MCTS: Windows Server 2008 Applications Infrastructure Configuration Study Guide: Exam 70-643 [Pap/Cdr St ed.] 9780470261705, 0470261706

Citation preview

MCTS Windows Server® 2008 Applications Infrastructure Configuration Study Guide

Joel Stidley

Wiley Publishing, Inc.

MCTS Windows Server® 2008 Applications Infrastructure Configuration Study Guide

MCTS Windows Server® 2008 Applications Infrastructure Configuration Study Guide

Joel Stidley

Wiley Publishing, Inc.

Acquisitions Editor: Jeff Kellum Development Editor: Denise Santoro Lincoln Technical Editor: Pawan K. Bhardwaj Production Editor: Christine O’Connor Copy Editor: Judy Flynn Production Manager: Tim Tate Vice President and Executive Group Publisher: Richard Swadley Vice President and Executive Publisher: Joseph B. Wikert Vice President and Publisher: Neil Edde Project Coordinator, Cover: Lynsey Stanford Media Project Supervisor: Jenny Swisher Media Development Specialist: Josh Frank Media Quality Assurance: Angie Denny Book Designer: Judy Fung and Bill Gibson Compositor: Craig Woods, Happenstance Type-O-Rama Proofreader: Scott Klemp, Word One and Larry West Indexer: Jack Lewis Cover Designer: Ryan Sneed Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-26170-5 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Cataloging-in-Publication Data. Stidley, Joel, 1976MCTS : Windows server 2008 applications infrastructure configuration study guide (Exam 70-643) / Joel Stidley.—1st ed. p. cm. ISBN 978-0-470-26170-5 (paper/cd-rom) 1. Electronic data processing personnel—Certification. 2. Microsoft software—Examinations—Study guides. 3. Microsoft Windows server. I. Title. QA76.3.S749827 2008 005.4'476—dc22 2008026322 TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Windows Server is a registered trademark of Microsoft Corporation in the United States and/ or other countries. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. 10 9 8 7 6 5 4 3 2 1

Dear Reader, Thank you for choosing MCTS: Windows Server 2008 Applications Infrastructure Configuration Study Guide. This book is part of a family of premium quality Sybex books, all written by outstanding authors who combine practical experience with a gift for teaching. Sybex was founded in 1976. More than thirty years later, we’re still committed to producing consistently exceptional books. With each of our titles we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available. I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected], or if you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex. Best regards,

Neil Edde Vice President and Publisher Sybex, an Imprint of Wiley

To my patient and lovely wife, Andrea, and children, Ethan and Jaelyn, who have learned to put up with me, and to my parents, Paul and Gayle, who fostered my love for computers ever since they were told my handwriting would never get any better.

Acknowledgments It took a lot of hard work and patience to complete this book, as it does all publications. Thanks to Jeff Kellum and Denise Santoro Lincoln for being patient and considerate despite the scheduling setbacks and for retraining me on the format changes. Also, the production team of Christine O’Connor and Judy Flynn were top-notch and a joy to work with. They did an impeccable job making sure we were not just technically sound but also grammatically correct! Thanks to Rawlinson Rivera for helping get this book going and for recommending me for this project. I hope you are feeling better and look forward to our next project! One of our pinch hitters was Jabez Gan Ming Teik, who really came through by getting a chapter reworked after a change in objectives on the Microsoft exam. This book was a bit of a test for me and caused me to have to rely on a number of colleagues for a little help with developing the content. Without Erik Gustafson, Mike Hodson, and Siegfried Jagott, this book would not have been possible. Last, I’d like to thank both the Monster Beverage Company and Hearthroast for fueling the late-night writing sessions with Lo-Carb Monster and home-roasted coffee.

About the Author Joel Stidley has been working in the IT field for over 12 years and has been a computer fanatic for much longer. He obtained his first Microsoft certification in 1999 and is currently both an MCSE and MCTS. At the beginning of his IT career, he was supporting MS-DOS and Windows for Workgroups clients on a Novell NetWare network at a small manufacturing company. Shortly thereafter, he discovered the joys of Windows NT Server and led the charge in converting that company from a Novell NetWare directory to a Windows NT domain. He also convinced the company’s engineering department to switch from the SunOS-based workstations to new Windows NT 4.0 Workstation machines. Joel has since taken on numerous other projects, from a number of Active Directory and Exchange Server migrations to deploying large-scale virtualization environments. In 2004, Joel founded ExchangeExchange.com, a Microsoft Exchange–focused community website where he blogs and provides forums for discussing Exchange, PowerShell, certification, and general Windows information. In the last few years, he has also contributed to MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (Sybex, 2008) and was lead author on Professional PowerShell for Exchange Server 2007 SP1 (Wrox, 2008). Currently he is a solutions architect at Terremark Worldwide Inc. where he works with a variety of directory, storage, virtualization, and messaging technologies. He currently lives in the Dallas area with his wife and two children.

About the Contributors Erik R. Gustafson is a 7-year veteran of the IT consulting and IT support business. He started working professionally with Microsoft products while running a successful signage business in 1995, and after selling the business a few years later, he refocused his career on providing IT services. He obtained his first Microsoft certification in 2002 and is currently an MCSE and an MCSA. The last few years he has spent helping grow an IT consulting business and setting up an IT outsourcing MSP from the ground up. He recently relocated to the Dallas area and now works as a solutions architect for Terremark Worldwide Inc. When not shooting womp rats back home, Erik enjoys drinking piña coladas and getting caught in the rain. Mike Hodson has a bachelor of science in mathematics from Texas Woman’s University and has worked in the IT industry for more than 11 years, receiving his first Microsoft certification in 1998. He has been working with desktop virtualization for more than 6 years and recently has been deeply involved with server virtualization projects. Mike is currently the team lead in the group responsible for storage networking and virtualization at Terremark Worldwide Inc. in Dallas, Texas.

About the Author

ix

Siegfried Jagott works as a senior systems architect and team lead for the Messaging and Collaboration team at Siemens IT Solutions located in Munich, Germany. He is part of the Siemens-central architecture team that works closely together with Microsoft to plan future enhancements of not only Windows and Exchange but also other products. For the past 10 years, he has been involved in planning, designing, and implementing some of the world’s largest Windows and Exchange Server infrastructures for various international customers, including Siemens. In addition, he is hosting a monthly column for Windows IT Magazine called “Exchange & Outlook UPDATE: Outlook Perspectives” and writes about Outlook 2007–related topics. He is also a frequent writer for various international magazines and speaks on conferences about Windows- and Exchange-related topics. He was also a contributing author for MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (Sybex, 2008). In his spare time, he is actively engaged in a carnival club as a vice president and likes to go skiing in the Alps or traveling around the world. Siegfried is currently living in Rednitzhembach, a small town in southern Germany. He holds an MBA and a Diploma in Management from Open University in England and has been a Microsoft Certified Systems Engineer (MCSE) since 1997. Rawlinson Rivera, an 11-year veteran of the IT consulting and training field, has worked on a variety of technologies ranging from IBM to VMware to Microsoft. He has developed specializations in architecting secure messaging and collaboration infrastructure with Windows Server 2000/2003/2008, Office SharePoint Server 2007, Exchange Server 2000/2003/2007, and VMware Virtual Infrastructure 3. Rawlinson is the founder of RawlsNet Technologies LLC, a firm that focuses on consulting, training, and developing industry content. He is the lead author of Sybex’s MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (Sybex, 2008). Jabez Gan Ming Teik is a Microsoft MVP for Windows Server File System/Storage. He is currently the senior technical officer for a consulting company that specializes in Microsoft technologies. He is also a writer for Msblog.org (blog) and technology sites and a speaker at technology events. Jabez can be reached at [email protected].

Contents at a Glance Introduction

xxv

Assessment Test

xxxvi

Chapter 1

Windows Server 2008 Storage Services

Chapter 2

Exploring Terminal Services in Windows Server 2008

41

Chapter 3

Terminal Services Licensing, Advance Configuration, and Monitoring for Terminal Services

99

1

Chapter 4

Configuring Web Services Infrastructure

147

Chapter 5

Advanced Web Infrastructure Configuration

185

Chapter 6

Configuring Additional Communication Services

219

Chapter 7

Configuring Windows SharePoint Services (WSS)

267

Chapter 8

Using Virtualization In Windows Server 2008

313

Chapter 9

Deploying Servers

363

Chapter 10

Configuring High Availability in Windows Server 2008

403

Chapter 11

Monitoring Windows Server 2008 for High Availability

443

Appendix A

About the Companion CD

517

Glossary Index

521 529

Contents Introduction

xxv

Assessment Test Chapter

Chapter

1

2

xxxvi Windows Server 2008 Storage Services

1

Storage in Windows Server 2008 Initializing Disks Working with Basic and Dynamic Disks Working with Volume Sets RAID Mount Points Microsoft MPIO (Multipath I/O) iSCSI Internet Storage Name Service (iSNS) Fibre Channel Network Attached Storage (NAS) Managing SANs Virtual Disk Service (VDS) Storage Manger for SANs (SMfS) Storage Explorer Summary Exam Essentials Review Questions Answers to Review Questions

2 2 5 8 11 15 17 19 23 27 28 28 28 29 32 33 34 35 38

Exploring Terminal Services in Windows Server 2008

41

Remote Desktop Connection Display Custom Display Resolutions Monitor Spanning Font Smoothing Display Data Prioritization Desktop Experience Device Redirection Single Sign-On for Terminal Services Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp) Installing Programs to Be Used with TS RemoteApp Configuring Remote Programs to Be Used with TS RemoteApp Creating and Deploying a Windows Installer Package for TS RemoteApp Programs

43 43 44 45 46 47 51 54 55 56 60 63

xiv

Contents

Export or Import RemoteApp Programs and Settings Distributing RemoteApp Applications Prepare and Configure Terminal Services Gateway (TS Gateway) Preparing the Necessary TS Gateway Role Services Obtaining and Configuring a Certificate for TS Gateway Creating Terminal Services Connection Authorization Policies (TS CAPs) Creating Terminal Services Resource Authorization Policies (TS RAPs) Configuring the Terminal Services Client for TS Gateway Configuring Terminal Services Load Balancing Configuring a Terminal Server Farm with TS Session Broker Configuring Network Load Balancing Summary Exam Essentials Review Questions Answers to Review Questions Chapter

3

Terminal Services Licensing, Advance Configuration, and Monitoring for Terminal Services Configuring Terminal Services Licensing Terminal Services Client Access Licenses (TS CALs) Installing TS Licensing and TS Client Access Licenses (CALs) Configuring License Settings on a Terminal Server Managing Terminal Services through Group Policy Group Policy Settings for Terminal Services Configuring Global Deployment Settings for TS RemoteApp Monitoring TS Gateway Using TS Gateway Manager Resource Allocation for Terminal Services Summary Exam Essentials Review Questions Answers to Review Questions

Chapter

4

65 67 72 72 74 77 80 82 84 84 89 91 92 93 96

99 100 100 101 114 125 125 130 135 138 139 140 141 144

Configuring Web Services Infrastructure

147

Configuring Web Applications Installing IIS 7.0 Creating and Configuring Websites

148 150 152

Contents

Configuring a File Transfer Protocol (FTP) Server Configuring Permissions Configuring FTP Site for Extranet Users FTP IPv4 and Domain Restrictions Configuring a Simple Mail Transfer Protocol (SMTP) Server Configuring General SMTP Virtual Server Properties Configuring Access Configuring Message Size and Transfer Limits Configuring Delivery Options Summary Exam Essentials Review Questions Answers to Review Questions Chapter

Chapter

5

6

xv

164 165 165 166 167 168 169 171 172 177 178 179 183

Advanced Web Infrastructure Configuration

185

Managing Internet Information Services (IIS) Configuring Monitoring and Logging Backup and Restore Delegating Administrative Rights Configuring Secure Sockets Layer (SSL) Security Requesting and Renewing SSL Certificates Enabling SSL on a Website Exporting and Importing Certificates Configuring Website Authentication and Permissions Configuring Application Access Client Certificate Mapping Summary Exam Essentials Review Questions Answers to Review Questions

186 188 195 197 201 202 205 206 207 209 211 211 212 213 217

Configuring Additional Communication Services

219

Configuring Fax Services Configuring Fax (Local) Properties Defining a Dialing Rule Defining a Fax Routing Location Configuring Media Server Configuring Basic Streaming Solutions Configuring Advanced Streaming Solutions Options for Configuring Security in a Windows Media Server Configuring Digital Rights Management (DRM) How Does DRM work? Encryption

220 222 225 227 229 232 240 245 249 250 251

xvi

Contents

Sharing Business Rules Configuring License Delivery Configuring Policy Templates Summary Exam Essentials Review Questions Answers to Review Questions Chapter

Chapter

7

8

252 253 256 260 260 261 265

Configuring Windows SharePoint Services (WSS)

267

Configuring Windows SharePoint Services Configuring Incoming Email Settings Configuring Outgoing Email Settings Configuring Workflow Settings Configuring Diagnostic Logging Settings Configuring Antivirus Settings Using the Best Practices Analyzer Tool Configuring Windows SharePoint Services (WSS) Sites Upgrading from WSS 2.0 Creating or Extending Web Applications Configuring Alternate Access Mapping Creating Zones for Web Applications Creating Quota Templates Creating Site Collections Enabling Access For End Users Adding Site Content Configuring Authentication for WSS Configure Digest Authentication Configuring Web SSO Authentication by Using ADFS Summary Exam Essentials Review Questions Answers to Review Questions

269 270 273 277 278 281 282 283 283 284 287 289 290 291 292 295 295 297 300 305 305 306 310

Using Virtualization In Windows Server 2008

313

Hyper-V Overview What Is Virtualization? Hyper-V Features Hyper-V Architecture Hyper-V Requirements Hyper-V Installation and Configuration Install Hyper-V Role Hyper-V in Server Manager Using Hyper-V Manager

314 314 315 316 318 320 320 323 324

Contents

Configure Hyper-V Settings Manage Virtual Networks Managing Virtual Hard Disks Configuring Virtual Machines Creating and Managing Virtual Machines Back Up and Restore Virtual Machines Summary Exam Essentials Review Questions Answers to Review Questions Chapter

9

Deploying Servers Windows Deployment Services Deploying Images by Using Windows Deployment Services Using Windows Deployment Services Configuring WDS Capturing Images Deploying Server Core Configuring Microsoft Windows Activation Installing KMS Configuring KMS Summary Exam Essentials Review Questions Answers to Review Questions

Chapter

10

Configuring High Availability in Windows Server 2008 Components of High Availability Achieving High Availability Achieving High Availability with Failover Clustering Failover Clustering Requirements Cluster Quorum Validating a Cluster Configuration Creating a Cluster Clustered Application Settings Resource Properties Achieving High Availability with Network Load Balancing How Does Network Load Balancing Work? Network Load Balancing Requirements Creating an NLB Cluster Modifying Cluster Properties Managing NLB Clusters

xvii

325 326 329 337 337 347 355 355 357 361 363 364 365 366 369 375 380 381 384 385 397 397 398 401

403 404 405 407 409 410 412 417 422 426 429 429 430 431 433 434

xviii

Contents

Summary Exam Essentials Review Questions Answers to Review Questions Chapter

Appendix

11

A

Monitoring Windows Server 2008 for High Availability

435 436 437 441

443

Monitoring Servers Using Performance Data Working with Data Collector Sets Log Data in Performance Monitor Diagnosis Report View System Stability with Reliability Monitor Monitoring Servers Using Event Logs Using wevtutil.exe to Manage Event Logs Configuring Computers to Forward and Collect Events Reading Events through Custom Views Monitoring Using Task Scheduler Scheduling a Task Managing a Task Managing or Creating a Task on a Remote Computer Using the Command-Line Tool Schtasks.exe Running a Task in Response to a Given Event Monitoring System Activity Monitoring General System Activity Using Resource Monitor Monitoring Specific System Activity Using Performance Monitor Configuring and Monitoring Using Simple Network Management Protocol (SNMP) Install SNMP Services Configuring Agent Properties Configuring Traps Configuring SNMP Security Properties Starting or Stopping the SNMP Service Configuring Event to Trap Translator Summary Review Questions Answers to Review Questions

444 446 456 459 461 467 469 470 472 475 477 481 485 487 488 490

About the Companion CD

517

What You’ll Find on the CD Sybex Test Engine PDF of the Book

490 495 500 500 501 503 504 506 507 507 509 514

518 518 518

Contents

Adobe Reader Electronic Flashcards System Requirements Using the CD Troubleshooting Customer Care

xix

519 519 519 519 520 520

Glossary

521

Index

529

Table of Exercises Exercise 1.1

Initializing Disk Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Exercise 1.2

Converting a Basic Disk to a Dynamic Disk . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Exercise 1.3

Creating a Volume Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Exercise 1.4

Creating Mount Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Exercise 1.5

Installing Microsoft MPIO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Exercise 1.6

Configuring iSCSI Storage Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Exercise 1.7

Installing the iSNS Feature on Windows Server 2008 . . . . . . . . . . . . . . . . 24

Exercise 1.8

Installing Storage Manager for SANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Exercise 2.1

Enabling Font Smoothing on a Client Computer . . . . . . . . . . . . . . . . . . . . 45

Exercise 2.2

Verifying ClearType settings on Window Server 2008 . . . . . . . . . . . . . . . . 46

Exercise 2.3

Enabling the Desktop Experience Feature . . . . . . . . . . . . . . . . . . . . . . . . . 48

Exercise 2.4

Starting the Themes Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Exercise 2.5

Setting the Theme on Windows Server 2008 . . . . . . . . . . . . . . . . . . . . . . . 49

Exercise 2.6

Making Desktop Composition Available on a Vista Client. . . . . . . . . . . . . 50

Exercise 2.7

Redirect Plug and Play Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Exercise 2.8

Configuring Authentication of a Windows 2008 Terminal Server . . . . . . 54

Exercise 2.9

Configuring SSO on a Client Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Exercise 2.10

Installing the Terminal Services Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Exercise 2.11

Adding an application to the TS RemoteApp Program List. . . . . . . . . . . . 60

Exercise 2.12

Packaging a TS RemoteApp Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Exercise 2.13

Exporting the RemoteApp Programs List and Deployment Settings. . . . 65

Exercise 2.14

Installing TS Web Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Exercise 2.15

Adding the Computer Account of the TS Web Access Server to the TS RemoteApp Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Exercise 2.16

Installing the TS Gateway Role Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Exercise 2.17

Installing a Certificate on the TS Gateway Server . . . . . . . . . . . . . . . . . . . 75

Exercise 2.18

Mapping the Certificate to the TS Gateway Server . . . . . . . . . . . . . . . . . . 76

Exercise 2.19

Creating a TS CAP for the TS Gateway Server . . . . . . . . . . . . . . . . . . . . . . 77

Exercise 2.20

Creating a TS RAP and Specifying Computers . . . . . . . . . . . . . . . . . . . . . . 80

Exercise 2.21

Configuring the Terminal Services client for TS Gateway. . . . . . . . . . . . . 83

Exercise 2.22

Installing TS Session Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Exercise 2.23

Adding Terminal Servers to the Session Directory Computers Local Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Table of Exercises

Exercise 2.24

xxi

Configuring the Terminal Servers to Join a Farm and Participate in Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Exercise 2.25

Configuring DNS for TS Session Broker Load Balancing . . . . . . . . . . . . . 88

Exercise 2.26

Installing NLB and Creating an NLB Cluster . . . . . . . . . . . . . . . . . . . . . . . . 89

Exercise 3.1

Installing TS Licensing Role Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Exercise 3.2

Installing TS Licensing Manager as a Feature. . . . . . . . . . . . . . . . . . . . . . 105

Exercise 3.3

Activating a TS License Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Exercise 3.4

Install Terminal Services Client Access Licenses . . . . . . . . . . . . . . . . . . . 111

Exercise 3.5

Creating a Report for TS Per User CAL Issuance . . . . . . . . . . . . . . . . . . . 119

Exercise 3.6

Revocation of Per Device CALs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Exercise 3.7

Running Licensing Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Exercise 3.8

TS RemoteApp Global Deployment Settings . . . . . . . . . . . . . . . . . . . . . . 131

Exercise 3.9

TS RemoteApp TS Gateway Global Deployment Settings . . . . . . . . . . . 132

Exercise 3.10

TS RemoteApp Common RDP Global Deployment Settings. . . . . . . . . . 133

Exercise 3.11

TS RemoteApp Digital Signature Global Deployment Settings . . . . . . . 135

Exercise 3.12

Specifying TS Gateway Events to Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Exercise 3.13

Viewing User Connection Information through TS Gateway Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Exercise 3.14

Installing Windows System Resource Manager . . . . . . . . . . . . . . . . . . . . 138

Exercise 3.15

Configuring WSRM for Terminal Services. . . . . . . . . . . . . . . . . . . . . . . . . 139

Exercise 4.1

Installing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Exercise 4.2

Creating a Site Using Host Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Exercise 4.3

Installing IIS Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Exercise 5.1

Using AppCmd.exe to List Configured Websites . . . . . . . . . . . . . . . . . . . . 186

Exercise 5.2

Enabling Failed Request Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Exercise 5.3

Modifying Configuration History Settings . . . . . . . . . . . . . . . . . . . . . . . . 195

Exercise 5.4

Delegating Administrative Permissions for Remote Administration of a Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Exercise 5.5

Enabling SSL on a Web Server:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Exercise 6.1

Configuring a Fax Device to Receive Faxes . . . . . . . . . . . . . . . . . . . . . . . . 222

Exercise 6.2

Configuring Fax Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Exercise 6.3

Configuring a Dialing Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Exercise 6.4

Configuring Incoming Fax Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Exercise 6.5

Adding a Routing Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Exercise 6.7

Creating a Broadcast Publishing Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Exercise 6.7

Configuring a Multicast Stream . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

xxii

Table of Exercises

Exercise 6.8

Enabling Fast Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Exercise 6.9

Enabling Advanced Fast Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Exercise 6.10

Enabling FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Exercise 6.11

Setting Client Connect Attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Exercise 6.12

Changing the Anonymous Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Exercise 6.13

Enabling ACL Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Exercise 6.14

Allowing or Denying IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Exercise 6.15

Creating an ACL List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Exercise 6.16

Using AD DRM to Protect a Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Exercise 6.17

Configuring Users’ Exclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Exercise 6.18

Configuring Application Exclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Exercise 6.19

Configuring Policy Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Exercise 7.1

Configuring Incoming Email Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Exercise 7.2

Configuring Outgoing Email Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Exercise 7.3

Configuring Outgoing Email Settings for a Specific Web Application. . 276

Exercise 7.4

Configuring Diagnostic Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Exercise 7.5

Configuring Digest Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

Exercise 7.6

Configuring Web SSO authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Exercise 8.1

Installing Hyper-V on Full Installation Mode . . . . . . . . . . . . . . . . . . . . . . . 320

Exercise 8.2

Creating an internal Virtual Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

Exercise 8.3

Creating a Differencing Hard Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Exercise 8.4

Creating a Fixed Size Disk and Cloning a Local Drive. . . . . . . . . . . . . . . . 332

Exercise 8.5

Adding a Pass-Through Disk to a Virtual Machine . . . . . . . . . . . . . . . . . . 335

Exercise 8.6

Creating a new Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Exercise 8.7

Installing Hyper-V Integration Components . . . . . . . . . . . . . . . . . . . . . . . 346

Exercise 8.8

Creating a Snapshot of a Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . . 351

Exercise 8.9

Applying a Snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Exercise 9.1

Installing the WDS Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Exercise 9.2

Configuring WDS Server for First Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Exercise 9.3

Configuring WDS Server Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

Exercise 9.4

Creating a Capture Image Using the Wizard . . . . . . . . . . . . . . . . . . . . . . . 376

Exercise 9.5

Using WDSUTIL to Create a Capture Image . . . . . . . . . . . . . . . . . . . . . . . 379

Exercise 9.6

Installing Server Core. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Exercise 9.7

Installing a KMS Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Exercise 9.8

Configuring DNS Permissions for a KMS Host . . . . . . . . . . . . . . . . . . . . . 387

Table of Exercises

xxiii

Exercise 9.9

Publishing in Multiple Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Exercise 9.10

Creating a KMS SVR Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Exercise 9.11

Capturing data for Install from Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

Exercise 10.1

Installing the Failover Cluster Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

Exercise 10.2

Running the Validate a Configuration Wizard . . . . . . . . . . . . . . . . . . . . . . 415

Exercise 10.3

Creating a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418

Exercise 10.4

Clustering the Print Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

Exercise 10.5

Using the Dependency Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Exercise 10.6

Creating a Network Load Balancing Cluster . . . . . . . . . . . . . . . . . . . . . . . 431

Exercise 11.1

Assigning the “Log On as a Batch Job” User Right . . . . . . . . . . . . . . . . . 446

Exercise 11.2

Creating a Data Collector Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447

Exercise 11.3

Creating a New Data Collector Set from a Template . . . . . . . . . . . . . . . . 449

Exercise 11.4

Manually Creating a New Data Collector Set . . . . . . . . . . . . . . . . . . . . . . 450

Exercise 11.5

Scheduling the Start Condition for a Data Collector Set . . . . . . . . . . . . . 451

Exercise 11.6

Scheduling the Stop Condition for a Data Collector Set . . . . . . . . . . . . . 453

Exercise 11.7

Configuring Data Management for a Data Collector Set . . . . . . . . . . . . . 454

Exercise 11.8

Loading Log Data in Performance Monitor . . . . . . . . . . . . . . . . . . . . . . . . 458

Exercise 11.9

Navigating the Log View in Performance Monitor . . . . . . . . . . . . . . . . . . 459

Exercise 11.10

Viewing the System Diagnostics Report . . . . . . . . . . . . . . . . . . . . . . . . . . 460

Exercise 11.11

Viewing System Availability in Performance Monitor . . . . . . . . . . . . . . . 463

Exercise 11.12

Configuring Computers to Forward and Collect Events . . . . . . . . . . . . . 470

Exercise 11.13

Filtering Only Informational Events in the Current Log . . . . . . . . . . . . . . 473

Exercise 11.14

Creating a Custom View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Exercise 11.15

Scheduling a Basic Task by Using a Wizard . . . . . . . . . . . . . . . . . . . . . . . 477

Exercise 11.16

Scheduling a Task Manually by Using the Windows Interface . . . . . . . . 480

Exercise 11.17

Scheduling a Task Manually by Using the Command Line . . . . . . . . . . . 481

Exercise 11.18

Displaying All Running Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Exercise 11.19

Exporting Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

Exercise 11.20

Importing Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

Exercise 11.21

Viewing the History of a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

Exercise 11.22

Managing or Creating a Task on a Remote Computer Using Task Scheduler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

Exercise 11.23

Managing or Creating Task on a Remote Computer Using Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

Exercise 11.24

Running a Task in Response to an Event . . . . . . . . . . . . . . . . . . . . . . . . . . 488

xxiv

Table of Exercises

Exercise 11.25

Monitoring General System Activity Using Resource Monitor. . . . . . . . 491

Exercise 11.26

Adding Counters to the Current Performance Monitor View . . . . . . . . . 495

Exercise 11.27

Changing the Graph Type for the Log Data in Performance Monitor. . . 499

Exercise 11.28

Installing SNMP Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

Exercise 11.29

Configuring Agent Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502

Exercise 11.30

Configuring Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Exercise 11.31

Configuring SNMP Security Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 504

Exercise 11.32

Starting or Stopping SNMP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506

Exercise 11.33

Configuring Event to Trap Translator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

Introduction Microsoft has recently changed its certification program to contain three primary series: Technology, Professional, and Architect. The Technology Series of certifications is intended to allow candidates to target specific technologies and is the basis for obtaining the Professional Series and Architect Series of certifications. The certifications contained within the Technology Series consist of one to three exams, focus on a specific technology, and do not include job-role skills. By contrast, the Professional Series of certifications focus on a job role and are not necessarily focused on a single technology but rather a comprehensive set of skills for performing the job role being tested. The Architect Series of certifications offered by Microsoft includes premier certifications that consist of passing a review board made up of previously certified architects. To apply for the Architect Series of certifications, you must have a minimum of 10 years of industry experience. When obtaining a Technology Series certification, you are recognized as a Microsoft Certified Technology Specialist (MCTS) on the specific technology or technologies that you have been tested on. The Professional Series certifications include Microsoft Certified IT Professional (MCITP) and Microsoft Certified Professional Developer (MCPD). Passing the review board for an Architect Series certification will allow you to become a Microsoft Certified Architect (MCA). This book has been developed to give you the critical skills and knowledge you need to prepare for the exam requirement for obtaining the MCTS: Windows Server 2008 Applications Infrastructure, Configuring (Exam 70-643).

The Microsoft Certified Professional Program Since the inception of its certification program, Microsoft has certified more than 2 million people. As the computer network industry continues to increase in both size and complexity, this number is sure to grow—and the need for proven ability will also increase. Certifications can help companies verify the skills of prospective employees and contractors. Microsoft has developed its Microsoft Certified Professional (MCP) program to give you credentials that verify your ability to work with Microsoft products effectively and professionally. Several levels of certification are available based on specific suites of exams. Microsoft has recently created a new generation of certification programs: Microsoft Certified Technology Specialist (MCTS) The MCTS can be considered the entry-level certification for the new generation of Microsoft certifications. The MCTS certification program targets specific technologies instead of specific job roles. You must take and pass one to three exams. Microsoft Certified IT Professional (MCITP) The MCITP certification is a Professional Series certification that tests network and systems administrators on job roles rather than only on a specific technology. The MCITP generally consists of passing one to three exams in addition to obtaining an MCTS-level certification.

xxvi

Introduction

Microsoft Certified Professional Developer (MCPD) The MCPD certification is a Professional Series certification for application developers. Similar to the MCITP, the MCPD is focused on a job role rather than on a single technology. The MCPD generally consists of passing one to three exams in addition to obtaining an MCTS-level certification. Microsoft Certified Architect (MCA) The MCA is Microsoft’s premier certification series. Obtaining the MCA requires a minimum of 10 years of experience and requires the candidate to pass a review board consisting of peer architects.

How Do You Become Certified on Windows Server 2008 Applications Infrastructure? Attaining a Microsoft certification has always been a challenge. In the past, students have been able to acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new generation of exams, this is simply not the case. Microsoft has taken strong steps to protect the security and integrity of its new certification tracks. Now prospective candidates must complete a course of study that develops detailed knowledge about a wide range of topics. It supplies them with the true skills needed, derived from working with the technology being tested. The new generations of Microsoft certification programs are heavily weighted toward hands-on skills and experience. It is recommended that candidates have troubleshooting skills acquired through hands-on experience and working knowledge. Fortunately, if you are willing to dedicate the time and effort to learn the Windows Server 2008 applications infrastructure, you can prepare yourself well for the exam by using the proper tools. By working through this book, you can successfully meet the requirements to pass the Windows Server 2008 Applications Infrastructure exam. This book is part of a complete series of Microsoft certification Study Guides, published by Sybex Inc., that together cover the new MCTS, MCITP, and MCPD exams as well as the core MCSA and MCSE operating system requirements. Please visit the Sybex website at www.sybex.com for complete program and product details.

MCTS Exam Requirements Candidates for MCTS certification on Windows Server 2008 Applications Infrastructure must pass one Windows Server 2008 Applications Infrastructure exam. Other MCTS certifications may require up to three exams. For a more detailed description of the Microsoft certification programs, including a list of all the exams, visit the Microsoft Learning website at www.microsoft.com/learning/mcp.

Introduction

xxvii

The Windows Server 2008 Applications Infrastructure, Configuring Exam The Windows Server 2008 Applications Infrastructure exam covers concepts and skills related to installing, configuring, and managing Windows Server 2008 applications. This includes the following applications: NÛ

SharePoint Services

NÛ

Windows Deployment Services

NÛ

Terminal Services

NÛ

Internet Information Services 7.0

It emphasizes the basic Windows Server 2008 roles and features required to configure and support this functionality.

Microsoft provides exam objectives to give you a general overview of possible areas of coverage on the Microsoft exams. Keep in mind, however, that exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit the Microsoft Learning website ( www.microsoft.com/learning/mcp) for the most current listing of exam objectives.

Types of Exam Questions In an effort to both refine the testing process and protect the quality of its certifications, Microsoft has focused its newer certification exams on real experience and hands-on proficiency. There is a greater emphasis on your past working environments and responsibilities and less emphasis on how well you can memorize. In fact, Microsoft says that certification candidates should have hands-on experience before attempting to pass any certification exams.

Microsoft will accomplish its goal of protecting the exams’ integrity by regularly adding and removing exam questions, limiting the number of questions that any individual sees in a beta exam, limiting the number of questions delivered to an individual by using adaptive testing, and adding new exam elements.

Exam questions may be in a variety of formats. Depending on which exam you take, you’ll see multiple choice questions, as well as drag-and-drop, build list and reorder, and hot area questions. Simulations and case study-based formats are included as well. You may also find yourself taking what’s called an adaptive format exam. Let’s take a look at the types of exam questions and examine the adaptive testing technique so you’ll be prepared for all of the possibilities.

xxviii

Introduction

With the release of Windows 2000, Microsoft stopped providing a detailed score breakdown. This is mostly because of the various and complex question formats. Previously, each question focused on one objective. However, recent exams, such as the Windows Server 2008 Active Directory exam, contain questions that may be tied to one or more objectives from one or more objective sets. Therefore, grading by objective is almost impossible. Also, Microsoft no longer offers a score. Now you will only be told if you pass or fail.

Multiple Choice Questions Multiple choice questions come in two main forms. One is a straightforward question followed by several possible answers, of which one or more is correct. The other type of multiple choice question is more complex and based on a specific scenario. The scenario may focus on several areas or objectives.

Drag-and-Drop Questions Drag-and-drop exam questions involve graphical elements that you must manipulate to successfully answer the question. For example, you might see a diagram of a computer network, as shown in the following graphic taken from the select-and-place demo downloaded from Microsoft’s website.

Introduction

xxix

A typical diagram will show computers and other components next to boxes that contain the text “Place here.” The labels for the boxes represent various computer roles on a network, such as a print server and a file server. Based on information given for each computer, you are asked to select each label and place it in the correct box. You need to place all of the labels correctly. No credit is given for the question if you correctly label only some of the boxes.

Build List and Reorder Questions In another drag-and-drop problem you might be asked to put a series of steps in order by dragging items from boxes on the left to boxes on the right and placing them in the correct order. One other type requires that you drag an item from the left and place it under an item in a column on the right.

For more information on the various exam question types, go to www.microsoft.com/learning/mcpexams/policies/innovations.mspx.

Simulations Simulations are the kinds of questions that most closely represent actual situations and test the skills you use while working with Microsoft software interfaces. These exam questions include a mock interface on which you are asked to perform certain actions according to a given scenario. The simulated interfaces look nearly identical to what you see in the actual product, as shown in the following example.

xxx

Introduction

Because of the number of possible errors that can be made on simulations, be sure to consider the following recommendations from Microsoft: NÛ

NÛ

NÛ

NÛ

Do not change any simulation settings that don’t pertain to the solution directly. When related information has not been provided, assume that the default settings are used. Make sure that your entries are spelled correctly. Close all the simulation application windows after completing the set of tasks in the simulation.

The best way to prepare for simulation questions is to spend time working with the graphical interface of the product on which you will be tested.

Case Study-Based Questions Case study-based questions first appeared in the MCSD program. These questions present a scenario with a range of requirements. Based on the information provided, you answer a series of multiple-choice and select-and-place questions. The interface for case study-based questions has a number of tabs, each of which contains information about the scenario. At present, this type of question appears only in most of the Design exams.

Microsoft will regularly add and remove questions from the exams. This is called item seeding. It is part of the effort to make it more difficult for individuals to memorize exam questions that were passed along by previous test-takers.

Tips for Taking the MCTS: Windows Server 2008 Applications Infrastructure Configuring Exam Here are some general tips for achieving success on your certification exam: NÛ

NÛ

NÛ

NÛ

NÛ

Arrive early at the exam center so that you can relax and review your study materials. During this final review, you can look over tables and lists of exam-related information. Read the questions carefully. Do not be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking. Answer all questions. If you are unsure about a question, mark it for review and come back to it at a later time. On simulations, do not change settings that are not directly related to the question. Also, assume default settings if the question does not specify or imply which settings are used. For questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. This improves your odds of selecting the correct answer when you need to make an educated guess.

Introduction

xxxi

Exam Registration You may take the Microsoft exams at any of more than 1,000 Authorized Prometric Testing Centers (APTCs) around the world. For the location of a testing center near you, call Prometric at 800-755-EXAM (755-3926). Outside the United States and Canada, contact your local Prometric registration center. You may also register for your exams online at www.prometric.com. Find out the number of the exam you want to take, and then register with the Prometric registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $125 each and you must take them within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time. When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Prometric. Microsoft requires certification candidates to accept the terms of a nondisclosure agreement before taking certification exams.

Is This Book for You? If you want to acquire a solid foundation in Windows Server 2008 applications, and your goal is to prepare for the exam by learning how to use and manage the new operating system functions in practical ways, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp and plenty of help to achieve the high level of professional competency you need to succeed in your chosen field. If you want to become certified as an MCTS, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding Windows Server 2008 applications, this Study Guide is not for you. It is written for people who want to acquire hands-on skills and in-depth knowledge of Windows Server 2008 applications.

What’s in the Book? What makes a Sybex Study Guide the book of choice for hundreds of thousands of MCPs? We took into account not only what you need to know to pass the exam, but what you need to know to take what you’ve learned and apply it in the real world. Each book contains the following: Objective-by-objective coverage of the topics you need to know Each chapter lists the objectives covered in that chapter.

xxxii

Introduction

The topics covered in this Study Guide map directly to Microsoft’s official exam objectives. Each exam objective is covered completely.

Assessment test Directly following this introduction is an assessment test that you should take. It is designed to help you determine how much you already know about Windows Server 2008 Active Directory. Each question is tied to a topic discussed in the book. Using the results of the assessment test, you can figure out the areas where you need to focus your study. Of course, we do recommend you read the entire book. Exam essentials To highlight what you learn, you’ll find a list of exam essentials at the end of each chapter. The exam essentials section briefly highlights the topics that need your particular attention as you prepare for the exam. Glossary Throughout each chapter, you will be introduced to important terms and concepts that you will need to know for the exam. These terms appear in italic within the chapters, and at the end of the book, a detailed glossary gives definitions for these terms as well as other general terms you should know. Review questions, complete with detailed explanations Each chapter is followed by a set of review questions that test what you learned in the chapter. The questions are written with the exam in mind, meaning that they are designed to have the same look and feel as what you’ll see on the exam. Exercises In each chapter, you’ll find exercises designed to give you the important handson experience that is critical for your exam preparation. The exercises support the topics of the chapter, and they walk you through the steps necessary to perform particular functions. Real World Scenarios Because reading a book isn’t enough for you to learn how to apply these topics in your everyday duties, we have provided Real World Scenarios in special sidebars. These explain when and why a particular solution would make sense, in a working environment you’d actually encounter. Interactive CD Every Sybex Study Guide comes with a CD complete with additional questions, flashcards for use with an interactive device, and the book in electronic format. Details are in the following section.

What’s on the CD? With this new member of our best-selling Study Guide series, we are including quite an array of training resources. The CD offers bonus exams and flashcards to help you study for the exam. We have also included the complete contents of the Study Guide in electronic form. The CD’s resources are described here: The Sybex E-book for Windows Server 2008 Applications Infrastructure Many people like the convenience of being able to carry their whole Study Guide on a CD. They also like being able to search the text via computer to find specific information quickly and easily.

Introduction

xxxiii

For these reasons, the entire contents of this Study Guide are supplied on the CD, in PDF. We’ve also included Adobe Acrobat Reader, which provides the interface for the PDF contents as well as the search capabilities. The Sybex Test Engine This is a collection of multiple-choice questions that will help you prepare for your exam. There are four sets of questions: NÛ

NÛ

NÛ

Two bonus exams designed to simulate the actual live exam. All the questions from the Study Guide, presented in a test engine for your review. You can review questions by chapter, or you can take a random test. The assessment test.

Here is a sample screen from the Sybex Test Engine:

Sybex Flashcards for PCs and Handheld Devices The “flashcard” style of question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the exam. The Sybex Flashcards set consists of 100 questions presented in a special engine developed specifically for this Study Guide series. Here’s what the Sybex Flashcards interface looks like:

xxxiv

Introduction

Because of the high demand for a product that will run on handheld devices, we have also developed, in conjunction with Land-J Technologies, a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).

Hardware and Software Requirements You should verify that your computer meets the minimum requirements for installing Windows Server 2008. We suggest that your computer meets or exceeds the recommended requirements for a more enjoyable experience. The exercises in this book assume that your computer is configured in a specific manner. Your computer should have at least a 20GB drive that is configured with the minimum space requirements and partitions. Other exercises in this book assume that your computer is configured as follows: NÛ

20GB C: partition with the NTFS filesystem

NÛ

Optional D: partition with the NTFS filesystem

NÛ

15GB or more of free space

Introduction

xxxv

Of course, you can allocate more space to your partitions if it is available. The first exercise in the book assumes that you have installed Windows Server 2008. Many of the exercises, including the failover clustering exercises in Chapter 10, assume that you have an Active Directory domain configured and that you have administrative rights on that domain.

Contacts and Resources To find out more about Microsoft Education and Certification materials and programs, to register with Prometric, or to obtain other useful certification information and additional study resources, check the following resources: Microsoft Learning Home Page www.microsoft.com/learning

This website provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification. Microsoft TechNet Technical Information Network www.microsoft.com/technet

(800) 344-2121 Use this website or phone number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information. Prometric www.prometric.com฀

(800) 755-3936 Contact Prometric to register to take an exam at any of more than 800 Prometric Testing Centers around the world. MCP Magazine Online www.mcpmag.com฀

Microsoft Certified Professional Magazine is a well-respected publication that focuses on Windows certification. This site hosts chats and discussion forums and tracks news related to the MCTS and MCITP program. Some of the services cost a fee, but they are well worth it. WindowsITPro Magazine www.windowsITPro.com

You can subscribe to this magazine or read free articles at the website. The study resource provides general information on Windows Vista, Server, and .NET Server.

Assessment Test 1.

You have been given a server with three hard disks, all with the same capacity. The first drive contains the operating system files. You must provide data redundancy while providing the most amount of capacity. To accomplish this, which of the following would you do? A. Select the first drive, right-click, and select New RAID 5 Volume.

2.

B.

Select the first drive, right-click, and select New Mirrored Volume.

C.

Select the first drive, right-click, and select New Striped Volume.

D.

Select the first drive, right-click, and select New Simple Volume.

You have been given a server that contains three HBAs. Each card can access the storage over a separate path. The application that runs on the server can exceed the usage of a single path. Which of the following MPIO options should be selected to provide the needed bandwidth as well as minimal redundancy? A. Failover

3.

B.

Dynamic Least Queue Depth

C.

Weighted path

D.

Round robin

A server named TSrv1 running Windows Server 2008 has the Terminal Server role installed and you have deployed a remote application from this server. You have already contacted the vendor to verify that the application is supported in a Terminal Server environment, but the installation package does not use an MSI installer package. After you have deployed the remote application, users report remote application time-outs and various disconnected sessions. How can you ensure that the application has been installed to support multiple sessions? A. Run the change฀user฀/disable command on TSrv1, install the application, and run the change฀user฀/enable command on TSrv1. B.

