- ----------
Create       Method     System.Void Create( ), System.Void Create(DirectorySecurity ...
CreateObjRef Method     System.Runtime.Remoting.ObjRef CreateObjRef(Type requested...
... output snipped for brevity

   TypeName: System.IO.FileInfo

Name         MemberType Definition
----         ---------- ----------
AppendText   Method     System.IO.StreamWriter AppendText( )
CopyTo       Method     System.IO.FileInfo CopyTo(String dest...
Create       Method     System.IO.FileStream Create( )
CreateObjRef Method     System.Runtime.Remoting.ObjRef Create...
CreateText   Method     System.IO.StreamWriter CreateText( )
Decrypt      Method     System.Void Decrypt( )
Delete       Method     System.Void Delete( )
Encrypt      Method     System.Void Encrypt( )
Equals       Method     System.Boolean Equals(Object obj)
... output snipped for brevity
In the above example, the LS command emitted System.IO.DirectoryInfo and System.IO.FileInfo objects. To many Windows admins not familiar with .NET, this looks quite complex, but it does become second nature with a bit of practice. For more information on System.IO.DirectoryInfo objects, see http://msdn2.microsoft.com/en-us/library/system.io.directoryinfo.aspx, and for more information on System.IO.FileInfo objects, see http://msdn2.microsoft.com/en-us/library/system.io.fileinfo.aspx. You can also directly create .NET objects. For example, you could use the New-Object cmdlet as shown here to access .NET's random number class System.Random:
PSH [D:\foo]: $rand = New-Object System.Random
PSH [D:\foo]: $rand.next( )
92298896
PSH [D:\foo]: $rand.next( )
1722419986
PSH [D:\foo]: $rand2 = New-Object System.Random
PSH [D:\foo]: $rand2.NextDouble( )
0.370553521611986
PSH [D:\foo]: $rand2.nextdouble( )
0.561135980561905
If you want to create random numbers that are between two other numbers (e.g., a random number between 1 and 10, or between 4 and 16), you can specify a bottom and top of the range in a call to .NEXT( ), as shown here:
PSH [D:\foo]: $rand = New-Object System.Random
PSH [D:\foo]: $rand.next(1,10)
7
PSH [D:\foo]: $rand.next(4,16)
14
WMI objects are created using the Get-WMIObject cmdlet. Like .NET objects, WMI objects have properties and methods you can call. Unlike normal .NET objects, you can access WMI objects remotely. There are a very large number of WMI classes, as shown at http://msdn2.microsoft.com/en-us/library/aa394554.aspx. PowerShell can also access COM objects, which is useful for accessing legacy applications that expose them. An example of this is examining the Vista Firewall: with PowerShell, you can use the firewall COM object to obtain details of the Windows Firewall. Here's a simple example that shows how to get the Firewall COM object and the related Firewall profile, which you can then manipulate:
PSH [D:\foo]: $fw = new-object -com HNetCfg.FwMgr
PSH [D:\foo]: $profile = $fw.LocalPolicy.CurrentProfile
Once you have this object created, you can examine it and determine your firewall setup as follows:

PSH [D:\foo]: # determine global open ports (NB there aren't any!)
PSH [D:\foo]: $profile.GloballyOpenPorts | ft name, port
PSH [D:\foo]: # determine authorized applications
PSH [D:\foo]: $profile.AuthorizedApplications | ? {$_.Enabled} | ft name

Name
----
localsrv
SMTPServer
Virtual PC 2007
WS_FTP 95
iTunes
Microsoft Office OneNote
Microsoft Office Groove

PSH [D:\foo]: # determine enabled services
PSH [D:\foo]: $profile.Services | ? {$_.Enabled} | ft name

Name
----
File and Printer Sharing
Network Discovery

PSH [D:\foo]: # determine enabled services (ports)
PSH [D:\foo]: $profile.Services | ? {$_.Enabled} | select -expand GloballyOpenPorts

Name            : File and Printer Sharing (NB-Session-In)
IpVersion       : 2
Protocol        : 6
Port            : 139
Scope           : 1
RemoteAddresses : LocalSubnet
Enabled         : True
BuiltIn         : True

Name            : File and Printer Sharing (SMB-In)
IpVersion       : 2
Protocol        : 6
Port            : 445
Scope           : 1
RemoteAddresses : LocalSubnet
Enabled         : True
BuiltIn         : True

{remainder of output snipped}
13.13. Advanced PowerShell

This chapter has given an overview of PowerShell and examined a number of key features. But there are so many more aspects of PowerShell; you could fill books with the information (and indeed several writers have). Some of the more advanced tasks you can accomplish with PowerShell include:

Update formatting type information
If you are designing your own cmdlets, providers, or applications, you may want to define your new object types, extend existing object types, or modify how an object is displayed by the hosting application. You may also want to change PowerShell's default formatting to suit your own needs. See http://msdn2.microsoft.com/en-us/library/ms714665.aspx for more details on how to create new display XML files and incorporate them into your environment.

Host PowerShell in your own application
The Exchange 2008 management console is an example of this. The EMC natively hosts PowerShell and uses PowerShell to carry out the tasks specified in the GUI. For more information on hosting PowerShell in your own application, see http://msdn2.microsoft.com/en-us/library/ms714661.aspx.

Add or amend cmdlet help information
You can write help information for your own cmdlets or extend the help information for existing cmdlets. See http://msdn2.microsoft.com/en-us/library/aa965353.aspx for more information.

Write cmdlets in script
You can use PowerShell to write pipeline-aware functions, in effect cmdlets written as scripts. For a good explanation of how to achieve this, see http://www.leeholmes.com/blog/AcceptingPipelineInputInPowerShellScriptsAndFunctions.aspx.

Extend PowerShell with additional snap-ins and new providers
If PowerShell cmdlets or providers do not provide you with what you need, or if you are creating your own LOB applications and want PowerShell support, you can easily add new cmdlets and providers. See http://msdn2.microsoft.com/en-us/library/ms714598.aspx for information on creating cmdlets and see http://msdn2.microsoft.com/en-us/library/ms714636.aspx for more details on writing your own providers.
13.14. Learning More About PowerShell
PowerShell is a very rich and potentially complex product—or it can be, if you start to take into account some of the advanced options described in the previous list. There is a large amount of material available to help you learn more about PowerShell, including books, web sites/blogs, and training courses. PowerShell-related books include:
Bruce Payette, Windows PowerShell in Action (Manning Publications)
Don Jones and Jeffrey Hicks, PowerShell: TFM (Sapien Press)
PowerShell e-book (http://download.microsoft.com/download/a/9/4/a94270c7-ed16-4c72-8280-658c66315719/Windows%20Powershell%20-%20EN.zip); samples of this e-book are available at http://download.microsoft.com/download/a/9/4/a94270c7-ed16-4c72-8280-658c66315719/PowerShellDemofiles.zip
Here are some PowerShell-related web sites and blogs:
Windows PowerShell Team Blog (http://blogs.msdn.com/powershell/default.aspx)
The PowerShell Guy (http://thepowershellguy.com/blogs/posh/)
Keith Hill's blog (http://keithhill.spaces.live.com/)
Thomas Lee's Under The Stairs blog (http://tfl09.blogspot.com)
Reskit.net (http://www.reskit.net/powershell)
Microsoft's PowerShell Script repository (http://www.microsoft.com/technet/scriptcenter/scripts/msh/default.mspx?mfr=true)
There are also a number of training classes to consider. First, there's the Microsoft Official Course 6434, which is due for release early in 2008. This is a three-day, hands-on introduction to the fundamentals of PowerShell for Windows Server 2008 administrators. Sapien Press has a set of three courses (PowerShell Fundamentals, a two-day class; PowerShell Intermediate, a one-day class; and PowerShell Advanced, a two-day class). These are run by a variety of providers worldwide, including Global Knowledge across Europe and the Middle East. There is also likely to be a variety of additional local courses you can find.
There is a wealth of functions, cmdlets, providers, and other tools you can download and use. Sources include:
Quest AD cmdlets
Quest has produced a set of free downloadable cmdlets you can use to access Active Directory. You can download these for free from http://www.quest.com/activeroles-server/arms.aspx.
PowerShell Community Extensions
Free extensions to PowerShell that provide a widely useful set of additional cmdlets, providers, aliases, filters, functions, and scripts. You can get these at http://www.codeplex.com/PowerShellCX.
Reskit.net
Some sample scripts and other reference material at http://www.reskit.net/powershell.
PowerGUI
A nice editing tool for developing PowerShell scripts. This is free and can be found at http://powergui.org/downloads.jspa.
13.15. The Last Word
PowerShell is an amazingly rich and useful product. It's aimed at administrators of all types and is designed to work with just about all current Microsoft and third-party applications. And if you don't find what you need, PowerShell enables you to add new functions and features relatively easily. In short: PowerShell rocks!
Chapter 14. Hyper-V
Companies of all sizes worldwide are looking to virtualization as a seemingly game-changing scenario. Server consolidation, energy efficiency, simpler management and deployment, and increased capacity are all tangible benefits to be gained from a move to virtual servers and virtually hosted services. Microsoft has seen the light and is here to help with Hyper-V (formerly known by its codename, "Viridian," or by the previous brand name, Windows Server Virtualization), which, according to the company, "is a next-generation Hypervisor-based virtualization platform integrated with the operating system that allows you to dynamically add physical and virtual resources." You might know about virtualization in general, but you might not be familiar with what the buzz is about. Let's break Hyper-V down in this chapter: how it works, its major benefits, and when you can expect to be able to deploy this feature in production environments. I'll also present a virtualization strategy outline as you consider how to integrate Hyper-V or other virtualization technologies into your workflow.
The idea behind this chapter is to give you a fresh look at Hyper-V in its prerelease state as close to the release of Windows Server 2008 as possible. Some of the information and specific procedures in this chapter may change before Hyper-V is released to the public, but the architecture information and the general steps to manage Hyper-V should be very similar.
14.1. How It Works
To understand Hyper-V, consider its three main components: the hypervisor, the virtualization stack, and the new virtualized I/O model. The Windows hypervisor basically acts to create the different "partitions" that each virtualized instance of code will run within. The virtualization stack and the input/output (I/O) components provide interactivity with Windows itself and the various partitions that are created. All three of these components work in tandem.
Using servers with processors equipped with Intel VT or AMD-V enabled technology, Hyper-V interacts with the hypervisor, which is a very small layer of software that is present directly on the processor. This software offers hooks into the management of processes and threads on the processor that the host operating system can use to efficiently manage multiple virtual machines, and multiple virtual operating systems, running on a single physical processor. Since there are no third-party software products or drivers to install, you get nearly guaranteed compatibility without the difficult problems that software bugs can introduce into your system.
Along with efficient process management, you can hot-add resources to the machine hosting your virtualized services. From processors to memory to network cards to additional storage media, you can add these devices to the machine without needing to bring down any services and interrupt user sessions. You can also host 64-bit guest sessions, which is a big boon to organizations moving toward adoption of 64-bit software. You can virtualize your migration, save money on deployment costs, and then assess how many physical machines you'll need when you finish your migration.
14.1.1. High Availability
Part of the idea behind virtualization is not only to eliminate machine duplication and save on costs, but also to ensure that services are more available than they otherwise would be on unvirtualized servers. In that context, Hyper-V includes support for clustering across multiple guests. Additionally, you can cluster multiple physical machines running the Hyper-V component, so that virtualized instances can fail over to another host should something occur with the primary host. Finally, you can migrate virtualized guests from one physical host to another with no downtime, easing servicing, planning, and reorganization, while significantly limiting detrimental effects on production services. You can also take advantage of the new disk quorum features in Windows Server 2008, which allow you to have clusters in multiple locations—say, on both coasts of the U.S., or on different continents across the world—without necessarily having to have a single shared disk between them, something that's required for clustering using Windows Server 2003. Additionally, you can install Hyper-V on a Server Core installation of Windows Server 2008 and take advantage of the stability and reduced overhead benefits (which are, of course, tangential with high availability objectives) of that style of deployment as well.
14.2. Getting Started with Hyper-V
To get started with Hyper-V, you'll need some hardware—specifically, a machine capable of supporting a 64-bit operating system. You need a clean installation of Windows Server 2008 Enterprise Edition in the 64-bit version, as it will not run within a virtual machine because of the need for hardware-assisted virtualization. Once you have accumulated the hardware, take a few precautions, since you are working with prerelease software. Specifically:
Back up all data on your system.
Take an inventory of any virtual machines you are thinking of migrating to your Hyper-V machine, including all of their virtual hardware settings.
Back up any virtual hard disks (VHDs) that you may migrate as well.
Enable hardware-assisted virtualization. This is usually found in your computer's BIOS, and you may need to consult the manufacturer or the documentation that came with your machine to find the appropriate feature name and how to enable it.
Install Windows Server 2008. For our purposes, we'll be using the full installation option, although Hyper-V can be used on a Server Core installation.
Do not install another role onto the target machine. Hyper-V should be the only role used on a machine that will host virtual machines. In particular, with one build of the Hyper-V prerelease, you receive a blue screen error if you try to start a virtual machine on a host with Active Directory Domain Services installed.
14.2.1. Installing the Hyper-V Role
Now that you're ready, let's install the Hyper-V role. Log in as an administrator and then do the following:
1. Start Server Manager from the Administrative Tools menu off the Start menu.
2. Under Roles Summary, click Add Roles, and then select Hyper-V.
3. Follow the rest of the wizard. You do not have to allow virtual machines to access network resources, although one network card needs to be selected, so that it can be bound to a virtual switch. You'll also get a warning if your computer has only a single network adapter; two are recommended.
4. Restart the computer once the wizard has completed.
5. Once the system is restarted, reload Server Manager, expand Roles in the left pane, and choose Hyper-V.
6. In the right pane, verify that "vhdsvc" and "vmms" are running. If they are, the installation of the Hyper-V role completed successfully.
If you are using the Server Core installation option, installation is very simple. Use the following command at the command line, and restart when prompted.
start /w ocsetup Microsoft-Hyper-V
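As an added example (my own, not code from the book), here is a pipeline-aware function of the kind section 13.13 describes under "Write cmdlets in script", using begin/process/end blocks, applied to the check in step 6 above: confirming that the vhdsvc and vmms services are running once the role is installed. The function name Test-ServiceRunning is an assumption; the two service names are the ones the book tells you to verify.

```powershell
# Added example, not from the book: a pipeline-aware scripted function
# (section 13.13, "Write cmdlets in script") used for the step 6 check
# after installing the Hyper-V role. The function name is an assumption;
# vhdsvc and vmms are the service names the book says to verify.
function Test-ServiceRunning {
    param([string[]]$Name)

    begin {
        # Names passed as an argument are queued before any pipeline input.
        $queue = @()
        if ($Name) { $queue += $Name }
    }

    process {
        # Each object arriving on the pipeline is treated as a service name.
        if ($_ -ne $null) { $queue += [string]$_ }
    }

    end {
        foreach ($svc in $queue) {
            # A missing service is reported as not found instead of raising an error.
            $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
            $running = ($s -ne $null) -and ($s.Status -eq 'Running')

            # Emit one object per service so the results can be piped further.
            $result = New-Object PSObject
            $result | Add-Member NoteProperty Name    $svc
            $result | Add-Member NoteProperty Found   ($s -ne $null)
            $result | Add-Member NoteProperty Running $running
            $result
        }
    }
}

# The step 6 check: both Hyper-V services must be running.
$checks = 'vhdsvc', 'vmms' | Test-ServiceRunning
$checks | Format-Table -AutoSize

$failed = @($checks | Where-Object { -not $_.Running })
if ($failed.Count -eq 0) {
    Write-Host 'Hyper-V role installation completed successfully.'
} else {
    $names = [string[]]@($failed | ForEach-Object { $_.Name })
    Write-Warning ('Not running: ' + [string]::Join(', ', $names))
}
```

The same function also accepts the names as an argument (Test-ServiceRunning -Name vhdsvc, vmms), which is the point of queuing both sources before the end block runs.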
14.2.2. Getting Acquainted with Hyper-V Management Tools
You can manage most of Hyper-V's settings and configuration from within the Hyper-V Manager MMC console. Figure 14-1 shows the Hyper-V Manager console, accessible in the Administrative Tools group off the Start menu.
Figure 14-1. The Hyper-V Manager console
The Hyper-V Manager console can be used to manage the Hyper-V role installed on the local computer or on another, remote computer. During the prerelease stages, you're not able to use Hyper-V Manager over a Remote Desktop connection from another computer. To create a new virtual machine:
1. Launch the New Virtual Machine wizard within the Hyper-V Manager console.
2. The Before You Begin screen appears. You can create a virtual machine here without completing the rest of the wizard; if you click Finish, a new virtual machine will show up with a default configuration. Otherwise, click Next.
3. The Specify Name and Location screen appears. Here, choose a name for your virtual machine and the path where it should be stored. Click Next.
4. The Assign Memory screen appears. Make sure you specify an appropriate amount of memory to allocate to the VM. Click Next.
5. The Configure Networking screen appears. You can connect this machine to virtual networks that you have created elsewhere, or you can leave the virtual machine disconnected. Click Next.
6. The Connect Virtual Hard Disk screen appears. You can connect a new virtual hard disk or an existing one to this new virtual machine. Click Next.
7. The Installation Options screen appears. If you want to install your guest OS just after completion of this wizard, specify the path to the installation disc for that OS here. Click Next.
8. Click Finish after reviewing your settings to close the wizard.
When creating new virtual machines, there are some items to consider. For one, Hyper-V supports both 32- and 64-bit guest operating systems, and will support a variety of storage mechanisms, including iSCSI and SANs over Fibre Channel. You can allocate up to 64 GB of memory to any given virtual machine, and you can enable an integrated virtual switch to eliminate the need to traverse the virtual-physical-virtual layers in order to get network interface activity done. If you are using the early prerelease version of Hyper-V, you'll get good results from using either Windows Server 2003 or Windows Server 2008 as the guest. SUSE Linux Enterprise Server 10 with Service Pack 1 has also been tested and is recommended for use. Other operating systems may work, but you may suffer performance and compatibility difficulties while running on a prerelease version of Hyper-V. On the prerelease version, you can also run only four virtual processors with a guest copy of Windows Server 2008, or one virtual processor with any other guest operating system.
14.2.3. Removing Hyper-V
Removing Hyper-V at this stage is quite simple: load Server Manager, and in the right pane under Roles Summary, click Remove Roles. Then select Hyper-V in the Remove Roles Wizard and restart the system, and the removal is complete. If you're a best practices follower, you can now install other roles onto this machine without necessarily having to blow away your current installation, although since Hyper-V is prerelease software that is installed in the most fundamental parts of your system, it might be smart not to trust production data to it.
14.3. Virtualization Strategy
Virtualization—the move from real, physical hardware to virtual hardware—is seen as one of the "next big things" in IT. And Hyper-V is certainly fantastic software, even in its prerelease state. But if you're new to this party, you might not know how to get started. A lot of professionals have asked me what a valid strategy is for introducing virtualization, in production, into their organization, and I've written about this in Computerworld. Here's a freshened version of the workflow and procedure I recommend for assessing whether virtualization is right for you and, if it is, for getting things moving.
1. Determine whether your servers are ripe for consolidation. Consolidating hardware is the number one reason for considering virtualization. Aging hardware, bursting data centers, and burgeoning power needs have all played a part in the move to virtualization. Why should you continue to acquire distinct physical machines when you can move real servers to even bigger machines at ratios of 3-to-1 or even 10-to-1? The first step in virtualization is determining whether you have the right type of infrastructure to support it. Look for a lot of machines doing similar tasks and make sure you have more than 10 of them. For 10 or fewer, the payoff is questionable.
2. Get the administrative headaches out of the way. Any complex move like server consolidation is likely to affect some internal processes. As in any major project, it's important to get stakeholder support and management buy-in. You'll most likely need to present a business case for moving to virtual services, including total financial outlay and money saved. You may also have to address staffing: as the number of physical servers is reduced, some budgets dictate that staff size must be reduced proportionally. You may be required to anticipate workloads and quantify the effect that fewer physical servers—but more virtual servers—would have on your department's overall workload. Also, examine your licensing needs. Depending on which software you'll be running on your virtual machines and what their configurations are, you may need to adjust licensing.
3. Select your hardware and software. There are several choices at a variety of prices. It all comes down to whether you need simple server consolidation or advanced hosting and network configuration capabilities. Several vendors have starter kits that let you pilot and explore the technology for a relatively low cost.
4. Start moving to virtualization. When the time comes to actually move from physical to virtual, there are some migration tools that can help. Microsoft will soon release tools that let you move a fully installed server running a supported version of Windows to a virtual hard-disk format that is fully supported by its Virtual Server product. VMware has a similar tool in the works. These migration utilities can save you hours, if not days, when you're performing the actual move. Other things to consider:
Take advantage of clustering capabilities. Using high-performance clusters gives your virtual machines higher availability and improved performance.
Think about management. How will your staff manage the virtual machines? What scripting languages and APIs does your virtual server software support? Are you able to access certain controls via the command line for simple remote-access-based administration?
Don't forget about storage. You'll need a very fast disk subsystem to get maximum performance from your virtualized servers. Typically, you'll find that iSCSI-based disk offerings are a good value. They are fast, reasonably priced, and have great configurability.
5. Monitor, assess, tweak, and improve. When the final boot into the virtualized operating system is finished, your job still isn't over. Keep tabs on the project as you begin moving users and services to the new platform. Establish performance and usage guidelines and thresholds, monitor them, and tie those metrics to future enhancements. Consider tweaking hardware configurations and network setups or increasing bandwidth as needed.
14.4. The Last Word
So, when can you get your hands on all of the features and benefits of Hyper-V? The good news is, you can get started exploring the product today: there is a beta release available right now, which you can download at Microsoft.com. Microsoft plans to sign off on the final build of Hyper-V within 180 days of the release to manufacturing of Windows Server 2008, and it will offer multiple SKUs of Windows Server 2008, with and without Hyper-V included in the box. If you're concerned about the time and money you've invested in your virtualization infrastructure already, you'll be pleased to know that users of Microsoft Virtual Server 2005 can move relatively seamlessly over to Hyper-V when it's ready, without losing the effort put into Virtual Server thus far. However, you may need some new hardware in some instances, as Hyper-V will require 64-bit hardware and will not be released in an x86 (32-bit) edition. Hyper-V is the natural next step in Microsoft's virtualization story. With properly equipped hardware, you stand ready to enjoy a number of benefits that weren't possible before.
Appendix. Colophon
The animal on the cover of Windows Server 2008: The Definitive Guide is an albatross (Diomedeidae). Albatrosses are among the largest of the seabirds; the wandering albatross (Diomedea exulans) weighs up to 20 pounds and has a wingspan of almost 12 feet. Widely considered the most majestic of Antarctic birds, albatrosses have long, narrow wings and large heads with distinctive hooked bills. Though their coloring varies somewhat depending on species, albatrosses are typically white with gray, brown, or black accents.
Albatrosses are highly efficient gliders, effortlessly covering thousands of miles in a day as they forage for fish, squid, and krill. In fact, one grey-headed albatross (Diomedea chrysostoma) is on record as circumnavigating Antarctica in just 46 days. An albatross's wings have the unique ability to "lock" into an extended position, thereby reducing the strain of such long-distance travels. Albatrosses are best observed during rough weather, when high waves create powerful uplifting air currents that enable them to remain aloft with hardly a wing beat for several hours.
Wandering albatrosses are known to follow visiting ships in the Southern Ocean, and indeed they have a long history with seafarers. In folklore, they were thought to carry the souls of dead mariners; should a sailor kill the bird, bad luck would fall upon him for the rest of his natural life.
Many albatross species are currently threatened. Biologists report that almost 100,000 of the birds are killed every year by fishing fleets, many of which are illegal. Wandering albatrosses get caught on baited long-line hooks set by tuna fishermen, and are pulled under the water and drowned. Fatal collisions with trawl net cables are also a factor in their steadily dwindling numbers. Governments, conservationists, and the fishing industry have worked together to develop solutions to combat this problem, such as weighted lines that sink quickly and are thus less visible to albatrosses, or brightly colored "tori" lines that startle the birds away from the vessels.
The cover image is from Wood's Animate Creation. The cover font is Adobe ITC Garamond. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed.
I n de x [ SYMBOL] [ A] [ B] [ C] [ D] [ E] [ F] [ G] [ H] [ I ] [ J] [ K] [ L] [ M] [ N] [ O] [ P] [ Q] [ R] [ S] [ T] [ U] [ V] [ W] [ X] [ Z ]
I n de x [ SYM BOL] [ A] [ B] [ C] [ D] [ E] [ F] [ G] [ H] [ I ] [ J] [ K] [ L] [ M] [ N] [ O] [ P] [ Q] [ R] [ S] [ T] [ U] [ V] [ W] [ X] [ Z ] .NET Fram ework applicat ion pools and I I S support PowerShell support 2nd 3rd Server Core and Windows Server 2008 support .NET obj ect s 2nd
I n de x [ SYMBOL] [ A] [ B] [ C] [ D] [ E] [ F] [ G] [ H] [ I ] [ J] [ K] [ L] [ M] [ N] [ O] [ P] [ Q] [ R] [ S] [ T] [ U] [ V] [ W] [ X] [ Z ] A ( host ) records DHCP and 2nd DNSLint support dynam ic DNS and ent ering int o zones funct ionalit y glue records ABE ( access- based enum erat ion) 2nd ACC ( Aut om at ic Client Configurat ion) access- based enum erat ion ( ABE) 2nd account lockout policies 2nd 3rd ACLs ( access cont rol list s) anonym ous users effect ive perm issions GPO support 2nd act ivat ion, product Act ive Direct ory audit ing com m unicat ions creat ing nam espaces DHCP support DNS support 2nd dom ain cont roller replicat ion fault t olerance support file services support Group Policy net work opt ions LDS feat ure 2nd 3rd publishing shares 2nd replicat ion groups RODC support Server Core support 2nd split DNS archit ect ure SRV records and TS support 2nd Windows Server 2008 support Act ive Direct ory Dom ains and Trust s t ool 2nd Act ive Direct ory Services I nt erface ( ADSI ) Act ive Direct ory Sit es and Services t ool funct ionalit y GP guidelines replicat ion t opologies 2nd sit e links Act ive Direct ory Users and Com put ers ( ADUC) t ool Account t ab Address t ab adm inist rat ive t asks audit ing support COM+ t ab configuring user environm ent 2nd creat ing groups 2nd 3rd creat ing users Dial- in t ab Environm ent t ab funct ionalit y General t ab 2nd infrast ruct ure m ast er role
    logon time restriction
    Member Of tab
    Members tab
    moving PDC emulator role
    moving RID master role
    Organization tab
    Profile tab
    Remote Control tab
    Sessions tab
    Telephones tab
    Terminal Services Profile tab
    TS support
Active Directory-integrated zones
AD DS (Active Directory Domain Services)
    cleaning directory metadata
    components supported
    contacts
    defragmenting NTDS database
    delegation support
    domain controllers
    domains
    event logs
    forests
    functionality
    global catalog
    groups
    Hyper-V support
    Installation Wizard
    maintenance considerations
    managing users
    operations master roles
    organizational units
    restarting
    Restore Mode password
    RODC support
    Server Core support
    shared folders
    shared printers
    sites
    tools supported
    trees
    troubleshooting
Add Features Wizard
Add Roles Wizard
ADMIN$ default share
administration utility
administrative shares
Administrative Tools applet
Administrator account
Administrators group
    creating shared folders
    DNSCmd utility
    example deployment
    Group Policy network options
    NTFS permissions
adprep command
ADSI (Active Directory Services Interface)
ADSI Edit
affinity (NLB)
alerts (FSRM)
Alias provider (PowerShell)
aliases
    cmdlet support
    CNAME records as
    virtual directories and
Allow permission
    Deny permission and
    inheritance and
ANONYMOUS USER account
Apache web server
APIPA (Automatic Private IP Addressing)
APIs (application programming interfaces)
    ISAPI
    RSoP support
    VSS support
AppCmd.exe utility
Append Data special permission
Application log
application pools
Application Server role (IIS)
applicationHost.config file
applications
    defining object types
    server clustering and
    Server Core support
    server security and
    web
Apply Group Policy permission
ASP.NET
associations
attributes
    defined
    DHCP options
    domain controllers updating
    group support
    password policies
    version numbers and
auditing
    AD DS support
    Group Policy network options
    object access
    options for policies
    recommended items
Authenticated Users group
authentication
    auditing support
    automatic logoff and
    IIS support
    Kerberos protocol
    logon process and
    NAP support
    network level authentication
    spoofing and
    unauthorized access and
    Windows Firewall with Advanced Security
authoritative nameservers
    defined
    SOA records and
    split DNS architecture
    TTL default values
authorization
Automatic Client Configuration (ACC)
automatic logoff
Automatic Private IP Addressing (APIPA)
automatic updates
availability
    Hyper-V and
    server security and
AXFRs (full zone transfers)
Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] [Z]

B
backup domain controllers (BDCs)
backup procedure
    DNS support
    GPO support
    shadow copy support
backward compatibility
BAT file extension
BDCs (backup domain controllers)
BIOS
    PowerShell support
    virtualization support
BitLocker feature
    functionality
    Server Core support
boot images
Boot menu
Bourne shell
C
C$ default share
C-shell
caching
    IIS support
    managing
    offline folders
    RODC support
    switches and
CAPs (connection authorization policies)
capture images
Capture Utility (WDS)
CardSpace web technology
centralized configuration
certificate authorities
Certificate provider (PowerShell)
change logon utility
Change Permissions permission
change port utility
change user utility
child domains
    adding
    cleaning directory metadata
    trees and
child objects
CIA principle of server security
Class A address class
Class B address class
Class C address class
classes
    defined
    DHCP support
Clear-Item cmdlet
Clear-ItemProperty cmdlet
ClearType font
client side extensions (CSEs)
CLR (common language runtime)
clussvc command
cluster utility
clustering
    command-line utilities
    fault tolerance and
    NLB support
    server clusters
    Server Core support
    terminology
    types supported
    Windows Server 2008 support
CMD.EXE shell
cmdlets (PowerShell)
    adding help information
    defined
    defining object types
    downloadable
    functionality
    getting help
    pipelines
    script support
    standard cmdlets listed
Cn attribute (password policy)
CNAME (canonical name) records
    aliases and
    DNSLint support
    functionality
    manipulating
COM file extension
COM objects
    PowerShell support
    registering
comma-separated values (CSVs)
command shells
command-line utilities
    AD DS support
    DNS support
    file services
    Group Policy support
    IIS support
    server cluster support
    Server Core support
    TS support
    TSM support
commenting (GPMC)
common language runtime (CLR)
compliance policies
compression
computer policies
    device installation control
    GPO support
    logon time restriction
    managing firewalls
    offset interval
    refresh interval
    refreshing
    software installation
    storage location
conditional forwarding
confidentiality, server security
configuration
    centralized
    disk quotas
    file servers
    FSRM
    IIS improvements
    initial installation tasks
    NAP
    script support
    secondary nameservers
    Server Core
    WDS
Configure Your DNS Server Wizard
connection authorization policies (CAPs)
contacts, AD DS
Copy-Item cmdlet
Copy-ItemProperty cmdlet
cprofile utility
CPU speed requirements
Create Files special permission
Create Folders special permission
CSEs (client side extensions)
CSVs (comma-separated values)
Ctrl-Alt-Del combination
D
data stores
data-level security
Date and Time applet
DC security.inf file
dcpromo utility
    adding domains
    building first domain
    RODC support
    Server Core support
DCPROMO Wizard
dead gateway detection algorithm
dedicated forest root model
default domain controller policy
default domain policy
default shares
DefaultRegistrationRefreshInterval value (Registry)
defragmenting NTDS database
delegation
    AD DS support
    defined
    domains
    Group Policy administration
    lame
    name resolution
    organizational units and
Delegation of Control Wizard
Delete Shadows command
Delete special permission
Delete Subfolders and Files permission
Deny permission
    Allow permission and
    assigning
    IIS support
    inheritance and
deployment
    example
    fine-tuning properties
    GP considerations
    redeploying software
    removing software
    Server Core
    service packs with GP
    WDS support
    WIM support
DES encryption
Detailed Directory Service Replication event
DFS (Distributed File System)
    event logs
    fault tolerance and
    folder redirection and
    functionality
    replication support
    Server Core support
DFS Namespace Server
DFS namespaces
    adding folders
    creating
    functionality
    publishing shares
DFS Replication log
DFSR (Distributed File System Replication)
DHCP (Dynamic Host Configuration Protocol)
    authorizing servers
    classes and
    clustering support
    conflict detection
    creating new scope
    DNS and
    dynamic DNS and
    functionality
    installing servers
    reservations
    RODC support
    Server Core support
    superscope
    WDS requirements
DHCPACK packets
DHCPDISCOVER message
DHCPOFFER packets
DHCPREQUEST packets
DHCPServerCore role
digest authentication
digital signatures
    recommendations
    scripts and
    security policies and
DIR command
directories
    configuring listings
    defined
    virtual
Directory Service Access event
Directory Service Changes event
Directory Service log
Directory Service Replication event
Directory Services Restore Mode
DisableDynamicUpdate value (Registry)
discover images
disk partitions
disk quotas
    configuring
    enabling
    feature functionality
    fsutil.exe support
    setting default
disks
    defined
    monitoring capacity
    Offline Files and Folders support
    Windows Server 2008 requirements
Distributed File System Replication (DFSR)
Distributed Transaction Coordinator (DTC)
distribution groups
DLLs (dynamic-link libraries)
DNS (Domain Name System)
    Active Directory-integrated DNS
    backup and recovery
    building nameservers
    command-line utilities
    defined
    delegation and
    DHCP and
    domain controller replication
    dynamic DNS
    forwarding support
    functionality
    nameservers
    NLB support
    resource records
    RODC support
    Server Core support
    split architecture
    subdomains and
    troubleshooting GP
    WDS requirements
    zones versus domains
DNS Management snap-in
DNS Server log
DNSCmd utility
DNSLint utility
    functionality
    lame delegation
    troubleshooting AD DS
DnsUpdateProxy group
$ (dollar sign)
dollar sign ($)
Domain Administrators group
Domain Computers group
domain controllers
    AD DS support
    adding
    BDCs
    default shares
    defined
    dynamic DNS
    GPO support
    GPT files
    groups supported
    logon time restrictions
    managing policies
    offset interval
    operations master roles
    originating USNs and
    PDCs
    refresh interval
    replication among
    RODC
    script storage
    security templates
    Server Core support
    updating attributes
    USNs and
    version numbers and
    viewing security policies
domain global groups
domain local groups
domain naming master role
domain-based Group Policy
    auditing support
    deployment considerations
    filesystem options
    folder redirection
    refreshing
    Registry options
    restricted groups options
    service packs
    software installation
domain-based namespaces
domains
    AD DS support
    adding
    adding domain controllers
    adding to trees
    defined
    delegating
    empty domain model
    expiration policy
    GPO support
    lockout policies
    nameservers and
    operations master roles
    organizational units and
    Server Core support
    trees and
    trusts and
    viewing default policies
    zones and
drainstopping
drives
    administrative shares
    defined
    mapped
Drvload utility
DSADD utility
DSREVOKE tool
DTC (Distributed Transaction Coordinator)
dynamic DNS
    domain controllers and
    functionality
    preventing registration
    scavenging
    triggering registration
dynamic-link libraries (DLLs)
E
EFS (Encrypting File System)
email notifications
EMC (Exchange Management Console)
empty domain model
Encrypting File System (EFS)
encryption
    BitLocker support
    EFS support
    firewalls and
    Group Policy network options
    Server Core support
    TS support
Enterprise Admins group
    authorizing DHCP servers
    delegating GP
    domain naming master role
    managing GP across forests
Environment provider (PowerShell)
event logs
    detailed
    disk-based quotas
    Event Viewer
    Group Policy network options
    IIS support
    options for policies
    recommended audits
Event Viewer
Exchange Management Console (EMC)
Exchange Server (Microsoft)
EXE files
Execute File special permission
expiration date
Explorer GUI
exporting
    GPOs
    zones to files
F
failback policy
failed requests, tracing
Failover Cluster Management
Failover Cluster Validation Report
failover policy
fast logon optimization
FastCGI
FAT filesystem
    auditing support
    disk quotas
fault tolerance
    Active Directory support
    clustering and
    DFS support
    file servers
FAZAM tool
FC (Full Control) permission
FDDI protocol
Federal Information Processing Standard (FIPS)
file groups
File Replication Service log
file services
    clustering support
    command-line utilities
    creating shares manually
    default shares
    DFS support
    disk-based quotas
    File Server Resource Manager
    functionality
    hidden shares
    key features
    NTFS permissions
    Offline Files and Folders
    previous versions
    publishing shares
    Server Core support
    setting up
file sharing
    creating shares manually
    default shares
    examples
    hidden shares
    offline files
    permission considerations
    publishing shares
    setting up services
file types
    FSRM screening support
    PowerShell supported
file-level permissions
    ABE support
    auditing
    defined
    determining effective
    functionality
    inheritance/ownership
    security and
    setting
files
    auditing access
    exporting zones to
    offline
    renaming
FileSystem provider (PowerShell)
filesystems
    auditing support
    network environment
    PowerShell example
    security policies
filtering
    firewalls and
    GPMC support
    WMI filters
FIPS (Federal Information Processing Standard)
firewalls
    examining setup
    installation considerations
    schema master role and
    slaving process and
    split DNS architecture
    Windows Firewall with Advanced Security
    Windows Server 2008 support
flattemp utility
FlowControlChannelBandwidth value (Registry)
FlowControlDisplayBandwidth value (Registry)
folder redirection
    functionality
    groups and
    IntelliMirror support
    removing policies
folder-level permissions
    ABE support
    auditing
    defined
    determining effective
    functionality
    inheritance/ownership
    security and
    setting
folders
    adding to namespaces
    auditing access
    creating replication groups
    offline
    shared
    temporary
font smoothing
forests
    dedicated root model
    defined
    group support
    managing GPs across
    transitive trusts
    trees and
Format-Custom cmdlet
Format-List cmdlet
Format-Table cmdlet
Format-Wide cmdlet
forward lookup zones
Forwarded Events log
forwarding
    conditional
    defined
    setting up
    slaving and
FQDN (fully qualified domain name)
    CNAME records
    defined
    delegating domains
    MX records
    NS records
    PTR records
FSRM (File Server Resource Manager)
    accessing
    configuring
    configuring quotas
    functionality
    screening file types
    storage reports
fsutil.exe utility
Full Control (FC) permission
full zone transfers (AXFRs)
Function provider (PowerShell)
G
GCI command
Generic Service resource type
Get-ChildItem cmdlet
Get-Command cmdlet
Get-Hash cmdlet
Get-Help cmdlet
Get-History cmdlet
Get-Host cmdlet
Get-HTTP cmdlet
Get-Item cmdlet
Get-ItemProperty cmdlet
Get-Member cmdlet
Get-Process cmdlet
Get-WMI cmdlet
Get-WMIObject cmdlet
Global Assembly Cache
global catalog (GC)
    AD DS support
    defined
    domain naming master role
    schema master role
    SRV records and
globally unique identifier (GUID)
glue record
GPMC (Group Policy Management Console)
    administrative tasks
    commenting
    controlling GPO scope
    creating/editing GPOs
    Delegation tab
    Details tab
    disabling portions of policies
    filesystem and Registry policy
    filtering
    GP preferences
    GPO inheritance
    managing GP across forests
    manipulating GPOs
    navigating
    policy enforcement over networks
    refreshing policies
    restricted groups policy
    RSoP support
    Scope tab
    Settings tab
    starter GPOs
    troubleshooting with
    WMI filters
GPOs (Group Policy Objects)
    account lockout policies
    backing up
    Block Policy Inheritance option
    controlling scope
    copying
    creating/editing
    default
    defined
    deployment considerations
    disabling portions
    Enforced option
    exporting
    implementation guidelines
    importing
    inheritance and
    managing security settings
    modifying auditing properties
    protected Registry keys
    refreshing policies
    searching for
    Server Core support
    software restriction policies
    starter GPOs
    transform files and
    troubleshooting
    WMI filters
GPOTOOL tool
GPRESULT tool
GPT file extension
GPUPDATE utility
grace writes
Greenwich Mean Time
Group Policy (GP)
    Active Directory support
    administrative tasks
    ADUC support
    auditing support
    command-line utilities
    components
    Computer Configuration node
    delegating administration
    deploying service packs
    deployment considerations
    device installation control
    disabling portions
    dynamic DNS registration
    enforcing
    functionality
    GPO inheritance
    GPO scope
    implementation guidelines
    local GP
    management tools
    managing across forests
    manipulating
    preferences
    MSI file support
    network security options
    organizational units
    organizing
    password policies
    PowerShell support
    refreshing
    RSoP support
    script support
    Server Core support
    software restriction policies
    troubleshooting
    TS support
    User Configuration node
    WMI filters
Group Policy Creator Owners group
Group Policy Modeling Wizard
Group Policy Object Editor
    Advanced tab
    Categories tab
    deployment properties
    Deployment tab
    example deployment
    folder redirection
    General tab
    logon/logoff scripts
    Modifications tab
    patching deployment
    Security tab
    startup/shutdown scripts
    Target tab
    Upgrades tab
Group Policy Preferences feature
Group Policy Results Wizard
Group Policy Slow Link Detection policy
GroupPolicyRefreshTime value (Registry)
GroupPolicyRefreshTimeDC value (Registry)
GroupPolicyRefreshTimeOffset value (Registry)
GroupPolicyRefreshTimeOffsetDC value (Registry)
groups
    AD DS support
    administrative tasks
    authorization rules
    creating
    defined
    distribution
    file
    folder redirection and
    forests as
    nesting
    replication
    restricted
    scopes listed
    universal
    user classes and
Guest account
GUID (globally unique identifier)
H
HAL (hardware abstraction layer)
hardware
    detecting x64-based
    device installation control
    product activation and
    Windows Server 2008 requirements
hardware abstraction layer (HAL)
Hardware Events log
Health Insurance Portability and Accountability Act (HIPAA)
health policies
Hello World script
Hicks, Jeffrey
High Availability Wizard
Hill, Keith
HIPAA (Health Insurance Portability and Accountability Act)
hisecdc.inf file
hisecws.inf file
host-level security
hostnames
    entering records into zones
    name resolution
    resource records and
    reverse lookup zones
HTTP status code
HTTPS protocol
hubs, switches and
Hyper-V
    basic architecture
    components
    high availability
    installing
    management tools
    precautions
    starting
    removing
    Server Core support
hypervisor
- (hyphen)
hyphen (-)
I
IANA (Internet Assigned Numbers Authority)
ICANN (Internet Corporation for Assigned Names and Numbers)
IEEE 802.1X standard
iesacls.inf file
IIS (Internet Information Services)
    adjusting web site properties
    application pools
    centralized configuration
    clustering support
    command-line utilities
    creating web sites
    graphical management utility
    improvements
    new architecture
    roles
    security problems
    Server Core support
    virtual directories
    Web Management Service
    Windows Server 2008 support
IIS Manager
    adjusting web site properties
    Advanced Settings dialog
    application pools
    centralized configuration
    creating web sites
    depicted
    virtual directories
    Web Management Service
Import Settings Wizard
importing GPOs
in-addr.arpa TLD
incremental zone transfers (IXFRs)
Indexing Service
infrastructure master role
inheritance
    defined
    GP support
    GPOs and
    permissions and
    troubleshooting GP
install images
installation
    AD DS on Server Core
    device control
    DHCP servers
    event logs
    Hyper-V
    IIS Application Server role
    IIS Web Server role
    initial configuration tasks
    nameserver software
    PowerShell
    product activation
    script support
    Server Core
    software
    steps in process
    Terminal Services
    unattended
    WDS
InstallShield installation software
instances
integrity, server security
IntelliMirror
    deploying service packs
    folder redirection
    MSI file support
    software installation
Inter-Site Topology Generator (ISTG)
internal network-level security
Internet Assigned Numbers Authority (IANA)
Internet Authentication Service
Internet Corporation for Assigned Names and Numbers (ICANN)
Internet Services Application Programming Interface (ISAPI)
InterNIC
Introduction to File Services wizard
Invoke-Item cmdlet
IP addresses
    DHCP support
    dynamic DNS
    entering records into zones
    IIS support
    name resolution
    NAP support
    NLB support
    resource records and
    reverse lookup zones
IPC$ default share
ipconfig /all command
IPSec (IP Security)
    firewall support
    Group Policy network options
    NAP support
    networking improvements
    Server Core support
    server security and
IPv4 protocol
IPv6 protocol
ISA Server
ISAPI (Internet Services Application Programming Interface)
iSNS Server
ISTG (Inter-Site Topology Generator)
IUSR account
IXFRs (incremental zone transfers)
J
Jones, Don
JS file extension
JScript language
K
KCC (Knowledge Consistency Checker)
Kerberos Key Distribution Center (KDC)
Kerberos protocol
    AD DS support
    authentication support
    Group Policy network options
    viewing security policies
Key Management Service (KMS)
keywords, filtering by
kiosks
KMS (Key Management Service)
Knowledge Consistency Checker (KCC)
L
L (List Folder Contents) permission
lame delegation
LDAP (Lightweight Directory Access Protocol)
    AD DS support
    creating users
    managedBy concept
    SRV records and
LDS (Lightweight Directory Services)
lease duration
Lee, Thomas
license keys
licensing
    reading agreement
    software policies and
    Terminal Services Configuration
    TS support
Lightweight Directory Services (LDS)
List Folder Contents (L) permission
List Folder special permission
List Shadows command
load balancing
    MX records and
    round-robin DNS
    Server Core support
    SRV records and
local Group Policy
local security policy
    account lockout policies
    auditing support
    automatic logoff
    locking down Windows
    password policies
locking down Windows
    account lockout policies
    local options
    network options
    password policies
logoff command
logoff process
logoff utility
logon process
    auditing
    Ctrl+Alt+Delete combination
    displaying usernames
    Terminal Services Configuration
loop replication method
LS command
M
M (Modify) permission
MAC addresses
    caching
    DHCP support
    NAP support
    product activation and
machine local groups
MAKs (multiple activation keys)
malware
Manage Policy Links permission
manageability improvements
managed resources
managedBy concept (LDAP)
map persistency feature
mapped drives
MaskSourceMAC value (Registry)
Master Browser service
MaxCacheEntryTtlLimit value (Registry)
memory
    application pools and
    Server Core requirements
    Windows Server 2008 requirements
mesh replication method
message queuing
metadata, cleaning
Microsoft
    Exchange Server
    Hyper-V
    PowerShell script repository
Microsoft Compute Cluster provider (PowerShell)
Microsoft Installer packages
Microsoft log
Microsoft Update
mmc command
Modify (M) permission
modularity, IIS
MOF file extension
Move-Item cmdlet
Move-ItemProperty cmdlet
msDS-LockoutDuration attribute
msDS-LockoutObservationWindow attribute
msDS-LockoutThreshold attribute
msDS-MaximumPasswordAge attribute
msDS-MinimumPasswordAge attribute
msDS-MinimumPasswordLength attribute
msDS-PasswordComplexityEnabled attribute
msDS-PasswordHistoryLength attribute
msDS-PasswordReversibleEncryptionEnabled attribute
msDS-PasswordSettingsPrecedence attribute
msg command
MSI file extension
    example deployment
    packaging software
    patching deployment
    TS support
MST file extension
multicast mode (NLB)
multimaster environment
multimaster replication
multiple activation keys (MAKs)
MX (mail exchanger) records
    DNSLint support
    functionality
    manipulating
My Documents folder
My Pictures subfolder
N
name resolution
    changing nameservers
    defined
    delegating
    pointing nameservers
    resource records and
    zones and
nameservers
    Active Directory-integrated zones
    authoritative
    building
    controlling zone transfers
    editing zone files
    entering records into zones
    expiration date
    forward lookup zones
    forwarding support
    functionality
    incremental transfers
    lame delegation
    manipulating CNAME records
    manipulating MX records
    manipulating NS records
    manipulating PTR records
    manipulating SOA records
    NS record support
    refresh interval
    retry interval
    reverse lookup zones
    round-robin balancing
    slaving process and
    split DNS architecture
    TTL default value
namespaces
    adding folders
    creating
    defined
    DFS support
    domain-based
NAP (Network Access Protection)
    benefits/drawbacks
    configuring
    defined
    enforcement mechanisms
    functionality
    health policy compliance
    health policy validation
    limiting access
    phased implementation
    processes for sessions
NAQC (Network Access Quarantine Control)
nesting process
net user utility
NetIQ Group Policy Administrator
NETLOGON default share
netsh command
netsh interface ipv4 command
Network Access Quarantine Control (NAQC)
network environment
    clustering and
    configuring security options
    folder redirection
    improvements
    NLB support
    policy enforcement
    Server Core support
    server security
    TCP/IP stack enhancements
    Terminal Services changes
network interface card (NIC)
network level authentication (NLA)
Network Load Balancing Manager
Network Policy and Access Services role
Network Policy Server
New Certificate Rule
New Delegation Wizard
New Hash Rule
New Internet Zone Rule
New Path Rule
New Scope Wizard
New Zone Wizard
New-Item cmdlet
New-ItemProperty cmdlet
New-Object cmdlet
New-PSDrive cmdlet
Next Generation Networking
NFS protocol
NIC (network interface card)
NLA (network level authentication)
NLB (network load balancing)
    clustering support
    Server Core support
    terminology
    Windows Server 2008 support
NLB clusters
    adding nodes
    affinity
    creating
    multicast mode
    NLB drivers
    overview
    performance optimization
    port rules
    removing nodes
    unicast mode
NLB drivers
no-refresh interval
nodes
    adding to clusters
    defined
    managing
    removing from clusters
Notepad
notifications
    FSRM support
    sending via TSM
    zone modification
NS (nameserver) records
    delegating domains
    functionality
    lame delegation
    manipulating
nslookup command
NTDS database, defragmenting
NTDSUtil tool
NTFS filesystem
    auditing support
    disk quotas
    EFS support
    enabling disk quotas
    security templates
    TS support
    WDS requirements
NTFS permissions
    ABE support
    auditing
    creating shares
    defined
    determining effective
    functionality
    inheritance/ownership
    security and
    setting
O
object access auditing
objects
    defined
    defining types
    groups supported
    instances of
    permission inheritance
    PowerShell support
oclist utility
ocsetup command
Offline Files and Folders
offset interval
OneNote provider (PowerShell)
operating system file protection
OperatingSystemSKU property
operations master roles
    defined
    domain naming master role
    infrastructure master role
    PDC emulator master role
    RID master role
    schema master role
    transferring manually
options (DHCP)
originating USNs
OUs (organizational units)
    AD DS support
    adding
    defined
    deployment considerations
    GPO support
    publishing shares
    Server Core support
Out-Default cmdlet
ownership, permissions and
P
parameters, cmdlet
parent objects
partitions, disk
passphrases
password management
    AD DS support
    Group Policy network options
    password expiration prompt
    password policies
    Server Core support
    Stored User Names and Passwords applet
Password Replication Policy
password settings object (PSO)
Payette, Bruce
PDC emulator master role
PDCs (primary domain controllers)
performance
    IIS support
    improvements
    NLB clusters
Performance Diagnostics Console
Performance Monitor
perimeter-level security
permissions
    ABE support
    applying to shared folders
    auditing
    auditing changes
    creating shares manually
    determining effective
    domain GPs
    example deployment
    filesystem and Registry policy
    functionality
    Group Policy network options
    IIS support
    inheritance/ownership
    managing GPOs
    NAP support
    remote control
    setting
physical security level
pipeline (PowerShell)
Plug and Play (PnP)
policies, procedures, and awareness-level security
POP3 (Post Office Protocol 3)
port rules (NLB)
Post Office Protocol 3 (POP3)
Power Users group
PowerGUI tool
PowerShell
    additional resources
    advanced tasks
    background
    changing formatting
    cmdlet support
    data stores
    extending
    formatting basics
    functionality
    getting help with
    improvements
    installing
    object support
    pipeline feature
    script support
    security and
    Server Core and
    starting up
    variables and
PowerShell providers
pre-boot execution environment (PXE)
previous versions
    altering schedules
    enabling
    functionality
    restoring
    vssadmin.exe support
primary domain controllers (PDCs)
primary nameservers
    Active Directory-integrated zones
    functionality
    SOA records and
    split DNS architecture
    upgrading secondary to
    zone transfers and
print services
    functionality
    key features
    server clustering
    Server Core support
PRINT$ default share
privileges, auditing use
product activation
product keys
Provision a Shared Folder Wizard
PS command (Unix)
PS1 file extension
PS1XML file extension
PSC1 file extension
PSO (password settings object)
PTR (pointer) records
    DNSLint support
    dynamic DNS and
    entering records into zones
    functionality
    manipulating
public keys
PXE (pre-boot execution environment)
Q
query process command
query session command
query termserver command
query user command
Quest ActiveRoles tool
Quest.com
quorum
quorum disk
I n de x [ SYMBOL] [ A] [ B] [ C] [ D] [ E] [ F] [ G] [ H] [ I ] [ J] [ K] [ L] [ M] [ N] [ O] [ P] [ Q] [ R] [ S] [ T] [ U] [ V] [ W] [ X] [ Z ] R ( Read) perm ission 2nd 3rd RADI US prot ocol 2nd 3rd random num bers RDC ( Rem ot e Deskt op Connect ion) Advanced t ab Display t ab Experience t ab funct ionalit y General t ab Hyper- V support Local Resources t ab new feat ures 2nd Program s t ab RDP support TS client - side considerat ions RDC ( Rem ot e Different ial Com pression) 2nd rdeskt op RDP client RDP ( Rem ot e Deskt op Prot ocol) creat ing connect ion list eners rest rict ing connect ions 2nd Server Core support TS support 2nd 3rd RDP file ext ension Read ( R) perm ission 2nd 3rd Read and Execut e ( RX) perm ission 2nd Read At t ribut es perm ission Read Dat a perm ission Read Ext ended At t ribut es perm ission Read Perm issions perm ission 2nd read- only dom ain cont roller ( RODC) 2nd 3rd receive- side scaling recovery procedures 2nd refresh int erval com put er policies defined dom ain cont rollers dynam ic DNS GP support nam eservers 2nd 3rd user account s zone t ransfers Regional and Language Opt ions applet regist er ut ilit y Regist ry backing up DNS services Default Regist rat ionRefreshI nt erval value DisableDynam icUpdat e value FlowCont rolChannelBandwidt h value FlowCont rolDisplayBandwidt h value Group Policy net work opt ions GroupPolicyRefreshTim e value GroupPolicyRefreshTim eDC value GroupPolicyRefreshTim eOffset value GroupPolicyRefreshTim eOffset DC value MaskSourceMAC value
MaxCacheEnt ryTt lLim it value PowerShell and 2nd RunDiagnost icLoggingGroupPolicy value securit y policies soft ware rest rict ion policies Regist ry provider ( PowerShell) regsvr32 com m and relat ive ident ifier ( RI D) reliabilit y im provem ent s Reliabilit y Monit or rem ot e adm inist rat ion Server Core support TS support Rem ot e Assist ance ut ilit y 2nd rem ot e cont rol Act ive Direct ory support NBL clust ers set t ing perm issions syst em policies Term inal Services Configurat ion Rem ot e Deskt op Client for Mac Rem ot e Deskt op m ode ( TS) enabling 2nd new feat ure Rem ot e Deskt op Users group Rem ot e Different ial Com pression ( RDC) 2nd Rem ot e I nst allat ion Services ( RI S) 2nd Rem ove- I t em cm dlet Rem ove- I t em Propert y cm dlet Renam e- I t em cm dlet Renam e- I t em Propert y cm dlet renam ing files repacking t ool REPADMI N ut ilit y Replicat e Folder Wizard replicat ion groups replicat ion process audit ing defined 2nd 3rd forcing handling updat e conflict s loops and m eshes 2nd m ult im ast er replicat ion 2nd originat ing USNs REPADMI N support single- m ast er replicat ion sit e support sit es t im e synchronizat ion 2nd USNs in UTD vect ors replicat ion t opologies 2nd REPLMON t ool report s DNSLint support Failover Clust er Validat ion Report FSRM support 2nd 3rd scheduling reservat ions reset com m and 2nd Reskit .net 2nd resource records A records 2nd 3rd 4t h 5t h CNAME records 2nd 3rd
    defined
    DNSCmd utility
    host (A) records
    MX records 2nd 3rd 4th
    NS records 2nd 3rd 4th
    PTR records 2nd 3rd 4th 5th
    SOA records 2nd 3rd 4th 5th
    SRV records 2nd
Resource View
resources
    defined
    groups of
    managed 2nd
restore procedure
restricted groups 2nd 3rd
retry interval 2nd
reverse lookup zones
    defined
    entering records into
    functionality 2nd
    generating 2nd
    stub zones and
RFC 1995 2nd
RFC 1996
RID (relative identifier)
RID master role
RIS (Remote Installation Services) 2nd
RODC (read-only domain controller) 2nd 3rd
roles
    adding for TS 2nd
    IIS support
    operations master roles
    Server Core support
    web server services and
rootsec.inf file
round-robin DNS balancing 2nd 3rd 4th
Routing and Remote Access Service
RPC protocol 2nd
RSoP (Resultant Set of Policy)
    defined
    deployment considerations
    effective permissions
    logging mode
    planning mode
    without GUI
RunDiagnosticLoggingGroupPolicy value (Registry)
RX (Read and Execute) permission 2nd
S

SACL (system access control list)
SAM (Security Accounts Manager) 2nd 3rd
SCA (Security Configuration and Analysis) 2nd
scaling, NICs
scavenging process (DNS)
schema
Schema Admins group
Schema Management console
schema master role
schmmgmt.dll snap-in
scregedit.wsf script
Scriptomatic utility
scripts
    cmdlets and 2nd
    control structures
    delegating GPO administration
    Group Policy support 2nd
    PowerShell repository
    PowerShell support 2nd 3rd
    server clustering and
    Server Core support
    unattended installation
SDM (secure development model)
searching for GPOs 2nd
SECEDIT utility
secondary nameservers
    configuring 2nd
    functionality
    split DNS architecture
    upgrading to primary
    zone transfers and 2nd
secure development model (SDM)
Security Accounts Manager (SAM) 2nd 3rd
Security Configuration and Analysis (SCA) 2nd
security groups
    defined
    Group Policy network options
    password policies 2nd
    software deployment and 2nd
Security log 2nd 3rd
security management
    application-level security
    auditing support 2nd
    BitLocker support
    business considerations
    CIA principle
    device installation control
    firewalls and
    FSRM file screening
    IIS problems
    IIS support 2nd
    improvements 2nd
    layered approach
    local options
    NAP support
    offline access and
    OS file protection
    PowerShell and 2nd
    scripts and
    Server Core support
    split DNS architecture
    TS support
security policies
    account lockout policies
    auditing support 2nd
    automatic logoff and
    CIA principle
    considerations
    event log support
    filesystem settings
    implementation guidelines
    local options
    migration process
    network options
    organizing
    password policies
    refreshing settings
    Registry settings
    restricted groups 2nd 3rd
    security templates
    viewing domain
    viewing domain controller
security templates
Security Templates snap-in 2nd
SEIZE command
Select-Object cmdlet
server clusters
    applications supported
    command-line utilities
    creating 2nd
    defined
    failure management 2nd
    functionality
    High Availability Wizard
    planning setup
    services supported
    shared data facility
    terminology 2nd
    witness disk
Server Core
    activating server 2nd
    AD DS support
    administering machines
    advantages
    automatic updates
    command-line utilities
    configuring options
    deploying 2nd
    enabling Remote Desktop
    functionality
    Group Policy support 2nd
    hardware drivers
    Hyper-V support 2nd
    installing
    joining domains
    lack of shell 2nd
    managed code and
    network connections
    Notepad support
    RODC support
    setting administrator password
    third-party applications and
    Windows Remote Shell 2nd
Server Manager
    configuring file servers
    creating namespaces
    default shares
    File Services component
    functionality
    GPMC support
    Group Policy Management
    installing Hyper-V
    installing PowerShell
    installing TS
    installing WDS
    Performance Diagnostics Console
    removing Hyper-V
    TS administration
Server Operators group 2nd
server security
service (SRV) records 2nd
service packs
sessions
    connecting to
    controlling
    disconnecting
    logging off
    NAP process 2nd
    resetting
    restricting users
    shadowing
    temporary folder usage
    viewing information 2nd
set-executionpolicy cmdlet
Set-Item cmdlet
Set-ItemProperty cmdlet
SetGPOCreationPermissions.wsf script
SetSOMPermissions.wsf script
Setup log
setup security.inf file
setup.iss file
SetupCommand directive
SHADOW command 2nd
shadow copies 2nd 3rd
Share and Storage Management
share permissions
shared folders
    ABE support
    AD DS support
    creating 2nd
    default shares
    hidden shares
    offline access
    publishing shares 2nd
shared printers
SHAs (system health agents) 2nd
shutdown process 2nd
SHVs (system health validators)
    configuring 2nd 3rd
    defined
    NAP limitations
SIDs (security identifiers)
    IIS support
    replication and
    RID master role and
    Sysprep support
Simple Mail Transfer Protocol (SMTP) 2nd 3rd
Simple Network Management Protocol (SNMP) 2nd 3rd
single instance storage (SIS)
single-master replication
SIS (single instance storage)
site links
sites
    AD DS support
    creating links
    defined
    GPO support
    replicating
slaving 2nd 3rd
slow link threshold
SMB protocol
SMTP (Simple Mail Transfer Protocol) 2nd 3rd
SNMP (Simple Network Management Protocol) 2nd 3rd
SOA (start of authority) records
    editing zone files
    functionality
    manipulating
    nameservers and
    stub zones and
software installation 2nd
software policies 2nd 3rd
software restriction policies
Sort-Object cmdlet
special permissions
split DNS architecture
spoofing technique
SQL Server provider (PowerShell)
SRV (service) records 2nd
standalone namespaces 2nd
standard permissions 2nd
starter GPOs
startup process 2nd 3rd
storage considerations
storage reports 2nd
Storage Utilization Monitoring
Stored User Names and Passwords applet
streaming media services 2nd
stub zones
subdomains 2nd
superscope
switches, hubs and
Sysprep tool 2nd
system access control list (SACL)
system health agents (SHAs) 2nd
System log 2nd 3rd
system policies
    auditing support
    overriding
    remote control permissions
    software installation
    storage location
System Volume Information folder
System.IO.DirectoryInfo objects
System.IO.FileInfo objects
System.Random class
Systems Management Server 2nd
SYSVOL default share
T

Take Ownership permission 2nd 3rd
Task Manager
TCP/IP protocol
    clustering support
    name resolution
    NLB support
    node support
    stack enhancements
Telnet protocol
templates
    classes as
    file screening via
    Group Policy support
    local Group Policy
    security
temporary folders
Terminal Server role
Terminal Service Remote Programs
Terminal Services (TS)
    AD DS support 2nd
    adding roles 2nd
    administering
    client-side considerations
    command-line utilities
    enhancements
    functionality
    installing
    permissions support
    RDP support 2nd
    software restriction policies
    TCP port number
Terminal Services Configuration
    administering TS
    changing ports
    creating connection listener
    encryption support
    functionality
    remote control permissions
    restricting connections 2nd
Terminal Services Licensing
Terminal Services Manager (TSM)
    administering TS
    changing ports
    connecting to sessions
    controlling sessions
    disconnecting sessions
    functionality
    logging off sessions
    resetting sessions
    sending messages
    viewing session information 2nd
TFTP (trivial file transfer protocol)
time synchronization 2nd 3rd
time to live (TTL) 2nd 3rd
timestamps
TLDs (top-level domains) 2nd
TLS (Transport Layer Security)
top-level domains (TLDs) 2nd
TPM (Trusted Platform Module)
tracing failed requests
transform files
transitive forest root trusts
transitive trusts 2nd
Transport Layer Security (TLS)
Traverse Folder special permission
trees 2nd
trivial file transfer protocol (TFTP)
troubleshooting
    AD DS adding domains
    DNSLint support
    Group Policy
Trusted Platform Module (TPM)
trusts
    AD DS support
    defined
    transitive 2nd
Trustworthy Computing Initiative
TS EasyPrint
TS Gateway
    functionality 2nd 3rd 4th
    NAP support
TS Licensing
TS RemoteApp 2nd
TS Session Broker 2nd
TS Web Access 2nd 3rd
tscon utility
tsdiscon utility
tskill utility
tsprof utility
tsshutdn utility
TTL (time to live) 2nd 3rd
U

UAC (User Account Control)
UDP (User Datagram Protocol)
unattend file 2nd
unattended installation
    PowerShell script support
    Server Core
UNC (universal naming convention) 2nd
_ (underscore) 2nd
underscore (_) 2nd
unicast mode (NLB) 2nd 3rd
universal groups 2nd
universal naming convention (UNC) 2nd
Unix PS command
up-to-date (UTD) vectors
update sequence numbers (USNs)
UPDATE.EXE tool
UPDATE.MSI file
UPDATE.ZAP file
UPNs (user principal names)
URLScan utility
USB flash drives
User Access permission
User Account Control (UAC)
user accounts
    administrative tasks
    anonymous users
    auditing
    configuring with TS
    creating
    creating with LDAP
    disk-based quotas
    installation process and
    licensing TS
    lockout policies 2nd 3rd
    NTFS permissions
    offset interval
    refresh interval
    WDS requirements
User Accounts applet
user classes
User Datagram Protocol (UDP)
user principal names (UPNs)
usernames
    account lockout policies
    AD DS support
    displaying for logon
    Stored User Names and Passwords applet
Users group
USNs (update sequence numbers)
UTD (up-to-date) vectors
V

validation key
Variable provider (PowerShell)
variables, PowerShell support
VBS file extension 2nd
VBScript language
vendor classes
Veritas WinInstall LE tool
version numbers
VHDs (virtual hard disks)
virtual directories
virtual hard disks (VHDs)
virtual machines, creating
virtual private networks (VPNs) 2nd 3rd
virtualization
    defined
    Hyper-V support 2nd 3rd
    strategies
viruses 2nd
Visual Basic Scripting Edition
Volume Activation 1.0
Volume Activation 2.0
Volume Shadow Copy Service (VSS) 2nd 3rd
volumes 2nd
VPNs (virtual private networks) 2nd 3rd
VSS (Volume Shadow Copy Service) 2nd 3rd
vssadmin.exe utility 2nd
W

W (Write) permission 2nd
WDS (Windows Deployment Services)
    Boot menu
    Capture Utility
    configuring
    creating images
    functionality 2nd
    installing
    modifying images
    RIS replacement 2nd
    Server Core and
    unattended installations
    WIM support
    Windows PE support 2nd 3rd
WDS client unattend file
WDS Configuration Wizard 2nd
WDSUTIL utility 2nd
web applications
    application pools and 2nd
    NLB clustering
Web Management Service (WMS)
Web Server role (IIS)
web sites
    adding virtual directories
    adjusting properties
    creating 2nd
web.config file
Where-Object cmdlet
WIM (Windows Imaging Format)
Win32_OperatingSystem class
Windows Automated Installation Kit 2nd
Windows Communication Foundation
Windows Error Reporting
Windows Firewall with Advanced Security
Windows Imaging Format (WIM)
Windows Internet Naming Service (WINS) 2nd 3rd
Windows Load Balancing Service
Windows log
Windows Media Player
Windows Media Services (WMS)
Windows PE (Pre Environment) 2nd 3rd
Windows Presentation Foundation
Windows Process Activation Service (WPAS) 2nd
Windows Remote Shell (WinRS) 2nd
Windows Search Service 2nd 3rd
Windows Server 2008
    assessing release
    editions supported
    hardware requirements
    IIS improvements
    manageability improvements
    networking improvements
    performance improvements 2nd 3rd
    reliability improvements
    Resource Kit Tools
    SDM support
    security improvements
    Server Core support
Windows systems
    account lockout policies
    local options
    network options
    password policies
Windows Time Service 2nd
Windows Update
Windows Workflow Foundation
WINPOLICIES tool
WinRS (Windows Remote Shell) 2nd
WINS (Windows Internet Naming Service) 2nd 3rd
witness disk
wlbs drainstop command
wlbs.exe program
WMI (Windows Management Instrumentation)
    PowerShell support 2nd
    Server Core support
WMI filters 2nd 3rd
WMI objects 2nd
WMI Query Language (WQL)
WMS (Web Management Service)
WMS (Windows Media Services)
WPAS (Windows Process Activation Service) 2nd
WQL (WMI Query Language)
Write (W) permission 2nd
Write Attributes permission 2nd
Write Data special permission
Write Extended Attributes permission 2nd
X

X.509 certificates
XCOPY command
XML
    applicationHost.config file
    PowerShell support
    WDS client unattend file
XPS print path
Z

ZAP file method 2nd 3rd
zone files
    backup limitations
    CNAME record format
    defined
    editing
    host record format
    MX record format
    nameservers and
    NS record format
    PTR record format
    SOA record format
    SRV record format
zone modification notification
zone transfers
    Active Directory-integrated zones and
    controlling process
    expiration date
    forcing
    full 2nd
    incremental 2nd
    nameservers and
    refresh interval
    secondary nameservers and
zones
    Active Directory-integrated
    DNS defined
    DNSCmd utility
    domains and
    entering records into
    exporting to files
    nameservers and
    resource records
    stub