Run mstsc฀/v:TSrv1฀/admin from you client computer to log on to the TSrv1 and install the application.

C.

Run the change฀user฀/execute command on TSrv1, install the application, and run the change฀user฀/install command on TSrv1.

D.

Run the change฀user฀/install command on TSrv1, install the application, and run the change฀user฀/execute command on TSrv1.

Assessment Test

4.

xxxvii

You are a server administrator with two servers running Windows 2008 with the Terminal Services role installed, TSrv1 and TSrv2. TSrv1 is currently publishing remote applications and distributing them through RDP files through a web virtual directory. You want the program lists and deployment settings to be the same on both servers, so you import the RemoteApp programs settings from TSrv1. Users complain that they cannot access the remote applications on TSrv2 but can on TSrv1. Which of the following procedures would you do to ensure that users can access the applications on TSrv2? A. Copy the RDP files from TSrv1 to a new web virtual directory for TSrv2.

5.

B.

Configure TSrv1 and TSrv2 to participate in TS Session Broker Load Balancing.

C.

Re-create the RDP files on TSrv2 and distribute them to the users.

D.

Re-create the RDP files on TSrv1 and distribute them to the users.

Your company runs Window Server 2008 Terminal Service servers and all the clients are Windows Vista. There is a new company video broadcast that the clients will be running from these terminal servers. Which of the follow action would you take to ensure that Media Player 11 is enabled on the terminal servers? A. Install the Desktop Experience feature on the Terminal Service servers. B.

6.

Install the Vista theme on the Terminal Service servers.

C.

Check the Desktop composition box on the RDC client of the user’s computer.

D.

Install Windows Media Server 2008 on the Terminal Service servers.

You have an Active Directory domain and the TS Licensing service role is installed on a server named TSrv1 that is in a workgroup. You cannot enable TS Per User CALs on this license server. What do you need to do to enable TS Per User CALs? A. Get license keys from the Microsoft Clearinghouse and enter the keys into the license server.

7.

B.

Join TSrv1 to the domain.

C.

Install the Terminal Services Role on TSrv1.

D.

Install the TS Gateway role on TSrv1.

You are running the Terminal Services role on a server and are publishing RemoteApps and using GPOs to set the policies on the server. You check Terminal Services Manager and notice that there are disconnected sessions that are several days old. How in the future can you ensure that disconnected sessions do not exist? A. Log into Terminal Services Manager and reset each disconnected session. B.

In the Group Policy Management Console, enable the policy Restrict Terminal Service users to a remote session.

C.

In the Group Policy Management Console, enable the policy Set time limit for disconnected sessions.

D.

Set the terminal server to drain mode.

Assessment Test

xxxviii

8.

You have installed a TS license server and you wish to activate it. You choose the automatic connection to activate the server with the Microsoft Clearinghouse but it fails. You suspect that your firewall is configured incorrectly, and you want the activation process to happen automatically. How can you ensure this? A. Open port 443 on your firewall.

9.

B.

Open port 80 on your firewall.

C.

Open port 3389 on your firewall.

D.

Open port 1494 on your firewall.

You have just deployed a new .NET web application and need to provide it with the least amount of privileges. The application needs to be able to access the Registry. Which of the following .NET trust levels will provide the least amount of privileges required? A. Full B.

High

C.

Medium

D.

Low

E.

Minimal

10. You have configured an SMTP server to be the smart host for a number of servers so that the server can send all outbound email out to the Internet. None of the messages that have been sent have been received by the recipient. What must be done to allow email to be delivered? A. Enable TLS encryption. B.

Add the sending servers to the exceptions list on the connection control.

C.

Add the sending servers to the allow list in the relay restrictions.

D.

Enable LDAP Routing.

11. You must configure a website to allow Windows user credentials based on file system permissions to provide access to a single virtual directory. Which authentication modules must you disable on the virtual directory if the IUSR_ServerName account has permissions on the site content? A. Basic Authentication B.

Anonymous Authentication

C.

Digest Authentication

D.

Integrated Windows Authentication

12. You must restore the server’s configuration to before the last set of configuration changes you made. Which command should you run? A. AppCmd฀restore฀backup฀“Last฀Backup” B.

AppCmd฀restore฀backup฀“CFGHISTORY_0000000001”

C.

AppCmd฀restore฀backup฀“CFGHISTORY_0000000100”

D.

AppCmd฀add฀backup฀“CFGHISTORY_0000000100”

Assessment Test

xxxix

13. You are the administrator for an engineering firm. The chief information officer (CIO) informs you that the president of the company wants to make a live broadcast to all employees. The CIO informs you that he does not want the employees to be able to record the broadcast or pause it. In addition, he wants you to reduce the impact that the broadcast will have on the server. What two options should you choose to meet the CIO’s requirements? A. Deliver the content with a unicast stream. B.

Use on-demand publishing points.

C.

Deliver the content with a multicast stream.

D.

Use a broadcast publishing point.

14. Your company has a shared directory that contains files created with Word, Excel, PowerPoint, and Publisher. The senior network administrator wants you to use the newly installed Windows 2008 Server to provide better control over who has access to those files and to limit the amount of time the files can be used. In addition, he wants you to reduce the amount of administration effort that is currently being spent used to change rights on user files. What options should you choose to install and configure? (Choose all that apply.) A. Windows SharePoint Services B.

Active Directory Rights Management Service Role (AD RMS)

C.

Configure Rights Policy Templates

D.

Configure Active Directory Security Groups

15. After deploying your WSS 3.0 site, you get a request from management to create a document library for the human resources department. Management has also requested that the human resources department should only be able to view and add content to the site. What level of security permissions should you provide to the human resources group? A. Owner B.

Visitor

C.

Member

D.

Administrator

16. You deploy a new WSS 3.0 site in your company intranet. The sales department asks you to create a new web application for this new site. After you create the new web application, users in the sales department report that they cannot access it. What step do you need to perform so that the application is available to your users in the sales department? A. Manually reset IIS on all servers within your SharePoint farm. B.

Ask users in the sales department to log off and then log on to their workstations.

C.

Change permissions on the sales user group to administrator level.

D.

Give sales users site owners permissions to the web application.

17. When is an operating system Hyper-V hypervisor aware? A. Automatically, if you install a Microsoft operating system B.

When you install the VM components

C.

After you install the Integration Components

D.

When you turn on hypervisor awareness in Hyper-V

Assessment Test

xl

18. What types of virtual hard disks can you configure in Hyper-V Manager? (Choose all that apply.) A. Dynamically expanding B.

Fixed size

C.

Differencing

D.

Pass-through

19. What statement is correct when you create an internal only virtual network for your virtual machines on a Hyper-V server? A. The virtual machines can communicate with each other and with the host machine. B.

The virtual machines can communicate with each other only.

C.

The virtual machines can communicate with each other, with the host machine, and with the network.

D.

The virtual machines cannot communicate with each other.

20. You are an IT administrator for a medium-size company. This company has 250 Vista computers and 15 Windows 2008 Server machines. One of your users puts in a service request stating that he is no longer able to open certain programs or access some functions. When the user logs into another machine, he is able to access the programs and features. He also states that he has been getting a Windows Activation popup from time to time. What would you do to resolve this issue? A. Check the user’s permissions in Active Directory and assign admin rights to his machine. B.

Scan for viruses.

C.

Activate his copy of Windows Vista.

D.

Restore the machine from a backup.

21. The CIO of your company informs you that you have 80 machines to replace this year and every year going forward as part of the technology refresh program the company has just adopted. He also informs you that this needs to be done with your current staff and you need to stay within the budgeted hours. The CIO also wants you to find a way to enforce standards because he claims that many of the builds by some of the new technicians are not up to company standards. Your company has 500 Windows XP machines and 10 Windows 2003 Server machines and two newly deployed Windows Server 2008 machines. How can you meet the CIO’s requests? A. Install an RIS server and use Norton Ghost to create a image to be deployed to the new machines. B.

Install Windows 2008 Server on a machine and install the WDS role. Create images based on the company standards and then use those images to deploy the new machines.

C.

Modify the ntuser file to meet the standards of the company. Then include this file in the users login script.

D.

Have the vendor create a machine that includes all the standards required by the company.

Assessment Test

xli

22. To meet your company’s growing demands, you have installed WDS on a Windows Server 2008 machine. This machine is also used for DNS, DHCP, and print services. This WDS install will allow you to deploy images to new computers and servers and provide a tool for the help desk in case they need to reinstall the operating system. Your network administrator has created the proper images and placed them in the image folder. The administrator reports that he is not able to PXE boot into the WDS server. He is sure that the boot and deploy images are configured properly and in the right location. You check the services and they are all running. What could be the issue? A. Check the DNS server to make sure its running. B.

Boot image has not been added to the server.

C.

You need to run WDSUTIL฀/start-server.

D.

Change the DHCP port.

23. A failover cluster contains two nodes, and a business requires the cluster’s application to remain active and not have a single point of failure. Which of the following quorum models would work in a two-node failover cluster? (Choose all that apply.) A. No Majority: Disk Only B.

Node Majority

C.

Node and Disk Majority

D.

Node and File Share Majority

24. A two-node failover cluster has two clustered services. Each node should have only one clustered service running when both nodes are operational or have returned to operation. Which two options must be configured on each clustered service? (Choose all that apply.) A. Set the Allow failback option. B.

Set the Prevent failback option.

C.

Set each service to have a different preferred owner.

D.

Set each resource to attempt restart on the current node.

25. An NLB cluster has three nodes. One of the cluster nodes has less hardware resources than the other two nodes and cannot handles as many connections. What would you need to do to reduce the number of connections that the NLB attempts to handle? A. Change the port rules on each node and set an appropriate load. B.

Change the port rule on the underpowered server and set a higher number for load.

C.

Change the port rule on the underpowered server and set a lower number for load.

D.

Change the Affinity setting on the underpowered server to be Single.

Answers to Assessment Test

xlii

Answers to Assessment Test 1.

B. Using RAID-1 is only correct option because OS files and boot files cannot reside on RAID-5 disks. Striped and simple volumes are not redundant.

2.

D. A round robin configuration uses all available active paths and will distribute I/O in a balanced round robin fashion. Failover only uses a primary and standby paths, allowing for link failure. Weighted path assigns requests to the path with the least weight value. Dynamic Least Queue Depth routes requests to the path with the least number of outstanding requests.

3.

D. To install an application that does not use an MSI package, you must change the server mode to install mode. After the installation is complete, the server must be placed back in execute mode. A is incorrect because the disable command changes the mode so the user cannot establish a connection to the terminal server. B is incorrect because installing an application from the administrator’s session does not place the server into the correct mode. C is incorrect because the commands are in reversed order.

4.

C. Because the original RDP files where created on TSrv1, they will connect only to TSrv1, thus new RDP files will have to be created and distributed from TSrv2. Copying or re-creating the RDP files from TSrv1 won’t work because it will not change the connection path for the users. Configuring TS Session Broker Load Balancing won’t work because all the RDP files would have to point to the terminal server farm name.

5.

A. To enable Media Player 11 for the remote clients, the Desktop Experience feature must be installed. B and C are incorrect because they involve setting up the Aero desktop for remote desktop sessions. D is incorrect because there is no need for Media Server on the server.

6.

B.

7.

C. If you enable and configure Set time limit for disconnected sessions, a time limit for disconnected session will be set and when the time limit is reached the session will be deleted from the server. The policy is useful to ensure that resources are released on the server. Although option A is possible, it is not the best way to accomplish this task. Restricting the user’s remote session will remove disconnected sessions. Putting the server in drain mode will not allow users to connect at all.

8.

A. The automatic connection requires an SSL connection (TCP port 443) to activate the license server with Microsoft Clearinghouse over the Internet.

9.

B. Medium and lower trust levels do not allow access to the Registry, so they would not be suitable levels for this application. High is the first level that allows the required access. Full allows too much access, so it is also not a valid answer.

Per User CALs are available if only the TS license server is a member of a domain.

10. C. The messages are not being delivered because the default setting is to not allow relaying. The sending servers must be added to be allowed to relay. Enabling TLS encryption may secure the SMTP transmission, but it will not affect message delivery. Adding the servers to the exceptions will not allow the servers to communicate to the SMTP server at all. Enabling LDAP routing will allow email address lookups but will not affect delivery of email to the Internet.

Answers to Assessment Test

xliii

11. B. Since the IUSR_ServerName account has permission, Anonymous authentication will keep the server for prompting for credentials. 12. C. The highest configuration number is the latest backup, so that would be correct backup to restore. The backup set named “Last฀Backup” would not be correct as it would have been manually run instead of done when a configuration change was made. When AppCmd฀add฀ backup is run, it creates a new backup, not a restore, so it would also be an incorrect choice. 13. C, D. C and D are correct because multicast streams reduce the impact on the server by producing a single stream that multiple users can connect to and broadcast publishing only allows the user to play the content. A and B are incorrect because unicast streams would not decrease the load on the server and on-demand publishing is for delivering content that the users can control. 14. B, C. B and C are correct because AD RMS is the role that allows for better control of files and configuring rights policy templates would reduce the amount of administration needed because it allows the user to apply a preconfigured rights template. A is incorrect because, while SharePoint can control content access, it is not used to limit the amount of time a file is on a user’s computer or can be accessed. D is wrong because Active Directory Security Groups would still have to be administered by the IT staff and wouldn’t reduce the time spent on rights management. 15. C. Options A and D would give the group more than the requested permissions. Option B would not allow the group to add content. Option C would allow them to contribute content. 16. A. Option A is correct because any new applications require an IIS reset before they will be available to the end user. Option B is wrong because it is related to the Active Directory account and not the web application. Options C and D are incorrect because if the problem have been related to permissions, the WSS page that the users saw would have stated that they did not have permission to view this page. 17. C. An operating system running in a virtual machine gets hypervisor aware once the Hyper-V Integration Components or Services are installed because it will support using the VMBus. 18. A, B, C, D.

All options are correct.

19. A. The virtual machines can communicate with each other and with the host machine. That’s the definition for an internal only network. If they communicate only with each other, that’s called a private virtual network. If the virtual machines also can communicate with the external network, that’s called external. The last option assumes that no virtual network is configured at all, thus virtual machines cannot communicate with each other 20. C. C is the correct answer because when a Windows Vista product is not activated, it will reduce the functionality of the machine until it is activated. Option A is incorrect because we have no indication that this is related to his user account. B is wrong because there is no solid evidence that this user has a virus. D is incorrect because this would not solve the issue of loss of functions.

xliv

Answers to Assessment Test

21. B. A and D are incorrect because they do not meet the request by the CIO to stay with normal budget. C is wrong because it would not reduce the time to install the operating systems. B is correct because it would meet the needs of the CIO. 22. D. When WDS and DHCP are running on the same machine, it causes a conflict. Changing the port in the WDS server properties will resolve the issue. B and C are wrong because the image was added to the server and running WDSUTIL฀/start-server will start all the WDS services, but you have confirmed them as running. Option A is wrong because you have not been informed of any other issues related to DNS. 23. C, D. Node and Disk Majority and Node and File Share Majority both allow for one of the nodes to be offline and still have quorum. Although No Majority: Disk Only allows for a node to be offline, the quorum shared disk is a single point of failure. Since there are only two nodes, both nodes have to be up if only Node Majority were chosen. 24. A, C. The preferred owner would need to be set for each clustered service so that each service would have a different preferred owner. Also, the allow failback would have to be set to make sure that after a failure has been recovered, the clustered service would automatically fail back to the preferred owner. The prevent failback option would not allow the clustered service to automatically fail back to the preferred owner. Also, setting the resources to attempt to restart on the current node will not ensure that the clustered application is on the preferred node. 25. A. For the load to be changed, each node would need to have compatible load settings. If load was changed on only one of the nodes, convergence would never complete. Also, changing the Affinity setting does not affect the number of connections to a particular node.

Chapter

1

Windows Server 2008 Storage Services MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configure storage. May include but is not limited to: RAID types, Virtual Disk Specification (VDS) API, Network Attached Storage, iSCSI and fibre channel Storage Area Networks, mount points.

Disk storage is a requirement for just about every computer and application used in any corporate environment. Administrators have some familiarity with storage, whether it is internal storage, a locally attached set of disks, or network attached storage (NAS). In this chapter, we will examine the various aspects of Windows Server 2008 Storage Services. We’ll discuss the various types of storage technologies, but this chapter will primarily focus on iSCSI because of the new native features in Windows Server 2008. This chapter includes the following main topics: NÛ

Initializing disks

NÛ

Dynamic and basic disks

NÛ

Volume sets

NÛ

RAID types

NÛ

Mount points

NÛ

Storage technologies (iSCSI, Fibre Channel, NAS)

NÛ

Virtual Disk Specification (VDS)

NÛ

Storage Manager for SANS

NÛ

Storage Explorer

Storage in Windows Server 2008 What type of disks should be used? What type of RAID sets should be made? What type of hardware platform should be purchased? These are all questions that many administrators have to make when planning for storage in Windows Server 2008. In the following sections, we will attempt to answer these questions so that administrators can make the best decisions for their storage environment. We’ll cover the basics to prepare you to make these decisions when you’re either purchasing or configuring your storage solutions.

Initializing Disks To begin this section, we must first discuss how to add disk drives to a server. Once a disk drive has been installed, it must be initialized by selecting the type of partition. There are

Storage in Windows Server 2008

3

two types of partition styles used to initialize disks: Master Boot Record (MBR) and GUID Partition Table (GPT). MBR has a partition table that indicates where the partitions are located on the disk drive, and with this particular partition style, only volumes up to two terabytes (1,024 gigabytes) are supported. An MBR drive can have up to four primary partitions or three primary partitions and one extended partition that can be divided into unlimited logical drives. Windows Server 2008 can boot off only an MBR disk unless it is based on the Extensible Firmware Interface (EFI); then it can boot from GPT. An Itanium server is an example of EFI-based system. GPT is not constrained by the same limitations MBR is. In fact, a GPT disk drive can support volumes of up to 18 exabytes (1 million terabytes) and 128 partitions. As a result, GPT is recommended for disks larger than 2TB or disks used on Itanium-based computers. Exercise 1.1 demonstrates the process of initializing additional disk drives to an active computer running Windows Server 2008. E X E R C I S E 1 .1

Initializing Disk Drives Follow these steps to initialize disk drives:

1.

Click Start  Administrative Tools  Server Manager.

2.

Click and then expand Storage.

3.

Select Disk Management.

4.

After disk drives have been installed, right-click Disk Management and select Rescan Disks.

4

Chapter 1

N

Windows Server 2008 Storage Services

E X E R C I S E 1 .1 ( c o n t i n u e d )

5.

A pop-up box appears indicating that the server is scanning for new disks.

6.

After the server has completed the scan, the new disk appears as Unknown.

7.

Right-click the Unknown disk and select Initialize Disk.

Storage in Windows Server 2008

5

E X E R C I S E 1 .1 ( c o n t i n u e d )

8.

A pop-up box appears asking for the partition style. For this exercise, choose MBR.

9.

Click OK.

The disk will now appear online as a basic disk with unallocated space.

Working with Basic and Dynamic Disks Windows Server 2008 supports two types of disk configurations: basic and dynamic. Basic disks are divided into partitions and can be used with previous versions of Windows. Dynamic disks are divided into volumes and can be used with Windows 2000 Server and later releases. When a disk is initialized, it is automatically created as a basic disk, but when a new fault-tolerant volume set is created, the disks in the set are converted to dynamic disks. Fault-tolerance features and the ability to modify disks without having to reboot the server are what distinguish dynamic disks from basic disks. A basic disk can simply be converted to a dynamic disk without loss of data. When a basic disk is converted, the partitions are automatically changed to the appropriate volumes. However, converting a dynamic disk back to a basic disk is not as simple. First, all the data on the dynamic disk must be backed up or moved. Then all the volumes on the dynamic disk have to be deleted. The dynamic disk can then be converted to a basic disk. Partitions and logical drives can be created and the data restored. The following are actions that can be performed on basic disks: NÛ

Format partitions.

NÛ

Mark partitions as active.

NÛ

Create and delete primary and extended partitions.

NÛ

Create and delete logical drives.

NÛ

Convert from a basic disk to a dynamic disk.

6

Chapter 1

N

Windows Server 2008 Storage Services

The following are actions that can be performed on dynamic disks: NÛ

Create and delete simple, striped, spanned, mirrored, or RAID-5 volumes.

NÛ

Remove or break a mirrored volume.

NÛ

Extend simple or spanned volumes.

NÛ

Repair mirrored or RAID-5 volumes.

NÛ

Convert from a dynamic disk to basic after deleting all volumes. In Exercise 1.2, you’ll convert a basic disk to a dynamic disk.

E X E R C I S E 1. 2

Converting a Basic Disk to a Dynamic Disk Follow these steps to convert a basic disk to a dynamic disk:

1.

Click Start  Administrative Tools  Server Manager.

2.

Click and then expand Storage.

3.

Select Disk Management.

4.

Right-click a basic disk that you want to convert and select Convert to Dynamic Disk.

Storage in Windows Server 2008

E X E R C I S E 1. 2 (continued)

5.

The Convert to Dynamic Disk dialog box appears. From here, select all the disks that you want to convert to dynamic disks. In this exercise, only Disk 2 will be converted.

6.

Click OK.

7.

The Convert to Dynamic Disk dialog box changes to the Disks to Convert dialog box and show the disk/disks that will be converted to dynamic disks.

8.

Click Convert.

9.

Disk Management will warn that if you convert the disk to dynamic, you will not be able to start the installed operating system from any volume on the disk (except the current boot volume).

10. Click Yes. The converted disk will now show as dynamic in Disk Management.

7

8

Chapter 1

N

Windows Server 2008 Storage Services

E X E R C I S E 1. 2 (continued)

Microsoft recommends using basic disks if you do not require spanned volumes, striped volumes, mirrored volumes, or RAID-5 volume sets.

Working with Volume Sets A volume set is created from volumes that span multiple drives by using the free space from those drives to construct what will appear to be a single drive. The following list includes the various types of volume sets and their definitions: Simple volume uses only one disk or a portion of a disk. Spanned volume is a simple volume that spans multiple disks, with a maximum of 32. Use a spanned volume if the volume needs are too great for a single disk. Striped volume stores data in stripes across two or more disks. A striped volume gives you fast access to data but is not fault tolerant, nor can it be extended or mirrored. If one disk in the striped set fails, the entire volume fails.

Storage in Windows Server 2008

9

Mirrored volume duplicates data across two disks. This type of volume is fault tolerant because if one drive fails, the data on the other disk is unaffected. RAID-5 volume stores data in stripes across three or more disks. This type of volume is fault tolerant because if a drive fails, the data can be re-created from the parity off the remaining disk drives. Operating system files and boot files cannot reside on the RAID-5 disks. Exercise 1.3 illustrates the procedure for creating a volume set. E X E R C I S E 1. 3

Creating a Volume Set Follow these steps to create a volume set:

1.

Click Start  Administrative Tools  Server Manager.

2.

Click and then expand Storage.

3.

Select Disk Management.

4.

Select and right-click a disk that has unallocated space. If there are no disk drives available for a particular volume set, that volume set will be grayed out as a selectable option. In this exercise, you’ll choose a spanned volume set, but the process after the volume set selection is the same regardless of which kind you choose. The only thing that differs is the amount of disk drives chosen.

10

Chapter 1

N

Windows Server 2008 Storage Services

E X E R C I S E 1. 3 (continued)

5.

The Welcome page of the New Spanned Volume Wizard appears and explains the type of volume set chosen. Click Next.

6.

The Select Disks page appears. Select the disk that will be included with the volume set and click Add. Repeat this process until all the desired disks have been added. Click Next.

7.

The Assign Drive Letter or Path page appears. From here you can select the desired drive letter for the volume, mount the volume in an empty NTFS folder, or choose to not assign a drive letter. The new volume is labeled as E. Click Next.

8.

The Format Volume page appears. Choose to format the new volume. Click Next.

9.

Click Finish.

10. If the disks have not been converted to dynamic, you will be asked to convert the disks. Click Yes. The new volume will appear as a healthy spanned dynamic volume with the new available disk space of new volume set.

Storage in Windows Server 2008

11

E X E R C I S E 1. 3 (continued)

RAID Built into Windows Server 2008 is the ability to support drive sets and arrays using Redundant Array of Independent Disks (RAID) technology. RAID can be used to enhance data performance, or it can be used to provide fault tolerance to maintain data integrity in case of a hard disk failure. Windows Server 2008 supports three different types of RAID technologies: RAID-0, RAID-1, and RAID-5. RAID-0 is also known as disk striping. Disk striping is using two or more volumes on independent disks created as a single striped set. There can be a maximum of 32 disks. In a striped set, data is divided into blocks that are disturbed sequentially across all the drives in the set. With RAID-0, disk striping, you get very fast read and write performance because multiple blocks of data can be accessed off of multiple drives simultaneously. However, RAID-0 does not offer the ability to maintain data integrity during a single disk failure. In other words, RAID-0 is not fault tolerant; a single disk event will cause the entire striped set to be lost, and it will have to be re-created through some type of recovery process, such as a tape backup.

12

Chapter 1

N

Windows Server 2008 Storage Services

RAID-1 is also known as disk mirroring. Disk mirroring is two logical volumes on two separate identical disks created as a duplicate disk set. Data is written on two disks at the same time; that way, in the event of a disk failure, data integrity is maintained and available. Although this fault tolerance gives administrators data redundancy, it comes with a price because it diminishes the amount of available storage space by half. For example, if an administrator wants to create a 300GB mirrored set, they would have to install two 300GB hard drives into the server, thus doubling the cost for the same available space. RAID-5 is also known as disk striping with parity. With disk striping with parity, you use three or more disks (with a maximum of 32) striped across all the disks with an additional block of error-correction called parity, which is used to reconstruct the data in the event of a disk failure. RAID-5 has slower write performance than the other RAID types because the OS must calculate the parity information for each stripe that is written, but the read performance is equivalent to a stripe set, RAID-0, because the parity information is not read. Like RAID-1, RAID-5 comes with additional cost considerations. For every RAID-5 set, roughly an entire hard disk is consumed for storing the parity information. For example, a minimum RAID-5 set requires three hard disks, and if those disks are 300GB each, approximately 600GB of disk space is available to the OS and 300GB is consumed by parity information, which equates to 33.3 percent of the available space. Similarly, in a five-disk RAID-5 set of 300GB disks, approximately 1200GB of disk space is available to the OS, which means that 20 percent of the total available space is consumed by the parity information. The words roughly and approximately are used when calculating disk space because a 300GB disk will really be only about 279GB of space. This is because vendors define a gigabyte as one billion bytes, but the OS defines it as 2^30(1,073,741,824) bytes. Also remember that file systems and volume managers have overhead as well. Table 1.1 breaks down the various aspects of the supported RAID types in Window Server 2008. TA B L E 1 .1

Supported RAID Level Properties on Windows Server 2008

Advantages

Minimum Number of Disks

Maximum Number of Disks

No

Fast reads and writes

2

32

Disk mirroring

Yes

Data redundancy and faster writes than RAID-5

2

2

Disk striping with parity

Yes

Data redundancy with less overhead and faster reads than RAID-1

3

32

RAID Level

RAID Type

Fault Tolerant

0

Disk striping

1

5

Storage in Windows Server 2008

13

RAID-1 total available disk space is calculated by taking one half of the sum of both disks in the disk set, and RAID-5 total available disk space is calculated by subtracting the space of one entire disk from the sum of all the disks in the disk set.

Creating RAID Sets Now that you understand the fundamental concepts of RAID sets and how to use them, we can now look at the creation of RAID sets in Windows Server 2008. The process of creating a RAID set is the same as the process for creating a simple or spanned volume set except for the minimum disk requirements associated with each RAID type. Creating a mirrored volume set is the same as creating a volume set, as shown in Exercise 1.3, except you will select New Mirrored Volume in the fourth step. It is after the disk select wizard appears that you’ll begin to see the difference. Since a new mirrored volume is being created, the volume requires two disks. During the disk select process, if only one disk is selected, the Next button will be unavailable because the disk minimum has not been met. Refer to Figure 1.1 to view the Select Disks page of the New Mirrored Wizard during the creation of a new mirrored volume and notice that the Next button is not available. F I G U R E 1 .1

Select Disks page of the New Mirrored Volume Wizard

To complete the process, you must select a second disk by highlighting the appropriate disk and adding it to the volume set. Once the second disk has been added, the Add button becomes unavailable and the Next button is available to complete the mirrored volume set creation (see Figure 1.2).

14

Chapter 1

F I G U R E 1. 2

N

Windows Server 2008 Storage Services

Adding the second disk to complete a mirrored volume set

After you clicking Next, the creation of the Mirrored Volume set is again just like the rest of the steps, 7 through 11, in Exercise 1.3. A drive letter will have to be assigned and the volume will need to be formatted. The new mirrored volume set will appear in Disk Management. In Figure 1.3, notice that the capacity of the volume equals one disk even though two has been selected. F I G U R E 1. 3

Newly created mirrored volume set

Storage in Windows Server 2008

15

To create a RAID-5 volume set, you use the same process you use to create a mirrored volume set. The only difference is that a RAID-5 volume set requires that a minimum of three disks be selected to complete the volume creation. The process is simple: Select New RAID-5 Volume and then select the three disks that will be used in the volume set. Assign a drive letter and format the volume. Figure 1.4 shows a newly created RAID-5 volume set in Disk Management. F I G U R E 1. 4

Newly created RAID-5 volume set

Mount Points With the ever increasing demands of storage, mount points are used to surpass the limitation of 26 drive letters and to join to volumes into a folder on a separate physical disk drive. A mount point allows you to configure a volume to be accessed from a folder on another existing disk. Through Disk Management, a mount point folder can be assigned to a drive instead of using a drive letter and can be used on basic or dynamic volumes that are formatted with NTFS. However, mount point folders can be created only on empty folders within a volume. Additionally, mount point folder paths cannot be modified; they can only be removed once they have been created. Exercise 1.4 shows steps to create a mount point.

16

Chapter 1

N

Windows Server 2008 Storage Services

E X E R C I S E 1. 4

Creating Mount Points Follow these steps to create a mount point:

1.

Click Start  Administrative Tools  Server Manager.

2.

Click and then expand Storage.

3.

Select Disk Management.

4.

Right-click the volume where the mount point folder will be assigned and select Change Drive Letter and Paths.

5.

Click Add.

6.

Either type the path to an empty folder on an NTFS volume or click Browse to select or make a new folder for the mount point.

When you explore the drive, you’ll see the new Folder created. Notice that the icon indicates that it is a mount point.

Storage in Windows Server 2008

17

Microsoft MPIO (Multipath I/O) Multipath I/O (MPIO) is associated with high availability because a computer will be able to use a solution with redundant physical paths connected to a storage device. So if one path fails, an application will continue to run because it can access the data across the other path. The MPIO software provides the functionality needed for the computer to take advantage of the redundant storage paths. MPIO solutions can also load-balance data traffic across both paths to the storage device, virtually eliminating bandwidth bottlenecks to the computer. What allows MPIO to provide this functionality is the new native Microsoft Drive Specific Module (Microsoft DSM). The Microsoft DSM is a driver that communicates with storage devices—iSCSI, Fibre Channel or SAS—and provides the chosen loadbalancing policies. Windows Server 2008 supports the following load-balancing policies: Failover In a failover configuration, there is no load balancing. There is a primary path that is established for all requests and subsequent standby paths. If the primary path fails, one of the standby paths will be used. Failback This is similar to failover in that it has primary and standby paths. However, with failback you designate a preferred path that will handle all process requests until it fails, after which, the standby path will become active until the primary reestablishes a connection and will automatically regain control. Round robin In a round robin configuration, all available paths will be active and will be used to distribute I/O in a balanced round robin fashion. Round robin with a subset of paths In this configuration, a specific set of paths will be designated as a primary set and another as standby paths. All I/O will use the primary set of paths in a round robin fashion until all the sets fail. Only at this time will the standby paths become active. Dynamic Least Queue Depth In a Dynamic Least Queue Depth configuration, I/O will route to the path with the least number of outstanding requests. Weighted path In a weighted path configuration, paths are assigned a numbered weight. I/O requests will use the path with the least weight. The higher the number, the lower the priority. Exercise 1.5 demonstrates the process of installing the Microsoft MPIO feature for Window Server 2008. E X E R C I S E 1. 5

Installing Microsoft MPIO Follow these steps to install Microsoft MPIO:

1.

Click Start  Administrative Tools  Server Manager.

2.

Right-click Features and select Add Features.

18

Chapter 1

N

Windows Server 2008 Storage Services

E X E R C I S E 1. 5 (continued)

3.

In the Add Features Wizard, check Multipath I/O and click Next.

4.

On the Confirm Installation Selections page, verify that Multipath I/O is the feature that will be installed. Click Install.

5.

After the installation completes, the Installation Results page appears stating that the server must be rebooted to finish the installation process.

6.

Click Close.

7.

Click Yes to restart.

8.

After the restart, the installation will resume. Once it’s complete, click Close.

9.

To open MPIO, click Start  Administrative Tools  MPIO.

Typically, most storage arrays work with the Microsoft DSM. However, some hardware vendors require DSM software that is specific to their products. Third-party DSM software is installed through the MPIO utility: 1.

Click Start  Administrative Tools  MPIO.

2.

Select the DSM Install tab (Figure 1.5).

3.

Add the path of the INF file and click Install.

Storage in Windows Server 2008

F I G U R E 1. 5

19

The DSM Install tab on the MPIO Properties dialog box

iSCSI Internet Small Computer System Interface (iSCSI) is an interconnect protocol used to establish and manage a connection between a computer (initiator) and a storage device (target) by using an existing network through TCP port 3260, which allows it to be used over a LAN, a WAN, or the Internet. Each initiator is identified by its iSCSI Qualified Name (iqn) and is used to establish its connection to an iSCSI target. iSCSI was developed to allow block-level access to a storage device over a network instead of using a Network Attached Storage (NAS) device that connects with through the use of Common Internet File System (CIFS) or Network File System (NFS). Block-level access is important to many applications that require direct access to storage, applications like MS Exchange and MS SQL, for example. By being able to leverage the existing network infrastructure, iSCSI was also developed as an alternative to Fibre Channel storage by alleviating the additional hardware costs associated with a Fibre Channel storage solution. iSCSI also has another advantage over Fibre Channel in that it can provide security for the storage devices by using Challenge Handshake Authentication Protocol (CHAP) for authentication and Internet Protocol security (IPSec) for encryption. Windows Server 2008 is able to connect an iSCSI storage device out of the box with no additional software that needs to be downloaded. This is because the Microsoft iSCSI initiator is built into the operating system. Windows Server 2008 supports two different ways to initiate an iSCSI session. NÛ

NÛ

Through the native Microsoft iSCSI software initiator that resides on Windows Server 2008. Through using a hardware iSCSI host bus adapter (HBA) that is installed in the computer.

20

Chapter 1

N

Windows Server 2008 Storage Services

Both the Microsoft iSCSI software initiator and iSCSI HBA present an iSCSI Qualified Name (iqn) that identifies the host initiator. When the Microsoft iSCSI software initiator is used, the CPU utilization may be as much as 30 percent higher than on a computer with a hardware iSCSI HBA. This is because all of the iSCSI process requests are handled within the operating system. Using a hardware iSCSI HBA, process requests can be offloaded to the adapter, thus freeing the CPU overhead associated with the Microsoft iSCSI software initiator. However, iSCSI HBAs can be expensive, whereas the Microsoft iSCSI software initiator is free. It is worthwhile to install the Microsoft iSCSI software initiator and perform load testing to see how much overhead the computer will have prior to purchasing an iSCSI HBA or HBAs, depending on the redundancy level. Exercise 1.6 explains how to install and configure an iSCSI connection. E X E R C I S E 1.6

Configuring iSCSI Storage Connection Follow these steps to configure iSCSI storage connection:

1.

Click Start  Administrative Tools  iSCSI Initiator.

2.

Click the Discovery tab.

3.

In the Target Portals portion of the tab, click Add Portal.

Storage in Windows Server 2008

E X E R C I S E 1.6 (continued)

4.

Enter the IP address of the target portal and click OK.

5.

The IP address of the target portal appears in the Target Portals box.

21

22

Chapter 1

N

Windows Server 2008 Storage Services

E X E R C I S E 1.6 (continued)

6.

Next select the Targets tab and then click the Refresh button. The iqn of the target appears. Notice that the target’s status is Inactive.

7.

Select the iqn and click the Log On button.

8.

Check Automatically Restore This Connection When the Computer Starts. Don’t check Enable Multi-Path. Remember, only select Enable Multi-Path if the iSCSI multipath software has already been installed. Refer to Exercise 1.5 for details on how to install the MPIO feature for Windows Server 2008.

9.

Click OK.

Storage in Windows Server 2008

23

E X E R C I S E 1.6 (continued)

Notice that the target’s status has now changed to Connected.

To use the storage that has now been presented to the server, you must create a volume on it and format the space. Refer to Exercise 1.3 to review this process.

Internet Storage Name Service (iSNS) Internet Storage Naming Service (iSNS) allows for central registration of an iSCSI environment because it automatically discovers available targets on the network. The purpose of iSNS is to help find available targets on a large iSCSI network. The Microsoft iSCSI initiator includes an iSNS client that is used to register with the iSNS. The iSNS feature maintains a database of clients that it has registered either through DCHP discovery or through manual registration. iSNS DHCP is available after the installation of the service and used to allow iSNS clients to discover the location of the iSNS. However, if iSNS DHCP is not configured, iSNS clients must be registered manually with the iscsicli command. To execute the command, launch a command prompt on a computer hosting the Microsoft iSCSI and type the following: iscsicli฀addisnsserver฀, where is the name of the computer hosting iSNS. Exercise 1.7 walks through the steps to install the iSNS feature on Windows Server 2008.

24

Chapter 1

N

Windows Server 2008 Storage Services

E X E R C I S E 1.7

Installing the iSNS Feature on Windows Server 2008 Follow these steps to install the iSNS feature on Windows Server 2008:

1.

Click Start  Administrative Tools  Server Manager.

2.

Right-click Features and select Add Features.

3.

In the Add Features Wizard, check Internet Storage Name Server and click Next.

4.

On the Confirm Installation Selections page, verify that Internet Storage Name Server is the feature that will be installed. Click Install.

5.

After the installation completes and the Installation Results page appears, verify that the installation was successful and click Close.

6.

Launch iSNS Server by clicking Start  Administrative Tools  iSNS Server.

Storage in Windows Server 2008

E X E R C I S E 1.7 (continued)

7.

Click the General tab. This tab displays the list of registered initiators and targets. In addition to their iSCSI Qualified Name (iqn), it lists storage node type (Target or Initiator), alias string, and entity identifier (the Fully Qualified Domain Name (FQDN) of the machine hosting the iSNS client).

8.

Click the Discovery Domains tab. The purpose of Discovery Domains is to provide a way to separate and group nodes. This is very similar to zoning in Fibre Channel. The following options are available on the Discovery Domains tab: Create

Used to create a new discovery domain.

Refresh Used to repopulate the Discovery Domain drop-down list. Delete

Used to delete the currently selected discovery domain.

Add Used to add nodes that are already registered in iSNS to the currently selected discovery domain. Add New Used to add nodes by entering the iSCSI Qualified Name (iqn) of the node. These nodes do not have to be currently registered. Remove Used to remove selected nodes from the discovery domain.

25

Chapter 1

26

N

Windows Server 2008 Storage Services

E X E R C I S E 1.7 (continued)

9.

Click the Discovery Domain Sets tab. The purpose of discovery domain sets is to further separate discovery domains. Discovery domains can be enabled or disabled, giving administrators the ability to further restrict the visibility of all initiators and targets. The options on the Discovery Domain Sets tab are as follows: Enable A check box used to indicate the status of the discovery domain sets and to turn them off and on. Create

Used to create new discovery domain sets.

Refresh Used to repopulate the Discovery Domain Sets drop-down list. Delete

Used to delete the currently selected discovery domain set.

Add Used to add discovery domains to the currently selected discovery domain set. Remove Used to remove selected nodes from the discovery domain sets.

Storage in Windows Server 2008

27

E X E R C I S E 1.7 (continued)

Fibre Channel Fibre Channel storage devices are similar to iSCSI storage devices in that they both allow block-level access to their data sets and can provide MPIO policies with the proper hardware configurations. However, Fibre Channel requires a Fibre Channel HBA, fibre optic cables, and Fibre Channel switches to connect to a storage device. A World Wide Name (WWN) from the Fibre Channel HBA is used from the host and device so they can communicate directly with each other, similar to using a NIC’s MAC address. In other words, a logical unit number (LUN) is presented from a Fibre Channel storage device to the WWN of the host’s HBA. Fibre Channel has been the preferred method of storage because of the available connection bandwidth between the storage and the host. Fibre Channel devices supports 1Gb/s, 2Gb/s, and 4Gb/s connections and soon will support 8Gb/s connections, but now that 10Gb/s Ethernet networks are becoming more prevalent in many datacenters, iSCSI can be a suitable alternative. It is important to consider that 10Gb/s network switches can be more expensive than comparable Fibre Channel switches.

28

Chapter 1

N

Windows Server 2008 Storage Services

Network Attached Storage (NAS) The concept of a Network Attached Storage (NAS) solution is that it is a low-cost device for storing data and serving files through the use of an Ethernet LAN connection. A NAS device accesses data at the file level via a communication protocol such as NFS, CIFS, or even HTTP, which is very different from iSCSI or FC Fibre Channel storage devices that access the data at the block level. NAS devices are best used in file storing applications, and it does not require a storage expert to install and maintain the device. In most cases, the only setup that is required is an IP address and an Ethernet connection.

Managing SANs In the following sections, we will discuss the tools in Windows Server 2008 that will help manage the various aspects of storage: Storage Manager for SANs (SMfS) and Storage Explorer. These tools are used independently of one another, but they both provide a very powerful and centralized interface to administer a storage environment. Storage Manager for SANs manages the physical storage arrays; conversely, Storage Explorer views and manages the Fibre Channel and iSCSI connections available in the environment.

Virtual Disk Service (VDS) Virtual Disk Server (VDS) has been created to ease the administration efforts of managing all the various type of storage devices. Many storage hardware providers used their own applications for installation and management, and this made administering all these various devices very cumbersome. VDS is a set of application programming interfaces (APIs) that provide a centralized interface for managing all the various storage devices. The native VDS API enables the management of disks and volumes at an OS level, and hardwarevendor-supplied APIs manage the storage devices at a RAID level. These are known as software and hardware providers. A software provider is host based and interacts with Plug and Play Manager because each disk is discovered and operates on volumes, disks, and disk partitions. VDS includes two software providers: basic and dynamic. The basic software provider manages basic disks with no fault tolerance, whereas the dynamic software providers manage dynamic disks with fault management. A hardware provider translates the VDS APIs into instructions specific to the storage hardware. This how storage management applications are able to communicate with the storage hardware to create LUNs or Fibre Channel HBAs to view the WWN. The following are Windows Server 2008 storage management applications that use VDS: Disk Management snap-in This application configures and manages the disk drives on the host computer. You have already seen this application in use when you initialized disks and created volume sets.

Managing SANs

29

DiskPart is a command-line utility that configures and manages disks, volumes, and partitions on the host computer. It can also be used to script many of the storage management commands. DiskPart is a very robust tool and should be studied on your own because it beyond the scope of this book. Figure 1.6 shows the various commands and their function for the DiskPart utility. F I G U R E 1. 6

DiskPart commands

DiskRAID is also a scriptable command-line utility that configures and manages hardware RAID storage systems. However, at least one VDS hardware provider must be installed for DiskRAID to be functional. DiskRAID is another useful utility and should be studied on your own because it’s beyond the scope of this book. Storage Manager for SANs Storage Manager for SANs is a graphical user interface utility that is used to manage SANs. It will be discussed further in the following section.

Storage Manger for SANs (SMfS) Storage Manager for SANs is a utility that is used to create and manage LUNs on both Fibre Channel and iSCSI storage arrays that support Virtual Disk Service (VDS). A LUN is similar to a volume in that it is a logical representation of a disk drive that is a part of a storage array. A SAN using Storage Manager simplifies the management of these resources in a SAN environment because it is a centralized location were LUNs can be assigned

30

Chapter 1

N

Windows Server 2008 Storage Services

access and control privileges even though Fibre Channel and iSCSI use different types of hardware and network protocols. To use Storage Manager for SANs, you must make sure the server and the storage array meet the following requirements: NÛ

The server must have the Storage Manager for SANs feature installed.

NÛ

The storage array must support VDS.

NÛ

NÛ

NÛ

The VDS hardware provider’s software for the storage array must be installed on the server. The storage array must be directly attached or accessible over the network. In order to manage an iSCSI array through Storage Manager for SANs, you must install an iSCSI initiator on the server.

Exercise 1.8 demonstrates the procedures for installing the Storage Manager for SANs feature on Windows Server 2008. E X E R C I S E 1. 8

Installing Storage Manager for SANs Follow these steps to install Storage Manager for SANs:

1.

Click Start  Administrative Tools  Server Manager.

2.

Right-click Features and select Add Features.

3.

In the Add Features Wizard, check Storage Manager for SANs and click Next.

Managing SANs

31

E X E R C I S E 1. 8 (continued)

4.

On the Confirm Installation Selections page, verify that Storage Manager for SANs is the feature that will be installed. Click Install.

5.

After the installation, when the Installation Results page appears, verify that the installation was successful and click Close.

6.

To launch Storage Manager for SANs, click Start  Administrative Tools  Storage Manager for SANs.

Opening Storage Manager for SANs, you will notice three main sections: LUN Management, Subsystems, and Drives. All the tasks that can be preformed are performed within these three sections. In the LUN Management section, the following tasks can be preformed: NÛ

View information about the LUNs on your Fibre Channel and iSCSI storage systems.

NÛ

Create, rename, extend, delete, assign, and unassign LUNs.

NÛ

Add servers to your SAN and enable HBAs and iSCSI initiators.

NÛ

Create, remove, and configure security settings and log on to iSCSI targets.

32

Chapter 1

N

Windows Server 2008 Storage Services

In the Subsystems section, the following tasks can be preformed: NÛ

View information about the storage systems that have been discovered by VDS.

NÛ

Rename a storage system. In the Drives section, the following tasks can be preformed:

NÛ

NÛ

View information about the disk drives in the storage systems that have been discovered. Make a drive light blink.

Storage Explorer Storage Explorer is used by administrators to view and manage Fibre Channel and iSCSI fabrics available in the environment. The Storage Explorer interface provides a tree-structured view of the components by using APIs to collect data about the storage devices. The following detailed information can be found in Storage Explorer: NÛ

HBA information

NÛ

Fibre Channel switches

NÛ

iSCSI initiators

NÛ

iSCSI targets An administrator can also perform various iSCSI-related tasks from Storage Explorer:

NÛ

Log on to iSCSI targets.

NÛ

Configure iSCSI security.

NÛ

Add iSCSI target portals.

NÛ

Add iSNS servers.

NÛ

Manage discovery domains.

NÛ

Manage discovery domain sets.

Figure 1.7 shows the Storage Explorer interface with an iSCSI initiator selected and also illustrates the management options that are available.

Summary

F I G U R E 1.7

33

Storage Explorer interface

Summary In this chapter, we examined the various aspects of Windows Server 2008 Storage Services as well as the various types of storage technologies and native Windows Server 2008 storage management tools. We started the chapter with initializing disks and choosing a partition type, MBR or GPT. We then discussed the types of disk configurations, dynamic and basic, that are supported in Windows Server 2008. You learned that there are various properties associated with each type of configuration. Then we discussed the different types of RAID and the properties of each. The next section explored storage technologies, namely iSCSI, Fibre Channel, and NAS. We primarily focused on iSCSI because of the native support in Window Server 2008. You learned how to configure an iSCSI initiator and a connection to an iSCSI target. After that we looked at its iSNS server and how to configure it. We concluded the chapter by looking at Storage Manager for SANs and Storage Explorer, which are built-in management tools in Windows Server 2008 for storage devices.

34

Chapter 1

N

Windows Server 2008 Storage Services

Exam Essentials Know the disk types. Know how to initialize disks and the type of partitioning to chose. Also know the difference between dynamic and basic disks and when to use them. Understand what RAID is and how it works. Know the various RAID types, the requirements for each, and when it is appropriate to use each type. Know the storage technologies. Understand how to use the storage technologies Fibre Channel, iSCSI, and NAS. Know how to configure an iSCSI initiator and how to establish a connection to a target. Know the various MPIO policies. Know how to manage storage. Know want type of administrative features are available for Storage Manager for SANs and Storage Explorer.

Review Questions

Review Questions 1.

What are the various supported RAID types in Windows Server 2008? (Choose three.) A. RAID-5

2.

B.

RAID-1

C.

RAID-0

D.

RAID-1+0

What type of MPIO policy allows load balancing across multiple active paths? A. Failover

3.

B.

Round robin

C.

Dynamic Least Queue Depth

D.

Weighted path

What is the minimum number of disks required in a RAID-5 set? A. One

4.

B.

Two

C.

Three

D.

Four

What is the minimum number of disks required in a RAID-1 set? A. One

5.

B.

Two

C.

Three

D.

Four

What is the default TCP port for iSCSI? A. 3389

6.

B.

1433

C.

21

D.

3260

What is the largest partition size available for MBR? A. 1TB B.

2TB

C.

3TB

D.

4TB

35

Chapter 1

36

7.

N

Windows Server 2008 Storage Services

How many primary partitions can be made on a disk drive with MBR? A. One

8.

B.

Two

C.

Three

D.

Four

Which of the following names/terms identifies a Fibre Channel HBA? A. WWN

9.

B.

iqn

C.

UNC

D.

MAC

True/False: A basic disk can be configured in a RAID-5 volume set. A. True B.

False

10. Five 100GB disk drive are used in a RAID-5 set. Approximately how much disk space is available? A. 200GB B.

100GB

C.

500GB

D.

400GB

E.

300GB

11. Calculate the available disk space on RAID 1 set using 100GB disk drives. A. 200GB B.

100GB

C.

500GB

D.

400GB

E.

300GB

12. If an administrator would like to create a LUN on a storage device, what management tool would they use? A. Storage Explorer B.

MPIO

C.

Storage Manager for SANs

D.

iSCSI initiator

Review Questions

37

13. Which of the following is an alternative term used for RAID-0? A. Disk striping B.

Disk striping with parity

C.

Disk mirroring

D.

Disk mirroring in a striped set

14. True/False: A computer with the Microsoft iSCSI software initiator has less CPU overhead than a computer using an iSCSI HBA. A. True B.

False

15. Which of the follow management tools is used to log off of a current iSCSI connection? A. MPIO B.

iSNS

C.

iSCSI initiator

D.

Storage Manager for SANs

16. True/False: VDS is a set of APIs that provide a centralized interface for managing all the various storage devices. A. True B.

False

17. What command would be used to manually register an iSCSI initiator to an iSNS server? A. iscsicli฀refreshisnsserver฀ B.

iscsicli฀listisnsservers฀

C.

iscsicli฀removeisnsserver฀

D.

iscsicli฀addisnsserver฀

18. True/False: Mount points are assigned drive letters. A. True B.

False

19. Each iSCSI initiator and target must have a unique name. What is the designation of this name? A. WWN B.

MAC

C.

iqn

D.

SCSI ID

20. True/False: The Microsoft iSCSI initiator does not have built-in security features. A. True B.

False

Chapter 1

38

N

Windows Server 2008 Storage Services

Answers to Review Questions 1.

A, B, C. Windows Server 2008 supports only software RAID levels 0, 1, and 5. Other types of RAID, such as RAID-1+0, are available with hardware RAID controllers.

2.

B. Round robin uses all available paths and all paths will be active. Failover, Dynamic Least Queue Depth, and weighted path will not load-balance across the paths.

3.

C.

The minimum number disks required in a RAID-5 set is three.

4.

B.

The minimum number of disks requires in a RAID-1 set is 2.

5.

D. The iSCSI default port is TCP 3260. Port 3389 is used for RDP, port 1433 is used for MS SQL, and port 21 is used for FTP.

6.

B.

7.

D. MBR supports only primary partitions, but the fourth partition can be made into an extended partition when many logical partitions can be created.

8.

A. Fibre Channel HBAs use the WWN (World Wide Name) to identify itself from other HBAs in a Fibre Channel fabric. An iqn is used by iSCSI initiators to identify themselves. MAC addresses are used with NICs. A UNC (Universal Naming Convention) is use to designate file locations on a network.

9.

B. When you’re creating a RAID-5 volume set, a basic disk will be converted into a dynamic disk.

The largest available partition available with MBR is 2 terabytes.

10. D. To calculate RAID-5 disk space, add the total available space across all disks and subtract the space of one disk. In this case, 500 - 100 = 400. 11. B. A RAID-1 set uses only two disks, and the available disk space is only on one of the disks. 12. C. Storage Manager for SANs is used to manage the actual storage devices. Storage Explorer is used to manger the fabric. MPIO is used to manage the multipath software. iSCSI initiator is used to configure the host’s iSCSI settings. 13. A. RAID-0 is disk striping. RAID-5 is disk striping with parity. RAID-1 is disk mirroring. RAID-1+0 is disk mirroring in a striped set. 14. B. A computer uses an iSCSI HBA to offload the iSCSI request to the card so it will not consume any extra CPU cycles. 15. C. iSCSI initiator is used to log off and on of iSCSI connections. iSNS is used to register iSCSI initiators. MPIO is used to manage the multipath software. Storage Manager for SANs is used to manage storage devices. 16. A.

VDS is used in conjunction with Storage Manager for SANs to manage storage devices.

Answers to Review Questions

39

17. D. The iscsicli฀addisnsserver฀ command manually registers the host server to an iSNS server. refreshisnsserver refreshes the list of available servers. removeisnsserver removes the host from the iSNS server. listisnsservers lists the available iSNS servers. 18. B. The purpose of a mount point is to logically assign a path to an existing drive without using a drive letter. 19. C. The iqn (iSCSI Qualified Name) applies to all iSCSI HBAs and the Microsoft iSCSI software initiator. MACs are associated with NICs, and WWN names are associated with FC HBAs. 20. B.

The Microsoft iSCSI initiator supports both CHAP and IPSec.

Chapter

2

Exploring Terminal Services in Windows Server 2008 MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configure Terminal Services client connections. May include but is not limited to: connecting local devices and resources to a session, Terminal Services profiles, Terminal Services home folders, Remote Desktop Connection (RDC), single sign-on, Remote Desktop SnapIn, MSTSC.exe ÛÛ Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp). May include but is not limited to: Configuring Terminal Services Web Access, configuring Terminal Services Remote Desktop Web Connection ÛÛ Configure Terminal Services Gateway. May include but is not limited to: certificate configuration, Terminal Services Gateway Manager (TS Gateway Manager), specifying resources that users can access through TS Gateway by using Terminal Services resource authorization policy (TS RAP) and Terminal Services connection authorization policy (TS CAP) ÛÛ Configure Terminal Services load balancing. May include but is not limited to: Terminal Services Session Broker redirection modes, DNS registration; setting through group policy

Whether it’s publishing a remote desktop or remotely logging into a server for maintenance, you have probably used or heard of Terminal Services for Windows. In Windows NT 4 Terminal Server Edition, using the services for business applications without third-party tools was very cumbersome. With advances over the years and even updates in Windows Server 2003 to the previous version of Terminal Services, Terminal Services for Windows Server 2008 is a much more attractive option for some business applications or, at the very least, worth a look. The client computer communicates to a terminal server over TCP port 3389 using client software called Remote Desktop Connection (RDC). Many of the new features available with Windows Server 2008 require the most recent update to the RDC client software, although older RDC clients will continue to work. These older RDC clients will have more or less the same functionality as Terminal Services for Windows Server 2003. If you are using Windows Vista pre Service Pack 1, the client is RDC 6.0 (Control Version 6.0.6000). The client will be able to connect to Terminal Services Server on Windows Server 2008 and have some of the same functionality, but not all the functionality is available. For example, to access TS RemoteApp programs through TS Web Access, the client computer must be running RDC 6.1, but higher resolutions, monitor spanning, font smoothing, and Desktop Experience are all available on both RDC 6.0 and RDC 6.1. RDC 6.1, which supports Remote Desktop Protocol version 6.1, is available with Windows Server 2008, Windows Vista Service Pack 1, and Windows XP Service Pack 3. To find out the version of RDC that is installed, open the Remote Desktop Connection client by clicking Start  All Programs  Accessories  Remote Desktop Connection. Once the client is open, right-click the compute icon in the upper-left corner and choose About. A dialog box appears with version information and supported features on the RDC client installed, such as Network Level Authentication. Figure 2.1 shows the version information of an RDC 6.1 client.

RDC 6.1 (Control Version 6.0.6001) supports Remote Desktop Protocol 6.1.

Remote Desktop Connection Display

F I G U R E 2 .1

43

RDC version information

Remote Desktop Connection Display The new RDC software enables the use of higher-resolution displays with multiple-monitor spanning on the client computer and clearer text with font smoothing. In conjunction with Terminal Server running Windows Server 2008, the new RDC software will give the users a Windows Vista look and feel with the new Desktop Experience. In addition, Display Data Prioritization will give display, mouse, and keyboard traffic better performance.

Custom Display Resolutions In previous versions, the only supported display resolution was 4:3 with the maximum resolution of 1600×1200. Now, with widescreen monitors, 16:9 and 16:10 are available with resolutions of 1680×1050 and 1920×1200 and a new maximum supported resolution of 4096×2048. Figure 2.2 shows the Display tab of the Remote Desktop Connection client, accessed via the Options button.

44

Chapter 2

FIGURE 2.2

N

Exploring Terminal Services in Windows Server 2008

The RDC Display tab

Custom display resolutions can also be set in an RDP file or from a command prompt: NÛ

Open the RDP file in a text editor and edit the following settings, where is the resolution (for example, 1920 or 1200): desktopwidth:i: desktopheight:i:

NÛ

Use mstsc.exe at the command prompt with the following settings: mstsc.exe฀/w:฀/h:

Monitor Spanning Monitor spanning allows the display of the remote desktop session to stretch across multiple monitors. For monitor spanning to function, all the monitors must have the same resolution and their total resolution cannot exceed 4096×2048. Another limitation is that spanning only occurs horizontally (side by side), not vertically. You can set monitor spanning in an RDP file or from a command prompt. NÛ

Open the RDP file in a text editor. Change the following setting, where = 0 indicates that monitor spanning is disabled and = 1 indicates that monitor spanning is enabled: Span:i:

NÛ

Use mstsc.exe at the command prompt with the following settings: mstsc.exe฀/span

Remote Desktop Connection Display

Font Smoothing If you’re using an LCD monitor, font smoothing is a feature that will be of interest. Windows Server 2008 now supports ClearType, which is a Microsoft technique that improves the readability of text. For users to take advantage of this feature, terminal servers must have ClearType enabled and font smoothing must be enabled in the RDC client. The following operating systems support font smoothing: NÛ

Windows Vista

NÛ

Windows Server 2003 Service Pack 1 or 2 with RDC 6.0

NÛ

Windows XP Service Pack 2 with RDC 6.0 In Exercise 2.1, you’ll enable font smoothing on a Windows Vista client.

E X E R C I S E 2 .1

Enabling Font Smoothing on a Client Computer Follow these steps to enable font smoothing on a Windows Vista client:

1.

Click Start  All Programs  Accessories  Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the Run line.)

2.

In the Remote Desktop Connection dialog box, click Options.

3.

On the Experience tab, check Font Smoothing.

4.

Click Connect to launch the new session.

45

46

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

By default, ClearType is enabled in Windows Server 2008. To ensure that ClearType is enabled, follow the steps in Exercise 2.2. EXERCISE 2.2

Verifying ClearType settings on Window Server 2008 Follow these steps to verify ClearType is enabled:

1.

Click Start  Control Panel  Personalization  Window Color and Appearance.

2.

On the Appearance tab, select Effects.

3.

Check the Use the Following Method to Smooth Edges of Screen Fonts check box,

4.

Select ClearType from the drop-down menu.

5.

Click OK.

Although ClearType increases the overall user experience, enabling it will increase the bandwidth consumed between 4 to 10 times over a similarly configured TS server with ClearType disabled.

Display Data Prioritization Another new feature to help with network utilization is Display Data Prioritization. Display Data Prioritization automatically controls and sets the precedence higher for the display, keyboard, and mouse virtual channel traffic than it is for virtual channel traffic for copying

Remote Desktop Connection Display

47

files and printing. This alleviates the issue of having a slow or unresponsive mouse cursor after sending a large print job. By default, the Display Data Prioritization bandwidth ratio is 70:30. Seventy percent of the available bandwidth goes to operations in which data is input, such as display, mouse, and keyboard operations, while file transfers, print jobs, and Clipboard operations can consume only 30 percent. Of course, these settings are modifiable by editing the Registry and changing the DWORD entry values located under the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\TermDD subkey. Here is a list the values and the characteristics of each: FlowControlDisable Default value is 0. To disable Display Prioritization, set this value to 1. Once it’s disabled, all requests are first in, first out. FlowControlDisplayBandwidth Default value is 70. This value changes the relative bandwidth priority for display and other input data. The maximum allowed value is 255. FlowControlChannelBandwidth Default value is 30. This value changes the relative bandwidth priority for Clipboard operations, file transfers, and print jobs. The maximum allowed value is 255. FlowControlChargePostCompression This value determines if flow control calculates the bandwidth allocation based on precompression or postcompression bytes. The default is precompression, which is 0. Display Data Prioritization is based on the ratio of the Registry values FlowControlDisplayBandwidth and FlowControlChannelBandwidth. For example, if FlowControlDisplayBandwidth is set to 200 and FlowControlChannelBandwidth is set 50, the Display Data Prioritization ratio is 200:50, so 80 percent of the available bandwidth will go to display and other input data. Remember that the default ratio is 70:30, so 70 percent of the available bandwidth will go to display and other input data.

Desktop Experience In previous versions of Terminal Services, the Desktop was bland and dull and had limited features. Terminal Services for Windows Server 2008 and Remote Desktop Connection 6.0 gives users features like an improved Desktop that can be customized using themes, Windows Media Player 11, and even photo management. For a user to benefit from the new Desktop experience, the client computer must have the Remote Desktop Connection 6.0 software, at a minimum, and the Windows Server 2008 Terminal Server must have the Desktop Experience feature enabled, which will be covered later in this section. To complete the desktop experience, Microsoft has introduced Desktop Composition in Windows Server 2008. Windows 2008 Terminal Server is configurable to provide the functionality of a Windows Aero desktop by using Remote Desktop Connection with a Windows Vista client computer. With features such as Windows Flip 3D, translucent windows (Aero glass), and thumbnail-sized Taskbar button window previews, a user no longer has to look at a dull lifeless Desktop. However, with this new functionality also come limitations because Desktop Composition is supported only when you’re connecting to a Windows 2008 TS server running in single-user mode or with a host client running Windows Vista.

48

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

Three things must occur to enable Desktop Composition. First, you must enable Desktop Experience on the Windows 2008 Terminal Services server. Second, you must use the Windows Vista theme on the Windows 2008 TS server. Third, you must enable Desktop Composition on the Windows Vista host client.

It is important to note that the Windows Vista client must have the hardware capable of supporting Windows Aero to benefit from the Desktop Composition feature. However, the 2008 TS server does not need to have hardware that is capable of running Windows Aero.

Exercises 2.3, 2.4, 2.5, and 2.6 walk you through the necessary steps to enable Desktop Experience for Terminal Services on Windows Server 2008. EXERCISE 2.3

Enabling the Desktop Experience Feature Follow these steps to install Desktop Experience on Windows Server 2008

1.

Open Server Manager. Click Start  Administrative Tools  Server Manager.

2.

Right-click Features and select Add Feature from the menu.

3.

Check Desktop Experience in the Feature Wizard.

4.

Click Next.

5.

Verify that the Desktop Experience feature is checked and click Install.

6.

Reboot after installation is complete.

Remote Desktop Connection Display

49

In Exercise 2.4, you’ll continue the configuration of the Desktop Experience by enabling the Themes service. EXERCISE 2.4

Starting the Themes Service Follow these steps to start the Themes service for Windows Server 2008

1.

Click Start  Administrative Tools  Services.

2.

Right-click Themes and choose Properties.

3.

On the General tab, change the startup type to Automatic.

4.

Click Apply.

5.

Click  Administrative Tools  Services.

6.

Double-click Themes.

7.

On the General tab, change the startup type to Automatic.

8.

Click OK.

9.

Right-click Themes and choose Start to start the Themes service.

Now that you have enabled the Themes service, you must select the Windows Vista theme (Exercise 2.5). EXERCISE 2.5

Setting the Theme on Windows Server 2008 Follow these steps to set the Theme on Windows Server 2008

1.

Click Start  Control Panel  Personalization  Theme.

2.

On the Themes tab, change the theme to Windows Vista.

50

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E XE RC I SE 2 .5 (continued)

3.

Click OK.

The final step is to enable Desktop Composition and Themes on the client. Exercise 2.6 shows you how. EXERCISE 2.6

Making Desktop Composition Available on a Vista Client Follow these steps to enable Desktop Composition on a Vista client

1.

Click Start  All Programs  Accessories  Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the run line.)

2.

In the Remote Desktop Connection dialog box, click Options.

3.

On the Experience tab, check Desktop Composition and Themes.

Remote Desktop Connection Display

51

E XE RC I SE 2 .6 (continued)

4.

Click Connect to launch the new session.

Remember that Windows Aero will require more resources on your terminal server, so careful consideration must be made on how many concurrent user connections a single terminal server’s hardware will be able to support. This will be critical to overall user experience and server performance.

Device Redirection The following sections are about the device redirection framework for Windows Server 2008. Device redirection gives users the ability to connect physical devices on their local computer and use them within their Terminal Services session. The first section discusses Plug and Play device redirection for media players and digital cameras based on the Picture Transfer Protocol (PTP). The second section introduces Microsoft Point of Services for .NET device redirection. In third section, we discuss printing redirection with TS Easy Print.

Plug and Play Device Redirection for Media Players and Digital Cameras New to Windows Server 2008 and RDC 6.0 is the ability to redirect specific Plug and Play (PNP) Windows portable devices. These devices include media players and digital cameras

52

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

based on the Media Transfer Protocol (MTP) and the Picture Transfer Protocol (PTP), respectively. Plug and Play device redirection allows applications to access devices whether the application is running in a TS remote desktop or with TS RemoteApp. Another new feature is the ability to attach Plug And Play devices after a session has already been established with the Devices that I plug in later option within the Remote Desktop Connection client software. When a new session is launched, Plug and Play notifications will appear in the Taskbar on the client computer. The newly detected device is attached to that particular session and is not accessible from any other session. Exercise 2.7 walks us through the process of enabling Plug and Play device redirection. E XERCISE 2.7

Redirect Plug and Play Devices Follow these steps to enable Plug and Play device redirection.

1.

Click Start  All Programs  Accessories  Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the run line.)

2.

In the Remote Desktop Connection dialog box, click Options.

3.

On the Local Resources tab, click More.

4.

Under Local devices and resources expand Supported Plug and Play Devices.

5.

Choose the device you want to redirect.

6.

To make Plug and Play device that you will plug in later available, select the Devices that I plug in later check box.

7.

Click Connect to launch the new session.

Remote Desktop Connection Display

53

It is also possible to redirect drives that have been connected after a new session has been established by selecting the Drives that I connect to later check box.

Microsoft Point of Service for .NET Device Redirection Microsoft Point of Service (POS) for .NET Device Redirection allows peripheral devices such as bar code scanners and magnetic card readers to interface with Terminal Services for Windows 2008. Microsoft POS for .NET 1.1 is available to download at the Microsoft Download Center. Once it’s installed, the Terminal Services UserMode Port Redirector service must be restarted.

Microsoft Point of Service for .NET Device Redirection is supported only when you’re running the x86 version of Windows Server 2008.

Terminal Services Easy Print Microsoft has improved printing in Terminal Services for Windows 2008 by adding Terminal Services Easy Print and group polices that enable the redirection of only the default client printer. In the past, the client computer and the Terminal Services server had to have the proper driver installed in order to successfully print. Now matching the drivers on the two different systems is no longer necessary because the TS Easy Print driver proxies all requests to the client’s actual driver. This feature will please many administrators who had to support printer drivers in the previous version of Terminal Services. Another perk for administrators is that TS Easy Print will increase the scalability and decrease the complexity of the TS server by limiting the number of printers the spooler has to enumerate. When a TS session is created, Winlogon will redirect a particular printer instead of redirecting all printers. The last benefit of TS Easy Print is that administrators will appreciate the support for legacy print drivers. Although TS Easy Print has decreased administrator headaches with printing in Terminal Services, only a select client base will receive its benefit. TS Easy Print is available only on client computers running Windows Vista SP1 or Windows Server 2008 using the RDC 6.1 and either the Microsoft .NET Framework 3.0 Service Pack 1 or Microsoft .NET Framework 3.5 or later.

Terminal Services Easy Print is enabled by default.

54

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

Single Sign-On for Terminal Services With Single Sign-On for Terminal Services, a domain user can enter their credentials once and gain access to a terminal server or their remote application. The current credentials of the logged-on user will be passed to the connecting TS server without the user having to retype their password. To use Single Sign-On (SSO), the client must be running on Windows Vista or another Windows 2008 Server machine, the user must have the appropriate rights to log on, and the client computer and TS server must be in the same domain. Exercise 2.8 demonstrates the process to configuring the Authentication level of Windows Server 2008. EXERCISE 2.8

Configuring Authentication of a Windows 2008 Terminal Server Follow these steps to set Authentication type for Window Sever 2008 Terminal Server.

1.

Open Terminal Server Configuration. Click Start  Administrative Tools  Terminal Services  Terminal Services Configuration.

2.

Under Connections, right-click RDP-TCP and choose Properties.

3.

On the General tab, verify that the Security Layer value is either Negotiate or SSL (TLS 1.0) and then click OK.

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

55

Exercise 2.9 walks us through the procedures to configure Single Sign-On on a Windows Vista computer. EXERCISE 2.9

Configuring SSO on a Client Computer Follow these steps to configure Single Sign-On on a Windows Vista computer.

1.

Open Local Group Policy Editor. Click Start  Run  type gpedit.msc, and press Enter.

2.

Expand and navigate to Computer Configuration  Administrative Templates  System  Credentials Delegation.

3.

Double-click Allow Delegating Default Credentials.

4.

In Properties on the Setting tab, click Enable and click Show.

5.

In Show Contents, click Add and add the terminal servers to the policy list by typing the prefix termsrv/ in front of the server name (for example, termsrv/TServ1).

6.

Click OK three times to close all the dialog boxes.

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp) In the following sections, we’ll discuss a new feature of Terminal Services for Windows 2008 called Terminal Services RemoteApp (TS RemoteApp). In previous versions of Terminal Services, the only option was to publish the full Desktop, but with TS RemoteApp, now individual applications can be published. What this means is that, instead of launching a new Desktop session to run an application that is running on the terminal server, you can publish an individual application from the terminal server and it will appear as if is it is running on the client’s local computer. No longer will users have to deal with the confusion of running two different Desktops to run all their applications. Before we dive too deep into TS RemoteApp and its features, we need to install the Terminal Server role on our Windows 2008 server.

56

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

Installing Programs to Be Used with TS RemoteApp TS RemoteApp is made available through the installation of Terminal Services on Windows Server 2008. As the administrator of the server installs applications on the server, they can be added to a published list of programs that users will be able to access. In Exercise 2.10, you’ll install the Terminal Services role and change the user mode to allow applications to be installed correctly on a TS server. E X E R C I S E 2 .1 0

Installing the Terminal Services Role Follow these steps to install the Terminal Services Role for Window Server 2008.

1.

Open Server Manager. Click Start  Administrative Tools  Server Manager.

2.

Under Roles Summary, click Add Roles.

3.

In the Add Role Wizard, on the Before You Begin page, click Next.

4.

On the Select Server Roles page, check Terminal Services. If Terminal Services is already installed, this check box will be grayed out.

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

E X E R C I S E 2 .1 0 ( c o n t i n u e d )

5.

Click Next.

6.

On the Introduction to Terminal Services page, click Next.

7.

On the Select Role Services page, select Terminal Server and click Next.

8.

On the Uninstall and Reinstall Applications for Compatibility page, click Next.

9.

On the Specify Authentication Method for Terminal Server page, select the authentication you will be using and click Next. If you select Require Network Level Authentication, only computers running Windows Vista with RDC 6.0 or higher will be allowed to connect to the server. If you select Do Not Require Network Level Authentication, any RDC client can connect to the TS server.

57

58

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .1 0 ( c o n t i n u e d )

10. On the Specify Licensing Mode page, select the licensing mode you will be using and click Next.

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

59

E X E R C I S E 2 .1 0 ( c o n t i n u e d )

11. On the Select User Groups Allowed Access to this Terminal Server page, add the users or groups that you will allow to connect and click Next.

12. On the Confirm Installation Selections page, verify settings and click Install.

13. After the installation, you will be prompted to restart the server to finish the installation process. Click Close and Yes to restart the server.

After you install the Terminal Services role, you need to install the programs that are going to be published. Before you install a program on a terminal server, the server needs to be placed in install mode, and after installation is complete, the server needs to placed back into execute mode (see Figure 2.3). NÛ

NÛ

NÛ

To change the system to install mode, type change฀user฀/install at the command prompt. To change the system to execute mode, type change฀user฀/execute at the command prompt. To get additional information or help, type change฀user or change฀user฀/? at the command prompt.

60

Chapter 2

FIGURE 2.3

N

Exploring Terminal Services in Windows Server 2008

User mode commands

Configuring Remote Programs to Be Used with TS RemoteApp Now that the Terminal Services role is installed and you know how to change the user mode to install an application, you need to make an application available for remote users by adding the program to the RemoteApps list. To add a program, you’ll use TS RemoteApp Manager, which specifies the programs installed on the terminal server that users will be able to access. Exercise 2.11 walks you through the process of adding a program to the RemoteApps list. E X E R C I S E 2 .11

Adding an application to the TS RemoteApp Program List Follow these steps to add an application to the TS RemoteApp Program List.

1.

Launch Server Manager. Click Start  Administrative Tools  Server Manager.

2.

Expand Roles. Expand Terminal Services.

3.

Click TS RemoteApp Manager.

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

E X E R C I S E 2 .11 ( c o n t i n u e d )

4.

In the Actions pane, click Add RemoteApp Programs.

5.

In the RemoteApp Wizard, click Next.

6.

Select the application to add to the RemoteApp program list and click Next.

7.

Click Finish.

8.

If you examine the TS RemoteApp Manager, you’ll see that the programs that have been added to the TS RemoteApp program list are now visible. You will notice here that TS Web Access is enabled. It’s enabled by default; we’ll discuss TS Web Access later in this chapter in “Distributing RemoteApp Applications.” If you double-click a RemoteApp program, a new Actions pane will appear on the right. This is where you can change the properties of the program, disable TS Web Access, create an RDP file or an MSI installer package, and even remove the RemoteApp program.

61

62

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .11 ( c o n t i n u e d )

9.

Clicking Properties in the Actions pane shows various attributes of the RemoteApp program. From the Properties tab, you can see the RemoteApp program name, its location, whether it is available through TS Web Access, and what command-line arguments are available.

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

63

Creating and Deploying a Windows Installer Package for TS RemoteApp Programs Now that you have installed an application that will be used for a TS RemoteApp program, you need to know how to deploy a package that contains the TS RemoteApp program connection information. There are two different ways to package TS RemoteApp programs: a Windows Installer file (MSI) or a Remote Desktop file (RDP). The focus in this section will be on using an MSI file because most administrators are used to using group policies to deploy Windows Installer packages to client computers. In order for the client computer to run these packages, they must be running RDC 6.0 or 6.1. In Exercise 2.12, you will follow the procedures to package TS RemoteApp programs. E X E R C I S E 2 .1 2

Packaging a TS RemoteApp Program Follow these steps to package a TS RemoteApp Program.

1.

In TS RemoteApp Manager, under RemoteApp Programs, select the application for which you will create a package.

2.

In the Actions pane, click Create Windows Installer Package.

3.

In the RemoteApp Wizard, click Next on the Welcome screen.

4.

On the Specify Package Settings screen, you can change the default location to save packages to as well as the server name, the RDP port, the TS Gateway setting and certificate settings. (TS Gateway and certificate settings are discussed later in this chapter.)

64

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .1 2 ( c o n t i n u e d )

5.

Click Next.

6.

On the Configure Distribution Package page, you will place the RemoteApp program into the user’s Start menu under a folder named Remote Programs, and you can also select Desktop. This screen also specifies whether or not to take over client extensions. What this means is that whenever the user opens a file with this extension, it will automatically launch the RemoteApp program. This setting is necessary only when the application is not installed locally on the client.

7.

Click Next.

8.

Review Settings, click Finish.

By default, the package will be save in C:\Program฀Files\Pack฀Programs with a .rap฀ .msi filename extension. Now that you have the .rap.msi file, Group Policy procedures can be used to deploy the package to users within the domain.

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

65

Using TS RemoteApp in large environments There are some rules that should be considered when using TS RemoteApp in a large server farm. First, think about applications that are similar in nature or share data using Dynamic Data Exchange, DDE (for example, copy and paste); these should reside on the same server. Second, place silo applications that conflict with other applications onto separate terminal servers; your users will thank you in long run by not complaining about poor performance or errors in their sessions. Third, consider other factors that are not technology related, such as groups like HR always wanting their applications segregated from everyone else. A good rule of thumb is an 80/20 split. Try to maintain and keep the software consistent on the majority of the terminal servers with the main subset of your applications, usually MS Office and the like.

Export or Import RemoteApp Programs and Settings With Terminal Services for Windows 2008, you have the ability to export and import the RemoteApp Programs list from one TS server to another. This is a benefit when you have to configure a larger server farm with an identical RemoteApp Programs list. Any RDP or MSI packages that were created will not be exported or imported and will have to be recreated to reflect the name of the terminal server. However, if a server is a member of a TS server farm and during the creation of the packages the farm name was specified instead of the name of an individual server, you can manually copy the packages. In Exercise 2.13, you will to export the RemoteApp Programs list and deployment settings. E X E R C I S E 2 .1 3

Exporting the RemoteApp Programs List and Deployment Settings Follow these steps to Export the TS Remote program list and deployment settings to other Windows Server 2008 Terminal Servers.

1.

Start TS RemoteApp Manager.

66

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .1 3 ( c o n t i n u e d )

2.

In the Actions pane, click Export RemoteApp Settings.

3.

Select Export the RemoteApp Program List and Settings to Another Terminal Server or Export the RemoteApp Programs List and Settings to a File.

4.

Click OK.

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

67

When the TS ReportApp settings are exported to a file, the location is specified by the administrator and the file itself is saved with the .tspub extension. To import the TS RemoteApp programs list and deployment settings, use the same procedure except use Import RemoteApp settings instead. It is important to note that importing the settings to another server will overwrite the settings.

Distributing RemoteApp Applications There are several ways to deploy RemoteApps, and we have already touched on two of them: distributing an RDP file through a file share or distributing a MSI through a GPO. In the following sections, you’ll learn about distributing TS RemoteApp programs with Terminal Services Web Access. Microsoft has enhanced Terminal Services Web Access (TS Web Access) in Windows 2008 by imbedding the ActiveX controls into a web page hosted on Internet Information Services (IIS). A user can create a session using the client’s web browser. To take advantage of TS Web Access, the client computer must be running Remote Desktop Client (RDC) 6.1, which is available on Windows Server 2008, Windows Vista SP1, and Windows XP SP3.

Installing TS Web Access TS Web Access must be installed as a role on a server that users will to connect to access their RemoteApp programs. As result of installing TS Web Access as a role, Internet Information Services 7.0 is also installed. The server that has the TS Web Access role acts as a web server and does not have to be a terminal server. In Exercise 2.14, you’ll install TS Web Access. E X E R C I S E 2 .1 4

Installing TS Web Access Follow these steps to install TS Web Access.

1.

Open Server Manager. Click Start  Administrative Tools  Server Manager.

2.

Click Roles and Expand.

3.

Right click Terminal Server and click Add Roles Services.

68

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .1 4 ( c o n t i n u e d )

4.

Select TS Web Access. If all the roles required for TS Web Access are not installed, you will receive a prompt to install them. Click Add Required Role Services.

5.

Click Next.

6.

If installing IIS is required, click Next on the Introduction to Web Server page.

7.

On the Roles Services Selections for IIS page, click Next.

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

69

E X E R C I S E 2 .1 4 ( c o n t i n u e d )

8.

On the Confirm Installation Selections page, click Install.

9.

On the Installation Results page, verify that the installation was successful and click Close.

If the TS RemoteApp server and the TS Web Access server are separate, the computer account of the TS Web Access server must be added the TS Web Access Computer security group on the TS RemoteApp server. In Exercise 2.15, you’ll add the computer account to the TS Web Access group.

70

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .1 5

Adding the Computer Account of the TS Web Access Server to the TS RemoteApp Server Follow these steps to add the computer account to the TS Web Access group.

1.

Click Start  Administrative Tools  Computer Management.

2.

Expand Local Users and Groups and click Groups.

3.

Double-click TS Web Access Computers.

4.

Click Add.

5.

Click Objects Types, select Computers, and click OK.

6.

Type the computer name of the TS Web Access server and click OK.

7.

Click OK.

By default, the TS Web Access website is฀http:///ts, where is the NetBIOS or the fully qualified domain name of the TS Web Access server. Launching the site, you can see the TS RemoteApp programs that are TS Web Access enabled. Figure 2.4 shows the TS Web Access page with the available program list. FIGURE 2.4

TS Web Access published application list

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

71

When you launch an application as a TS RemoteApp and launch an application from the local computer, it becomes very difficult to tell the difference between the TS RemoteApp and the local application. Figure 2.5 shows WordPad launched as a TS RemoteApp and launched locally. FIGURE 2.5

Side-by-side comparison of a RemoteApp and a local application

Using Task Manager, you can see which application is running locally and which application is running as a TS RemoteApp. Figure 2.6 shows the WordPad in Task Manager and indicates which application is running remotely. FIGURE 2.6

Task Manager view of a RemoteApp

72

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

Prepare and Configure Terminal Services Gateway (TS Gateway) Terminal Services Gateway is a role for Windows Server 2008 that encapsulates Remote Desktop Protocol (RDP) traffic over HTTP with SSL encryption (HTTPS) and provides a secure link for authorized remote users on the Internet to access internal terminal server applications without creating a virtual private network (VPN) connection. Instead of using TCP port 3389, TS Gateway transmits the RDP traffic over TCP port 443, so little or no modification is needed to the external firewall because this port is usually already open for other HTTPS traffic. The TS Gateway server sits behind the external firewall, and when the firewall receives RDP over HTTP traffic, it strips off the HTTP header and passes the RDP packets to the TS Gateway sever. The TS Gateway server will then check the Network Policy Server (NPS) service and Active Directory to authenticate the remote user. Once authentication has completed, the user will be allowed access to the internal terminal servers to run the TS Web Access–enabled TS RemoteApp programs.

Preparing the Necessary TS Gateway Role Services Very similar to installing TS RemoteApps, TS Gateway requires that additional roles be installed on the Windows 2008 server. To install the TS Gateway role, the following roles services are also required: NÛ

Remote Procedure Call (RPC) over HTTP Proxy

NÛ

Web Server (Internet Information Services 7.0)

NÛ

Network Policy and Access Services Exercise 2.16 explains how to install and configure the TS Gateway role.

E X E R C I S E 2 .1 6

Installing the TS Gateway Role Service Follow these steps to install the TS Gateway Role Server on Windows Server 2008.1. Open Server Manager.

2.

Right-click Roles  Add Role.

3.

Under Select Server Roles, check Terminal Services and click Next.

4.

Click Next on the Introduction to Terminal Services page.

5.

Under Select the Role Services to Install for Terminal Services, check TS Gateway. An Add Roles Wizard appears to install the required role services and features. Click Add Required Role Services.

Prepare and Configure Terminal Services Gateway (TS Gateway)

E X E R C I S E 2 .1 6 ( c o n t i n u e d )

6.

Click Next.

7.

On the Choose a Server Authentication Certificate for SSL Encryption page, select the appropriate SSL encryption. (In the next section, we will discuss how to create, obtain, and configure a certificate.)

73

74

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .1 6 ( c o n t i n u e d )

8.

Click Next.

9.

On the Create Authorization Polices for TS Gateway page, accept the default to create authorization polices now. Click Next.

10. Select the user groups that can connect through TS Gateway by clicking Add. Then click Next.

11. On the Create a TS CAP for TS Gateway page, accept the default name TS_CAP_01 or specify a new name, select supported Windows authentication methods, and then click Next.

12. On the Create a TS RAP for TS Gateway page, accept the default name TS_RAP_01 or specify a new name. Then either specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer groups, or specify that users can connect to any computer on the network. Click Next.

13. On the Network Policy and Access Services page, click Next. 14. Verify that the Network Policy Server role service is selected and click Next. 15. On the Web Server (IIS) page, click Next. 16. Accept the default roles to install for Web Server (IIS). Click Next. 17. Confirm the installation selections and click Install.

Obtaining and Configuring a Certificate for TS Gateway TS Gateway requires a valid digital certificate so that it can use SSL to encrypt the traffic to the remote clients. The purpose of the digital certificate is to prove the identity of a remote person or a remote resource. In TS Gateway, there are two methods of obtaining a certificate. The first is to purchase a digital certificate from a third-party certificate authority (CA). Microsoft has a list of approved CAs at the following site: http://support.microsoft฀ .com/kb/931125. The second option is to create a self-signed certificate. Although the option to create a self-signed certificate is available, it not recommend for other than testing and evolution purposes because the certificate must be copied and installed in the Trusted Root Certification Authorities store on each client computer. Exercise 2.17 walks you through the installation of a certificate on a TS Gateway server.

The procedure in Exercise 2.17 is not required if you have created a selfsigned certificate.

Prepare and Configure Terminal Services Gateway (TS Gateway)

E X E R C I S E 2 .17

Installing a Certificate on the TS Gateway Server Follow these steps to install a certificate on a TS Gateway server.

1.

Click Start  Run. Type mmc and press Enter.

2.

On the File menu, click Add/Remove Snap In.

3.

From the available snap-ins, select Certificates and click Add.

4.

In Certificates Snap-in, select Computer Account and click Finish.

5.

Click OK.

6.

Expand Certificates.

7.

Right-click Personal  All Tasks  Import.

8.

On the Welcome to the Certificate Import Wizard page, click Next.

9.

On the File to Import page, enter the name of the certificate that will be imported. Click Next.

10. On the Password page, do the following: NÛ

If you specified a password for the private key associated with the certificate earlier, type the password.

NÛ

If you want to mark the private key for the certificate as exportable, ensure that Mark This Key as Exportable is selected.

NÛ

If you want to include all extended properties for the certificate, ensure that Include All Extended Properties is selected.

11. Click Next. 12. On the Certificate Store page, accept the defaults and click Next. 13. Confirm that the correct certificate has been selected and click Finish. 14. A confirmation message appears when the certificate has been imported successfully.

Exercise 2.18 guides you through the mapping of the certificate to the TS Gateway server.

75

76

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .1 8

Mapping the Certificate to the TS Gateway Server Follow these steps to map a certificate to a TS Gateway server.

1.

Open TS Gateway Manager. Click Start  Administrative Tools  Terminal Services  TS Gateway Manager.

2.

Right-click the TS Gateway server and choose Properties.

3.

On the SSL Certificate tab, click Select an Existing Certificate for SSL Encryption.

4.

Click Browse Certificates.

5.

Click the appropriate certificate, and click Install.

Prepare and Configure Terminal Services Gateway (TS Gateway)

77

E X E R C I S E 2 .1 8 ( c o n t i n u e d )

6.

Click OK.

Creating Terminal Services Connection Authorization Policies (TS CAPs) Terminal Services connection authorization policies (TS CAPs) must be created after the TS Gateway role service has been installed. The purpose of TS CAPs is to set conditions that remote users must meet in order to gain access to a TS Gateway server. You can set criteria such as whether users connecting must be a member of a particular security group, whether computers requesting a connection must be a member of a security group, and who has the ability to disable some or all device redirections. Polices are placed in numerical order, which are shown in TS Gateway Manager. Access to the TS Gateway server is granted by matching the first policy that meets all the set conditions. For example, if a remote client does not meet the requirements of the first TS CAP in the list, it will move to the second TS CAP and will keep going down the list until it locates a TS CAP whose requirements it matches. If a remote client does not meet any of the requirements in the TS CAPs list, TS Gateway denies access. Exercise 2.19 shows you how to create a TS CAP for the TS Gateway server. E X E R C I S E 2 .1 9

Creating a TS CAP for the TS Gateway Server Follow these steps create a TS CAP for a TS Gateway server.

1.

Open TS Gateway Manager. Click Start  Administrative Tools  Terminal Services  TS Gateway Manager.

78

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .1 9 ( c o n t i n u e d )

2.

Expand the TS Gateway server.

3.

Expand Policies and click Connection Authorization Policies.

4.

In the Actions pane, click Create New Policy and select Custom.

5.

On the General tab, type the name of the policy, and verify that Enable This policy is checked.

6.

On the Requirements tab, check the Supported Windows authentication methods, either Password or Smart Card or both.

7.

In User Group Membership, click Add Group to specify the user group(s) that can connect to the TS Gateway server. Note that at least one user group must be listed.

Prepare and Configure Terminal Services Gateway (TS Gateway)

E X E R C I S E 2 .1 9 ( c o n t i n u e d )

8.

In Client Computer Group Membership, click Add Group if computer groups are going to be users. Computer groups are optional.

9.

On the Device Redirection tab, enable or disable the redirection for client devices. The following screen shot shows one possible configuration for device redirection.

79

80

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E X E R C I S E 2 .1 9 ( c o n t i n u e d )

10. Click OK. 11. The policy will appear in the Connection Authorization Policies pane.

Creating Terminal Services Resource Authorization Policies (TS RAPs) Like TS CAPs, Terminal Services resource authorization polices (TS RAPs) also must be created after the TS Gateway role service has been installed. The purpose of TS RAPs is to specify computers that remote users can connect to through the TS Gateway server. TS RAPs associates specific user groups with computer groups, which grants access to the computers listed in the group. For example, members of the Accounting Users user group are allowed to connect only to computers that are members of the Accounting Computers computer group. Exercise 2.20 shows you how to create a TS RAP for the TS Gateway server.

Remote users connecting through a TS Gateway server are granted access only when they meet at least one TS CAP and one TS RAP.

EXERCISE 2.20

Creating a TS RAP and Specifying Computers Follow these steps to create a TS RAP for a TS Gateway server and add computers to the policy.

1.

Open TS Gateway Manager. Click Start  Administrative Tools  Terminal Services  TS Gateway Manager.

2.

Expand the TS Gateway server.

3.

Expand Policies and click Resource Authorization Polices.

4.

In the Actions pane, click Create New Policy and select Custom.

5.

On the General tab, type the name of the policy, add a brief description, and verify that Enable This Policy is checked.

Prepare and Configure Terminal Services Gateway (TS Gateway)

E XE RC I SE 2 . 20 (continued)

6.

On the User Groups tab, click Add to select the user groups.

7.

On the Computer Group tab, specify the computer group that the users will connect to through TS Gateway.

81

82

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E XE RC I SE 2 . 20 (continued)

8.

On Allowed Ports tab, specify the TCP ports users will be using.

9.

Click OK. The new TS RAP appears in the Resource Authorization Policies pane.

Configuring the Terminal Services Client for TS Gateway The client computer must verify and trust the TS Gateway server before a user can complete their authentication. They must have the CA of the TS Gateway server in their Trusted Root Certification Authorities store. This is accomplished in a similar manner that’s similar to importing the CA to TS Gateway through the use of the Certificates snap-in on the client computer. Remember, if a CA is issued by a third-party certificate authority, the digital certificate does not need to be added to the client’s Trusted Root Certification Authorities store. In Exercise 2.21, we will walk through the client’s Remote Desktop Connection settings to established a connection through the TS Gateway server.

Prepare and Configure Terminal Services Gateway (TS Gateway)

E XE RC ISE 2. 21

Configuring the Terminal Services client for TS Gateway Follow these steps configure RDC connection properties for TS Gateway.

1.

Click Start  All Programs  Accessories  Remote Desktop Connection.

2.

In the Remote Desktop Connection dialog box, click Options.

3.

On the Advanced tab, under the Connect from Anywhere section, click Settings.

4.

On the TS Gateway Server Settings page, select the appropriate option. NÛ

Automatically Detect TS Gateway Server Settings is the default. The option is used if the client is configured to use Group Policy settings. Group Policy settings will be covered in the next chapter.

NÛ

Use These TS Gateway Server Settings is used if the TS Gateway server name or TS Gateway server farm and a logon method are not being enforced by a Group Policy.

NÛ

Do Not Use a TS Gateway Server is used if the client is always connected to the LAN or if the client does not need to pass through a firewall.

5.

Click OK.

6.

Click Connect to launch the new session.

83

84

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

Configuring Terminal Services Load Balancing Terminal Services Session Broker (TS Session Broker) is new and improved in Windows Server 2008. Many of you will remember this feature from Windows Server 2003 as Terminal Services Session Directory. In its latest incarnation, it allows users to reconnect to a disconnected session in a load-balanced terminal server farm. TS Session Broker stores various session state information, like session ID and user name, so a user can reconnect and resume work right where they left off even if the user has reconnected from a different client computer. With Windows Server 2003, Session Directory required the Enterprise Edition, but TS Session Broker is available on the Standard Edition of Windows Server 2008 and on Windows Server 2008 Enterprise and Datacenter editions. Another change to the feature is that Windows Server 2008 has integrated the TS Session Broker Load Balancing feature to include out-of-the-box load balancing designed to replace Microsoft Network Load Balancing (NLB), although TS Session Broker will continue to work with other third-party solutions, like hardware load balancers, and with Microsoft NLB. The final new feature introduced with TS Session Broker is Terminal Server Draining; a terminal server in a TS Session Broker load-balanced terminal server farm can be placed in drain mode, aka maintenance mode, where users can reconnect to disconnected sessions but not establish new sessions.

Configuring a Terminal Server Farm with TS Session Broker TS Session Broker Load Balancing works in two stages: DNS Load Balancing (DNS round robin) or Microsoft Network Load Balancing (NLB) and a query to the TS Broker server to determine user redirection. After the initial connection is made with DNS round robin or NLB, the TS Session Broker checks for the existence of a user session. If the user has an existing session, they will connect back to the same terminal server and continue working in their original session, whereas if there is no existing session, the user will connect to the terminal server that has the fewest sessions and create a new session. To prevent a single server from being overwhelmed by new logon requests, TS Session Broker Load Balancing sets a limit of 16 maximum pending logon requests to any one terminal server. It is important to note that when using DNS round robin, the client will connect to the first DNS record initially but the TS Session Broker service will direct the connection to the appropriate server based on the farm settings. It is also possible to assign a relative weight value to each server that can help distribute the load of the servers within the terminal server farm. The default relative weight value is 100. When you change the relative weight value to 200, the server with the new value of 200 will receive twice as many connections. This is a way to distribute users to servers that have greater hardware capabilities.

Configuring Terminal Services Load Balancing

85

There are some specific requirements to utilize TS Session Broker Load Balancing. A TS Session Broker server and terminal servers in the farm all must be running Windows Server 2008 to participate in TS Session Broker Load Balancing. All the terminals must have identical RemoteApp program lists, they must have the same server configuration, and they must be in the same domain. The client computers must be running RDC 5.2 or later. Now that you have an understanding of what TS Session Broker Load Balancing is, you need to learn how to deploy it. There are four tasks to complete the install and setup: 1.

Install the TS Session Broker role.

2.

Add terminal servers in the farm to the Session Directory Computers local group on the TS Session Broker server.

3.

Configure the terminal servers to join a farm and participate in load balancing.

4.

Configure DNS for TS Session Broker Load Balancing.

You cannot use the TS Session Broker Load Balancing feature on Windows Server 2003 terminal servers.

Installing the TS Session Broker Role Service The Session Broker server tracks and manages load balancing based on the number of user sessions. Once a TS server researches the maximum session limit, users will no longer be able to establish sessions with that TS server. The maximum session limit is the maximum amount of sessions a particular TS server can host. This setting is disabled by default and has to be configured manually in the Registry by creating and setting the value of the following key: HKLM\System\CurrentControlsSet\Control\Terminal Server\ UserSessionLimit. The TS Session Broker server does not have to have to be a terminal server, but it does have to be a member of the domain. Additionally, the TS Session Broker role can be installed on a domain controller. In Exercise 2.22, you’ll install TS Session Broker. EXERCISE 2.22

Installing TS Session Broker Follow these steps to install TS Session Broker for Windows Server 2008.

1.

Open Server Manager. Click Start  Administrative Tools  Server Manager.

2.

Right-click Roles  Add Role.

3.

Under Select Server Roles, check Terminal Services and click Next.

4.

Click Next on the Introduction to Terminal Services page.

86

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E XE RC I SE 2 . 22 (continued)

5.

On the Select Role Services page, check TS Session Broker.

6.

Confirm the installation selections and click Install.

7.

Confirm the installation results and click Close.

Now that the TS Session Broker has been installed, you need to add the terminal servers to the Session Directory Computer local group. This group is created during the installation of the TS Session Broker role. Exercise 2.23 walks you through the process. EXERCISE 2.23

Adding Terminal Servers to the Session Directory Computers Local Group Follow these steps to add Terminal Servers to the Session Directory Computer Local Group.

1.

Click Start  Administrative Tools  Computer Management.

2.

Expand Local Users and Groups and click on Groups.

3.

Open Session Directory Computers.

Configuring Terminal Services Load Balancing

87

E XE RC I SE 2 . 23 (continued)

4.

Click Add.

5.

In the Select Users, Computers or Groups window, click Object Types.

6.

Check Computers.

7.

Add the computer accounts for each terminal server.

8.

Click OK.

For a TS server to join a TS Session Broker farm, you must know the following: NÛ

NÛ

TS Session Broker server name or IP address. This is the name or the IP address of the TS Session Broker server. TS Session Broker farm name. This is the name of the farm that you want to join in.

TS Session Broker uses a farm name to determine which servers are in the farm. The same farm name must be use for all server that are participating in the same load-balanced farm. In Exercise 2.24, you’ll use the Terminal Services Configuration tool to configure a TS server to join a TS Session Broker farm and to participate in TS Session Broker Load Balancing. EXERCISE 2.24

Configuring the Terminal Servers to Join a Farm and Participate in Load Balancing Follow these steps to configure Terminal Servers to join a TS Broker Farm and participate in TS Session Broker Load Balancing.

1.

Start Terminal Service Configuration. Click Start  Administrative Tools  Terminal Services  Terminal Services Manager.

2.

In Edit Settings, under TS Session Broker, double-click Member of Farm in TS Session Broker. NÛ

On the TS Session Broker tab, select the Join a Farm in TS Session Broker check box.

NÛ

In the TS Session Broker Server Name or IP Address text box, type the name or the IP address of the TS Session Broker server.

NÛ

In the Farm Name in TS Session Broker text box, type the name of the farm that you want to join in TS Session Broker.

NÛ

In the Select IP Addresses to Be Used for Reconnection list, select the check box next to each IP address that you want to use.

88

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

E XE RC I SE 2 . 24 (continued)

3.

Click OK.

The next step in the configuration of TS Session Broker is to configure DNS. Exercise 2.25 shows you how to configure DNS for TS Session Broker Load Balancing. EXERCISE 2.25

Configuring DNS for TS Session Broker Load Balancing Follow these steps to configure DNS for TS Session Broker Load Balanicng.

1.

Click Start  Administrative Tools  DNS.

2.

Expand Server Name.

3.

Expand Forward Lookup Zones.

4.

Right-click the zone, and select New Host (A or AAAA).

5.

In the Name (use parent domain if blank) field, type the terminal server farm name. Do not use the name of an existing server for the farm name.

6.

In the IP Address field, type the IP address of the terminal server in the farm.

7.

Click Add Host.

Configuring Terminal Services Load Balancing

89

E XE RC I SE 2 . 25 (continued)

8.

Click OK when the message host record is successfully created.

9.

Add each terminal server that is in the farm. If you have six terminal servers in the farm, you should have six farm entries.

10. Click Done.

Configuring Network Load Balancing As stated previously, TS Session Broker can also take advantage of Microsoft NLB instead of DNS round robin to distribute clients over the terminals. The requirements for NLB are as follows: NÛ

All hosts in the NLB cluster must reside on the same subnet.

NÛ

The cluster’s clients must be able to access that subnet.

NÛ

All terminal servers in the TS farm are in the same domain.

Just as we did in the section on TS Session Broker Load Balancing, we can break down the installation of TS Session Broker with Microsoft NLB into separate tasks: 1.

Set up a terminal server farm with TS Session Broker. Refer to Exercise 2.22 for how to install TS Session Broker. Remember that the IP address used for reconnection must not be the same as the cluster IP address.

2.

Install NLB.

3.

Create an NLB cluster.

Exercise 2.26 will walk you through the process of installing Microsoft NLB and creating an NLB cluster. EXERCISE 2.26

Installing NLB and Creating an NLB Cluster Follow these steps to install NLB and create an NLB Cluster.

1.

Open Server Manger. Click Start  Administrative Tools  Server Manager.

2.

Right-click Features and choose Add Features.

3.

Check Network Load Balancing.

4.

Click Next.

Chapter 2

90

N

Exploring Terminal Services in Windows Server 2008

E XE RC I SE 2 . 26 (continued)

5.

Confirm the installation selections and click Install.

6.

Confirm the installation results and click Close.

7.

Open Network Balancing Manager. Click Start  Administrative Tools  Network Load Balancing Manager.

8.

Rick-click Network Load Balancing Clusters and choose New Cluster.

9.

Enter the hostname and click Connect.

10. Select the interface you want to cluster. 11. Click Next. 12. In the Host Parameters , select Priority (Unique Host Identifier). This value is a unique ID for each host. Click Next.

13. In the Cluster IP Address , click Add to enter the IP address that will be shared with all terminal servers in the farm. Click Next.

14. In the Cluster Parameter , verify that Unicast is selected and click Next. 15. In the Port Rules , click Edit and configure the following: NÛ

Port Range: 3389 to 3389

NÛ

Protocols: TCP

NÛ

Filtering Mode: Multiple Host

NÛ

Affinity: None

16. Click OK. 17. Click Finish. 18. To add more hosts to the cluster, right-click the new cluster and then click Add Host to Cluster. Do this for every terminal server in the farm.

Summary

91

Summary In this chapter, we discussed the features, roles, and enhancements in Windows Server 2008 Terminal Services. The first section of this chapter focused on new RDC display features, new device redirection features, and Single Sign-On. The new RDC display features discussed in this chapter include monitor spanning, support for higher resolutions, font smoothing, Display Data Prioritization, and the new Desktop Experience. Device redirection includes Plug and Play device redirection for media players and digital cameras, Microsoft Point of Service (POS) for .NET, and TS Easy Print. We rounded out discussion of Windows Server 2008 features with the topic of Single Sign-On, which is method of authentication that allows user to only log on once. All these new improvements in Windows Server 2008 give users options and customization within their sessions that will ultimately increase their experience working in a terminal server environment. We looked at roles and features included with Windows Server 2008. The section started by introducing TS RemoteApps, which allows users to access applications from their client computer and makes it appear as if the application is running locally. You learned how to install the Terminal Services roles and configure the Remote Programs list through TS RemoteApp Manager as well as export and import the TS RemoteApp settings from one server to another. And we explored the different ways to distribute remote applications using an MSI or RDP file or using a web browser to launch an application through TS Web Access. This chapter also discussed securing your Terminal Server environment by utilizing TS Gateway. TS Gateway encapsulates Remote Desktop Protocol (RDP) traffic over HTTP with SSL encryption (HTTPS) and provides a secure link for authorized remote users on the Internet to access internal terminal server applications without creating a virtual private network (VPN) connection. We installed and discussed the various roles as well how to configure a TS Gateway server through the TS Gateway Manger. You learned how to obtain and configure a digital certificate for the TS Gateway server. And you learned how to create TS CAPs and TS RAPs that ensure that the client computers comply with the businesses security standards. The chapter concluded with a discussion of TS Session Broker and how to provide load balancing to the Terminal Server environment. The TS Session Broker enables users to reconnect to an existing session in a load-balanced environment as well as evenly distributing the session load across the terminal servers. We explored how to configure and join a TS Session Broker farm using the Terminal Services Configuration utility. Finally, we set up two different options for load balancing with TS Session Broker: DNS Load Balancing and Microsoft NLB. With all the new features, Terminals Services for Windows 2008 has made huge leaps over the previous versions. It is a much more appealing offering and a viable solution for many businesses. We believe Microsoft is heading the right direction with the continuing development of Terminal Services; it will be interesting to see what the next steps in the product’s evolution will be.

92

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

Exam Essentials Know the RDC Client settings. It is important to know all the client setting tabs and how to use the settings. Also remember that there are different client versions and which one works with the appropriate Terminal Services features. Know how to use TS RemoteApps. TS RemoteApps is a great new feature in Windows Server 2008. Know how to configure and maintain the remote programs list. It’s also important to know how to export and import the RemoteApp settings and as well as knowing the different ways to deploy the RemoteApp programs. Know how to use TS Gateway. TS Gateway is a wonderful way to secure your Terminal Services environment. You should know how to use the TS Gateway Manager to configure and maintain the connections to the TS Gateway server. Also know how to get and configure a digital certificate for your TS Gateway server. Last, know how to configure and maintain your TS CAPs and TS RAPs. Know TS Session Broker. Know how a user can reconnect to a session and how to set up NLB for a terminal server farm. Remember that there are different ways to accomplish load balancing with TS Session Broker and know how to configure them.

Review Questions

93

Review Questions 1.

What is the default TCP port for the Remote Desktop Protocol? A. 1337

2.

B.

1494

C.

3389

D.

2598

What it the default website for TS Web Access? A. http://server_name

3.

B.

http://ts

C.

http://server_name/ts

D.

http://server_name/terminal

What does TS Gateway require so that it can use SSL to encrypt traffic to remote clients? A. A valid digital certificate

4.

B.

Digitally signed files

C.

USB Token

D.

Firewall

When you’re using TS Web Access, the client must have what version on the Remote Desktop client to establish a connection? A. 6.0

5.

B.

5.2

C.

3.14

D.

6.1

What is the name of the Windows Server 2008 feature that allows users to reconnect to a disconnected session in a load-balanced terminal server farm? A. TS Gateway

6.

B.

TS Session Broker

C.

TS Web Access

D.

TS RemoteApp

True/False: Monitor spanning support vertical displays. A. True B.

False

Chapter 2

94

7.

N

Exploring Terminal Services in Windows Server 2008

So users can take advantage of the Aero desktop when connecting to a remote desktop, what feature must be installed on the Windows Server 2008 computer? A. High-performance video card

8.

B.

Desktop Experience

C.

2GB of memory

D.

Updated video drivers

True/False: One of the new features for RDC and Terminal Services for Window Server 2008 is the ability to connect and use a USB drive after a Remote Desktop session has already been established. A. True B.

9.

False

When deploying a TS RemoteApp, what that are the two packaging methods? (Choose two.) A. MSI file B.

MSA file

C.

RDP file

D.

Zip file

10. What TCP port does TS Gateway use to create a secure connection with the remote client? A. 1433 B.

443

C.

6453

D.

22

11. What is the command to switch the Terminal Server modes to be able to install an application? A. change฀user฀/execute B.

change฀user฀/add

C.

change฀user฀/install

D.

change฀user฀/mode

12. When you’re connecting to TS Gateway, what are the two type of policies that a must match in order to gain access? (Choose two.) A. TS CAP B.

TS RAP

C.

TS SSL

D.

TS CAT

13. True/False: Servers in a terminal server farm that participate in Terminal Server Session Broker Load Balancing do not have to be in the same domain. A. True B.

False

Review Questions

95

14. Font smoothing is support on which of the follow operating systems? (Choose all that apply.) A. Windows Vista B.

Windows Vista SP1

C.

Windows XP SP3

D.

Windows XP SP2

E.

Windows Server 2008

15. True/False: Applications listed in the TS RemoteApp Programs list are by default enabled for TS Web Access? A. True B.

False

16. If the TS RemoteApp server and the TS Web Access server are separate servers, to what local group must the TS Web Access server computer account be added on the TS RemoteApp server? A. Remote Desktop User B.

TS Web Access Computer Security

C.

Administrators

D.

Session Directory Computers

17. True/False: TS Session Broker requires Windows Server 2008 Enterprise Edition. A. True B.

False

18. Single Sign-On is supported on which of the following operating systems? (Choose all that apply.) A. Windows XP B.

Windows Vista

C.

Windows Server 2003

D.

Windows Server 2008

19. True/False: The use of ClearType decreases the bandwidth between the client computer and the terminal server. A. True B.

False

20. What is the new service role for Windows Server 2008 that allows users to access applications without using a published desktop? A. TS RemoteApp B.

TS Session Broker

C.

TS PublishedApp

D.

TS Gateway

96

Chapter 2

N

Exploring Terminal Services in Windows Server 2008

Answers to Review Questions 1.

C. The default port for RDP is 3389. Port 80 is the common port for HTTP traffic. Ports 1494 and 2598 are ports Citrix Presentation server use. Port 1337 is not a common port associated with any application.

2.

C. The default website for TS Web Access is http://server_name/ts.

3.

A. The digital certificate proves the identity of a remote person or remote resource.

4.

D. RDC 6.1 is required to connect to TS Web Access. RDC 6.1 is available on Windows Vista SP1, Windows XP SP3, and Windows Server 2008.

5.

B. TS Session Broker allows users to reconnect to a disconnected session in a load-balanced terminal server farm.

6.

B. False. Monitor spanning supports only horizontal displays (i.e., side-by-side displays).

7.

B. For users to receive the windows Vista Aero desktop, the Desktop Experience feature must be installed in Server Manger and the Windows Vista theme must be set.

8.

A. True. With the Drives I Connect Later setting on the Remote Desktop client, a user can connect a USB drive after the connection has already been established.

9.

B, C. In the TS RemoteApp Manager, the only two options available to package a remote application is to create an MSI file or an RDP file.

10. B. TCP port 443 is used to establish an HTTPS connection between the client and the TS Gateway server. 11. C. For an application not packaged with MSI Installer to be installed on a terminal server, the mode must be changed from execute to install. After installation is complete, the mode needs be change back to execute. 12. A, B. A user must match at least one policy in each of the TS CAPs and TS RAPs to gain access to the internal terminal servers. 13. B. False. All servers participating in Terminal Server Session Broker Load Balancing have to be in the same domain. 14. A, B, C, D, E. Font smoothing is available for any client running RDC 6.0. 15. A. True. To change the default setting for web access, you have to disable TS Web Access in the programs’ properties in TS RemoteApp Manager. 16. B. To present a published application, the TS Access Web server computer account has to be in the local security group TS Web Access Computer Security on the TS RemoteApp server. 17. B. False. TS Session Broker requires only Windows Server 2008 Standard Edition. In fact, all the terminal server roles are available with the standard edition.

Answers to Review Questions

97

18. B, D. To use SSO, the client must be Windows Vista or another Windows 2008 server, the user must have the appropriate rights to log on, and the client computer and TS server must be in the same domain. 19. B. False. ClearType can increase the bandwidth to from 4 to 10 times than terminal servers with ClearType disabled. 20. A. TS RemoteApp is the new feature that will publish an individual application from the terminal server so it appears as if is it is running on the client’s local computer.

Chapter

3

Terminal Services Licensing, Advance Configuration, and Monitoring for Terminal Services MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configure Terminal Services licensing. May include but is not limited to: deploy licensing server, connectivity between terminal servers and Terminal Services licensing server, recovering Terminal Services licensing server, managing Terminal Services client access licenses (TS CALs) ÛÛ Configure and monitor Terminal Services resources. May include but is not limited to: allocate resources by using Windows Server Resource Manager, configure application logging ÛÛ Configure Terminal Services server options. May include but is not limited to: logoff, disconnect, reset, remote control, monitor, Remote Desktop Protocol (RDP) permissions, connection limits, session time limits, managing by using GPOs, viewing processes, session permissions, display data prioritization ÛÛ Configure Terminal Services client connections. May include but is not limited to: connecting local devices and resources to a session, Terminal Services profiles, Terminal Services home folders, Remote Desktop Connection (RDC), single sign-on, Remote Desktop Snap-In, MSTSC.exe

In the previous chapter we discussed the new features of Terminal Services for Windows Server 2008, installed various server roles, and then configured them. These roles give us the functionality we need for users to access their applications remotely, but without proper management of the server roles, a Terminal Server environment can quickly get out of hand and become an administrative nightmare. This chapter shows you how to alleviate headaches by managing TS CALs, how to perform advanced configurations on the clients and servers, and how to customize your Terminal Server environment. In this chapter, we will cover the following topics: NÛ

Configuring Terminal Services Licensing

NÛ

Managing through Group Policy

NÛ

Configuring global deployment settings for TS RemoteApp

NÛ

Monitoring TS Gateway using TS Gateway Manager

NÛ

Resource allocation for Terminal Services

Configuring Terminal Services Licensing Terminal Services Licensing (TS Licensing) is one of those necessary evils that we all want to dismiss, but without proper licensing, your terminal server will stop accepting connections after a period of time. This time period depends on the OS version you are using. What TS Licensing does is manage the client access licenses (TS CALs) that are required of a user or a device to connect to a terminal server. TS Licensing in Windows Server 2008 has some new features that will ease management, enable the administrator to revoke licenses, and provide more effective ways to diagnose licensing issues.

Terminal Services Client Access Licenses (TS CALs) There are two types of client access licenses (CALs), TS Per Device CALs and TS Per User CALs, and they must match the licensing mode that has been configured on the Terminal Services license server. With the Per Device licensing mode, a client computer connecting for the first time is issued a temporary license. At the next connection, the license server verifies that there are enough TS Per Device CALs and issues the client computer a permanent CAL. Inversely, TS Per User CALs give users the ability to connect to a terminal server

Configuring Terminal Services Licensing

101

from any client computer and are not enforced by the TS license server. To ensure that you are complaint with the license terms, you can use the TS Licensing Manager tool to track and generate reports of the TS Per User CALS that have been issued by the TS license server. This will be covered later in the chapter when we learn how to create TS Per CAL usage reports.

Installing TS Licensing and TS Client Access Licenses (CALs) To use Terminal Services, there must be at least one license server deployed in the environment. As mentioned earlier, there is a licensing grace period within which the license server will issue temporary TS CALs and does not have to be activated. The grace period begins when a terminal server accepts its first client connection and ends when the number of days in the grace period is exceeded or when the first permanent TS CAL is issued by the license server. The length of the grace period is dependent on the OS the terminal server is running (see Table 3.1). Before the grace period ends, the appropriate number of TS CALs must be purchases and installed. A message stating the number of days left in the licensing grace period appears in the lower-right corner of a terminal server’s desktop when an administrator logs on. TA B L E 3 .1

Licensing Grace Periods of Terminal Services by OS

Operating System

Grace Period

Windows Server 2008

120 days

Windows Server 2003 R2

120 days

Windows Server 2003

120 days

Windows 2000

90 days

Remote Desktop supports two concurrent connections for remote administration that do not require licenses.

Terminal Services License Server Discovery Before you install a TS license server, you need to decide on the type of discovery scope you will select during the installation of the TS Licensing role service. Terminal Services license server discovery determines how the license server will be discovered by terminal servers. There are three discovery scopes available: Workgroup, Domain, and Forest. If the

102

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

TS Licensing role service is being installed on a computer that is not a member of a domain, choose the Workgroup discovery scope. In this scenario, terminal servers and the license servers have to be in the same workgroup and on the same local subnet for the autodiscovery process to work. However, if the license server is later joined to a domain, the discovery scope will be changed from Workgroup to Domain. Domain and Forest discovery scopes are available only if the TS Licensing service role is installed on servers that are domain members. For terminal servers to automatically discover a license server with the Domain discovery scope, the license server must be installed on a domain controller and the person installing the role must have domain administrator credentials. It is possible to install the TS Licensing role service on a computer that doesn’t serve as a domain controller; however, the terminal servers in the domain will not automatically discover the license server. License servers configured with the Forest discovery scope are published in Active Directory Domain Services, which allows terminal servers within the same forest to discover the license server automatically. To install the license server with the Forest discovery scope, the person installing the role must have enterprise administrator’s credentials. Regardless of the discovery scope type, Domain or Forest, a license server issuing TS Per User CALs must be a member of the Terminal Server License Servers group. TS servers attempt to contact license servers in the follow order: 1.

License servers in Terminal Services Configuration tool or using GPOs.

2.

License servers installed on the same computer as the TS server.

3.

License servers published in Active Directory Domain Services.

4.

License servers installed on domain controllers in the same domain as the TS server.

Once you have decided what type of TS CALs to use, purchased the type and number of TS CALs required in the environment, and determined the method of license server discovery, you need to ensure that the license server is supported by the terminal server OS. A terminal server running Windows Server 2008 is able to talk to only a license server running Windows Server 2008. However, a Windows Server 2008 TS Licensing Server supports terminal servers on the following operating systems: NÛ

Windows Server 2008

NÛ

Windows Server 2003 R2

NÛ

Windows Server 2003

NÛ

Windows Server 2000

Installing TS Licensing Role Service Now that we have discussed TS CALs and how Terminal Services License Server Discovery works, you can begin installing the TS Licensing role server (see Exercise 3.1).

Configuring Terminal Services Licensing

E X E R C I S E 3 .1

Installing TS Licensing Role Service Follow these steps to install the TS Licensing role service:

1.

Click Start  Administrative Tools  Server Manger.

2.

Right-click Roles and choose Add Roles.

3.

On the Select Server Roles page of the Add Roles Wizard, select Terminal Services.

4.

Click Next.

5.

On the Introduction to Terminal Services page, click Next.

6.

On the Select Role Services page, select TS Licensing.

103

104

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E X E R C I S E 3 .1 ( c o n t i n u e d )

7.

Click Next.

8.

On the Configure Discovery Scope for TS Licensing page, select the appropriate discovery scope for your installation. Leave the TS Licensing database location as the default, C:\Windows\system32\LServer.

Configuring Terminal Services Licensing

105

E X E R C I S E 3 .1 ( c o n t i n u e d )

9.

Click Next.

10. On the Confirm Installation Selections page, review the TS Licensing information that has been selected.

11. Click Install. 12. On the Installation Results page, verify that the TS Licensing role service installation succeeded.

13. Click Close.

Connecting to the license server in Windows Server 2008 is done through the TS Licensing Manager tool, which is automatically installed when the TS Licensing role service has been installed. However, you can manage the license server from a remote computer running Windows Server 2008 by adding the TS Licensing Manager feature from Server Manager. Exercise 3.2 demonstrates how to install TS Licensing Manager as a feature. EXERCISE 3.2

Installing TS Licensing Manager as a Feature Follow these steps to install TS Licensing Manager as a Feature in Windows Server 2008:

1.

Click Start  Administrative Tools  Server Manger.

2.

Right-click Features and choose Add Features.

106

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E XE RC I SE 3. 2 (continued)

3.

On the Select Features page of the Add Features Wizard, expand Remote Server Administration Tools.

4.

Expand Role Administration Tools.

5.

Expand Terminal Services Tools.

6.

Select TS Licensing Tools.

7.

Click Next.

10. On the Confirm Installation Selections page, click Install. 11. On the Installation Results page, verify that the installation of TS Licensing Tools succeeded.

12. Click Close. 13. To Start TS Licensing Manager, click Start  Administrative Tools  Terminal Services  TS Licensing Manager.

Configuring Terminal Services Licensing

107

Activating Terminal Services License Server As you know, a Terminal Services license server must be activated to issue TS CALs. The activation process uses the Activate Server Wizard within the TS Licensing Manager tool. There are three methods to activate a license server: Automatic connection Microsoft recommends using this method to activate the license server. However, it requires an SSL connection (TCP port 443) because the license server will connect to the Microsoft Clearinghouse over the Internet. Web browser This method is used when the license server does not have Internet access. A URL to the Microsoft Clearinghouse is displayed in the Activate Server Wizard and accessed through a computer that does have Internet access. Telephone This method is used is used if no Internet access is available. The telephone number is displayed in the Activate Server Wizard after the appropriate country or region is selected. The following exercise, Exercise 3.3, illustrates the process for activating a TS license server. EXERCISE 3.3

Activating a TS License Server Follow these steps to activate a TS license server:

1.

Click Start  Administrative Tools  Terminal Services  TS Licensing Manager.

2.

Right-click the license server that requires activation and click Activate Server. Notice that the server will have a red X and that Activation Status is set to Not Activated.

3.

On the first page of the Activate Server Wizard, click Next.

4.

On the Connection Method page, select the appropriate method for your environment.

108

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E XE RC I SE 3.3 (continued)

5.

Click Next. (From here it will depend on the method chosen. In this scenario, the chosen method is Web Browser.)

6.

On the License Server Activation page, copy the product ID.

7.

From a computer with Internet access, use the URL provided to go to the Terminal Server Licensing website.

8.

On the Terminal Server Licensing website, select your language and activate a license server.

Configuring Terminal Services Licensing

E XE RC I SE 3.3 (continued)

9.

Click Next.

10. Enter all the required information.

11. Click next. 12. Review and confirm all the information that you provided. Click Next. 13. You will now receive your license server ID, which you enter into the Terminal Server License Server Activation Wizard. Copy or print this web page so that you have the information.

14. At this point you can request the license tokens by clicking Yes. We are going to click No because we will install the tokens in Exercise 3.4.

15. Go back to the TS Licensing Manager and Activate Server Wizard. 16. Enter the license server ID you received from the Terminal Server Licensing website. Refer to step 6 of this exercise.

17. Click Next. 18. On the Completing the Activate Server Wizard page, you will see the status message “The license server has been successfully activated.” Uncheck Start Install Licenses Wizard Now, for we will be installing the TS CALs later.

109

110

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E XE RC I SE 3.3 (continued)

19. Click Finish. 20. Notice that in the TS Licensing Manager, the red X has changed to a green check mark and the activation status has changed to Activated.

Installing Terminal Services Client Access Licenses The same three methods you use when you activate a Terminal Services license server apply when installing Terminal Services client access licenses. However, when you’re installing licenses, the Install Licenses Wizard retains the connection method used when you activated the license server. In our case, the connection method is web browser. The connection method can be changed in TS Licensing Manager by right-clicking the appropriate server and selecting Properties. The three methods (automatic connection, web browser, and telephone) are available under the Connection Method tab. You must activate the TS license server have the license code to install TS CALs. Exercises 3.4 walks you through the process.

Configuring Terminal Services Licensing

EXERCISE 3.4

Install Terminal Services Client Access Licenses Follow these steps to install TS CALs:

1.

Start TS Licensing Manager by clicking Start  Administrative Tools  Terminal Services  TS Licensing Manager.

2.

Right-click the license server and choose Install Licenses.

3.

On the Welcome to the Install Licenses Wizard page, click Next. Notice that the connection method is Web Browser.

4.

On the Obtain Client License Key Pack page, copy the license server ID and go to the Terminal Services Licensing website from a computer with Internet access.

111

112

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E XE RC I SE 3. 4 (continued)

5.

On the Terminal Services Licensing website, select the appropriate language and select Install Client Access License Tokens.

Configuring Terminal Services Licensing

E XE RC I SE 3. 4 (continued)

6.

Click Next.

7.

Enter all the required fields, including the license server ID, and select the license program. Notice that there are number of choices for the license program.

8.

Click Next.

9.

The license program you chose in step 7 determines what information will be needed on this page. Normally a license code or an agreement number is all that will be required. Also, you must select the type and quantity of TS CALs to install on the license server.

113

114

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E XE RC I SE 3. 4 (continued)

10. Click Next. 11. The web page displays a key pack ID generated by the Microsoft Clearinghouse. Make sure you keep a copy in case assistance is needed recovering TS CALs.

12. Go back to the TS Licensing Manager and the Activate Server Wizard. 13. Enter the license key pack ID you received from the Terminal Server Licensing website. Refer to step 4.

14. Click Next. 15. On the Completing the Install License Wizard page, click Finish. The TS license server can now issues TS CALs to clients.

Configuring License Settings on a Terminal Server Now that the TS license server has been installed and activated, you can specify the Terminal Services licensing mode and discovery mode. Remember, the TS licensing mode determines the type of TS CALs a terminal server requests for a connecting client; a terminal server must also be configured to match the type of TS CAL available from the TS license server. The discovery mode determines how a terminal server will find the TS license servers so it can request TS CALs for the connecting clients.

Specifying the TS Licensing Mode The TS licensing mode can be configured in three ways. The first way is to set the licensing mode during the installation of the Terminal Services role (see Figure 3.1). The second way is to configure the TS licensing mode is to use the Terminal Services Configuration tool. 1.

Open the Terminal Services Configuration tool by clicking Start  Administrative Tools  Terminal Services  Terminal Services Configuration.

2.

In the center frame in the Edit settings area on the General tab, double-click User Logon Mode or right-click User Logon mode and select Properties.

3.

On the Licensing tab, specify the Terminal Services licensing mode, either Per Device or Per User. See Figure 3.2.

Configuring Terminal Services Licensing

115

F I G U R E 3 .1

Specifying the licensing mode when installing the TS server role

FIGURE 3.2

Specifying the licensing mode from the Terminal Services Configuration tool

116

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

The third way to configure the TS licensing mode is to enable the Set Terminal Service licensing mode group policy. It is important to note that Group Policy settings will take precedence over the settings in the Terminal Services Configuration tool. 1.

Open Group Policy Management Editor. This can be done through the Local Group Policy Editor or the Group Policy Management Console.

2.

Navigate to Computer Configuration  Administrative Templates  Windows Components  Terminal Services  Terminal Server  Licensing  Set the Terminal Service licensing mode. See Figure 3.3.

FIGURE 3.3

Terminal Services licensing mode Group Policy

3.

Double-click Set the Terminal Service licensing mode.

4.

Click Enabled. See Figure 3.4

5.

Specify the licensing mode for the terminal server. (Per Device or Per User).

6.

Click OK.

Specifying the TS License Server Discovery Mode The TS License server discovery mode can be set two ways. The first way is to use the Terminal Services Configuration tool. 1.

Click Start  Administrative Tools  Terminal Services  Terminal Services Configuration.

2.

In the center frame in the Edit settings area on the General tab, double-click User Logon Mode or right-click User Logon Mode and select Properties.

Configuring Terminal Services Licensing

FIGURE 3.4

117

Settings for the Set Terminal Services licensing mode Group Policy

3.

On the Licensing tab, specify the license server discovery mode. Either select Automatically Discover a License Server or identify a particular server by typing its name within the Use the Specified License Server box.

4.

Click OK.

The second way to configure the TS discovery mode is to set it with the Use the specified Terminal Services license servers group policy. 1.

Open Group Policy Management Editor. This can be done through the Local Group Policy Editor or the Group Policy Management Console.

2.

Navigate to Computer Configuration  Administrative Templates  Windows Components  Terminal Services  Terminal Server  Licensing  Use the specified Terminal Services license servers. See Figure 3.5.

3.

Double-click Use the specified Terminal Services license servers.

4.

Click Enabled and enter the name of the license servers. See Figure 3.6.

5.

Click OK.

Tracking the Issuance of Terminal Services Per User Client Access Licenses New to Windows Server 2008 is the ability to track the TS Per User CALs that have been issued by a TS license server. TS Per User CALs can be tracked only if the terminal server and TS license server are members of a domain. Therefore, Workgroup mode is not supported when tracking and reporting TS Per User CALs. When a user logs into a terminal server, the terminal server checks the license server mode and then checks in with the license server. The license server modifies the terminalServer attribute for the user within Active Directory and the CAL becomes associated with the user account object. This is why the license server must be a member of the Terminal Server License Servers security group in the domain because

118

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

this group grants the right to modify user attributes within Active Directory. If a license server is going to be used in multiple domains, it must be a member of the Terminal Server License Servers group for each domain. Because the issued Per User CALs are stored in Active Directory Domain Services (AD DS), the only way to obtain the most current information is to create a report using the TS Licensing Manager. Exercise 3.5 walks you through the process of creating a report for TS Per User Cal issuance. FIGURE 3.5

Specifying the Terminal Services license servers with a Group Policy

FIGURE 3.6 Group Policy

Settings for the Use the specified Terminal Services license servers

Configuring Terminal Services Licensing

EXERCISE 3.5

Creating a Report for TS Per User CAL Issuance Follow these steps to create a TS Per User CAL issuance report:

1.

Click Start  Administrative Tools  Terminal Services  TS Licensing Manager.

2.

Select the license server. Right-click the server and select Create Report.

3.

Click Per User CAL-Usage.

4.

Select how the report will search Active Directory. There are three options:

5.

NÛ

Entire Domain. This will create a report based on the domain in which the license server is a domain member.

NÛ

Organizational Unit. This will create a report based on a specific OU in the domain in which the license sever is a domain member.

NÛ

Entire Domain and All Trusted Domains. This will only create a report on license servers that are in that are in the Terminal Server License Server security group.

Click Create Report. The created report will be in the Reports section under the license server. The report provides the following information: NÛ

Report date

NÛ

Report scope (domain, OU, or all trusted domains)

NÛ

TS CAL type

NÛ

Installed TS CALs

NÛ

TS CALs in use

NÛ

TS CAL availability

119

Chapter 3

120

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E XE RC I SE 3.5 (continued)

It is also possible to save a report as a comma-delimited file (CSV). To save the report as a CSV, right-click the report choose and Save As. Enter a filename and a location. The CSV file includes additional information about the TS Per User CALs issued, as shown in Figure 3.7. NÛ

Issued to User

NÛ

TS CAL Version

NÛ

Expires On

F I G U R E 3 .7

CSV output for TS Per User CAL report

Configuring Terminal Services Licensing

121

Revocation of Client Access Licenses Before Windows Server 2008, there was no way to revoke issued licenses from systems that have been replaced and no way to make those licenses available immediately. Issued licenses would expire in 52 to 89 days, and after that they would become part of the available license pool. To address this, Microsoft has introduced a method to revoke licenses manually in Windows Server 2008. However, there are some small caveats to the revocation process. The revocation process supports only Per Device CALs, and you can revoke only a maximum of 20 percent of a specific version. For example, if you have 100 Windows Server 2008 Per Device CALs and 50 Windows Server 2003 CALs installed on your license server, you can revoke 20 of the Windows Server 2008 CALs and 10 of the Windows Server 2003 CALs; each type of Per Device CAL can be revoked at any time because operating system Per Device CALs are independent of each other. Exercise 3.6 demonstrates the revocation process for Per Device CALs.

Although the CAL revocation is very handy and certainly alleviates some administrative headaches, it is not a substitute for proper planning and ensuring that there are enough CALs for your environment.

EXERCISE 3.6

Revocation of Per Device CALs Follow these steps to revoke Per Device CALs:

1.

Start  Administrative Tools  Terminal Services  TS Licensing Manager.

2.

Expand the license server for which you want to revoke licenses.

3.

Right-click on the CAL you want revoke and choose Revoke CAL.

4.

The revoked CAL is now available. Its status has changed from Active to Revoked.

Terminal Services Licensing Diagnosis With Windows Server 2008, Microsoft has introduced a Licensing Diagnosis tool that will help manage and identify possible licensing problems by analyzing and highlighting potential terminal server configuration issues. Terminal Services Licensing Diagnosis can also determine the license servers that are discoverable by the Terminal Services server. It can also provide suggested resolutions to specific problems for a license server. Exercise 3.7 shows the procedures to run the Terminal Services Licensing Diagnosis tool.

Chapter 3

122

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E XERCISE 3.7

Running Licensing Diagnosis Follow these steps to run licensing diagnosis:

1.

Click Start  Administrative Tools  Terminal Services  Terminal Services Configuration.

2.

Click Licensing Diagnosis in the left pane. The Licensing Diagnosis tool automatically discovers the license servers and identifies licensing configuration problems and display the results. License Diagnosis is split into four sections: NÛ

Terminal Server Configuration Details displays status and configuration information for the Terminal Services server.

NÛ

Licensing Diagnosis Information displays licensing problems and suggests resolutions.

NÛ

Terminal Services License Server Information displays license servers that are discoverable by the Terminal Services server.

Configuring Terminal Services Licensing

123

E XE RC I SE 3.7 (continued)

NÛ

License Server Configuration Details displays status and configuration information about the TS license server.

How Do I Remotely Administer Windows Server 2008? Now that know how to install and configure Terminal Services and TS Licensing, we’ll look at how you connect to remotely administer your servers running Windows Server 2008. Remote administration in Windows Server 2008 is changing. In Windows Server 2003, to remotely connect a Terminal Services server, you would use RDC with mstsc.exe฀ /console and this would give you access to the console session on the server. With Window Server 2008, the /console switch is ignored and replaced with RDC switch mstsc.exe฀฀ /admin, which will allow you to administer the server. The /admin switch has been introduced with RDC 6.1 and is available only on Windows Server 2008, Windows Vista Service Pack 1, and Windows XP Service Pack 3. To start a remote administration session, you

124

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

must be a member of the Administrators groups on the server. After you start your remote administration session with /admin, the following are true: NÛ

There can be two active remote administration sessions and they do not require a TS CAL.

NÛ

Time zone redirection is disabled.

NÛ

TS Session Broker redirection is disabled.

NÛ

Plug and Play device redirection is disabled.

NÛ

The remote session theme is changed to Windows Classic.

NÛ

Terminal Services Easy Print is disabled.

Why the change? In Windows Server 2003, all services and some user applications ran in the same session as the first user who logged on to the console, which is called Session 0. Session 0, or console session, is always the first to load and is configured with Windows display, mouse, and keyboard drivers. After creating Session 0, the terminal server calls Windows Session Manager (smss.exe); the Session Manager is what creates and manages all sessions. The Session Manager would then start the Client-Server Runtime Subsystem (csrss.exe), which in turn invokes the Winlogon process (winlogon.exe). The ClientServer Runtime Subsystem manages all the process and threads for all logon sessions, and Winlogon handles all user logons and logoffs and is responsible for starting the Windows shell, explorer.exe. Winlogon now launches the Local Security Authority Subsystem Service (lsass.exe) and the Service Control Manager (services.exe). The Local Security Authority Subsystem Service is responsible for enforcing the security policies on the system, and the Service Control Manager manages the all the Windows services. What does all this really mean? Here’s an example. In this scenario, we have a service belonging to a particular application and it generates a dialog box that requires user interaction on Session 0, such as click OK or Cancel. The application is now waiting on this user interaction to proceed, and the only way to see the dialog box is to log on with /console. From the perspective of the other clients logged on to the server, the application appears to be hung when in fact it is waiting for a user response. So to alleviate those types of issues, Microsoft has made Session 0 noninteractive in Windows Server 2008, but by doing so, it has made us have to change the way we administer our servers. How are things different in Windows Server 2008? As in previous versions, the Session Manager (smss.exe) is still the first process created during the boot process. However, the Session Manager now launches a second instance of itself, making a dedicated Session 0 process. This dedicated process in Session 0 then launches the Windows Startup Application (wininit.exe) and a Client-Server Runtime System (csrss.exe) for Session 0. The Client-Server Runtime System exits, but the Windows Startup Application continues by starting the Service Control Manager (services.exe) and the Local Security Authority Subsystem Service (lsass.exe) as well as a new process called the Local Session Manager (lsm.exe). The Local Session Manager administers TS Server

Managing Terminal Services through Group Policy

125

connections for the computer. While all this happening, a console session is also being initialized. Just as with Session 0, the Session Manager creates a new instance and starts the Client-Server Runtime System and the Winlogon process (winlogon.exe). The console’s Winlogon process now launches the Logon User Interface Host (logonui.exe) and displays the Ctrl+Alt+Delete logon to the users.

Managing Terminal Services through Group Policy A Terminal Services server is different than other servers in that it also acts as a user workstation. In the following sections, we are going to discuss how to utilize Group Policy Objects (GPO) to help administer the Terminal Services server in your environment. The topics that we will discuss include Group Policy settings for Terminal Services, TS Gateway, TS RemoteApp, and TS Session Broker.

Group Policy Settings for Terminal Services In this section, you’ll learn about some of the generic settings for Terminal Services that will help you administer the server. These include user disconnects, remote control, RDP permissions, connection limits, and session time limits. For simplicity, the section is written with the assumption that you already know the basics of Group Policy and Active Directory configurations. All of the policies for Terminal Services can be found in Group Policy Management Editor under Computer฀ Configuration\Administrative฀Templates\Windows฀Components\Terminal฀Services or under User฀Configuration\Administrative฀Templates\Windows฀Components\Terminal฀Services. There are a number of policy settings under the Terminal Services location and we will not be able to cover them all, so we will just highlight the most common settings. We will begin by looking at the policies under Computer฀Configuration\Administrative฀ Templates\Windows฀Components\Terminal฀Services\Connections. These policies are as follows: Automatic reconnection Enabling this policy allows clients to reconnect to a disconnected session if the network link go down. By default, the terminal server tries to reconnect every 5 seconds and continues trying up to 20 times. This policy should be used in conjuction with the next policy, Configure keep-alive connection interval. Configure keep-alive connection interval This policy is a useful setting for networks that are unreliable, such as WAN links, and will set how often, in minutes, the server checks the session state. If this policy is left disabled or not configured, the server will not check the session state. See Figure 3.8.

126

Chapter 3

FIGURE 3.8

N

Terminal Services Licensing, Advance Configuration, and Monitoring

Keep-alive connection interval properties

Set rules for remote control of Terminal Services user sessions This sets the level of remote control for a session. If it’s left disabled or not configured, remote control rules are determined by the Terminal Services Configuration tool. See Figure 3.9. Restrict Terminal Service users to a remote session This policy can limit the resources used by limiting users to one session on the terminal server. If it’s left disabled, users are allowed unlimited concurrent remote connections. FIGURE 3.9

Set rules for remote control of Terminal Services user sessions properties

Managing Terminal Services through Group Policy

127

Some policies can be set in both Computer Configuration and User Configuration. If both policies are set, the Computer Configuration policy takes precedence.

The next set of policies that we will examine is under Computer฀Configuration\ Administrative฀Templates\Windows฀Components\Terminal฀Services\Remote฀Session฀ Environment: Limit maximum color depth By setting this policy, you can reduce network bandwidth and also decrease the resource load on the terminal server. The setting specifies the maximum color depth allowed for a session. If Client Compatible is selected, the highest color depth supported by the client will be used. See Figure 3.10. F I G U R E 3 .1 0

Properties for Limit maximum color depth

Remove “Disconnect” option from Shut Down dialog Enabling this policy removes the Disconnect option from the Shut Down Windows dialog box. The reason for this is to prevent users from disconnecting the session instead of terminating the session. If a session is in a disconnected state, the session continues to run and consume server resources. After a user connects to a terminal server, it’s a good idea to change their profile path and home directory. This is done through Computer฀Configuration\Administrative฀฀ Templates\Windows฀Components\Terminal฀Services\Terminal฀Server\Profiles. These policies are as follows: Set TS User Home Directory Enabling this policy specifies whether Terminal Services uses a network or a local drive for a user’s home directory. You must choose a location on the network or the local machine by designating the location with a UNC path or local drive.

128

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

If you chose On the Network, you must also specify the drive letter that the user’s session will use. Use mandatory profiles on the terminal server Enabling this policy allows the terminal server to enforce a mandatory profile for all users connecting to the terminal server. If you enable this policy, you must all enable the Set path for TS Roaming User Profile policy. Set path for TS Roaming User Profile By default, Terminal Services stores all user profiles locally. Enabling this policy allows the administrator to set a specific network path for roaming user profiles. The profile path is set with a UNC path, \\Computername\ Sharename. Moving down the policy list, the next set will be Computer฀Configuration\฀ Administrative฀Templates\Windows฀Components\Terminal฀Services\Session฀฀ Time฀Limits: Set time limit for disconnected sessions If this policy is enabled, a time limit for disconnected session will be set and when the time limit is reached the session will be deleted from the server. The policy is useful to ensure that resources are released on the server. See Figure 3.11. F I G U R E 3 .11

Properties for Set time limit for disconnected sessions

Set time limit for active but idle Terminal Services sessions Enabling this policy will put idle session into a disconnected state after a period of time. It’s similar to the time limits that are available in the preceding policy.

Managing Terminal Services through Group Policy

129

Set time limit for logoff of RemoteApp sessions Enabling this policy specifies how long a RemoteApp session will remain in a disconnected state before the session in logged off. If this policy is disabled or not configured, a closed RemoteApp will be disconnected from the terminal server. Before moving on, we need to mention that the TS Session Broker policies are also available is this area. The TS Session Broker policies are located under Computer฀Configuration\฀ Administrative฀Templates\Windows฀Components\Terminal฀Services\TS฀Session฀Broker. Here are the available TS Session Broker policies: Join TS Session Broker Enabling this policy tell the terminal server to join the farm that is specified in the Configure TS Session Broker farm name policy. Configure TS Session Broker farm name farm for TS Session Broker.

Enabling this policy specifies the name of the

Use IP Address Redirection Enabling this policy specifies the redirection method used when a client reconnects to an existing session. This setting applies to a terminal server that is configured to use TS Session Broker, not the TS Session Broker server. Configure TS Session Broker server name Enabling this policy specifies the TS Session Broker server that the terminal servers will use to track and redirect user session in a loadbalanced terminal server farm. Use TS Session Broker load balancing Enabling this policy specifies whether to use the TS Session Broker load balancing feature. It is important to note that when you enable this policy, you must also enable and configure the Join TS Session Broker, Configure TS Session Broker server name, and Configure TS Session Broker farm name group policies. To configure the TS Gateway settings through Group Policy, you must use the User Configuration settings for Terminal Services, which are located under User฀Configuration\฀ Administrative฀Templates\Windows฀Components\Terminal฀Services\TS฀Gateway. Here are the available TS Gateway policies: Enable connection through TS Gateway Enabling this policy will cause clients to attempt to connect to the TS Gateway server that is specified in the Set TS Gateway server address policy. Set TS Gateway authentication method Enabling this policy specifies the authentication method used when a user is connected to a terminal server through a TS Gateway server. If this policy is disabled or not configured, the authentication method specified by the user is used, and if the user has not specified a method, the NTLM protocol that is enabled on the client or a smart card can be used. See Figure 3.12. Set TS Gateway server address Enabling this policy specifies the address of the TS Gateway server that the clients will use when connecting to a terminal server.

Chapter 3

130

F I G U R E 3 .1 2

N

Terminal Services Licensing, Advance Configuration, and Monitoring

Properties for Set TS Gateway authentication method

Configuring Global Deployment Settings for TS RemoteApp We have already configured the basics to publish a TS RemoteApp. In the following sections, we will discuss the options available for configuring the global deployment settings that apply to all RemoteApp programs. The following settings are global deployment settings: NÛ

Terminal server settings

NÛ

TS Gateway settings

NÛ

Remote Desktop Protocol (RDP) settings

NÛ

Digital signature settings

Configuring Terminal Server Settings In this section, we will discuss how to configure the following RemoteApp deployment settings: NÛ

Server name

NÛ

RDP port

NÛ

Remote desktop access

NÛ

Access to unlisted programs

Managing Terminal Services through Group Policy

The settings in Exercise 3.8 define how users connect to a terminal server to access TS RemoteApp programs. EXERCISE 3.8

TS RemoteApp Global Deployment Settings Follow these steps to configure TS RemoteApp global deployment settings:

1.

Click Start  Administrative Tools  Terminal Services  TS RemoteApp Manager.

2.

In the Actions pane, click Terminal Server Settings.

3.

On the Terminal Server tab under Connection Settings, you can change the server name, RDP port, and whether or not server authentication is required.

4.

Under Remote Desktop Access, check Show a Remote Desktop Connection to This Terminal Server in TS Web Access if you would like to provide a link to the full terminal server desktop through TS Web Access.

5.

Under Access to Unlisted Programs, choose either Do Not Allow Users to Start Unlisted Programs on Initial Connection or Allow Users to Start Both Listed and Unlisted Programs on Initial Connection. By not allowing users to start unlisted programs, you help protect against users starting a program from an RDP file.

131

Chapter 3

132

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E XE RC I SE 3.8 (continued)

Remember, you can use Group Policy and AD DS to centralize and simplify the administration of the client settings.

Configuring TS Gateway Settings The TS Gateway settings define how clients will connect to the TS Gateway server when using TS RemoteApp programs on the terminal server, as shown in Exercise 3.9. There are three TS Gateway settings that are configurable: NÛ

Automatically Detect TS Gateway Server Settings.

NÛ

Use the TS Gateway Server Settings.

NÛ

Do Not Use a TS Gateway Server.

EXERCISE 3.9

TS RemoteApp TS Gateway Global Deployment Settings Follow these steps to configure TS RemoteApp’s TS Gateway global deployment settings:

1.

Click Start  Administrative Tools  Terminal Services  TS RemoteApp Manager.

2.

In the Actions pane, click TS Gateway Settings.

Managing Terminal Services through Group Policy

133

E XE RC I SE 3.9 (continued)

3.

On the TS Gateway tab, there are three server settings. NÛ

Automatically Detect TS Gateway Server Settings. If this is selected, the client tries to use Group Policy settings to determine the behavior of the client connection to the TS Gateway server.

NÛ

Use These TS Gateway Server Settings. This selection will allow you to configure the TS Gateway server name and logon method. The server name must match the SSL certificate you acquired for the TS Gateway server.

NÛ

Do Not Use a TS Gateway Server. Use this selection if the client is not accessing the TS servers from the Internet.

Configuring RDP Settings Using these RDP selections will specify settings users will get when connecting to a RemoteApp, such as device and resource redirection and some display settings. Exercise 3.10 shows the available user RDP selections. E X E R C I S E 3 .1 0

TS RemoteApp Common RDP Global Deployment Settings Follow these steps to configure TS RemoteApp’s common RDP global deployment settings:

1.

Click Start  Administrative Tools  Terminal Services  TS RemoteApp Manager.

2.

In the Actions pane, click Terminal Server Settings and then click the Common RDP Settings tab.

Chapter 3

134

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E X E R C I S E 3 .1 0 ( c o n t i n u e d )

3.

4.

Under the Devices and Resources section, you can choose what will be available when a user connects to a remote session: NÛ

Printers

NÛ

Disk drives

NÛ

Clipboard

NÛ

Smart cards

NÛ

Supported Plug and Play devices

Under User Experience, you can select Allow Font Smoothing as well as the color depth for the remote session.

Configuring Digital Signature Settings The digital signature settings allow the digital certificate signing of RDP files that are use for RemoteApp connections. By using a server authentication certificate (SSL certificate) or a code signing certificate, you can better protect the server from malicious users and applications. If you’re already using an SSL certificate for a terminal server or TS Gateway server, you can use the same certificate to sign the RDP files. Exercise 3.11 explains how to configure TS RemoteApp Digital Signature global deployment settings.

Managing Terminal Services through Group Policy

135

E X E R C I S E 3 .11

TS RemoteApp Digital Signature Global Deployment Settings Follow these steps to configure TS RemoteApp Digital Signature global deployment settings:

1.

Click Start  Administrative Tools  Terminal Services  TS RemoteApp Manager.

2.

In the Actions pane, click Digital Signature Settings.

3.

Select Sign with a Digital Certificate.

4.

In the Digital Certificate detail box, click Change.

5.

In the Select Certificate dialog box, chose the certificate you want to use.

Monitoring TS Gateway Using TS Gateway Manager After completing the configuration options for the client connections to TS Gateway, it is important to know how to monitor active connections and look for errors specific to the TS Gateway server. This discussion will be focused on the events that will be logged and how to view active connections using TS Gateway Manager. The discussion will be split into the following topics: NÛ

Specifying TS Gateway events to log.

NÛ

Viewing details about active connections through a TS Gateway server.

Specifying TS Gateway Events to Log The TS Gateway Manager is used to specify the type of events that will be monitored, and when an event does occur, the event can be viewed with Windows Event Viewer. TS Gateway server events are located under Application฀and฀Service฀Logs\Microsoft\Windows\ TerminalServices-Gateway. Exercise 3.12 shows how to select which events will be logged as TS Gateway events. E X E R C I S E 3 .1 2

Specifying TS Gateway Events to Log Follow these steps to specify TS Gateway events logs:

1.

Click Start  Administrative Tools  Terminal Services  TS Gateway Manager.

2.

Select the TS Gateway server.

3.

Right-click the name of the server and choose Properties.

136

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E X E R C I S E 3 .1 2 ( c o n t i n u e d )

4.

On the Auditing tab, select the appropriate events to monitor.

Table 3.2 shows the name, description, and event ID of the various TS Gateway event types. TA B L E 3 . 2

TS Gateway Event Types

Event Name

Description

Event ID

Successful User Disconnection from the Resource

This event allows you to verify the user session time and the amount of data (in kilobytes) that was sent and received by the remote client through the TS Gateway server.

303: When the client disconnects from the resource 202: When an administrator disconnects the client

Failed User Connection to the Resource

The client met the conditions for the TS CAP and TS RAP but could not connect to a computer because it was unavailable.

304

Failed Connection Authorization

The client could not connect because it did not meet the conditions of the TS CAPs.

201

Managing Terminal Services through Group Policy

TA B L E 3 . 2

137

TS Gateway Event Types (continued)

Event Name

Description

Event ID

Failed Resource Authorization

The remote client could not connect to 301 the specified computer because no TS RAPs are configured to allow the user access to it.

Successful User Connection to the Resource

The remote client successfully connected to a computer.

Successful Connection Authorization

The client met the condition of one TS 200 CAP and connected successfully.

Successful Resource Authorization

The client met the condition of one TS 300 RAP and connected successfully.

302

Viewing Details about Active Connection through a TS Gateway Server Another use of TS Gateway Manager is to view detailed information about the user connections that have been granted access. Administrators can use the information displayed in the TS Gateway Manager to troubleshoot specific user connection issues. Exercise 3.13 details the steps to view user connection information through TS Gateway Manager as well as the type of information that is displayed. E X E R C I S E 3 .1 3

Viewing User Connection Information through TS Gateway Manager 1.

Click Start  Administrative Tools  Terminal Services  TS Gateway Manager.

2.

Select the TS Gateway server.

3.

Expand the server and select Monitoring. In the Results pane, a summary of the number of connections will be displayed. When you select a connection, the connection detail will appear in the lower pane. For this exercise, disconnect a specific connection or all the connections for a user.

4.

To refresh the connections display, click Refresh in the Actions pane. The following information is displayed in the Monitoring pane: NÛ

Connection ID

NÛ

User ID

NÛ

User Name

Chapter 3

138

N

Terminal Services Licensing, Advance Configuration, and Monitoring

E X E R C I S E 3 .1 3 ( c o n t i n u e d )

NÛ

Connected On

NÛ

Connection Duration

NÛ

Idle Time

NÛ

Target Computer

NÛ

Client IP Address

NÛ

Target Port

Resource Allocation for Terminal Services Windows System Resource Manager (WSRM) is a feature of Windows Server 2008 that can control how CPU and memory resources are allocated to applications, services, and processes. WSRM is not a feature of Terminal Services, but if it’s used on a terminal server, the ability to control resource allocation will give the users a better experience. This is accomplished through resource allocation policies that determine how computer resources are used. When installed on a terminal server, WSRM presents two policies: Equal_Per_User CPU allocation is divided into equal shares among the users, and processes created by the user are able to consume only as much as the total CPU allocation reserved for that user. Equal_Per_Session New to Windows Server 2008, this policy allocates an equal share of CPU resources among each user session. For example, there is a user that has two sessions running on the same terminal server and a second user running one session. When you use the Equal_Per_User resource allocation policy, the user with two sessions will get the same amount of CPU resources as the user with only one session. If you use the Equal_Per_Session resource allocation policy, the user with two sessions will receive twice the CPU resource allocation as the user with only one session. Exercise 3.14 walks through the process of installing Windows System Resource Manager. E X E R C I S E 3 .1 4

Installing Windows System Resource Manager Follow these steps to install Windows System Resource Manager:

1.

Click Start  Administrative Tools  Server Manager.

2.

Right-click Features.

Summary

139

E X E R C I S E 3 .1 4 ( c o n t i n u e d )

3.

Select Add Features.

4.

On the Select Features page, select Windows System Resource Manager.

5.

A dialog box appears stating that Windows Internal Database also needs to be installed.

6.

Click Add Required Features.

7.

Click Next.

8.

On the Confirm Installation Selections page, click Install.

9.

On the Installation Results page, click Close.

Exercise 3.15 demonstrates how to configure WSRM for Terminal Services by setting either the Equal_Per_User or Equal_Per_Session resource allocation policy. E X E R C I S E 3 .1 5

Configuring WSRM for Terminal Services Follow these steps to configure WSRM for Terminal Services:

1.

Start  Administrative Tools  Windows System Resource Manager.

2.

On the Connect to Computer page, select This Computer. Click Connect.

3.

Expand the Resource Allocation Policies node.

4.

Right-click Equal_Per_User or Equal_Per_Session, and then click Set as Managing Policy.

5.

A dialog box appears warning that the calendar will be disabled. Click OK.

Summary In this chapter, we examined various aspects of TS license servers as well as the different deployment configurations for TS RemoteApps. We started the chapter by looking at the various configuration aspects of a TS license server, and then we examined TS CALs and the differences between TS Per User CALs and TS Per Device CALs. Next we discussed the

140

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

temporary grace period prior to activating a TS license server. After that we studied the TS license server discovery process for workgroups, domains, and forests. After we discussed the various aspects of TS CALs and the discovery process, we moved on to the actual installation and activation of a TS license server. We first walked through the process of installing the TS Licensing service role and the installation of the TS Licensing Manager tool. We then stepped through the process of activating the TS license server and installing the appropriate TS CALs. Next we looked at the TS Licensing discovery mode and the different ways to configure it. You then learned how to track and report TS Per User CALs and how to revoke TS device CALs. We looked at some of the more common GPO settings and what value they provided. After that we looked the different configuration options with the Terminal Sever settings, TS Gateway settings, and RDP settings. Finally, we looked at how to monitor TS Gateway and how to control resource allocation in Terminal Services through Windows System Resource Manger.

Exam Essentials Know the features of Terminal Services licensing. Understand all the different discovery options and the processes to activate the server and TS CALs. Know TS remote program settings. It is important to understand all the different configuration options that are available in TS RemoteApp Manager. Know TS Gateway monitoring and events. Remember how to set the event logging features and where to find them when events do occur. Know Windows System Resource Manager (WSRM). a Terminal Services server environment.

Understand how WSRM is used in

Review Questions

141

Review Questions 1.

Which of the following operating systems has the incorrect licensing grace period? A. Windows Server 2008 - 120 days

2.

B.

Windows Server 2003 - 120 days

C.

Windows Server 2003 R2 - 120 days

D.

Windows Server 2000 - 120 days

What are the three ways to activate a TS license server? (Choose three.) A. Telephone

3.

B.

Purchasing the licensing from a retail store

C.

Web browser

D.

Automatic connection

When viewing user the connections through TS Gateway Manager, which of the following is information will be displayed? (Choose all that apply.) A. Connection ID

4.

B.

Idle Time

C.

Client IP Address

D.

User Name

E.

Target Computer

When configuring the TS Session Broker group policy Use TS Session Broker load balancing, which of the following Group Policy objects must also be configured? (Choose three.) A. Join TS Session Broker

5.

B.

Configure TS Session Broker server name

C.

Configure TS Session Broker farm name

D.

Use IP Address Redirection

TS Licensing Manager can create a TS Per User CAL issuance report by all of the following organizational specifications except which one? A. Organizational unit

6.

B.

Entire domain

C.

Work group

D.

Entire domain and all trusted domains

True/False: To remotely administer Windows Server 2008, the following command is used: mstsc.exe฀/console. A. True B.

False

Chapter 3

142

7.

N

Terminal Services Licensing, Advance Configuration, and Monitoring

True/False: The revocation process works on all TS Per User CALs. A. True B.

8.

False

In TS RemoteApp Manager, it is possible to set the properties a user will receive when connecting to a RemoteApp. Which of the following is not configurable in TS RemoteApp Manager? A. Supported Plug and Play devices

9.

B.

Disk drives

C.

COM port

D.

Printers

When using TS RemoteApp Manager to configure the deployment settings, where can you set the RDP port? A. Terminal Server tab B.

TS Gateway tab

C.

Digital Signature tab

D.

Common RDP Settings tab

10. What Windows System Resource Manger resource allocation policy is new to Windows Server 2008 Terminal Services? A. Equal_Per_Process B.

Equal_Per_User

C.

Equal_Per_IISAppPool

D.

Equal_Per_Session

11. What are the two ways the Terminal Services discovery mode can be set? (Choose two.) A. Through the Terminal Services Configuration tool B.

Through TS Licensing Manager

C.

Through the Group Policy Management Console

D.

Through TS Gateway Manger

12. What is the maximum percentage of Per Device CALs that can be manually revoked? A. 25% B.

20%

C.

10%

D.

15%

13. True/False: A TS license server can be remotely administered for any other server running Windows Server 2008. A. True B.

False

Review Questions

143

14. How many concurrent administration sessions can be active without requiring a TS CAL? A. 1 B.

2

C.

3

D.

4

15. True/False: All events for TS Gateway are viewed in the TS Gateway Manager. A. True B.

False

16. True/False: The GPO Set time limit for disconnected session deletes a session when a time limit has been reached. A. True B.

False

17. Which two discovery scopes are available only if the TS Licensing service role is installed on servers that are domain members? (Choose two.) A. Workgroup B.

Domain

C.

Forest

18. In the TS Licensing Manger, what does a red X on the license server indicate? A. The server has been activated. B.

The server has not been activated.

C.

The server is out of licenses.

D.

The server must be restarted.

19. In what order should the following options be to indicate the order in which terminal servers attempt to contact a license server? A. License server installed on the same computer as the TS server B.

License servers published in Active Directory Domain Services

C.

License servers listed in the Terminal Services Configuration tool or group policies

D.

License servers installed on domain controllers in the same domain as the TS server

20. Regardless of the discovery scope type, Domain or Forest, a license server issuing TS Per User CALs must be a member of which AD security group? A. Administrators B.

Remote Desktop Users

C.

Terminal Server License Servers

D.

Window Authorization Access Group

144

Chapter 3

N

Terminal Services Licensing, Advance Configuration, and Monitoring

Answers to Review Questions 1.

D. Windows Server 2000 has only a 90-day grace period before the licensing server becomes inactive. The grace period for all the other operating systems is correct.

2.

A, C, D. A licensing server can be activated by automatic connection through the Internet, using a web browser to activate the product ID through a website, or calling the Microsoft Clearinghouse by telephone.

3.

A, B, C, D, E. All of the information listed is displayed when you’re viewing user connections through the TS Gateway Manager.

4.

A, B, C. The Join TS Session Broker, TS Session Broker server name, and TS Session Broker farm name must also be configured and enabled when the Use TS Session Broker load balancing group policy is configured. Use IP Address Redirection is used to set the method of redirection when the server is use TS Session Broker not the TS Session Broker server name.

5.

C. TS Per User CAL reporting supports only license servers that are in a domain.

6.

B. With RDP 6.0, the /console command has been replaced with /admin.

7.

B. The revocation process works only on TS Per Device CALs, not TS Per User CALs.

8.

C. Supported Plug and Play devices, disk drives, and the printer are configurable in TS RemoteApp Manager. COM port connections are configured in Terminal Services Configuration Manger.

9.

A. The Terminal Server tab in the deployment setting is where the RDP port can be changed. All the other tabs are used for other configuration settings.

10. D. Equal_Per_Session allocates an equal share of CPU resources to each user session and is new to Windows Server 2008 Terminal Services. Equal_Per_Process and Equal_ Per_IISAppPool are not Terminal Services specific. 11. A, C. The two ways to set the discovery mode are through the Terminal Services Configuration tool or the Group Policy Management Console. TS Licensing Manager is incorrect because it manages the license server itself. TS Gateway Manager has nothing to do with the terminal server license server discovery process. 12. B. The revocation process supports only Per Device CALs and only a maximum of 20 percent of a specific version of a CAL can be revoked. 13. A. Managing the license server from a remote computer running Windows Server 2008 can be done by adding the feature from Server Manager. 14. B. Remote Desktop supports two concurrent connections that do not require licenses for remote administration. 15. B. All TS Gateway events are viewed with Windows Event Viewer and are located under Application฀and฀Service\Logs\Microsoft\Windows\TerminalServices-Gateway.

Answers to Review Questions

145

16. A. When this policy is enabled, disconnected sessions will reach a time limit and will be deleted from the server. The policy is useful to ensure that resources are released on the server. 17. B, C. Domain and Forest discovery scopes are available only if the TS Licensing service role is installed on servers that are domain members. However, if the licensing server with the Workgroup discovery scope is later joined to a domain, the discovery scope will be changed from Workgroup to Domain. 18. B. When the server changes to a green check mark, it indicates that the license server has been activated. 19. C, A, B, D. Terminal servers first attempt to contact license server listed in the Terminal Services Configuration tool or group polices. Next, they try contact the license server installed on the same computer as the TS server. Then they try to contact license server published in Active Directory Domain services. Finally, terminal servers try to contact a license server install on domain controllers in the domain. 20. C. When a user logs into a terminal server, the terminal servers checks the license server and the license server then modifies the terminalServer attribute for the user within Active Directory. The CAL then becomes associated with the user account object. This is why the license server must be a member of the Terminal Server License Servers security group in the domain. This group grants the right to modify user attributes within Active Directory.

Chapter

4

Configuring Web Services Infrastructure MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configure Web applications. May include but is not limited to: directory-dependent; publishing; URL-specified configuration; Microsoft .NET components, for example, .NET and aspx; configure application pools ÛÛ Manage Web sites. May include but is not limited to: migrate sites and Web applications; publish IIS Web sites; configure virtual directories ÛÛ Configure a File Transfer Protocol (FTP) server. May include but is not limited to: configure for extranet users; configure permissions ÛÛ Configure Simple Mail Transfer Protocol (SMTP). May include but is not limited to: setting up smart hosts; configuring size limitations; setting up security and authentication to the delivering server; creating proper service accounts; authentication; SMTP relay

Windows Server 2008 introduces a new version of Internet Information Services (IIS). IIS 7.0 has a completely new management interface and is more flexible and more tightly integrated with the .NET Framework. This chapter will cover how to configure and manage websites, FTP services, and Simple Mail Transport Protocol (SMTP) servers. This chapter covers the following topics: ■฀

Configuring Web applications

■฀

Configuring a File Transfer Protocol (FTP) Server

■฀

Configuring Simple Mail Transfer Protocol (SMTP)

Configuring Web Applications At the heart of IIS are web applications. A web application may not be what you might think it is. In IIS 7.0, a web application is a collection of files that delivers content. It may be a virtual directory with a specific set of files and configuration. Although there are a lot of complex and advanced things IIS can do, creating and managing websites are the most basic tasks. Previous versions of IIS all had very similar management interfaces, and it was a pretty smooth transition between versions for administrators because even though the inner workings of IIS changed, the changes to the management interface were not that significant. In this version, however, both have changed significantly. The first change that takes some getting used to is that IIS is now based on small singlepurposed loadable components called modules. Modules are loaded to add features and functionality. The modules are loaded as role features in Server Manager. Rather than building all of the functionality of IIS into just a couple of core modules, Microsoft provided over 30 built-in modules. Using modules instead of creating a monolithic stack has quite a few advantages: NÛ

It’s easier for administrators to control which modules should be running.

NÛ

Modules can be replaced with custom modules to change behavior and/or add features.

NÛ

Higher security is possible if unnecessary modules are removed because there are fewer possible vulnerabilities.

NÛ

There is less administrative and system resource overhead when unnecessary modules are removed.

Configuring Web Applications

149

To find out more about the available IIS 7.0 modules, go to http://learn.iis฀ .net/page.aspx/101/introduction-to-iis7-architecture/.

First, the type of web applications and the functions required needs to be determined. Then, during the installation of IIS, the required modules can be selected. The second change that takes some getting used to is all of the IIS configuration is now stored in XML-based files. Gone are the days of the notorious metabase that plagued administrators trying to run a Web farm in previous versions of IIS with complexity and difficulty. The following list describes the main configuration settings and which file they are stored in: NÛ

Global (computer-wide) settings NÛ

NÛ

NÛ

NÛ

NÛ

Lets you define settings for individual websites, web applications, or directories. You can store this file in the same directory with application code and content. The settings can be overridden or locked from higher levels. %windir%\Microsoft.NET\Framework\\config\machine.config.

This contains settings for the entire server. The settings are inherited by all other .NET configuration files, including IIS configuration files.

ASP.NET configuration NÛ

NÛ

NÛ

Web.config (in root of each website or directory).

.NET Framework configuration NÛ

NÛ

System.webServer. Contains configuration settings such as security, HTTP compression, and logging.

Website, application, and directory settings NÛ

NÛ

System.applicationHost. Contains configuration settings for sites, applications, virtual directories, and application pools.

%windir%\Microsoft.NET\Framework\\config\web.config

This defines the default settings for individual websites, web applications, or directories. This file can also be stored in the same directory with the application code and content.

FTP settings NÛ

Original version is stored in IIS 6.0–style metabase.bin.

NÛ

Updated version is stored in %windir%\system32\inetsrv\config\฀ ApplicationHost.config.

Knowing where settings are stored is important as you dig further into configuration tasks. This will help to determine how settings affect one another and the object that must be configured.

150

Chapter 4

N

Configuring Web Services Infrastructure

Installing IIS 7.0 Installing IIS 7.0 is similar to installing other Windows Server 2008 roles. The process is started from within Server Manager and the Add Roles Wizard is used to select the Web Server (IIS) role. If any dependant feature or role service is required, you will be prompted to add them. Exercise 4.1 walks through the basic installation of IIS. E X E R C I S E 4 .1

Installing IIS 7.0 Follow these steps to install Internet Information Services (IIS) 7.0:

1.

Click Start  Administrative Tools  Server Manager.

2.

From the Action menu, choose Add Roles.

3.

Click Next on the Before You Begin window.

4.

Select Web Server (IIS) from the list of available roles.

5.

Click Add Required Features on the modal box that prompts the user to add the features required to support IIS.

Configuring Web Applications

E X E R C I S E 4 .1 ( c o n t i n u e d )

6.

Click Next on the Select Server Roles page.

7.

Click Next on the Web Server (IIS) page.

8.

On the Select Role Services page, select any additional role services and any required dependencies (for example, FTP or ASP.NET) that will be required and click Next.

151

152

Chapter 4

N

Configuring Web Services Infrastructure

E X E R C I S E 4 .1 ( c o n t i n u e d )

9.

Click Install and wait for the installation to complete.

10. Click Close.

Testing the installation is as simple as opening a web browser and typing in http://127.0.0.1. During the installation of IIS 7, a default web page is added to the root directory of the Default Web Site. As shown in Figure 4.1, the displayed default web page confirms that the installation was successful.

Creating and Configuring Websites Once IIS is installed, the server is able to serve Web content to clients. A default website is created when IIS is installed. It can be modified and used to serve content, and additional websites can be created as long as each site has a unique binding. A basic binding consists of an IP address and a TCP port. The well-known port for Hypertext Transfer Protocol (HTTP), the protocol used to transfer web pages, is 80. Also, the well-known port for Secure Hypertext Transfer Protocol (HTTPS) is 443. HTTPS uses certificates to provide authenticated and encrypted website data. When a website is hosted on TCP port 80, no port needs to be specified in the web browser because if no port is specified, port 80 is

Configuring Web Applications

153

assumed. The Default Web Site, created during the installation, is set to bind to port 80 on all IP addresses assigned to the server that aren’t already bound to another Web site. A binding configures the server to listen for clients to request information on that IP address and at that port. The Default Web Site bindings, which includes the IP addresses and ports the site is bound to, are shown in Figure 4.2. F I G U R E 4 .1

The displayed default web page confirming installation was successful

FIGURE 4.2

Default Web Site bindings

Creating a New Website from Internet Information Services (IIS) Manager To create a new website from Internet Information Services (IIS) Manager, select the Sites node underneath the local server from the Connections pane and then click the Add Web Site option in the Actions pane. You will be prompted to provide a name for the website, the path to where the content will be stored, and the IP binding information.

154

Chapter 4

N

Configuring Web Services Infrastructure

When you’re adding websites to a server, you will need to provide a unique binding from other websites that are already configured. It is possible to bind additional sites at other unused TCP ports; however, this is not a recommended solution, especially for websites accessible from the Internet. In most cases, another IP address can be added to the network adapter of the server, and that IP address can be bound to the new site. For example, WebServer1 has a base IP address of 192.168.19.66 and the Default Web Site is already hosting content. To add another site, you can add another available IP address to the server, like 192.168.19. 91, and then the new website can be created with a binding for the new IP address and port 80, as shown in Figure 4.3. FIGURE 4.3

Viewing website bindings

Using Host Headers There is actually one more way to create a unique binding, by using what are called host headers. Host headers allow multiple sites to share a single IP address and port for sites that do not require Secure HTTP connections. IIS listens for connections on the assigned IP address and port and then inspects the Uniform Resource Locator (URL) requested. It then directs the request to the website with the configured binding information. Since host headers rely on the name in the URL, the name of the site must resolve in DNS to the server IP address. Many low-cost web-hosting companies employ host headers to reduce the number of IP addresses that are needed. As mentioned, however, HTTPS does not support host headers, so if any site on the server requires HTTPS, a dedicated IP address should be assigned. In Exercise 4.2, you will be creating a second website using host headers for a help desk application called helpdesk.mcts.local on an internal Web server. The DNS entry for helpdesk.mcts.local has already been created.

Configuring Web Applications

155

EXERCISE 4.2

Creating a Site Using Host Headers Follow these steps to create a site using host headers:

1.

Click Start  Administrative Tools  Internet Information Services (IIS) Manager.

2.

In the Connections pane, select Sites under the server name.

3.

In the Actions pane, click Add Web Site.

4.

In the Add Web Site dialog box, type the following information:

5.

NÛ

Site name: Help Desk

NÛ

Physical Path: C:\inetpub\helpdesk

NÛ

Host name: helpdesk.mcts.local

Click OK

Configuring Virtual Directories Virtual directories are directories underneath the root of the site. They might contain distinct web applications or just additional content, much like directories on a hard drive. If the root site is www.microsoft.com a virtual directory might be /windows. To connect to this virtual directory and view the content, the end users would specify www.microsoft[.com]/windows. Virtual directories can be located on a different drive or network share than the root of the site, and certain configuration settings can be adjusted. Virtual directories can also be nested;

156

Chapter 4

N

Configuring Web Services Infrastructure

for example, at www.microsoft.com/windows/downloads, /downloads is a nested virtual directory underneath the /windows virtual directory. To create a virtual directory, do this in the Connections pane: 1.

Right-click on the website or virtual directory underneath which you’re creating the new virtual directory.

2.

Choose Add Virtual Directory.

3.

From there, you will be prompted to provide a virtual directory name and the physical path to the files.

Similar to virtual directories in function are web applications. They are created in the same way, although unlike virtual directories, applications contain another set of content as well as code. To configure how the code will run, you create an application in IIS.

Configuring Redirection Redirection is used to send users from one site or URL to a new URL. In previous versions of IIS, redirecting a site or directory was as easy as modifying the virtual directory or website settings. This is especially useful during migrations and software upgrades. Often companies will change their websites to add fresh content or a new look. This can break the old links that customers have saved. One way to help users trying to navigate to old links is to use a redirect to guide them to the new URL. Since IIS 7.0 is modular, the first step to enable redirection is to install the HTTP Redirection module. Exercise 4.3 shows the steps required. This exercise specifically installs the HTTP Redirection module; to install other modules, follow the same steps but choose the module that is required. EXERCISE 4.3

Installing IIS Modules Use the following steps to install an IIS module:

1.

Click Start  Administrative Tools  Server Manager.

2.

In the Server Manager pane, select Web Server under Roles.

3.

In the Content pane, click Add Role Services.

4.

Select the module or modules that need to be installed. In this case, select HTTP Redirection under Common HTTP Features (Installed) and click Next.

Configuring Web Applications

157

E XE RC I SE 4 .3 (continued)

5.

Confirm the selections and click Install.

6.

Click Close.

Once the HTTP Redirection module is installed, a new HTTP Redirect option will be available for each website, virtual directory, and web application. This option is shown in Figure 4.4. The options for redirecting using the HTTP Redirection module are shown in Figure 4.5: Redirect Requests to This Destination This is the URL that the clients will be redirected to. This can be another site, another page, or another virtual directory in the same site. Redirect All requests to Exact Destination (Instead of relative to Destination) This option is selected to redirect to the exact URL listed in the first text box regardless of the original URL. If this option is unchecked, the portion of the request URL after the redirection will be appended to the redirected URL. Leaving this option unchecked would be great if an application was moved from one server to another. If the user requests http://oldserver฀ .sybex.com/books/ExchangeServer.apx and the redirect was put on the book’s virtual directory set to http://newserver.sybex.com/books, the user would be redirected to http:// newserver.sybex.com/books/ExchangeServer.aspx. This would bring the user to a list of the books they are interested in. If this option was checked in this scenario, the user would be redirected to http://newserver.sybex.com/books and would be given a list of all books rather than what he was looking for.

158

Chapter 4

FIGURE 4.4

N

Configuring Web Services Infrastructure

Using HTTP Redirect option

Only Redirect Requests to Content in This Directory (Not Subdirectories) This option can be used when the preceding option is not enabled. When this option is enabled, any requests that are for subdirectories of the redirected directory will not be redirected but will be served by the local web server. Status Code There are three options for status code, and they affect the status code that is returned to the browser as it is being redirected. Found (302) Notifies the browser to request the new location. Permanent (301) redirection.

Notifies the browser that this new location is a permanent

Temporary (307) Notifies the browser that this new location is temporary and allows any HTTP POST request to retain data for the redirection.

Setting Website Limits When you’re hosting a number of websites on one server, it may be advantageous to limit the number of connections a site may have. This will help to limit the amount of resources the site can consume. Restrictions can be set on the following criteria: NÛ

The amount of bandwidth the website can use.

NÛ

The number of concurrent connections to the website.

NÛ

The time before an inactive connection is disconnected from the server.

Configuring Web Applications

FIGURE 4.5

159

Configuring a HTTP redirect

The default setting is to not limit the amount of bandwidth or the number of connections to the website; however, the default time-out for idle sessions is 120 seconds. When a bandwidth limit is reached, no additional bandwidth will be available to service requests. Similar too, when a connection limit is reached, new connections cannot be made until the number of sessions fall below the limit. Figure 4.6 shows an example of configuring these settings. FIGURE 4.6

Setting website limits

Chapter 4

160

N

Configuring Web Services Infrastructure

Microsoft .NET Components Many people that use IIS will leverage the .NET Framework for developing applications. Many of the options set in the Internet Information Services (IIS) Manager tool will modify settings for how .NET components function, such as .NET Compilation, Globalization, Profiles, Roles, Users, Applications Pools, and the list goes on and on. The next two sections will cover .NET trust levels and application pools in more detail.

.NET Trust Levels .NET trust levels set the level of code access security (CAS). Using code access security is a way of controlling the access that an application has as it runs. The rule of thumb is to provide an application with the least amount of access required. Application developers should be able to help qualify the specific actions or functions the application requires, which should help to determine which .NET trust level is required. Trust levels are configured in the Internet Information Services (IIS) Manager; however, the information is stored in the applicationHost.config file. To set the .NET trust levels, you must select one of the following options: Full This option sets unrestricted permissions. The ASP.NET application has permissions to access any resource that is subject to operating system security. All privileged operations are supported. High This option sets a high level of code access security so that the application is unable to do any one of the following: NÛ

Run unmanaged code.

NÛ

Write to the event log.

NÛ

Access Message Queuing service queues.

NÛ

Call serviced components.

NÛ

Access data sources.

Medium This option sets a medium level of code access security that, in addition to the High trust level restrictions, prevent the ASP.NET application from doing any of the following: NÛ

Access files outside the application directory.

NÛ

Access the Registry.

NÛ

Make network or web service calls.

Low This option sets a low level of code access security that, in addition to the Medium trust level restrictions, prevents the application from doing any of the following: NÛ

Write to the file system.

NÛ

Call the Assert method.

Minimal This option sets a minimal level of code access security so that the application has only execute permissions. The .NET trust level is set by selecting one of the options in Figure 4.7.

Configuring Web Applications

F I G U R E 4 .7

161

Setting the .NET trust level

Configuring Application Pools An application pool is a collection of web applications that share a worker process or a set of worker processes. An application pool segments the applications so that they are unable to affect applications in other application pools. Although application pools can contain .NET applications, they can also be used to group non-.NET (nonmanaged code) applications as well. Application pools have several real benefits. They allow an administrator to do the following: NÛ

Dedicate an application pool for applications that require a higher number of resources so that the performance of other applications does not decrease.

NÛ

Isolate unstable applications so when the application fails, it does not also take down other applications.

NÛ

Configure application pools to automatically restart when memory, time, or other performance indicators are met, improving recovery and application stability.

Application pools are configured in the Internet Information Services (IIS) Manager; however the information is stored in the applicationHost.config file. To create an application pool, select the Application฀Pools folder in the Connections pane of Internet Information Services (IIS) Manager and then click Add Application Pool from the Actions pane. As shown in Figure 4.8, there are four options in the Add Application Pool dialog box. Name

This text box is for the name of the application pool that is being created.

.NET Framework Version This option defines either the version of .NET Framework all of the applications in the application pool will run that no managed code will be used in the application pool.

162

Chapter 4

N

Configuring Web Services Infrastructure

Managed Pipeline Mode This option sets whether the application will run in integrated or classic mode. If an application is set to Integrated mode, the integrated request-processing pipelines of IIS and ASP.NET will be used to handle requests. If an application is set to Classic mode, the server will process requests through the Aspnet_isapi.dll library, as was done in IIS 6.0. The Classic mode should be used only with legacy applications that do not work in Integrated mode. Start Application Pool Immediately This sets whether the application will be started when the Windows Process Activation Service (WPAS) is started. If this is not set, the application pool will need to be started manually before any applications in the pool will run. FIGURE 4.8

Creating an application pool

Once an application pool is created, a number of other settings are available to wrangle the applications in the pool into submission. If the applications in the pool are misbehaving due to bad code, database connection problems, or user error, there are a number of methods to have IIS automatically recover from those problems. One way is to set the recycling conditions of the application pool. To configure the recycling conditions in Internet Information Services (IIS) Manager, complete the following steps: 1.

Select the Application฀Pools folder in the Connections pane.

2.

Select the application pool that you want to adjust in the Content pane.

3.

Click Recycling in the Actions pane.

The options available on the first page of the Edit Application Pool Recycling Settings Wizard are shown in Figure 4.9. The options are as follows: Regular Time Intervals (in Minutes) This option specifies the length of time, in minutes, that the application pool worker process should be restarted. This is ideal for applications that tend to perform worse after a long period of time. Fixed Number of Requests This option specifies the number of requests that should be taken by the application pool before recycling the worker process. This is ideal for applications that tend to perform worse after a certain number of requests are handled. Specific Time(s) This option can be used to specify the time or times that the worker process should be recycled. This is ideal for problematic applications that can benefit from having the worker process restarted at specific times.

Configuring Web Applications

FIGURE 4.9

163

Edit Application Pool Recycling Settings Wizard

Virtual Memory Usage (in KB) This option can be used to specify the maximum amount of virtual memory that can be used by the worker process before it is recycled. This is ideal for applications that tend to continue to consume memory and perform worse until they are recycled. Private Memory Usage (in KB) This option can be used to specify the maximum amount of private memory can be used by the worker process before it is recycled. This is ideal for applications that tend to continue to consume memory and perform worse until they are recycled. On the second page, you can configure the options selected on the previous page to generate event log entries when the application pool is recycled, as shown in Figure 4.10. F I G U R E 4 .1 0

The event log settings for recycling events

164

Chapter 4

N

Configuring Web Services Infrastructure

Configuring a Web Farm A web farm is a collection of servers that have the same configuration so they can be load balanced for redundancy and additional performance. In previous versions of IIS, the metabase needed to be restored to each server and then modified extensively, or a custom provisioning tool needed to be leveraged in order to create a Web farm. Products like Microsoft Application Center 2000 tried to address the problem of synchronizing and configuring a web farm, but it was far from perfect. IIS 7 provides true “Robocopy deployment,” the ability to copy a set of files to a share or between servers to configure the websites and application settings. To create a web farm, you should create a network load balanced cluster so that network traffic is loaded across the servers. (More information about NLB can be found in Chapter 10.) After you create an NLB cluster, the servers need to be configured with the websites that will be hosted. IIS 7.0 has a built-in featured called Shared Configuration. This allows an administrator to publish the server configuration to a network share for all of the servers to use. The websites can be configured on this one server and then exported to the file share for other servers to use. To have each of the servers in the web farm use the shared configuration, you need to configure the %windir%\system32\inetsrv\config\redirection.config file to point to the shared configuration. Last, the web content will need to be either on a file share or copied to each web server.

Configuring a File Transfer Protocol (FTP) Server FTP is used to provide file transfers, usually across the Internet. Permissions can be set to allow all users or specific users to have permissions to files. With all of the advancements made in IIS 7, there was very little time for Microsoft to improve the already feature-sparse FTP services that IIS 6.0 contained before releasing Windows Server 2008. If you are familiar with FTP services in IIS 6.0, you should have no problem working with built-in FTP services for IIS 7. To add FTP services to a server that already has the Web Services (IIS) role installed, you must add the FTP Server Role Service. After installation of the FTP Service, all management is done through the Internet Information Services (IIS) 6.0 Manager. If you are fond of the IIS 6.0 management tools, welcome home.

After the installation of the built-in FTP Server is complete, the Default FTP Site is stopped. To start using FTP, you will need to restart it.

Configuring a File Transfer Protocol (FTP) Server

165

On the same day Windows Server 2008 was released to the public, an update was released for IIS 7.0 to include a more feature-rich version of the FTP Server. Here are some of the key features of this updated version: Integrated Management The new IIS Management tools are used to manage the FTP service. Secure Publishing FTP over SSL (FTPS) is now supported. Virtual Host Names Allows multiple FTP sites with different domain names to be hosted on the same IP address. This is similar to the Web Host Headers functionality. User Isolation This feature redirects users to a directory that matches the logon account without having to create a physical directory. This keeps users files hidden from each other. Non-Windows Authentication This allows IIS Web Manager and ASP.NET Membership accounts to log in and use FTP services. Windows accounts are no longer required. To install the updated FTP Service for IIS 7.0, you must first install IIS 7.0 without the built-in FTP Publishing Service. Then the installation package can be downloaded from the Microsoft website. The 32-bit installation package for x86 editions of Windows Server 2008 is available here: go.microsoft.com/fwlink/?LinkId=87847. The 64-bit installation package for x64 editions of Windows Server 2008 is available here: go.microsoft.com/ fwlink/?LinkId=89114. The following sections will deal specifically with the updated version of the FTP Publishing Service for IIS 7.0.

Configuring Permissions To configure the permissions that groups of users have, you must use FTP authorization rules. An Allow authorization rule can be applied to the following: NÛ

All Users

NÛ

All Anonymous Users

NÛ

Specified Roles or user groups

NÛ

Specified Users

Also, the group or users that are defined in the authorization rule can be given read or write permissions. These same criteria can be used to deny users from accessing the content as well, as shown in Figure 4.11. Once a user has access to the files and has been authorized, permissions are based on file system permissions; the more restrictive permissions are combined with the permissions assigned by the authorization rules. If domain accounts are used to log on to the FTP site, assign the file system permissions as you would for other file shares.

Configuring FTP Site for Extranet Users One feature that was lacking in previous versions of the FTP services is that users outside the company had to have either a local Windows account or domain accounts. This was a

166

Chapter 4

N

Configuring Web Services Infrastructure

messy security problem since you really do not want to give FTP users a domain account. The solution is to leverage the IIS 7.0 Management Service or ASP.NET users. F I G U R E 4 .11

Creating an Allow authorization rule

The high-level process for configuring the IIS 7.0 Management Service to handle FTP logons is as follows: 1.

Install FTP Service for IIS 7.0.

2.

Grant the Network Service read access to the IIS configuration.

3.

Add the IIS Management Service Role Service.

4.

Create a new FTP site.

5.

Configured Basic Authentication.

6.

Configure the FTP site to use an IIS 7.0 Manager account.

7.

Enable IIS 7.0 Manager authentication.

8.

Grant access to the site for an IIS 7.0 Manager account.

9.

Create an authorization rule to allow the IIS 7.0 Manager account appropriate permissions to the FTP site.

FTP IPv4 and Domain Restrictions To restrict which servers can connect to the FTP site at a protocol level, IPv4 and domain restrictions can be used. The default is to allow all unspecified IP addresses to access the FTP server. To change the setting so that all IP addresses are denied except those listed, on the FTP IPv4 Address and Domain Restrictions feature page, click Edit Feature Settings on the Actions pane. This will bring up the dialog box shown in Figure 4.12, where you can choose whether unspecified clients will be allowed or denied.

Configuring a Simple Mail Transfer Protocol (SMTP) Server

F I G U R E 4 .1 2

167

The Edit IPv4 Address and Domain Restrictions Settings dialog box

Also, from this dialog box you can enable domain name restrictions so that domain names can be added to allow and deny lists rather than specifying a specific IP address. Figure 4.13 shows an example of adding a Deny Restriction rule based on a domain name. F I G U R E 4 .1 3

Adding a Deny Restriction rule based on a domain name

Configuring a Simple Mail Transfer Protocol (SMTP) Server Simple Mail Transfer Protocol (SMTP) is the email protocol for Internet-based messaging. Just like the built-in FTP services, the SMTP server is largely unchanged from previous versions of IIS. Unlike FTP, however, the SMTP server that has been included in IIS and the base that Exchange 2000 Server and Exchange Server 2003 is built on have a healthy set of features and excellent performance. To install the SMTP server on a Windows Server 2008 computer, you must install the SMTP Server feature. When the SMTP Server feature is installed, the IIS 6.0 Management tools are also installed because they are required to perform configuration.

168

Chapter 4

N

Configuring Web Services Infrastructure

Do I Need a Better SMTP Server? Often people get caught up with judging whether a product works well or not based on its cost. On a number of occasions, customers have tried to determine the best way to send a large amount of legitimate email. One such company was generating a bunch of email messages because of the number of orders its site was processing. A number of SMTP products were reviewed, but IIS was chosen. Using just IIS, the server was able to deliver the entire amount of messages generated by the site, and the company didn’t need to purchase additional hardware or software. If you need a high-performance SMTP server, you should consider IIS.

The SMTP server is a single-purpose message transport agent (MTA); it sends and receives SMTP-based email. It does not generate email, nor does it provide any sort of client connectivity; it just routes email. In the next few sections, we will cover the main areas of the SMTP server that can be configured and when you might want to make the changes.

Configuring General SMTP Virtual Server Properties The management interface for the SMTP server is basic and straightforward. As shown in Figure 4.14, the left pane lists the SMTP virtual servers that are configured on the connected server. To make changes to the SMTP virtual server, right-click and choose Properties. F I G U R E 4 .1 4

Configuring the SMTP virtual server

Configuring a Simple Mail Transfer Protocol (SMTP) Server

169

The General tab, shown in Figure 4.15, includes options to bind the SMTP virtual server to a specific IP address and port number, limit the number of connections to the SMTP virtual server, change the idle time-out time, and enable protocol logging. F I G U R E 4 .1 5

Configuring General properties of the SMTP virtual server

As with websites, it may be important to limit the number of connections and the connection time-out values to keep the SMTP virtual server from negatively impacting other processes on the server. Enabling protocol logging on the SMTP virtual server can aid with troubleshooting delivery problems because it documents the SMTP session information down to the exact information sent and received. These logs are, by default, written in W3C Extended Log format and can be read in any text editor or one of the many W3C log viewers.

Configuring Access You many need to configure access to the SMTP virtual server to restrict the servers or users that connect to it, to configure the type of authentication used, to enable Transport Layer Security (TLS) encryption, or to restrict the users or servers that can relay email through it. All of these can be accomplished from the Access tab on the virtual server Properties dialog box, as shown in Figure 4.16. The default authentication method for an SMTP virtual server is Anonymous access. This means that the SMTP virtual server will not accept any sort of logon attempt and that all anonymous users have access to send email to the server. With Basic authentication enabled, the server will accept Windows or domain usernames and passwords in cleartext for authentication. This is discouraged without first requiring Transport Layer Security (TLS) to encrypt the SMTP conversation and the username and password. The last option is Integrated Windows Authentication, which allows Windows to provide credentials without having to pass them in cleartext. The configuration types are shown in Figure 4.17.

170

Chapter 4

N

Configuring Web Services Infrastructure

F I G U R E 4 .1 6

Configuring access properties on an SMTP virtual server

F I G U R E 4 .17

Configuring authentication types

As mentioned in the previous paragraph, TLS is recommended to protect usernames and passwords from being transmitted in cleartext. To use TLS, you must first install a certificate on the server. Once the certificate is installed, it can be assigned to the SMTP virtual server. It is even possible to require that all connections to the SMTP virtual server be encrypted with TLS. It may be that this server is intended only to transfer email between a limited number of servers or between servers on a specific network. If this is the case, connection control can be set to limit the servers that are allowed to connect by IP address or domain name. As shown in Figure 4.18, there are two options for restricting access: either all servers are allowed except those explicitly defined, or no server has access except those explicitly defined.

Configuring a Simple Mail Transfer Protocol (SMTP) Server

F I G U R E 4 .1 8

171

Configuring connection control

Relaying is a term that means sending email to an SMTP server that will forward the message to its destination. The default setting is to not allow any relaying because relaying is what many spammers use to deliver email. If you decide to allow any type of relaying, be careful not to leave any openings that might allow a spammer to use your server for nefarious purposes. That doesn’t mean that relaying is a bad thing; there are a number of legitimate uses. One such use is to have one server in the datacenter that is allowed access to send SMTP email out through the firewall. You will need to allow the authorized SMTP servers to relay through the authorized server. Relay authorization settings are similar to the connection control settings because you can either allow all servers to relay through with a list of exceptions or deny all relays with a list of exceptions, as shown in Figure 4.19. F I G U R E 4 .1 9

Configuring relay restrictions

Configuring Message Size and Transfer Limits The next configuration options are on the Messages tab. These options help to control the size and number of messages that can be delivered. In many cases, the default settings will

Chapter 4

172

N

Configuring Web Services Infrastructure

be adequate because many email systems today provide similar limits to protect the stability of the server and control bandwidth congestions. The configuration settings control the following options for both receiving and sending messages: NÛ

The size of a single message.

NÛ

The size of all messages delivered in a single SMTP session.

NÛ

The number of messages sent in a single SMTP session.

NÛ

The number of recipients in a single email message.

NÛ

An email address to send all nondelivery reports.

NÛ

The directory to store all email messages that could not be delivered.

These message options are shown in Figure 4.20. FIGURE 4.20

Configuring message options

Configuring Delivery Options There are a number of options that control how email messages are delivered and how long to continue to attempt to deliver messages. The Delivery tab has the following options: First retry Interval This is the length of time the server waits before attempting to resend a message after the initial failure. This is usually a fairly short time frame because transient problems can cause failures. Second Retry Interval This is the length of time the server waits before attempting to resend a message after the second failure.

Configuring a Simple Mail Transfer Protocol (SMTP) Server

173

Third Retry Interval This is the length of time the server waits before attempting to resend a message after the third failure. Subsequent Retry Interval This is the length of time the server waits after the fourth failure, until either the message is delivered or expires. Delay Notification This is the length of time a message will sit in the outbound message queue before an email message is sent to the originator of the message notifying them that the message is still queued. Expiration Timeout This is the length of time a message can be queued before it is removed. These settings, shown in Figure 4.21, can greatly affect the number of messages that are queued on the server. If the email being sent is extremely time sensitive, it may not be important to continue to attempt to retry delivery for two days. On the other hand, if the email messages being sent are important, it may be better to increase the expiration time. This allows for the case when a remote server is down for extended maintenance, because the server will queue the mail until either the server is again available or the expiration time-out is reached. F I G U R E 4 . 21

Configuring delivery options

Outbound Security We discussed the Access tab in the section “Configuring Access.” The Access tab is where the allowed inbound authentication methods are available. In this case, the outbound security option on the Delivery tab allows what options will be used to connect to other SMTP servers. The options for outbound security are as follows: Anonymous This option provides no user authentication when sending messages. This is the default option and is suitable for most Internet communications.

174

Chapter 4

N

Configuring Web Services Infrastructure

Basic Authentication This option allows a user and password to be specified to authenticate against the remote SMTP server. It is important to use TLS encryption to protect the username and password. Integrated Windows Authentication This option allows you to select a user from the domain or from the local server to authenticate. This method does not pass cleartext usernames and passwords, but it still should be protected with TLS encryption. TLS Encryption This option enables TLS encryption for the session. TLS encryption encrypts the entire session with a certificate on the remote SMTP server.

Outbound Connections The Outbound Connections option that is available at the bottom of the Delivery tab allows you to configure the number of connections, time-out settings, and the TCP/IP port that will be used for outbound SMTP sessions. Figure 4.22 shows the dialog box that appears when you click Outbound Connections. FIGURE 4.22

Configuring outbound connection settings

These settings will normally stay at the default configuration. It may be necessary to modify the number of connections to tweak the number of messages the server can send at one time. It may be that the server and the bandwidth you have can handle more than the 1,000 concurrent outbound connections and can deliver messages more quickly if the limit was increased to 5,000 connections.

Advanced Delivery Options The advanced delivery options accessed by clicking the Advanced button at the bottom of the Delivery tab are shown in Figure 4.23. These are very powerful options that often require adjusting. Maximum Hop Count This setting helps to prevent email loops. No, the hop count isn’t the number of people that can attend a 1950s dance party; it is the number of times a message can traverse any SMTP server. If the SMTP server receives the message and the email has already traversed the number of servers in the limit, the email will be deleted. Masquerade Domain This option can be set to replace the local domain name in the From address field to the domain listed here. This is useful if email from the local server needs to appear as if it comes from another business unit or company.

Configuring a Simple Mail Transfer Protocol (SMTP) Server

FIGURE 4.23

175

Configuring Advanced Delivery options

Fully-Qualified Domain Name This option is by default the name of the server. The name listed here is what is announced to other SMTP servers, either when a client connects to it or when it is sending email out. This is important because if you are sending email out to the Internet and the internal server reports its name as WebServer10.MyInternalDomain. local, the receiving server has no way to verify whether your server is valid or you are a flyby-night spammer. It would be better to replace this name with a name that would be able to be resolved by DNS externally, such as email.sybex.com. Some anti-spam vendors will attempt to resolve the sending servers name in DNS; check to see if that host has an MX record because presumably the server that is sending out email should be listed as a mail server for the domain. Smart Host If a smart host is not listed, the server will attempt to deliver the email by looking up the domain names in DNS; however, if a smart host is listed, all email is sent directly to that host or list of hosts for delivery. The check box can also be selected to attempt to use DNS to deliver the message first, and if that is unsuccessful, to send it to the smart host. If you list multiple servers, they should be separated by a comma. If you list servers by their IP address, you must enclose the IP address in brackets, such as, for example, [192.168.19.98]. Perform Reverse DNS Lookup on Incoming Messages This option is often thought of as being an anti-spam measure, but it is not. It will attempt to perform a reverse DNS lookup on the SMTP client’s IP address to see if it matches the server name announced by the client. If the lookup is successful, the messages remain unchanged. If the verification fails, “unverified” appears after the IP address in the message header. If DNS lookup fails completely, “RDNS failed” will appear in the message header. Since this process is done on all incoming messages, it can have a negative impact on server performance.

LDAP Routing The default method for delivering SMTP email is to look up the MX records for the destination domain in DNS. Figure 4.24 shows the Lightweight Directory Access Protocol

Chapter 4

176

N

Configuring Web Services Infrastructure

(LDAP) Routing tab in the SMTP virtual server that provides options for using an LDAP server for resolving senders and recipients. FIGURE 4.24

Configuring LDAP routing

The following is a list of the options that must be configured to enable LDAP routing: Server This option specifies the server that will be used as the LDAP directory. This field should not be necessary when using Active Directory because the server will be able to find the nearest domain controller. Schema This option is used to select the directory service that is being used. The available types are as follows: NÛ

Active Directory

NÛ

Site Server Membership Directory

NÛ

Exchange LDAP Service

Binding This option sets the binding type. The binding type specifies how the SMTP virtual server is authenticated by the directory service. The available types are as follows: NÛ

Anonymous

NÛ

Plaintext

NÛ

Windows SSPI

NÛ

Service account

Domain This sets the domain of the account you want to use to bind to the LDAP directory if you are using the plaintext or Windows SSPI binding types. User Name This options specifies the distinguished name (DN) of the account being used to bind to the LDAP directory if you are using the plaintext or Windows SSPI binding types.

Summary

177

Password This sets the password that is used for logging on to the directory service if you are using the plaintext or Windows SSPI binding types. Base This options specifies the distinguished name of a container in the directory service that will be searched.

Configuring Domains When the SMTP Server feature is installed, a default domain is created and placed in the Domains node that is identical to the local server name. This domain is used to route mail. It is possible to create additional domains as well, as shown in Figure 4.25, if custom settings are required. The domain configuration allows a smart host to be configured for specific domains. This may be beneficial if most email should be sent using DNS with the exception of email that is sent to an internal domain that should be sent to a specific server. A domain can also be used to create outbound security settings that are specific for that domain. FIGURE 4.25

Configuring an additional domain

Summary Internet Information Services 7.0 web services have been completely rewritten from IIS 6.0. Improvements have been made to the configuration that include moving configuration to XML-based files from the metabase. This opens up simple and flexible administration. IIS 7.0 web services are also based on modules. Modules are installed to add functionality. Only the required modules are installed to reduce on server hardware and maintenance. This

178

Chapter 4

N

Configuring Web Services Infrastructure

chapter covered creating websites, applications, virtual directories, and application pools and other configuration tasks. There are two FTP servers available for Windows Server 2008; the one that comes on the installation media, which is very similar to previous versions, and the downloadable update to the FTP service that fully integrates with IIS 7.0 and provides enhanced functionality such as Secure FTP. Although the SMTP server is largely unchanged from previous versions, it provides valuable functionality. This chapter covered configuration for sending and relaying email. Although configuration is simple and straightforward, there are a number of settings that can be used to customize how the SMTP server behaves.

Exam Essentials Know how to add modules. IIS 7.0 has over 30 modules included. To add functionality, you must add modules to IIS. Know when to use application pools. Application pools are used for application isolation, security, and stability. Know why they are created and some basic settings. Know how to configure an SMTP server for relay and smart hosts. Know what the SMTP server does and how to configure it to relay email and to send mail to a smart host. Know what .NET trust levels are. Security is a big problem in today’s environment. Know what the .NET trust levels are and what level of access each provides to .NET code.

Review Questions

179

Review Questions 1.

Which of the following options is used to deliver email when DNS lookup is not available? A. Assign a masquerade domain.

2.

B.

Adjust the fully qualified domain name.

C.

Do not perform DNS lookup on incoming messages.

D.

Assign a smart host.

Which of the following are valid reasons for creating a separate application pool for two web applications? (Choose three.) A. To keep applications from affecting each other.

3.

B.

To reduce overall memory usage.

C.

To increase security.

D.

To create different recovery settings.

What benefits are gained from using modules for IIS 7.0? (Choose two.) A. Reduced management control

4.

B.

Reduced patching requirements

C.

Increased flexibility

D.

Increased system resource

How many built-in modules are available for IIS 7.0? A. Less than 15

5.

B.

16 to 25

C.

25 to 30

D.

More than 30

Which configuration file contains the global IIS settings such as website and logging configuration? A. ApplicationHost.config

6.

B.

Web.config

C.

Machine.config

D.

Metabase.bin

Which of the following files contains the settings for the SMTP configuration? A. ApplicationHost.config B.

Web.config

C.

Machine.config

D.

Metabase.bin

Chapter 4

180

7.

N

Configuring Web Services Infrastructure

Which of the followings TCP/IP ports is used for Secure HTTP communication? A. 25 B.

8.

80

C.

443

D.

3389

You have a web server at your hosting provider and do not have any additional IP addresses to assign. You need to create another website for the company’s marketing department. Which of the following bindings will allow users to access the site from the Internet? A. Bind the website to 127.0.01 on port 80.

9.

B.

Bind the website to the same IP address as the original site and use host headers for both.

C.

Bind the website to the same IP address as the original and use Port 8080.

D.

Bind the website to the same IP address as the original and use port 80.

A new web server has been deployed with a new domain name. All of the content on the new server is identical to the old server. What should be put in place to notify the user of the new URL? A. Application pool B.

Virtual directory

C.

Redirect

D.

Limit

10. Which of the following can be set to limit resources on a website? A. Bandwidth B.

Concurrent connections

C.

Number of pages downloaded

D.

CPU usage

11. Which of the following .NET trust levels provides the application with the least restrictions? A. High B.

Medium

C.

Low

D.

Minimal

12. To create a web farm, which of the following steps must be taken? (Choose all that apply.) A. Create a redirection.config file for each node. B.

Create a load-balanced cluster.

C.

Provide each node with access to the website code.

D.

Export a valid configuration to a network share for all nodes to use.

Review Questions

181

13. To restrict connections that can be made to an FTP server based on a DNS name, what must be enabled? A. IIS Management B.

FTP authorization rules

C.

Domain name restrictions

D.

TLS encryption

14. To protect plaintext username and passwords in an SMTP session, what also must be enabled? A. Basic authentication B.

LDAP routing

C.

TLS

D.

Anonymous authentication

15. Which setting will configure the number of times an email has been sent through a server before it is removed? A. Hop Count B.

Expiration Time-Out

C.

Delay Notification

D.

Smart Host

16. Which of the following options acts as an anti-spam filter? A. Smart host B.

Masquerade domain

C.

Performing reverse DNS lookup on incoming messages

D.

None of the above

17. Which of the following are new features of FTP for IIS 7.0? (Choose three.) A. Download resume B.

Secure FTP

C.

Virtual hostnames

D.

User isolation

18. After installing the built-in version of FTP Server, what must be done to use the Default FTP Site? A. Create the Default FTP Site. B.

Start the Default FTP Site.

C.

Start the FTP service.

D.

Reboot the server.

Chapter 4

182

N

Configuring Web Services Infrastructure

19. Which of the following tools can be used to create a Windows Server 2008 web farm? A. Microsoft Application Center B.

Robocopy

C.

Microsoft Operations Manager

D.

Server Manager

20. How do you install IIS 7.0 modules? A. Add a feature. B.

Add a role.

C.

Add a role service.

D.

Windows Update.

Answers to Review Questions

183

Answers to Review Questions 1.

D.

A smart host defines a server that can be used to deliver messages.

2.

A, B, D. Creating two application pools allows segregation of the applications to a point where they should not be able to affect each other or access each other’s data, which improves security. Also, separate application pools allow different recovery settings to be chosen. Creating separate application pools does not decrease the overall memory usage for the server.

3.

B, C. Using modules to build IIS 7.0 allows administrators to install only the modules required; only the modules installed will need to be patched. Also, since modules can be replaced with custom-written functionality, they are very flexible.

4.

D. There are more than 30 built-in IIS modules.

5.

A. The ApplicationHost.config file contains the global IIS settings.

6.

D. The SMTP server still uses the legacy metabase.bin file to store configuration information.

7.

C. TCP/IP port 443 is used for HTTPS communications.

8.

B. Host headers allow multiple sites to be bound to the same IP address and port and both function. Although binding the site to a nonstandard port will work, it is not best practice because websites running on nonstandard ports require a user to know the port.

9.

C. A redirect can notify the end user of the new server name.

10. A, B. Both the amount of bandwidth and the number of active connections can be limited in IIS. 11. A. The High .NET trust level provides a high level of trust for the application and has fewer limits on what the application can do. 12. A, B, C ,D. All of these steps must be taken to create a web farm. 13. C. To allow DNS lookups for connection restrictions, domain name restrictions must be enabled. 14. C. Transport Layer Security (TLS) provides encryption of the SMTP session. 15. A. The hop count controls the number of time an email can traverse a server before it is removed. 16. D. There are no built-in anti-spam features in the SMTP server that comes with IIS. 17. B, C, D. Secure FTP, virtual hostnames, and user isolation are all new features. This version of FTP still does not have download resume.

184

Chapter 4

N

Configuring Web Services Infrastructure

18. B. With the built-in version of the FTP Server, the installation creates the Default FTP Site; however, it must be started to begin to function. 19. B. Now that IIS 7.0 is based on text files, Robocopy can be used to create a web farm. Application Center is not supported on Windows Server 2008. 20. C. To install IIS modules, the Add a Role service action is used.

Chapter

5

Advanced Web Infrastructure Configuration MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Manage Internet Information Services (IIS). May include but is not limited to: Web site content backup and restore; IIS configuration backup; monitor IIS; configure logging; delegation of administrative rights ÛÛ Configure SSL security. May include but is not limited to: configure certificates; requesting SSL certificate; renewing SSL certificate; exporting and importing certificates ÛÛ Configure Web site authentication and permissions. May include but is not limited to: configure site permissions and authentication; configure application permissions; client certificate mappings

Chapter 4, “Configuring Web Services Infrastructure,” covered the very basic concepts and tasks for IIS 7. Although not overly complex, IIS is a powerful tool with a lot of functionality. Many volumes can be filled with information about best practices and in-depth tweaking and configuration. This chapter will focus on a number of more advanced IIS functionality: NÛ

Backup and recovery

NÛ

Delegation of Administrative rights

NÛ

Configuring SSL and authentication

Managing Internet Information Services (IIS) In the previous chapter, we covered some of the basics of configuration and management of the IIS components. We’ll now go into more detail on these topics, focusing on monitoring, management logging, and backing up and restoring. In the previous chapter we used only Internet Information Services (IIS) Manager to configure IIS. There is also a command-line configuration tool called AppCmd.exe (or AppCmd). This tool is used to view and configure IIS settings. There are even tasks that must be done in AppCmd, such as setting the automatic history backup and performing a manual configuration backup, both of which we will cover later in this chapter. Even though AppCmd is a command-line administrative tool, it is not based on Windows PowerShell. The AppCmd utility was created before PowerShell was put in to Windows Server 2008. Exercise 5.1 demonstrates how to use AppCmd to list the currently configured websites. E X E R C I S E 5 .1

Using AppCmd.exe to List Configured Websites Follow these steps to use AppCmd.exe to list configured websites:

1.

Open an elevated command prompt.

2.

Change to %System%\System32\InetSrv, the directory where AppCmd.exe resides.

Managing Internet Information Services (IIS)

E X E R C I S E 5 .1 ( c o n t i n u e d )

3.

Run appcmd฀list฀sites to list configured sites.

The following objects are available for administration with AppCmd.exe: NÛ

Site - Manage Web sites

NÛ

App - Manage applications

NÛ

VDir - Manage virtual directories

NÛ

AppPool - Manage application pools

NÛ

Config - Mange server configuration

NÛ

WP - Mange worker processes

NÛ

Request - Manage request settings

NÛ

Module - Manage loaded modules

NÛ

Backup - Manage backup and restores

NÛ

Trace - Manage trace settings.

187

188

Chapter 5

N

Advanced Web Infrastructure Configuration

Many of the options available in AppCmd were covered using the Internet Information Services (IIS) Manager in Chapter 4. For more information on these actions, please refer to Chapter 4. Using Back and Trace will be covered later in this chapter. Each object has a set of commands that can be run to configure it. For example, the Site object has the following available commands: list, set, add, delete, start, and stop. To get a list of the available actions for a specific object, type AppCmd.exe฀฀/?.

Configuring Monitoring and Logging To provide a consistent reliable service, it’s essential to monitor performance. Chapter 11, “Monitoring Windows Server 2008 for High Availability,” covers how to use new tools such as the Windows Performance Diagnostic Console and the Reliability Monitor and the Windows event logs in Windows Server 2008 to monitor performance and stability.

Trace Logging One of the more troublesome tasks is figuring out what exactly is happening when a failure occurs. This can be because the problem is occurring sporadically, or perhaps there are thousands of users connecting to the server simultaneously. Trace logging helps to rectify this problem by watching requests and, if a defined failure occurs, writing a log of the request and the actions involved in the request. Each failed request is stored in a separate XML-based file that is sequentially numbered. The XML file can be opened in Internet Explorer or other XML-capable readers. To use trace logging, you must install the Tracing role service. After the Tracing role service is installed, you can enable failed request tracing for a particular website. See Exercise 5.2. EXERCISE 5.2

Enabling Failed Request Tracing Follow these steps to enable failed request tracing:

1.

Click Start  Administrative Tools  Internet Information Services (IIS) Manager.

2.

In the Connections pane, expand the server name, then expand Sites and click on Default Web Site.

3.

In the Actions pane, click Failed Request Tracing.

Managing Internet Information Services (IIS)

189

E XE RC I SE 5. 2 (continued)

4.

Check the Enable box and type in the name of the directory in which you want to save the log files.

After you enable failed request tracing and define the number of trace files to keep, you must create failure definitions to specify what failures should be logged. For example, if a 500 error occur intermittently in the .NET application on the website, you could create a failed request tracing rule to watch for a status code of 500 on all files with an .aspx filename extension. Failed request tracing rules can be created at the server, website, or virtual directory level. The rules are always inherited from the parent container. You will want to be careful about enabling the rule closest to the problem directory or application because failed request tracing can have a negative impact on server performance.

Chapter 5

190

N

Advanced Web Infrastructure Configuration

The three criteria for a creating a rule are content, conditions, and trace provider, as shown in Figure 5.1. The content criterion specifies the name of the files or path that should be traced. There are four options: NÛ

All content (*)

NÛ

ASP.NET (*.aspx)

NÛ

ASP (*.asp)

NÛ

Custom

F I G U R E 5 .1

Specifying content to trace

Content With the first three content options, it is easy to identify what is going to be traced. The All Content (*) option specifies watching all content below where the rule is created. The ASP. NET (*.aspx) option specifies tracing only requested URLs that end with .aspx, and the ASP (*.asp) option specifies tracing only requested URLs that end in .asp. The last option, Custom, allows you to be more specific. You can specify watching Web pages with a name that has a specific beginning or end. If you need to watch all pages that started with forum, like forum.aspx or forumLogin.aspx, you could add forum* in the Custom field. Of note, though, is that you are allowed only one wild card in this field, meaning you could not add in *forum* to be able to trace StartForumLogin.aspx. Instead, you would need to find a more generic option to trace code on that Web page.

Managing Internet Information Services (IIS)

191

Condition The next criterion that needs to be specified is the condition or conditions that would constitute a failure. If more than one condition is specified, the first condition that is matched will generate the log files. There is no way to specify that multiple conditions must be met to generate the file. You can select three options for conditions: Status Code(s) This option should be selected when you want to generate a trace log based on an HTTP response code. Multiple status codes can be entered; however, they must be separated by commas. Time Taken (in Seconds) This option should be selected when you want to generate a trace log when a specific request takes longer to process than expected. If this is selected, a time interval must also be entered in seconds. Event Severity This option should be selected when you want to generate a trace log based on the severity of an error that occurs. If this is chosen, one of the following options must also be chosen: Error This will provide information when components generate errors and do not continue to process requests. Critical Error

This will provide information when components cause a process to end.

Warning This will provide information when components experience an error and continue to process requests. You can see these options in Figure 5.2. FIGURE 5.2

Defining trace conditions

Chapter 5

192

N

Advanced Web Infrastructure Configuration

Trace Provider The last criterion that must be defined is which trace providers should be used and at which verbosity. There are a number of differences that are not all that obvious. The following four built-in trace providers are shown in Figure 5.3: NÛ

ASP

NÛ

ASPNET

NÛ

ISAPI Extension

NÛ

WWW Server

FIGURE 5.3

Selecting trace providers

As is the case with ASPNET and WWW Server, you are given the option to specify areas that should also be traced. With the ASPNET provider, you can specify the following areas: Infrastructure This option traces requests when the request is going between different tracing areas within ASP.NET. Module This option traces the requests through the HTTP pipeline or managed modules. Page This option traces page events and can also capture Trace.Write and Trace.Warn events. AppServices

This option traces the requests through application services.

WWW Server has the following areas: Authentication This option traces authentication attempts and includes the authenticated user, the scheme (such as Anonymous or Basic), and the results of the attempt. Security This option traces events when the server rejects the requests for security or permission reasons.

Managing Internet Information Services (IIS)

193

Filter This option traces how long it takes an ISAPI filter to process a request. StaticFile This option traces how long static file requests take to be completed. CGI This option traces when a request is made to the CGI Module. Compression Cache

This option traces through the compression modules.

This option traces through the cache compression modules.

RequestNotifications This option traces all request notifications, both on entrance and on exit. Module This option traces the requests through the HTTP pipeline or managed modules. There are also six verbosity settings for each of the providers. To get the information required to pinpoint the problem, you will want to select the minimum verbosity to reduce the impact on the server. In the following list, the verbosity levels are listed in order; the first level results in the least amount of data and the last in the most: NÛ

General

NÛ

Critical Errors

NÛ

Errors

NÛ

Warnings

NÛ

Information

NÛ

Verbose

Tracing failed requests can have a negative impact on server performance. If you must use tracing on a production server, be aware of the impact. Test the configuration in a test lab under load while monitoring standard metrics such as CPU, memory, disk I/O, and application response time.

Access Logging Who is visiting a website and what they are doing when they are there is something most web developers want to know so they can provide a experience to the end user, see how good a job they are doing at getting people to visit the site, and determine how users were referred to the site. This is where access logging is useful. Server administrators can use it too, to determine if there are errors and when the busiest times are for the server. Also, a period when the server is at its least busy so that maintenance can be scheduled, this period is often called a change window. Access logs files store the request activity for each request—information such as time, software client used, amount of data transferred, and the status code from the server. The exact attributes of the request can be modified to meet the needs of your business for reporting and auditing. Access logs can be processed by reporting software to allow a more user-friendly

Chapter 5

194

N

Advanced Web Infrastructure Configuration

and more digestible way of viewing the data. There are now two main ways of storing access logs, on a per-server and on a per-site basis. Per-server logging Per-server logging creates a single log for all of the sites on the server. There are two options to choose from: Centralized Binary Logging and Centralized World Wide Web Consortium (W3C) Extended Log. Binary logging is written in the Internet Binary Log format, which isn’t readable with common text editors but can be read by third-party tools as well as LogParser, which is available from Microsoft. The W3C extended log is written in a text format and can be read with common text editing software. Per-site access logging Per-site access logging, which is similar to the method used in previous versions of IIS, is per-site access logging. There are four types of built-in per-site logging: National Center for Supercomputing Applications (NCSA) Common, Microsoft Internet Information Services (IIS), World Wide Web Consortium (W3C) Extended, and Custom (ODBC) Logging. Both W3C and Custom logging allow configuration of the information that will stored in the access log. Modifying the type of information that will be logged is sometimes necessary for some reporting software to be able to deliver detailed reports. Per-server logging and the default per-site configuration is completed at the server level using the Logging Features options. At the site level, the Logging feature can be used to customize per-site configuration settings. Whether you choose per-server or per-site logging, the base directory for storing the files is %SytemDrive%\inetpub\Logs\Logfiles\W3SVC. If you choose per-site, however, the individual site log files are placed in a directory based on the site number. For example, website 1 would be stored in %SytemDrive%\inetpub\Logs\Logfiles\ W3SVC1. The log file names in those directories depend on the format chosen and rollover settings. Log file rollover sets the criteria for when a log file should split. There are four main rollover criteria: Schedule This option should be selected if a new log file should be created by one of the following time schedules: NÛ

Hourly

NÛ

Daily

NÛ

Weekly

NÛ

Monthly

Maximum File Size (in Bytes) This option should be selected if the log file should reach a specific size before a new one is created. Do Not Create New Log Files This option should be selected if a single log file should be created. Often this is used with legacy web reporting software that has to reference a single filename to create reports. Use Local Time for File Naming and Rollover This option should be selected if the local time should be used. The default is to use Coordinated Universal Time (UTC-Temps Universel Coordonné) for rollover and file naming.

Managing Internet Information Services (IIS)

195

Logging can be stored in either the Unicode Transformation Format (UTF-8) or the ANSI format; however, it can only be selected at the server level. The server format controls all site logging formats.

When log settings are changed, the site must be restarted to activate the new settings.

Backup and Restore One of the most important configuration and setup steps is to make sure that restores work because doing a backup is useless unless a restore can be accomplished. mentioned in Chapter 4, the configuration for IIS is stored in a number of XML-based files. These files can be backed up and then restored to return the server’s configuration to the point in time the configuration was created. Since an errant configuration change can negatively impact the server’s functionality, a backup is made of the server configuration when an administrator makes changes. The default setting keeps up to 10 configuration backup sets in a uniquely named subdirectory of %SystemDrive%\Inetpub\History before removing the oldest automatic backup. The backup is completed by default every 2 minutes as changes are made. This avoids the need for having a backup for each check box selected and setting tweaked; instead, all changes during the 2 minutes are committed at the same time, with a single backup done.

Configuration backups protect only the server configuration files. They do not back up application Web.config files, nor do they back up website content.

The number of configuration backups is controlled by the maxHistories attribute of the configHistory section of the applicationHost.config file and the interval that the configuration file is backed up is controlled by the Period attribute. The period is specified in the hours:minutes:seconds format. If you want to specify a 10-minute period, you would use 00:10:00. The AppCmd.exe utility can be used to modify both of these attributes. Exercise 5.3 walks you through changing these settings. EXERCISE 5.3

Modifying Configuration History Settings Follow these steps to modify configuration history settings.

1.

Open an elevated command prompt.

2.

Change to %System%\System32\InetSrv, the directory where AppCmd.exe resides.

196

Chapter 5

N

Advanced Web Infrastructure Configuration

E XE RC I SE 5.3 (continued)

3.

Run appcmd฀set฀config฀/section:configHistory฀/maxHistories:50฀/period฀ :00:10:00 to set the maximum number of history backups to 50 with a save interval of 10 minutes.

What if you want to make a manual backup of the configuration to keep for future recovery? This too can be done with the AppCmd.exe utility. Figure 5.4 shows AppCmd.exe being run to manually generate a backup called Server Backup 1. FIGURE 5.4

Manually creating a server configuration backup

To list the automatic and manual configuration backups that have been completed, you would run AppCmd.exe฀list฀backups. Figure 5.5 shows the results of running this command. Now you have configuration backups, but what use are they unless you can perform a restore? When you restore the configuration, you restore IIS settings for all of the sites, application pools, virtual directories, and applications. Figure 5.6 shows an example of running a restore of a manual backup named Server Backup 1 by running AppCmd฀restore฀ backup฀“Server฀Backup฀1”.

Managing Internet Information Services (IIS)

FIGURE 5.5

Listing available backups

FIGURE 5.6

Restoring the configuration from a backup

197

Now that the server configuration is being protected, the next step is to ensure that the content of the websites are protected. There isn’t a whole lot of IIS-specific magic when it comes to backing up content. The new Windows Server Backup feature should be used to perform regular backups of site content, which would include any Web.config files that contain configuration data not captured by the IIS configuration backup.

The Windows Server Backup feature is installed from Server Manager by selecting Add Features from the Action menu.

Delegating Administrative Rights To allow developers, help desk personnel, or non-IT staff to perform specific administrative functions, IIS 7 had feature delegation. Authentication for feature delegation is done by default with Windows credentials; alternatively, IIS Manager credentials can be configured as well. To start off with feature delegation, first the IIS Management Service role service must be installed. The role service can be added using Server Manager. The Management Service role service is used to allow remote administration of IIS, which is the method that delegated IIS administrators must use to connect to get delegated feature rights.

198

Chapter 5

N

Advanced Web Infrastructure Configuration

There are two forms of administrative rights that can be delegated, IIS management and feature management. Either form of delegation affects all sites, directories, or applications below where the delegation takes place. IIS management delegation grants permissions to allow a user to be able to manage specific sites or applications. Exercise 5.4 will demonstrate how to grant a user IIS Manager permissions to manage an entire website remotely. EXERCISE 5.4

Delegating Administrative Permissions for Remote Administration of a Website Follow these steps to delegate administrative permissions for remote administration of a website:

1.

Click Start  Administrative Tools  Internet Information Services (IIS) Management.

2.

Select Default Web Site in the Connections pane.

3.

In the Content pane, double-click on IIS Manager Permissions.

Managing Internet Information Services (IIS)

199

E XE RC I SE 5.3 (continued)

4.

In the Actions pane, click Allow User.

5.

In the Allow User dialog box, type or select the user that you want to grant access to and click OK.

The more granular delegation option available is feature delegation. It allows you to specify whether the feature’s related configuration is locked or unlocked. When a feature is locked the configuration is enforced to all lower levels. Locking a feature is used when you want all conflicting configurations in Web.config files below to be overridden. This may be important for specific features to block developers or administrators from overriding standards that have been set. The default for all feature delegation is to user lower-level configuration files for feature configuration settings.

IIS Manager permissions are delegated for a site or an application because computer administrators automatically have permission at the server level.

Feature delegation is done from the server level; however, the features can be delegated at a variety of levels. To configure feature delegation for all sites on the server, as you would do when you give a user or set of users access to administer all sites, you would perform the delegation at the server level. If you are delegating rights on only a particular site, you would start the delegation at that site. To manage feature delegation, select the local server in the Connections pane and double-click the Feature Delegation icon in the Content pane (Figure 5.7). There are three general settings and one action for each feature: Read/Write This sets the feature to unlocked and allows features to be changed in lower-level Web.config files for the sites and applications below. This also allows all non-administrators to configure the feature in IIS Manager if they have been given permissions to connect.

200

Chapter 5

F I G U R E 5.7

N

Advanced Web Infrastructure Configuration

Managing feature delegation

Read Only This locks the feature’s configuration to the server-level configuration file. The configuration cannot be overridden by any lower-level Web.config files. It also denies all non-administrators the ability to configure these features in IIS Manager; however, the user will be able to view the configuration. Not Delegated This locks the feature’s configuration to the server-level configuration file. The configuration cannot be overridden by any lower-level Web.config files. It also denies all non-administrators from being able to see or modify the feature in IIS Manager. Reset to Inherited This action sets the delegation state to what it is set to at the parent level. Two exceptions are .NET Users and .NET Roles. These features are assigned either Configuration Read/Write or Configuration Read Only and Reset All Delegation. and They are similar to the preceding features except that they affect the configuration for the feature, not the data the feature uses. Figure 5.8 shows an example of configuring the feature delegation options.

Configuring Secure Sockets Layer (SSL) Security

FIGURE 5.8

201

Configuring feature delegation

Configuring Secure Sockets Layer (SSL) Security Security is something that is extremely important to companies today. Improperly protecting sensitive user data can destroy a company’s reputation. Secure Sockets Layer (SSL) is a method of encrypting and authenticating client-to-server communications. It provides reasonable assurance that the information being exchanged between the client and the server is safe from prying eyes. To provide SSL communication, you must install a certificate on the server. SSL certificates are based on Public Key Infrastructure (PKI), which consists of a private key, a public key, and a certificate authority (CA) that is able to validate the keys.

202

Chapter 5

N

Advanced Web Infrastructure Configuration

The public keys provide details about the owner of the certificate, whether it is valid, and how the certificate can be used. The public key is, as its name suggests, public and can be distributed anyone who requests it. The private key, however, should be kept secure and only stored on the server or servers that require it. If the private key is made public or compromised in another way, the certificate should be discarded and a new one generated. The public and private keys are a matched pair of numbers used in asymmetrical computations. It would be like having one key that locks the door and another key that unlocks it. For the certificate, when one key is used to encrypt the data, the other must be is used to decrypt it. If one of the keys is missing, the encryption or authorization process cannot complete. The certificates are authenticated and issued by a CA. A CA can be likened to a passport agency. The passport agency verifies the information the requestor provides and then issues a passport that is valid for a specific period. When a passport holder travels, they provide the passport as a means of identification because governments trust that the government that issued passport has properly verified the identity of the holder. Similarly, when a CA issues a certificate, it verifies that you are who you purport to be by verifying specific information and often requesting documentation. Once the verification is complete, the certificate is issued. For a certificate to be valid, all parties must trust the CA. Windows Server 2008 includes Active Directory Certificate Services (AD CS) as an available role that can act as a CA and issue certificates. If you create your own CA, users on the Internet will not automatically trust your CA and will receive errors when trying to access your site. Using AD CS may be a valid option if all users are under your control or in your domain because you can use Group Policy to force the machines to trust your CA. Third parties such as VeriSign, GeoTrust, and Thawte operate CAs that are trusted by many major operating systems like Windows Server 2008. When you’re requesting a certificate for a website, it is best to obtain the certificate from a widely trusted third party so that Internet users do not have problems when visiting your site.

Requesting and Renewing SSL Certificates The first step in configuring SSL on a website is to obtain a certificate. To protect the private key, a request must be generated and the pertinent information sent to a CA so that the certificate can be generated with the public key. To create a simple certificate request from IIS Manager, follow the steps listed in below. 1.

Choose the server name in the Connections pane and then double-click on the Server Certificates icon.

2.

Choose Create Certificate Request from the Actions menu (Figure 5.9).

Configuring Secure Sockets Layer (SSL) Security

FIGURE 5.9

3.

203

Managing server certificates

In the Request Certificate dialog box, provide information specific to your organization. This information is used by the CA to determine if you are eligible to request a certificate for this organization. Note that the common name must match the hostname of the server. Click Next. (Figure 5.10)

F I G U R E 5 .1 0

Entering Certificate Details

204

4.

Chapter 5

Advanced Web Infrastructure Configuration

On the Cryptographic Service Provide Properties page (Figure 5.11), choose the encryption service provider and the bit length of the encryption. The bit lengths available in this step range from 384 to 16384. The larger the bit length, the higher the level of encryption, but a higher level of encryption also puts more load on the server because the encryption and decryption process requires complicated mathematical functions to complete. It will also require more information to be exchanged between the server and client.

F I G U R E 5 .11

5.

N

Setting the cryptographic service provider Properties

Provide a location to save the certificate request and click Finish.

The process is not over. The next step is to take the certificate request file and submit it along with any other documentation to the CA so that the certificate can be issued. After the CA processes the request, you must use the response to complete the certificate. From Server Certificates in IIS Manager on the server from which the request was generated, choose Complete Certificate Request from the Actions pane. As shown in Figure 5.12, on the Specify Certificate Authority Response dialog, enter the location of the text file containing the response from the CA, assign a name for the certificate, and then click OK. To do testing with SSL certificates, you can also create a self-signed SSL certificate. Since there is no trusted certificate authority, no one other than the server will automatically trust the certificate. To create a self-signed certificate, simply select Create Self-Signed Certificate from the Actions pane from Server Certificates in IIS Manager. After the certificate is issued, it is valid for only a specific amount of time. To renew the certificate, you must generate a renewal request. This request can then be given to the CA, and the CA will issue a new response, which in turn will generate a new certificate.

Configuring Secure Sockets Layer (SSL) Security

F I G U R E 5 .1 2

205

Completing a certificate request

Enabling SSL on a Website Once you have a valid certificate on the server—one issued from a trusted third-party CA, one from a local AD CS server, or a self-signed certificate—you must assign it to a website to enable SSL. EXERCISE 5.5

Enabling SSL on a Web Server: 1.

Select the website for which you would like to enable SSL.

2.

Choose Bindings from the Actions pane.

3.

Click Add in the Site Binding dialog box.

4.

In the Add Site Binding dialog box, set the type to https and select an IP address to bind to if you’re not using the default.

5.

Select the SSL certificate from the drop-down list and click OK.

206

Chapter 5

N

Advanced Web Infrastructure Configuration

After SSL has been enabled, you should be able to visit the site from a browser using https:///. If you want to require that all clients connect to a site or virtual

directory with SSL, navigate to where you want to enforce SSL in the Connections pane and then double-click on SSL Settings in the Content pane. As shown in Figure 5.13, enable Require SSL and, if needed, Require 128-bit SSL to ensure that a stronger encryption standard is met. F I G U R E 5 .1 3

Configuring the Require SSL setting

Exporting and Importing Certificates You may need to export a certificate from one server to another when multiple web servers in a web farm must host the same SSL secured site. When you export a certificate, the private key is also exported, so the exported data should be protected. Allowing the private key for the site to fall into the wrong hands increases the likelihood of compromising the integrity of the certificate. To export a certificate, select the server in the Connections pane and then double-click on Server Certificates in the Content pane. Then choose Export from the Actions pane. As shown in Figure 5.14, specify a filename and a password to protect the certificate.

Configuring Website Authentication and Permissions

F I G U R E 5 .1 4

207

Exporting a certificate

To import a certificate, you follow a similar procedure. Select the server in the Connections pane and then double-click on Server Certificates in the Content pane. Then choose Import from the Actions pane. As shown in Figure 5.15, select the certificate file, type in the password and then select whether you would like the certificate to be exportable from this server. F I G U R E 5 .1 5

Importing a certificate

Configuring Website Authentication and Permissions A number of authentication types are available for IIS 7.0 to meet the needs of your application. A number of native authentication modules are available that enable specific authentication types. AD Client Certificate Authentication This allows authentication using certificates stored in Active Directory. Anonymous Authentication This allows any user who can access the site to view content without having to authenticate. The IUSR[_ServerName] account is used by IIS to access the content on the server.

208

Chapter 5

N

Advanced Web Infrastructure Configuration

ASP.NET Impersonation This allows an ASP.NET application to run under accounts other than the default ASPNET account. Basic Authentication This allows users to access content after providing a username and password. Basic authentication transmits the username and password with weak encryption, so it is best to use this on a trusted network or to provide additional encryption using SSL. Digest Authentication This allows using domain credentials to authenticate; however, all passwords must be stored with reversible encryption. Forms Authentication This uses an HTML form to request credentials from a user. The credentials can be validated to a number of sources, including Active Directory or another database. The username and password are sent in plain text, and it is recommended that you use SSL to provide protection. Windows Authentication This allows authentication with NTLM or Kerberos to domain or local accounts. By default, Anonymous authentication is enabled. If Anonymous is enabled along with other authentication modules, users will be able to view all publicly available content. If someone attempts to access content that isn’t publicly available, they are prompted to provide credentials. To enable an authentication module, you must first install it. All of the authentications modules are listed under the security heading when role services are installed, as shown in Figure 5.16. F I G U R E 5 .1 6

Adding authentication modules

Configuring Website Authentication and Permissions

209

Once you have installed the modules required to provide authentication for your site, only Anonymous authentication is enabled by default. To enable other authentication, navigate to the server, site, or applications for which you want to enable the authentication type in the Connections pane. From there, double-click on Authentication in the Content pane. As shown in Figure 5.17, you will be able to view a list of available authentication types and then enable, disable, and configure each authentication type as needed. F I G U R E 5 .17

Configuring authentication

Configuring Application Access Authorization rules can be used to control access to a website. They can be specific to users, groups, or roles that have access to the site and can optionally apply to specific HTTP commands (verbs). This can be done by creating either an allow or a deny authorization rule. To use authorization rules, you must install the URL Authorization module. The authorization rule is then created at the site or application on which it should be enforced and affects all down-level content unless specifically removed. The Entry Type column lists Inherited for rules applied from the parent and Local for rules created at the selected level. Figure 5.18 shows several inherited rules from the parent container as well as a single rule created at the selected level.

210

Chapter 5

F I G U R E 5 .1 8

N

Advanced Web Infrastructure Configuration

Viewing authorization rules

An authorization rule is applied to one of the following: NÛ

All users

NÛ

All anonymous users

NÛ

Specified user groups or ASP.NET roles

NÛ

Specified users

When creating an authorization rule, you have the option of applying this allow or deny rule to specific HTTP commands known as verbs. You can see these options in Figure 5.19. F I G U R E 5 .1 9

Creating an authorization rule

Summary

211

Client Certificate Mapping Client certificates allow a user to authenticate with the site. To enable a website to accept certificates, you must first install the AD Client Certificate Authentication modules and enable them at the server level. To allow a website or application to accept client certificates, you must configure the SSL settings. To do this, select the site or application in the Connections pane and then double-click on SSL Settings in the Content pane. Then under Client Certificates in the Content pane, choose Accept or Require as shown in Figure 5.20. Choose to accept client certificates if not all users have certificates to authenticate, and choose Require if you want to enforce all users to authenticate with a certificate. If you choose Require, you must also require SSL to connect to the site or applications. FIGURE 5.20

Configuring client certificate settings

Summary Although IIS can be very easy to use and configure, there are a number of more advanced topics that warrant consideration. In this chapter we covered advanced management tasks like backup and restoring, configuring SSL certificates, and configuring authentication types. In several examples, we used the AppCmd.exe command-line tool to work with configuration backup, restores, and configuration history. We also discussed creating failed request tracing rules to be able to pinpoint problems within a web application.

212

Chapter 5

N

Advanced Web Infrastructure Configuration

Access logging can be configured either per site or per server to provide detailed logs that track client access to the site. These logs can be used to identify the popularity of a web application or to determine usage patterns. Feature delegation is used to control the features that can be configured or to allow feature settings to be overridden that are configured at higher levels in the configuration. Next, the chapter covered authentication settings to control access and methods of authenticating users. Last, we discussed requesting, binding, and exporting certificates.

Exam Essentials Know how to perform a manual backup and restore. Using AppCmd to complete backups and restores is important. Know what syntax to use and what scenarios that you would be required to perform a backup or a restore do. Know what an SSL certificate is and how to request a new one. Certificates are used to encrypt and authenticate communications between the server and client. Know the steps required to secure a website and where to obtain an SSL certificate. Know which modules are used for authentications. IIS 7.0 has a number of modules used for authentication. Know which modules to use in specific instances. Know which authentication modules are used for different authentication requirements.

Review Questions

213

Review Questions 1.

What is the name of the tool used to view and configure IIS settings? A. Computer Manager

2.

B.

WDSUTIL

C.

AppCmd

D.

IISmgt

In order to troubleshoot and monitor failures in IIS, what role service needs to be installed? A. Monitoring

3.

B.

Tracing

C.

Event Viewer Service

D.

File Sharing

What must be created to define which failures should be logged? A. Event viewer filter

4.

B.

Event view monitor

C.

System task to monitor log files

D.

Failed request tracing rule

What are three criteria for creating a trace rule? A. Content

5.

B.

Trace provider

C.

Event ID

D.

Conditions

Which of the following trace providers are built in? A. .NET

6.

B.

ASP

C.

HTML

D.

PHP

What log files are used to determine information such as time, software client used, amount of data transferred, and status codes? A. Access log B.

Application logs

C.

Event view log

D.

System logs

Chapter 5

214

7.

N

Advanced Web Infrastructure Configuration

If you have more than one site on your server and you want to keep all the logs in a single file, what type of logging will you use? A. Single access log

8.

B.

Combined log

C.

Per-server logging

D.

Per-domain logging

What is the location where the log files are stored regardless of whether you use per-server or per-site logging? A. %SystemDrive%\inetpub\Logs\Logfiles\W3SVC

9.

B.

%SystemDrive%\inetpub\Logs\Logfiles

C.

%SystemDrive%\inetpub\Logs

D.

%SystemDrive%\Windows\System32\LogFiles

What tool is used to create a manual backup of the IIS server configuration? A. WDSUTIL B.

NTBACKUP

C.

AppCmd

D.

IISState

10. Before you can use the IIS feature delegation, what role needs to be installed? A. IIS Management Service B.

Permissions Verifier

C.

Active Directory Certificate Service

D.

Network Policy and Access Service

11. At what level is feature delegation preformed? A. Application level B.

Workstation level

C.

User level

D.

Server level

12. What method is used to encrypt and provide authentication for client and server communications? A. DRM B.

SSL

C.

Bit Level

D.

NTFS

Review Questions

215

13. What needs to be installed on a server before it can provide SSL communication? A. Bit-level encryption B.

NTFS

C.

DHCP

D.

SSL certificate

14. If the ___________________ is compromised, the SSL certificate must be replaced. A. Private key B.

Public key

C.

Server key

D.

Domain key

15. In order for a certificate to be valid, what must happen? A. It must be issued by Microsoft. B.

It must be at least one year old.

C.

It must be trusted by all parties.

D.

It must be created by an administrator.

16. What are the limitations of creating your own CA? A. None B.

Users on the Internet will not automatically trust your CA and will receive errors when trying to access your site.

C.

You cannot create your own CA. It will cause errors in the Event Viewer.

D.

You will not be able to generate TLS certificates.

17. What are public and private keys? A. Matched pairs of numbers used in asymmetrical computations. B.

Serial numbers used to activate an operating system.

C.

Encryption types.

D.

Keys that are listed on public domains and private domains.

18. What information is listed in public keys? (Choose all that apply.) A. No information is supplied. B.

The private encryption key

C.

Owner of the certificate.

D.

How the certificate can be used.

Chapter 5

216

N

Advanced Web Infrastructure Configuration

19. What two forms of administrative rights can be delegated in IIS? A. IIS management B.

Feature management

C.

Active Directory groups

D.

User creation

20. When changes are made to IIS, what is the default backup schedule? A. 10 minutes B.

2 minutes

C.

30 minutes

D.

60 minutes

Answers to Review Questions

217

Answers to Review Questions 1.

C.

The AppCmd tool is used to configure and view the settings for IIS.

2.

B.

The Tracing role service needs to be installed in order to monitor when failures occur.

3.

D.

Failed request tracing rules will monitor for failures you define.

4.

A, B, D.

5.

B.

6.

A. Access logs are used to collect data that may include time, software client used, amount of data transferred, and status codes.

7.

C. Per-server logging is used when you have multiple sites on a single server and you want a single log for all sites.

8.

D.

Log files are located at %SystemDrive%\inetpub\Logs\Logfiles\W3SVC.

9.

C.

AppCmd is used to create a manual backup of the server configuration.

The criteria for creating a rule are content, conditions, and trace provider.

ASP is a built-in trace provider.

10. A.

IIS Management Service is required for IIS feature delegation.

11. D.

All feature delegation is done at the server level.

12. B.

SSL is a method of encrypting and authenticating client-to-server communications.

13. D. An SSL certificate must be installed on a server before it can provide SSL communication. 14. A.

If the private key is exposed to the public, the SSL certificate must be replaced.

15. C.

For a certificate to be valid, all parties must trust the CA.

16. B. If you create your own CA, users on the Internet will not automatically trust your CA and will receive errors when trying to access your site. Windows Server 2008, Active Directory Certification Services allows generation of TLS and other types of certificates on the proper edition on the product. 17. A. Public and private keys are matched pairs of numbers used in asymmetrical computations. 18. C, D. The public keys provide details about the owner of the certificate, whether it is valid, and how the certificate can be used. The private key is kept separate from the public key and is protected from public access. 19. A, B. There are two forms of administrative rights that can be delegated, IIS management and feature management. 20. B.

Backups are completed by default every 2 minutes as changes are made.

Chapter

6

Configuring Additional Communication Services MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configure Windows Media server. May include but is not limited to: on-demand replication; configure timesensitive content; caching and proxy ÛÛ Configure Digital Rights Management (DRM). May include but is not limited to: encryption; sharing business rules; configuring license delivery; configuring policy templates

Windows Server 2008 includes communication services that can benefit your organization, like fax services. Additional services can prove to be valuable to any organization that looks to manage both delivering live or on-demand digital media and sending and receiving faxes. Learning about these services is important not only for the exam, but for real-life applications as well. As organizations grow, the need for better communication management becomes a necessity. IT administrators who not only want to keep pace with the industry but want their organizations to use their resources to the fullest will devote the time needed to configure communication services. In addition to configuration, time should be devoted to understanding each organization’s needs and how it will benefit from these additional tools. Many may argue that the time spent on these additional services is wasted. Anyone who has ever had to work to make a company’s fax services work or figure out how to record meetings and then replay them in either audio or video form will disagree. Most likely the majority of the companies in today’s workforce do value communication services, and this is where the IT administrator can shine. Want to show your employer that you are truly a valuable asset? Take some time to understand the additional communication services and think about how they can make your organization more efficient and productive. This chapter covers the following topics: NÛ

NÛ

NÛ

Configuring Fax Services, including configuring local fax properties and defining a fax routing location Configuring Media Services, including configuring basic streaming solutions and options for configuring security in a Windows Media Server Configuring Digital Rights Management (DRM), including DRM encryption and DRM business rules

For this chapter, we assume you have a basic understanding of Windows Server 2008 and that you understand how to use Server Manager.

Configuring Fax Services Fax services for Windows Server have been around since the days of Windows NT. It has always left something to be desired in becoming an enterprise faxing solution, but over the years it has shown improvements in both features and in instructions on how an IT administrator can configure it.

Configuring Fax Services

221

Is a faxing service still needed, however? Simply put, yes. Even in a world where everything moves at a fast pace and more communication is done via email, faxing is still the first choice in many communications tasks. Perhaps this is because people still like the feel of paper in their hands. In any case, fax services will not be going away anytime soon. Microsoft continues to support this older, but still heavily relied upon, resource. We will endeavor to show you how to configure this service in Windows Server 2008. We assume you have already installed the Fax Service role using Server Manager. After you have completed the installation of the Fax Server Role, can use the Fax Service Manager to do the following: NÛ

Manage users

NÛ

Configure fax devices

NÛ

Set up routing polices for faxes

NÛ

Create rules for outgoing faxes

NÛ

Archive received or sent faxes

NÛ

Track the use of fax resources

It is recommended you install the Windows Fax and Scan on your Windows 2008 Server machine because it will allow you to monitor the activity in the Incoming, Inbox, and Outbox folders. To install the Windows Fax and Scan role from the Server Manager, complete the following steps: 1.

In the left pane, click Features, and then in the right pane, click Add Features (Figure 6.1).

F I G U R E 6 .1

Server Manager

222

Chapter 6

N

Configuring Additional Communication Services

2.

In the Select Features section, select Desktop Experience and click Next.

3.

On the next screen, choose Install.

If your users are using Microsoft’s Windows Vista, they can send and receive faxes using the built-in Windows Fax and Scan utility. Windows XP users can send faxes using the Fax Console utility.

Configuring Fax (Local) Properties After installing the Fax Service role on your Windows Server 2008 machine, it will automatically detect and install any fax device that has been attached to the server. If a fax device does not already exist, a local fax printer connection is created. This fax device represents all the physical fax devices that are connected to the server. By default, all detected fax devices are enabled for sending faxes but not for receiving them. You must specifically enable each device to receive faxes. Server Manager will be used to enable these devices.

After you install the Fax Service role, sharing is not enabled by default. You can share a Fax device within the printers option in Control Panel.

In Exercise 6.1, you will use Server Manager to configure the properties of a fax device and enable it to receive faxes. E X E R C I S E 6 .1

Configuring a Fax Device to Receive Faxes To enable your Fax Device to receive faxes, do the following steps:

1.

In the left pane in Server Manager, expand Roles and expand Fax Server.

2.

Expand Devices and Providers, and click Devices.

Configuring Fax Services

223

E X E R C I S E 6 .1 ( c o n t i n u e d )

3.

In the Content pane, right-click the device you want to configure and then choose whether you want the device to automatically answer a fax call or if the users must manually answer.

4.

Choose OK.

The next step is to configure the properties of the fax server. The following tabs are found in the Fax Properties dialog box: General Within this tab, you can review the current activity and disable sending and/or receiving faxes. Receipts

This tab allows you to configure delivery options.

Event Reports

This is where you specify event tracking levels.

Activity Logging fax activity.

This section allows you to choose to log incoming and outgoing

Chapter 6

224

Outbox Archives

N

Configuring Additional Communication Services

This is the were you can configure the options for the queue of all outgoing faxes. Here you can configure your archive settings for sent and received faxes.

Accounts Here you can choose to assign messages to individual accounts. Security This section allows you to set permissions for users or groups for fax configurations and documents. In Exercise 6.2, you’ll configure the settings for the most common features within the Fax Properties dialog box. EXERCISE 6.2

Configuring Fax Properties To configure the Fax properties, follow the steps below:

1.

Within Server Manager, expand Roles and then expand Fax Server.

2.

Right-click Fax and choose Properties.

3.

On the Receipts tab, click the box labeled Enable SMTP E-Mail Receipts Delivery and enter a From e-mail address, SMTP server address, and port number.

4.

Select the Activity Logging tab. Click the boxes next to Log Incoming Fax Activity and Log Outgoing Fax Activity.

Configuring Fax Services

225

E XE RC I SE 6. 2 (continued)

5.

In the Activity Log Folder text box, enter the path to store the activity log. The default location is C:\ProgramData\Microsoft\Windows฀NT\MSFax\ActivityLog.

6.

Select the Outbox tab, check the Automatically Delete Faxes Older Than option and then choose the number of days to keep faxes.

7.

Select the Archives tab and then check Archive All Faxes to This Folder.

8.

Browse to the location that should be used to store archived faxes. The default is C:\ProgramData\Microsoft\Windows฀NT\MSFax.

9.

To allow faxes to be reassigned, select the Accounts tab and then check the On box under Reassign Settings.

10. Click OK.

Defining a Dialing Rule Setting up dialing rules will help the fax server understand what your area requires. For example, most locations in the United States require dialing a 1 before dialing a number outside a local area code. When dialing within an area code, only 7 digits are needed. Alternatively, if a local area uses 10-digit dialing, a user has to put in an area code plus the 7-digit phone number. As you can see, by setting up the dialing rules first, you keep your users from having to enter numbers such as 1 before the area code.

226

Chapter 6

N

Configuring Additional Communication Services

The you can configure the following options for dialing rules: Dialed Number You can enter a region code and area code. Target Device

Choose to apply your rule to devices.

To configure these options follow the steps in Exercise 6.3. EXERCISE 6.3

Configuring a Dialing Rule Dialing rules can be configured with the following steps:

1.

Under Fax Server in Server Manager, expand Outgoing Routing.

2.

Right-click on Rules and choose New and then Rule.

3.

In the Dialed Number section of the Add New Rule dialog box, enter your region code. If you are unsure, click Select and then choose from the list.

4.

In the Target Device section, choose whether you want this rule to apply to a device or a routing group and then choose from the list in the drop-down box.

5.

Click OK.

Configuring Fax Services

227

Defining a Fax Routing Location As the administrator, you can configure both the incoming and outgoing fax routes. You can route incoming faxes to a particular user group or an individual user. In the Fax Service Manager, you can configure routing extensions that are global, which means they’re applied to all devices, and you can configure others that are associated with only individual devices. For global methods, you can set the order in which they are applied to a received fax. For example, you could have a fax routed first to an email address, then printed, then stored in a folder. For individual routing methods, these are configured per device. After you configure a method, it can be enabled or disabled. More than one incoming route can be applied to a fax. You can configure the following default incoming routing methods: Route through E-Mail You can specify the address for receiving incoming faxes. Store in Folder Print

Choose the folder to store a copy of the incoming fax.

Define the path to which you want the incoming fax printed.

Exercise 6.4 shows you how to configure an incoming fax routing method. EXERCISE 6.4

Configuring Incoming Fax Routing The next steps will configure Incoming Fax routing:

1.

Open the Server Manager.

2.

On the left side, expand Fax and then click on Devices and Providers.

228

Chapter 6

N

Configuring Additional Communication Services

E XE RC I SE 6. 4 (continued)

3.

Now click on Devices, double-click on the device you want to configure, and choose Incoming Methods.

4.

In the Content pane, right-click on the method you want to configure and choose Properties.

5.

Now click the Store in Folder tab, and then either enter the Universal Naming Convention (UNC) path or click Browse to choose the folder.

6.

To configure the routing, choose the Route through E-Mail method and click the Email tab. Type in the address to which you want incoming faxes to be delivered.

7.

For the Print method, click the Print tab and type in the UNC path of the printer you want faxes to be printed to.

8.

After you have configured your incoming methods, you must right-click each method in the Details pane and click Enable.

9.

Click OK.

For outgoing faxes you can also create rules, which will allow you to optimize the use of available fax devices. You can create rules that get associated with a device or group of devices and have faxes sent to a specific domestic area code or specific region. For example, if you have many faxes that go to a vendor in China, you can create a rule that will send faxes to this vendor from a specific device. Meanwhile, your other devices can continue to service other areas or regions and not be affected by the heavy fax traffic to China. Using rules will help ensure that your fax resources are being used efficiently instead of having your faxes sit in long queues. Exercise 6.5 walks you through adding a routing rule for outgoing faxes. EXERCISE 6.5

Adding a Routing Rule Follow these steps to add a Routing rule:

1.

Open Server Manager.

2.

Expand Fax Server and then expand Fax.

3.

Click on Outgoing Routing.

4.

Right-click on Rules, then New, and then Rule.

Configuring Media Server

229

E XE RC I SE 6.5 (continued)

5.

Add the country/region code and the local area code in the Dialed Number section.

6.

Next, choose the target device or routing group in the Target Device section.

7.

Click OK.

Configuring Media Server Fax Server Role not the only valuable service that Windows Server 2008 can provide. Windows Media Server can improve communication and instruction in a organization. A Windows media server delivers digital media to clients across a network using Windows Media Services 2008. What this service does is translate a client’s request for media into a physical path on the server that is hosting the content. Windows Media Services delivers basic streaming functionality, like unicast streaming, and server-side playlists and is included in the following Windows Server editions: NÛ

Windows Server 2008 Standard

NÛ

Windows Web Server 2008

Chapter 6

230

N

Configuring Additional Communication Services

Fax Routing and Archiving When would these features be practical? Well, say your client receives many faxes throughout a given week. These faxes must be acknowledged, processed, completed, and then stored. This can be a time-consuming process when it’s done manually. However, the benefits of using the Fax Service role is that you are able to provide all the steps but in a digital form. If you configure your fax routing to first print to a printer in your sales department, this would allow your sales department to get an immediate hard copy of the order. In the manual process, this document would have to be scanned into an image file and emailed to your processing dept. However, you configure the second step in routing to email a copy to the processing dept. This allows them to get an email instantly after the copy is printed. Now normally this fax would be put into a folder for filing, but again you have configured archiving of faxes on your fax server and the fax is copied to a designated folder on your server. Not only did you reduce the amount of effort required to take an order from a fax, you also just decreased the amount of time before that faxed-in order can be shipped. This results in efficient workflow and happier customers.

It will provide advanced features such as multicast streaming when installed on the following operating systems: NÛ

Windows Server 2008 Enterprise

NÛ

Windows Server 2008 Datacenter

Table 6.1 provides an overview of available features based on what server version is installed. TA B L E 6 .1

Media Services Features

Feature

Windows Server 2008 Standard and Web

Windows Server 2008 Enterprise and Datacenter

Absolute Playlist Time

Yes

Yes

Advanced Fast Start

Yes

Yes

Advanced FF/RW

No

Yes

Advertising server support

Yes

Yes

Broadcast Auto-Start

Yes

Yes

Configuring Media Server

TA B L E 6 .1

Media Services Features

(continued)

Feature

Windows Server 2008 Standard and Web

Windows Server 2008 Enterprise and Datacenter

Cache/Proxy

Yes

Yes

Custom Plug-In

Yes

Yes

Event-based scripting

Yes

Yes

Fast Cache

Yes

Yes

Fast Reconnect

Yes

Yes

Fast Start

Yes

Yes

Fast Streaming

Yes

Yes

Internet authentication

Yes

Yes

Internet Group Management

No

Yes

IPv6

Yes

Yes

Intranet authentication

Yes

Yes

Multicast

No

Yes

Multiple authorization

Yes

Yes

Multiple control protocol

Yes

Yes

Multiple media parser

Yes

Yes

Multiple playlist parser

Yes

Yes

Play while archiving

No

Yes

RTSP streaming

Yes

Yes

Robust event notification

Yes

Yes

Repacketization

Yes

Yes

Unicast

Yes

Yes

231

Chapter 6

232

N

Configuring Additional Communication Services

By default, in Windows Server 2008, Streaming Media Services Role is not available using the Add Roles Wizard. You must download this service add-in from Microsoft’s website at http://microsoft.com/downloads/details.aspx?FamilyID=9ccf6312-723b-4577-be587caab2e1c5b7&displaylang=en. Before installing Media Services, be sure the server meets the following system requirements: Processor One or more processors with a recommended speed of 550MHz; minimum supported speed is 133MHz. Memory

512MB of RAM, minimum of 256MB.

Hard disk space

2GB of free space.

File system configuration

NTFS.

Configuring Basic Streaming Solutions When you think about streaming media basics, you might have a few questions: NÛ

What is streaming media?

NÛ

How do I create content?

NÛ

How do I make this content available to my users?

The following sections will answer those questions and show you how to configure the basic options.

What Is Streaming Media? Let’s look at our first question. What is streaming media? It’s any media that is displayed to the end user while it’s being delivered by a provider. It can be live or prerecorded, and unlike a file that you might download, no data is saved to the user’s hard disk when the content has finished streaming. Like television or radio, the term streaming media refers more to the delivery method than to the actual medium itself. Attempts to display media this way date back to the mid-1900s, but little progress was made for a long time due to the limits in computer hardware and networks.

How Do I Create Content for My Users? Windows Media Encoder, Microsoft Producer, and Windows Movie Maker can create and compress your audio and video content into the Windows Media format so you can create content for users. Table 6.2 shows the tools that are available from Microsoft.

Configuring Media Server

TA B L E 6 . 2

233

Tools to Create Content

Tool

Description

Windows Media Player

Rip content from a CD.

Windows Media Encoder

Convert live and recorded content.

Windows Movie Maker

Use for simple editing of audio and video.

Windows Media Stream Editor

Combine or split streams in existing Media files.

Many third-party programs in addition to the ones listed in Table 6.2 will allow you to encode media as a Windows Media file. Check with your vendor for details on how to perform the encoding.

How Do I Make This Content Available to My Users? Now you understand what streaming media is and how to create it, but how do you make it available to your users or clients? Simply put, you place the content into a directory, create a reference point called a publishing point for the content, and then create an announcement to tell your users about the content. Windows Media Services uses these publishing points to tell a client how to reach the content. After that, the media server manages the connection and streams the content. There are two types of publishing points: broadcast and on-demand. You can use two methods to get the content to your users: unicast stream and multicast stream. In this section, we will look at four basic areas that will allow you to get the content to your users: 1.

Using broadcast publishing points

2.

Using on-demand publishing points

3.

Delivering content as a unicast stream

4.

Delivering content as a multicast stream

Let’s first look at broadcast publishing points. If you are looking for a solution to provide content similar to a television or radio show, then you will choose broadcast publishing. This allows the server to control the content. Most of the time, this would be what you see in a live broadcast of a company meeting. Because it is controlled at the server, a user can join the session and hear the content but they cannot rewind or fast forward. Therefore, users have no control over the session; they can only start and stop the feed.

234

Chapter 6

N

Configuring Additional Communication Services

Using on-demand publishing points, users are able to stream a video file whenever they want. This means that the content is streamed to the client only when they are connected, and therefore, the server has a separate connection with each client. This is best used when you want your clients or users to be able to have more control over the session. With ondemand publishing, users can stop, rewind, pause, fast-forward, and skip the content at their leisure. When would this be used? Many companies record training material that they want the users or instructors to be able to control. On-demand publishing would be a good fit for this type of use.

On-demand publishing points can also be used to stream media from a remote server or another publishing point. These can be part of a playlist or just content on another server. However, when the media resides on another server, the users will not be able to use the playback controls, such as pause, fast-forward, skip, and rewind.

By default, Windows Media Services uses unicast streaming. The stream is a one-toone connection between the server and the client. Only those clients that request a specific stream will receive it. You can use both on-demand and broadcast publishing points. The benefit of using this type of streaming is that it is easier to set up and will work in environments that are not set up for multicast streaming. The drawback of unicast is that because it’s a one-to-one connection, it will be limited by the speed of the server and the network. If your content is going to be viewed simultaneously by a large number of clients, you will want to monitor your server to ensure that it is not overwhelmed. You would want to consider using unicast if the following applies to you: NÛ

NÛ

NÛ

You require a detailed client log. Your audience is small or the content is small enough to be compatible with your network and server. Your network is not multicast enabled.

Multicast is the ability to stream media from a single server to many clients at the same time. The server streams the content to a multicast IP address on the network, and all clients receive the same stream by using that IP address. Unlike unicast streaming, multicast streaming can only be done from a broadcast publishing point. The hardware and network must be multicast enabled; they have to be able to transmit a Class D IP address (224.0.0.0 to 239.255.255.255). If you are unsure if the network hardware, like routers and firewalls, can transmit this type of address, check with your hardware vendors before attempting a multicast stream. The benefit of using this type of streaming is that, if the network allows, there is only one stream from the server no matter how many clients you have; it requires the same amount of bandwidth as a unicast stream. This will preserve network bandwidth and can be used if your network bandwidth is low.

Multicast on the Internet is generally not a viable option since only small portions are multicast enabled. Multicast is best used in a corporate environment where all routers can be multicast enabled.

Configuring Media Server

235

Multicast might be a good solution if the following applies: NÛ

You’re broadcasting to a large audience.

NÛ

Network and server capacities are limited.

NÛ

The entire network is multicast enabled.

In Exercise 6.6, you will learn how to create a broadcast publishing point, and then in Exercise 6.7, you will configure a multicast stream from that publishing point. E XERCISE 6.7

Creating a Broadcast Publishing Point The following steps will aid you in creating a Broadcast Publishing Point:

1.

In Server Manager, expand Roles\Streaming Media Services\\ Publishing Points.

2.

Choose Add Publishing Point (Wizard).

3.

On the Welcome to the Add Publishing Point Wizard screen, click Next.

4.

Now choose a name for the publishing point and click Next.

236

Chapter 6

N

Configuring Additional Communication Services

E XE RC I SE 6.6 (continued)

5.

On the following page, choose the option that fits your content type and then click Next.

6.

Now choose how you want your content to be delivered and then click Next. You have the option to choose Unicast (each client connects to the server) or Multicast (requires a multicast router between the server and clients). For this exercise, choose Unicast, which is selected by default.

7.

On the next screen, enter the encoder URL. An example would be http://encoder, and it would match the name of the server doing the encoding.

8.

Check Enable Logging on This Publishing Point, if you want to log data about the clients that are connecting. Click Next

9.

On the Summary page, review the selections, and if you want to publish this content right away, check Start Publishing Point When Wizard Finishes. Click Next

10. Now you are at the Completing the Add Publishing Point Wizard page. Here you can create the announcement for the stream. Check After the Wizard Finishes and choose the type of announcement to make. If you are unsure, leave the default box checked, which is Create an Announcement File (.asx) or Web Page (.htm).

11. Click Finish. 12. Since the Unicast stream option was chosen in step 6, the Unicast Announcement Wizard appears. Click Next.

Configuring Media Server

237

E XE RC I SE 6.6 (continued)

13. Review the Access to the Content page to ensure that the URL is pointing to the publishing point that was created in step 4. If it is not correct, click Modify and enter the server name or IP address.

14. On the Save Announcement page, make sure the announcement file is correctly pointing to the publishing point that was created in step 4. If not, click the Browse button and choose the location of the file. Click Next.

15. Edit any metadata on the next screen, where you can add a title, author name, and a copyright notice to the file. When finished, click Next.

16. Click Finish. 17. If everything completed successfully, you will be able to test your new content at the next screen.

Now that you have created the broadcast publishing point, you want to change the streaming type to make it a multicast stream, which will conserve network bandwidth and server load, as shown in Exercise 6.7. E XERCISE 6.7

Configuring a Multicast Stream The next steps can be used to configure a Multicast Stream:

1.

In Server Manager, expand Roles\Streaming Media Services\\ Publishing Points.

2.

Click on the publishing point you created in Exercise 6.5, step 12.

238

Chapter 6

N

Configuring Additional Communication Services

E XE RCISE 6.7 (continued)

3.

In the Content pane, click the Properties tab.

4.

In the Category section, click Multicast Streaming.

5.

In the Plug-In section, click WMS Multicast Data Writer and then right click and click Properties.

Configuring Media Server

E XE RCISE 6.7 (continued)

6.

In the Destination Multicast IP Address and Port section, specify the following settings: NÛ

IP address: Type in the multicast address.

NÛ

Port: This is the port from which the content will be streamed.

NÛ

Time-to-Live (TTL): Here you enter the number of routers your multicast stream pass through before timing out.

7.

Click the Advanced tab if you have multiple network adapters on your server.

8.

Click the IP address you want to use in the drop-down box.

9.

In the Logging URL box, enter the URL to the logging directory and click OK.

10. To start this publishing point, right-click on it and choose Start.

239

Chapter 6

240

N

Configuring Additional Communication Services

Configuring Advanced Streaming Solutions Windows Media Services allow you to control most aspects of how you stream content to your users. If you just need to get a small video out to a limited number of users, the default settings will most likely accomplish the task. However, if you have a media server that gets a lot of traffic, it might be to your benefit to change some of the more advanced options. In this section, we will review two areas: NÛ

Intelligent streaming

NÛ

Fast streaming

The method that your server uses with Windows Media Player to detect and adjust the properties of a stream automatically is called intelligent streaming. This type of streaming allows for a continuous flow of content that is set according to the user’s connection speed. A user’s media player will respond to having low bandwidth by requesting that the server reduce the bit rate. For the most part, intelligent streaming is completely automatic and requires no additional configuration. Fast streaming refers to a group of features that Windows Media Services includes to improve the quality of the user’s session: NÛ

Fast Cache

NÛ

Fast Start

NÛ

Advanced Fast Start

NÛ

Fast Recovery

NÛ

Fast Reconnect

Fast Cache Fast caching is a way for the Windows Media Services and Windows media players to stream the content to the clients faster than the specified rate. So if you have a 128 kilobits per second (Kbps) stream, using Fast Cache you can stream it at 700Kbps. This is accomplished by streaming the content to the client machine and then the Windows Media Player is able to buffer it before playing at the specified data rate. This is extremely useful when streaming over wireless networks that have high latency or when the quality of the content received is of top priority.

When Fast Cache is enabled, intelligent streaming cannot be used. In addition, Fast Cache is used only by clients that connect to a unicast stream.

Exercise 6.8 shows you how to enable Fast Cache.

Configuring Media Server

241

EXERCISE 6.8

Enabling Fast Cache Do the following to enable Fast Cache:

1.

In Server Manager expand Roles\Streaming Media Services\Windows Media Services\\Publishing Points.

2.

Click on your broadcast and click the Properties tab in the Content pane.

3.

Now click on General in the Category section.

4.

In the Property section, right-click Enable Fast Cache and choose Enable. (In the following screen shot, the Enable option is grayed out because Fast Cache is already enabled.)

Fast Start Fast Start allows users to start to receive content more quickly. It does this by allowing the player to provide data directly to the buffer at higher speeds than the request bit rate. This option is available to users with Windows Media Player for Windows XP or later. It helps reduce the delays and re-buffering that occur when a user fast-forwards and rewinds content. It also aids in a smoother transition between content items. Fast Start also reduces the amount of playback errors due to packet loss as it pre-buffers data.

242

Chapter 6

N

Configuring Additional Communication Services

Advanced Fast Start Advanced Fast Start is used for reducing startup times in Windows Media Player 10 and higher. It has all the same features and benefits as Fast Start but can start to play a stream before its buffer is full, unlike the Fast Start option, which makes the user must wait until the buffer is full. With Advanced Fast Start, as soon as the player receives the minimum amount of data, playback will begin. While the content is being played, the buffer will continue to fill at an advanced rate until full. Once the buffer is full, the acceleration stops and the stream continues to be received and played at its specified rate. Advanced Fast Start must be enabled because it is disabled by default (see Exercise 6.9). EXERCISE 6.9

Enabling Advanced Fast Start Advanced Fast Start will be enabled in the following steps:

1. In Server Manager, expand Roles\Streaming Media Services\\ Publishing Points.

2.

Click on the broadcast and click the Properties tab.

3.

Click on General in the Category section.

4.

In the Property section, right-click on Enable Advanced Fast Start and choose Enable.

Configuring Media Server

243

Fast Recovery and Fast Reconnect Fast Recovery and Fast Reconnect are similar in that they allow a media player to resume in case of corruption or network outage. Fast Recovery is used when a media player receives lost or damaged data packets. If this occurs, the player does not have to request that the server resend the data. It can recover the lost or damaged data itself. To utilize this feature, you should enable forward error correction (FEC) on a publishing point. Enabling FEC will help in networks where packet loss or corruption frequently occurs, such as wireless networks and satellite connections. Exercise 6.10 shows you how to enable FEC on a publishing point. E X E R C I S E 6 .1 0

Enabling FEC To enable FEC, do the following steps:

1.

In Server Manager, expand Roles\Streaming Media Services\\Publishing Points.

2.

Click on your broadcast and click the Properties tab.

3.

Now click on Wireless in the Category section.

4.

Right-click Enable Forward Error Correction and choose Enable.

244

Chapter 6

N

Configuring Additional Communication Services

Fast Reconnect will reconnect a media session in case of temporary network outage. When a client loses its connection to a media server, Fast Reconnect enables the client to reconnect to the server automatically and restart the streaming. How it affects the playback to the user depends on following two factors: Connected to an on-demand publishing point the connection was lost.

The client restarts the playback at the point

Connected to a broadcast publishing point Client reconnects to the broadcast in progress. The user may experience a gap in the broadcast. In Exercise 6.11, you’ll set the number of times a client can attempt a reconnect. E X E R C I S E 6 .11

Setting Client Connect Attempts Configure client connect attempt with the following steps:

1.

In Server Manager, expand Roles\Streaming Media Services\\ Publishing Points.

2.

Click on your broadcast and click the Source tab.

3.

In the Content Source section, click Change.

Configuring Media Server

245

E X E R C I S E 6 .11 ( c o n t i n u e d )

4.

In the location box, add ?WMReconnect=3 to the end of your location. This will allow the clients to attempt a reconnect three times.

5.

Click OK.

Options for Configuring Security in a Windows Media Server The content you provide to your users can be very valuable to your organization. Much time and money has been spent to create this content, and one of the more important tasks that you can do is control access to it. It is therefore important that you configure the security options of your media server. This will ensure that your company’s valuable media is protected from unauthorized access. The following sections will cover these topics: NÛ

Authentication

NÛ

Authorization

Authentication Authentication confirms the identity of a user who is trying to gain access to a resource. After a user is authenticated, authorization occurs so that the user gains proper access to the content. When the user attempts to gain access, the server attempts to authenticate through the anonymous authentication plug-in. You would use this type of anonymous authentication if you do not want the users to have to enter a username and password. This is configured by default, but if you want to change the Anonymous account, you must make sure the account you use has read permissions for any files and folders that will be streamed. In Exercise 6.12, you’ll change the Anonymous account. E X E R C I S E 6 .1 2

Changing the Anonymous Account To change the Anonymous account, follow these steps:

1.

In Server Manager, expand Roles\Streaming Media Services\\ Publishing Points.

2.

Click on your broadcast and click the Properties tab.

3.

In the Category section, click Authentication.

4.

In the Plug-In section, click on WMS Anonymous User Authentication.

246

Chapter 6

N

Configuring Additional Communication Services

E X E R C I S E 6 .1 2 ( c o n t i n u e d )

5.

Click the Properties button.

6.

In the User Name box, type the account name you want anonymous users to use.

7.

In the Password box, enter the password for the account.

8.

In the Confirm box, reenter the password.

9.

Click OK.

10. Right-click WMS Anonymous User Authentication and choose Enable.

Authorization and Authentication work hand in hand to grant access to the media on your server. If Authorization is enabled but Authentication is disabled, clients cannot access the server.

Authorization Authorization takes information it receives from the authentication process and uses it to grant or deny access to the content. Authorization occurs only after authentication is successful. During this process, the server checks the user against the access permissions set on the resource.

Configuring Media Server

247

Authorization uses the following three plug-ins: WMS NTFS ACL Authorization the permissions.

If you use NTFS, you can enable this feature to enforce

WMS IP Address Authorization

You can allow or deny access based on IP address.

WMS Publishing Points ACL Authorization You can create access control lists (ACLs) for your publishing points and assign access permissions to users or groups. To configure these plug-ins, you will again use Server Manager (Exercise 6.13). E X E R C I S E 6 .1 3

Enabling ACL Authorization To enable WMS NTFS ACL authorization, follow these steps:

1.

In Server Manager expand Roles\Streaming Media Services\\ Publishing Points.

2.

Click on the broadcast and click the Properties tab.

3.

In the Category section, click Authorization.

4.

Right-click WMS NTFS ACL Authorization and choose Enable.

To allow or deny access by IP address, you need to configure the WMS IP Address Authorization plug-in (see Exercise 6.14). E X E R C I S E 6 .1 4

Allowing or Denying IP Addresses To allow or deny IP addresses, follow these steps:

1.

In Server Manager, expand Roles\Streaming Media Services\\ Publishing Points.

2.

Click on the broadcast and click the Properties tab.

3.

In the Category section, click Authorization.

4.

Right-click on WMS IP Address Authorization and choose Properties.

5.

Now choose one of the following options: NÛ

Allow All Except Those in the Deny List

NÛ

Deny All Except Those in the Allow List

NÛ

Restrict as Specified in the Following List

Chapter 6

248

N

Configuring Additional Communication Services

E X E R C I S E 6 .1 4 ( c o n t i n u e d )

6.

After making the choices and filling in the IP addresses, click OK.

At times you will want to create ACL lists for publishing points on your sever. Configuring the ACL list will allow you to grant or deny access to users or clients. Exercise 6.15 walks you through creating an ACL list. E X E R C I S E 6 .1 5

Creating an ACL List ACL list can be configured by following these steps:

1.

In Server Manager expand Roles\Streaming Media Services\\ Publishing Points.

2.

Click on your broadcast and click the Properties tab.

3.

In the Category section, click Authorization.

4.

Right-click on WMS Publishing Points ACL Authorization and click properties.

5.

On the Properties dialog box, you can do the following: NÛ

Add or remove a user or group

NÛ

Set permissions for a new user or group

NÛ

Change the permissions for a group

Configuring Digital Rights Management (DRM)

249

E X E R C I S E 6 .1 5 ( c o n t i n u e d )

6.

Click OK.

Configuring Digital Rights Management (DRM) Digital Rights Management, or DRM, is a technology that allows the owner of some forms of media to enforce the terms to the people who have access to use it. Those who own the copyright to music, film, books, and video commonly use DRM to protect their property. You or your company may own media that you deliver on your media server or provide in email or SharePoint sites. It’s important to protect it. It is common for confidential and critical information to be sent from one company to a competing company or media outlet. This can cause public relations, legal, or competition problems for an organization. For example, a company may create a widget that is far superior to the competitor’s widgets. The company has spent thousands of man hours and millions of dollars to create and document this new widget. A disgruntled employee could easily send these documents to the competitor or post them to a weblog for the world to see. If the company protected these documents using a DRM solution, it would be able to avoid theft.

250

Chapter 6

N

Configuring Additional Communication Services

DRM Controversy Much debate has sprung from companies using DRM to protect the media they own. This is especially true of the entertainment industry. Over the past five years, controversy over audio files such as MP3s—more specifically, the sharing of these files—has lead the industry to adopt DRM protection. Those in favor of DRM state that it is necessary for the copyright holders to be able to prevent others from duplicating and sharing their work illegally. Those opposed take the stand that as long as they are not using the media in a way that would violate commercial use, they should not have restrictions on content that they have purchased. Despite the controversy around DRM, companies like Apple and Microsoft continue to use this form of protection. It allows the companies to provide content, such as music, on a subscription basis. Some companies are listening to the cries of the users and are now are providing content that is DRM free. As bandwidth speeds increase to consumers’ homes, the availability of video and movies appear to be heading to a similar pay-per-view model. Will DRM continue to be a method to protect the rights of those who create or publish the content? Time will tell. Although music and videos are often in the middle of this controversy, many companies are adopting DRM to protect internal documentation from prying eyes.

How Does DRM work? When media is created, it is encrypted in order to protect it. For a user to access this encrypted media, they have to have a license. This license contains information such as the following: NÛ

How long the content can be used

NÛ

What actions can be done on the media

Simply put, the license or key unlocks the content and allows it to be played. The nice thing about DRM is that you get to control how long it will be unlocked. For example, say you want to provide content as a promotion that lasts only five days. With DRM protection, you can set the key to expire in five days. With DRM you don’t have to worry about users copying material and giving it to others because no matter who plays the content, they still need to acquire a key or license. DRM rights are stored in the key and not the content. This means that you can create different keys for the same file. A normal DRM scenario would be that you encode content with DRM protection. Then it would be posted so that users could download it. After the content is downloaded, the user’s player sees that it is protected and connects to your license provider site to get the needed key. After the user pays for the key, they are able to play the content.

Configuring Digital Rights Management (DRM)

251

DRM also can be used to protect other types of files: NÛ

Office documents

NÛ

Email

Word, Excel, PowerPoint, and other important company files can be protected using Active Directory Rights Management Service (AD RMS). A typical example would be using a SharePoint intranet that has or allows external users to view content. The following sections, it is assumes that you have installed the AD RMS role and have reviewed the event log for any errors.

Encryption Before the Internet boom, encryption was mainly used by the military to protect data. However, today encryption is a normal and needed protection against theft of content or documents. What is encryption? It is locking up data through the use of electronic keys. It is similar to locking the doors on your home. You need a key to lock and unlock your door locks. It is doubtful you would ever consider having a home without any locks or leaving the doors open and going away for six months. If you did, you wouldn’t be surprised if your valuables were stolen. Some people even pay large amounts of money to purchase high-end security alarms to ensure that they have the best protection for their home. The same is true of your data; without locking it with a lock and key, you are inviting anyone to take it. AD RMS encrypts data by keeping out people who do not have proper keys. With AD RMS, only trusted entities are granted access rights, just like giving someone you trust a key to your home. In addition to the AD RMS clients installed on a computer, AD RMS can be used in specialized applications, these are enabled to enforce the usage rights. The following applications are AD RMS enabled: NÛ

Microsoft Office 2003

NÛ

Office 2007

NÛ

Windows Mobile 6

The AD RMS client is included with Windows Vista and Windows Server 2008. If you are using Windows 2000 Server, Windows XP, or another operating system, you can download the AD RMS client from the Microsoft Download Center at฀www.microsoft.com/downloads/ details.aspx?FamilyId=02DA5107-2919-414B-A5A3-3102C7447838&displaylang=en.

For AD RMS to encrypt your data, you need to both have the AD RMS client installed and have an AD RMS–enabled application. However, to be able to create protected content you need to have the following: NÛ

Office 2007 Enterprise

NÛ

Office 2007 Professional

NÛ

Office 2007 Ultimate Exercise 6.16 will demonstrate how to create a protected document.

Chapter 6

252

N

Configuring Additional Communication Services

E X E R C I S E 6 .1 6

Using AD DRM to Protect a Document Protecting a document can be done by following these steps:

1.

Open Microsoft Word 2007.

2.

Open a document you want AD RMS to protect.

3.

Click the Microsoft button in the top-left corner of the screen.

4.

Click Prepare.

5.

Click Restrict Permissions.

6.

Click Restrict Access.

7.

Now click Restrict Permission to This Document.

8.

In the Read box, type in the name of the group that you want to allow read permissions.

9.

Now save this document in your network location.

The group you specified can only view this document now. They will not be able to change, print, or even copy it.

Sharing Business Rules Business rules are no different than policies. Business rules allow you, the administrator, to tell the user or client how they can use protected content. Once you have created and protected your content, it is time to distribute it. For others to be able to view the content, they need access to your business rules. This means that you have to share your business rules with the license issuer. In this case, the license issuer would be your AD RMS server, so it would need to have access to these rules or policies. Business rules can consist of the following: NÛ

Seed

NÛ

Public key

NÛ

Specific rules When you create protected content, you will choose a set of rules to do the following:

NÛ

Specify when the document expires

NÛ

Allow printing

NÛ

Allow copying

Configuring Digital Rights Management (DRM)

NÛ

Specify whether users can request additional permissions

NÛ

Give users and groups permissions to the document

253

This information gets stored within a license and is considered a rule because it states what the user can or cannot do. If you create the permission in an AD RMS application, such as Microsoft Word, your client machine has the rules. Now when you save the data, the rules are shared with the RMS server. When another user wants to view the content, their application recognizes that the content is protected and requests the license or set of business rules. If they have been given permissions to view the content, the content will open. Sharing business rules is something that happens automatically when you create protected content in an environment where AD RMS is running. Sharing is done between the client and the server and requires no interaction from the user or administrator unless the content business rule requires the user to pay for the use.

Configuring License Delivery When a user tries to open a file that is protected by AD RMS, it requests a license. The AD RMS server must look up the license information and then pass that along to the client. This allows the client to play the protected content. This means that the user must have access to the license server to receive the license. You can control who has access to receive the license by configuring the exclusions policies (Exercise 6.17). E X E R C I S E 6 .17

Configuring Users’ Exclusions To configure Users’ Exclusions, do the following steps:

1.

Open the Active Directory Rights Management Services console by clicking Start\ Administrative tools\Active Directory Rights Management Services.

2.

Expand the local server and select Exclusion Polices.

3.

From here you have the option to exclude the following: NÛ

Users

NÛ

Applications

NÛ

Windows versions

NÛ

Lockbox

4.

To exclude users, first right-click on Users in the left pane and choose Enable.

5.

In the Actions pane, click Exclude User.

254

Chapter 6

N

Configuring Additional Communication Services

E X E R C I S E 6 .17 ( c o n t i n u e d )

6.

In the Exclude User Wizard that opens, check the box Use this option for excluding rights accounts certificates of internal users who have a Active Directory Domain Services account.

7.

Enter the username of the account you want to exclude from having access to the license server.

8.

If you’re unsure of the username, click the Browse button and choose the user account.

9.

After entering the username, click Finish.

You can also exclude certain applications from receiving access to the license server. This is useful when you want users to be able to receive access to content such as Word, Excel, and PowerPoint documents but do not want them to be able to use a media player to play media content in the protected library. Exercise 6.18 shows you how to exclude an application.

Configuring Digital Rights Management (DRM)

E X E R C I S E 6 .1 8

Configuring Application Exclusions Follow these steps to configure Application Exclusions:

1.

Open the Active Directory Rights Management Services console by clicking Start\ Administrative tools\Active Directory Rights Management Services.

2.

Expand the local server and select Exclusion Polices.

3.

In the Content pane, right-click on Applications and choose Enable.

4.

In the Actions pane, click Exclude Applications.

5.

On the Exclude Application page, enter the application filename and versions you want to exclude.

255

256

Chapter 6

N

Configuring Additional Communication Services

E X E R C I S E 6 .1 8 ( c o n t i n u e d )

6.

Click Finish.

Configuring Policy Templates Policy templates help administrators set a standard for user access when it comes to content. In the past, this would have been done with NTFS rights and folders. Before AD RMS and DRM, administrators would create a network folder and then set access control rights on the folder. With AD RMS, you can reduce your workload and have users assign this control themselves. For example, policy templates can make sure that users do not, remove the administrator ability to move, copy or backup the content. While creating policies is a relatively simple process, care is needed to ensure that your templates meet your users’ needs. This will require that you spend some time with your users and try to understand the needs of your company. Here are some of the things you want to consider: NÛ

Needs of individual users

NÛ

Needs of groups of users

NÛ

Department access

NÛ

Client access

NÛ

How this affects network administrators

Configuring Digital Rights Management (DRM)

257

After spending time figuring out your company’s requirements, you can create policy templates so that when users create protected content, they can select your preconfigured templates. Templates can be made available for users who might not be connected to the network when they create their content. This is accomplished by deploying your templates from a shared folder. The AD RMS client will then store copies of the policies on the local machine. This still allows you to change a policy that is in a shared folder, and then when the AD RMS client (which is installed on the client machines) polls the AD RMS server it will detect that a change has occurred in the templates and download it to the local machine. To configure policy templates, open the Active Directory Rights Management Services console by clicking Start, then choosing Administrative Tools and then Active Directory Rights Management Services. Then follow the steps in Exercise 6.19. E X E R C I S E 6 .1 9

Configuring Policy Template To configure a Policy Template, do the following:

1.

Expand the local server.

2.

Click on Rights Policy Templates.

258

Chapter 6

N

Configuring Additional Communication Services

E X E R C I S E 6 .1 9 ( c o n t i n u e d )

3.

In the Actions pane, click Create Distributed Right Policy Template.

4.

In the Template Identification page, click Add.

5.

In the Name box, enter the name for this policy.

6.

In the Description box, enter a description for this policy.

7.

Click Add.

8.

Back at the Template Identification page, click Next.

9.

On the Add User Rights page, add the users and permissions required.

Configuring Digital Rights Management (DRM)

E X E R C I S E 6 .1 9 ( c o n t i n u e d )

10. When finished, click Next. 11. Next, you are able to specify an expiration policy. Enter the dates, if any, on which you want the content being protected by this policy to expire.

12. Click Next. 13 On the Specify Extended Policy page, choose any additional conditions that you require for this template. 14. Click Next. 15. In the Specify Revocation Policy page, check the box next to Require Revocation if you need to deny permission based on other factors. Those factors can include users, application, content ID, or operating systems.

16. Click Finish to create the template.

259

Chapter 6

260

N

Configuring Additional Communication Services

Summary Fax services are still a solution that companies, big and small, rely on to maintain and increase business. It is important that you do not overlook this technology. Spending time to configure routing rules will increase the productivity of your users because it can automate the process of scanning, emailing, and filing faxes. After spending time understanding Windows Media Services, you should have an appreciation for how it can help an organization to create, distribute, and publish content. Many options exist beyond the basics. Looking at the advanced options helped you to understand that you can optimize the way you deliver the content to the user. Digital Rights Management is something to take seriously as in this day and age. If you don’t protect your data, chances are someone will acquire it. Protecting data is just smart management. AD RMS allows an administrator to protect files such as those created in Word, Excel, and PowerPoint. This is a great feature in Windows Server 2008, allowing users to protect data stored on a network share was something that administrators were reluctant to do. This was typically something that administrators would perform themselves. Now with AD RMS and policy template, administrators can create a policy for protection and access control and the end user can apply that to their content, thus freeing up IT staff to perform other tasks.

Exam Essentials Understand Fax Server options. Review how to configure dialing rules and routing rules. Understand how to set up a local fax and how to configure its properties. Know how to configure basic media streaming solutions. It is important that you know when to use multicast and when to use unicast streaming, what publishing points are, and the difference between broadcast and on-demand publishing and when to use each. NÛ

When to use multicast and when to use unicast streaming: NÛ

Publishing points

NÛ

The difference between broadcast and on-demand publishing and when to use each

Understand advanced options for media streaming. ing, intelligent streaming and Fast Reconnect.

Understand topics such as fast cach-

Know how DRM and AD RMS protect content. Review all forms of rights protection. Understanding terms like business rules and policies is important. Know how to configure a policy template and why they are needed.

Review Questions

261

Review Questions 1.

To monitor activity in the Incoming, Inbox and Outbox folders of a fax server, it is recommended that you install Windows Fax and Scan. What feature should be installed for that software to be available? A. Print Services

2.

B.

Fax Service

C.

Media Services

D.

Desktop Experience

How do you install fax devices that were used on the server prior to installation of the Fax Services role? A. Rerun the Install Printer Wizard.

3.

B.

Do nothing. Fax devices are detected when the role is installed.

C.

Consult the fax device vendor for installation instructions specific to your device.

D.

Use the windows update service to re-install the device with the drives needed for Fax Services.

When a fax device is detected and installed, it is automatically configured to do what? A. Send faxes.

4.

B.

Receive faxes.

C.

Send and receive faxes.

D.

Nothing is enabled by default.

How is individual fax routing configured? A. Per printer

5.

B.

Per fax device

C.

Based on clients

D.

Depends on volume

How would you ensure that faxes going to a certain area code are sent from only a particular fax device? A. Instruct users to choose the device for that area code. B.

Configure the users’ computers to only use one device.

C.

Create a fax rule that specifies a device to use a certain area code.

D.

Install advanced fax software on your users’ computers and configure it to send faxes to the right device.

Chapter 6

262

6.

N

Configuring Additional Communication Services

Which editions of Windows Server 2008 will allow advanced features such as multicast streaming? A. Windows Server 2008 Standard

7.

B.

Windows Web Server 2008

C.

Windows Server 2008 Core

D.

Windows Server 2008 Enterprise

Which of the following is a correct procedure to install Windows Media Services? A. Add Roles wizard.

8.

B.

Add Features wizard.

C.

It must be downloaded and installed from Microsoft’s website as a service add-in.

D.

Use Add/Remove Programs in Control Panel.

What are the system requirements for installing Windows Media Services? A. One or more processors with a minimum speed of 550MHz

9.

B.

One or more processors with a minimum speed of 133MHz

C.

1GB of RAM

D.

5GB of free space

Which of the following correctly describes the term streaming media? A. Media that is newer than 2003 B.

Media that is created by Microsoft

C.

Media that is displayed to the end user as it is being delivered from a server

D.

Any media that contains audio

10. What does Media Services use publishing points for? A. To stream Microsoft Publisher files B.

To tell clients how to reach content

C.

To allow network users to use Microsoft Publisher without having the program installed

D.

To hold content directories

11. What type of publishing point would you use to allow the users to control the fast-forward and rewind features for content? A. Broadcast B.

Pay per view

C.

On-demand

D.

Silent

Review Questions

12. By default, what type of streaming does Media Services use? A. Unicast B.

Single

C.

Multicast

D.

Multipoint

13. What type of streaming allows streaming from a single server to many clients? A. Unicast B.

Multicast

C.

Multipoint

D.

Dual connection

14. When would you consider using Multicast streaming? (Choose all that apply.) A. When your switches have unicast support B.

When you have only two media servers

C.

When you’re broadcasting to a large audience

D.

When your network is multicast enabled

15. What wizard is used to create a publishing point? A. Media Services B.

Add/Remove Programs

C.

Add Publishing Point

D.

Add a Feature

16. When you enable Fast Cache, what other method cannot be used? A. Intelligent streaming B.

Fast Start

C.

Fast Reconnect

D.

Fast Recovery

17. When Authorization is enabled on a media server but Authentication is disabled, what happens to the client’s request for access? A. Nothing. B.

Clients are notified that Authentication is disabled.

C.

Clients are not able to access the server.

D.

Client requests are not affected.

263

Chapter 6

264

N

Configuring Additional Communication Services

18. AD RMS can protect what types of files? A. Office documents B.

SharePoint files

C.

Email

D.

All of the above

19. The method to protect or lock up content with a electronic key is known as___________________? A. Intelligent protection B.

Encryption

C.

DRM security

D.

Lock and key

20. Which of the following is requested by a client computer when a user tries to open a protected file from Windows Server 2008? A. Code B.

Authorization

C.

License

D.

Authentication

Answers to Review Questions

265

Answers to Review Questions 1.

D. When the Desktop Experience feature is installed, it installs Windows Fax and Scan by default.

2.

B. When the Fax Server role is installed, any devices already connected to the server are detected and installed.

3.

A. After installation of a fax device, the fax server configures the device to send faxes.

4.

B. Individual fax routing is configured on a per-device basis.

5.

C. Fax rules allow you to optimize the use of faxes by associating a rule with a fax device and an area code or region.

6.

D. Advanced features for Windows media servers are available on only Windows Server 2008 Enterprise and Datacenter editions.

7.

C. Windows Media Services is not available from the Add Roles Wizard. It must be downloaded and installed from Microsoft’s website.

8.

B. Windows Media Services require a minimum processor speed of 133MHz.

9.

C. Any media that is played in a user’s player but resides on a server would be considered streaming.

10. B. Publishing points are used to tell clients how to find content. 11. C. On-demand broadcast allows the user to control the media. The user can stop, pause, rewind, and fast-forward the content. 12. A. Windows Media Services uses, by default, unicast streaming. 13. B. Multicast streaming allows the streaming of media from a single server to multiple clients. 14. C, D. You would consider using multicast if you need to deliver content to a large audience. Your network must be multicast enabled. 15. C. The Add Publishing Point Wizard is used to create publishing points. 16. A. When you use Fast Cache, you are not able to use intelligent streaming. 17. C. When Authentication is disabled, clients will not be able to access the server because both Authorization and Authentication is needed to grant a client’s request. 18. D. AD RMS can protect Office documents, SharePoint libraries, and email. 19. B. Encryption is the locking or protecting data by using electronic keys. 20. C. A user will request a license from the server to view protected content.

Chapter

7

Configuring Windows SharePoint Services (WSS) MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configuring Network Application Services NÛ

Configure Microsoft Windows SharePoint Services server options. May include but is not limited to: site permissions; backup; antivirus; configuring Windows SharePoint Services service accounts

Windows SharePoint Services offers businesses a simple and cost-effective solution to collaborate and to manage knowledge, such as user forums, company libraries, and professional training. Microsoft provides this as a free add-on, starting with Windows Server 2003. Windows SharePoint Services, or WSS 3.0 as it will be referred to in the rest of the chapter, has had a major overhaul since its previous version, WSS 2.0, starting with using the .NET Framework 3.0. WSS 3.0 has also closed many of the gaps that WSS 2.0 had in ease of use and functionality. This makes WSS 3.0 a secure and simple-to-deploy option for any company looking to increase its efficiency in business processes. In short, WSS can give your people the access to information they need when they need it. This chapter will give you the information you need to configure some key options of WSS, such as: ■฀

Configuring Windows SharePoint Services, including incoming and outgoing email settings, workflow settings, antivirus configuration.

■฀

Configuring Windows SharePoint Services Sites, including upgrading from WSS 2.0, creating or extending web applications.

■฀

Configuring Authentication for Windows SharePoint Services, including authentication for WSS, Digest Authentication, and Web Single Sign-On.

This chapter assumes that you have already met the prerequisites and have already installed WSS 3.0 on your server per the Microsoft readme and deployment documents.

Installation files, deployment documentation, and readme files are available from Microsoft TechNet site for WSS 3.0 at www.microsoft.com/technet/฀ windowsserver/sharepoint/default.mspx. You must install WSS 3.0 with Service Pack 1 on Windows Server 2008 as WSS 3.0 is not supported, more information about this can be found at http://support.microsoft.com/ kb/943587.

The configurations and labs in this chapter are typical setups using Microsoft default settings. This is known as an out-of-the-box installation of WSS 3.0 on a Windows Server 2008 domain member server. Many of the steps explained here can also be used on a similar Windows Server 2003 Service Pack 1 (SP1) installation.

Configuring Windows SharePoint Services

269

Configuring Windows SharePoint Services Email, workflow, logging, and anti-virus settings allow your WSS site to provide superior functionality, thus increasing workflow and productivity. You don’t need to be an expert web designer to configure these options. You will, however, need information on your current email server to proceed.

For the following sections, you will need the email server display address ( @yourcompany.com) and the outbound SMTP (Simple Mail Transfer Protocol) server address.

The WSS 3.0 Central Administration site will be used to configure the options in the following sections (Figure 7.1). To open the Central Administration site on your WSS server, choose Start  All Programs  Administrative Tools and click on SharePoint 3.0 Central Administration. F I G U R E 7.1

WSS Central Administration site

270

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

On this central site is an Administrator Tasks checklist. It provides you with prioritized tasks, which will aid you in a successful setup. It is best if you take some time to familiarize yourself with the first item, “READ FIRST - Click this link for deployment instructions,” which is displayed on the Central Administration home page.

The quick start guide will help you understand how to deploy WSS in different deployment scenarios, such as deploying in server farm environments.

Configuring Incoming Email Settings Before you enable incoming email, you must have preinstalled the Internet Information Services (IIS6 or newer is required for WSS 3.0) and Simple Mail Transfer Protocol (SMTP) server. This can be done from the Add/Remove programs option in Control Panel on your server. Why do you need to bother with using the incoming email settings section? Say your users have started to use your new SharePoint site only to find out that in order for them to store email from other teams, they have to open the SharePoint site and upload the content. This would not only decrease productivity, it would also discourage users from using the information management features. Configuring this feature will allow your users to store their email-based information in lists and libraries and allows the site to receive email directly. The lists and libraries can be assigned an email address that will make the team sites more efficient in managing their information. Do you have a need to receive or offer support in your organization? Perhaps you could create a form for IT support. Configuring incoming email would allow your users to create an email message that can be sent to your staff. With some custom coding, you could use this feature to trace the progress of requests and have WSS alert them anytime a change is made to a request. And there are other benefits of configuring incoming email settings: NÛ

Archiving email

NÛ

Creating a place to share information

NÛ

Adding content via email

To configure the incoming email settings, you need to locate the configuration page for incoming email. This page is found by following these steps: 1.

On the navigation bar on the Central Administration site, click Operations.

2.

Locate the Topology and Services section and select Incoming E-Mail settings, which will take you to the Configure Incoming E-mail Settings page (Figure 7.2).

Configuring Windows SharePoint Services

F I G U R E 7. 2

271

Configuring email settings

There are four different sections that you should understand how to configure: Enable Incoming E-Mail When incoming email is enabled, sites can accept email and store incoming messages in list and libraries. Directory Management Service This is how SharePoint connects your SharePoint site to your users’ organization directory. When active, it provides enhanced email features like creation and management of email distribution groups, creation of contacts in users’ directories, and allowing users to find email-enabled SharePoint lists in their address book. Incoming E-Mail Server Display Address This is usually something like @yourcompany.com. Safe E-Mail Servers This is where you specify if you want to lock down your SharePoint environment to just certain email servers or if you want to allow any email server to be able to route email to your site. Now that you have a basic overview of the options, you’ll choose the options for the example scenario. In Exercise 7.1, you’ll configure the incoming email settings.

272

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

E X E R C I S E 7.1

Configuring Incoming Email Settings To configure the incoming email settings, follow these steps:

1.

Open the Central Administration site by choosing Start  All Programs  Administrative Tools and clicking SharePoint 3.0 Central Administration.

2.

On the navigation bar on the Central Administration site, click Operations.

3.

In the Topology and Services section, select Incoming E-Mail Settings.

4.

In the Enable Incoming E-Mail section, choose Yes.

5.

Select Automatic in the Enable Incoming E-Mail section.

6.

In the Directory Management Service section, select No.

7.

In the E-Mail Server Display Address box, type the email server name in the form @mycompany.com.

8.

In the Safe E-Mail Servers section, select Accept mail from All E-Mail Servers.

9.

Click OK.

Configuring Windows SharePoint Services

273

E X E R C I S E 7.1 ( c o n t i n u e d )

Specify the email server address that which is displayed when users create an incoming email address for a list or group. Use this setting in conjunction with the SharePoint Directory Management Service to provide an email server address that is more user friendly. If you select Advanced for the Enable Incoming E-Mail option, you can specify a folder that the emails will be “dropped” into instead of using an SMTP server. In this scenario, we know that we have only one email server in production, so there is no need to block other servers. However, if you choose to enable the Accept Mail from These Safe E-Mail Servers option, then type the IP addresses (one per line) of the email servers that you want to specify as safe in the corresponding box.

Configuring Outgoing Email Settings Outgoing email settings are the building blocks administrators can use for several different email notification features. fact, without proper configuration of the outgoing email settings, you will not be able to utilize alerts or application notification. Similar to when you configured incoming email settings, you must have preinstalled the Internet Information Services (IIS6 or newer is required for WSS 3.0) and Simple Mail Transfer Protocol (SMTP) server. So where would you use these features? As a company grows, it has a greater need to get key information to its users fast. Therefore, here are a few ways you could use alerts and notifications: Alerts Users can have the WSS site alert them when updates to lists, discussions, libraries, and other parts of the site are updated. This works out nicely when you have two different groups working on the same documents, list, or libraries. Users can configure alerts to notify them when changes are made to the documents they are responsible for. As users are able to manage this configuration, this reduces the amount of administration effort.

If your users are not able to configure alerts, check your permissions on the site. Users must have at least View permissions.

Notifications or administration notices As a site administrator, you could use these to receive emails when a user requests access to a site or if you want to know when someone has gone over their storage quota. This would help simplify the process for your users and reduce the impact on your help desk.

274

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

WSS Email Benefits About a year ago, we came across a client who was looking for a low-cost application that would allow them to create a purchase order form. They said that this application must send out email alerts to the approving manager and the user who submitted the purchase order. They wanted it to pull the user’s information from Active Directory and populate it on the form, which would save the user time and make sure the information on the request was standard. We looked into several different applications to accomplish this task. After some additional research, we realized that WSS and the outgoing email feature would be exactly the foundation we would need to accomplish what the client wanted. While this required some additional programming on our part, it was nice that we only had to configure the outgoing email settings to send alerts to the proper people. After setting up the outgoing email, we created the forms they wanted and linked certain dialog boxes to populate their Active Directory user account. We were able to do all of this while staying in the client’s modest budget. The best part is that we are now able to take the code we used for this client and sell it to other clients as an already finished product.

Let’s review a few requirements that must be met before you can configure the settings because outgoing email relies on several components that you must consider. NÛ

NÛ

The From email address is used to help identify the sender of the message you receive. This can be something like [email protected]. A Reply-To address is needed. This will be the address that your users reply to when they get an alert or administrator notification. Many companies use [email protected] or something similar as a Reply-To address because they do not monitor this email address and thus do not want users to reply to an alert or system notice.

NÛ

NÛ

SMTP service installed. You will need to know the DNS name or IP address of the SMTP server you plan to use. Some SMTP mail servers require usernames and passwords that you have to configure to allow your WSS site to use SMTP to send mail. Character set. You need to know what language set to use in the body of your alert email. If you do not know, use the default language. Now that you are armed with the requirements, you can proceed to Exercise 7.2.

Configuring Windows SharePoint Services

E X E R C I S E 7. 2

Configuring Outgoing Email Settings Follow these steps to configure outgoing email settings:

1.

Choose Start  All Programs  Administrative Tools and click SharePoint 3.0 Central Administration.

2.

On the navigation bar in the upper-left side of your screen, choose Operations.

3.

Under the Topology and Services section, choose Outgoing E-Mail Settings to configure your mail settings.

4.

In the Outbound SMTP Server box, enter your SMTP server address or IP address (for example, mailer.yourcompany.net).

5.

In the From Address field, put in the address you want people to see when they get an email alert (for example, [email protected]).

6.

In the Reply-To Address box, enter the email address you want people to use to reply (for example, [email protected]).

7.

For the Character Set option, leave the default selected, which is 65001 (Unicode UTF-8).

8.

Now click OK.

275

276

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

Configuring Outgoing Email Settings for a Specific Web Application Now that you have configured the outgoing email for your WSS site applications, you might have a need for different settings for a specific web application. WSS gives you the ability to have two different applications send out email using different email addresses. For example, you can have an application in your HR department that sends out emails and an application on your news page that sends out alerts. You can configure each application to use a different From and Reply-To address. Exercise 7.3 shows how to configure the settings for a specific application. In the exercise, the same SMTP settings that were used in Exercise 7.2 will be used again. E X E R C I S E 7. 3

Configuring Outgoing Email Settings for a Specific Web Application To change the outgoing email settings for a web application, follow these steps:

1.

Choose Start  All Programs  Administrative Tools and click SharePoint 3.0 Central Administration.

2.

On the navigation bar at the upper-left side of your screen, choose Application Management.

3.

Under the SharePoint Web Application Management section, choose Web Application Outgoing Email Settings.

Configuring Windows SharePoint Services

277

E X E R C I S E 7. 3 ( c o n t i n u e d )

4.

In the Web Application section, select the application from the drop-down list.

5.

Now, the first option in the Mail Settings section is Outbound SMTP Server. Input the same information you entered in. If you plan to use an SMTP server other than the default, enter the new server DNS name or IP address here.

6.

Enter the From and Reply-to addresses you plan to use for this specific application. The From address is the address that will appear to your email recipients. The Replyto address is the address your users will send to when they choose Reply.

7.

The character set can remain at the default setting or one that is appropriate for your language.

8.

Click OK.

Configuring Workflow Settings Workflow settings are configured at the application level. This allows the site administrator or your end users to create their own application-specific workflows. You can have different workflows for each application. You can choose to control whether end users or site administrators will configure these settings. Allowing your users to configure them can greatly reduce your administrators’ involvement, but it can increase the risk of nonstandard workflows entering your work environment. By default, your users can create their own workflows using only code that your site administrators deploy. You also have the option to choose whether you want internal or external users to receive alerts when they are assigned a task. If you want external users to participate in the workflow process, then WSS will send them a copy of the document assigned to them. As mentioned, the workflow is application specific and you will most likely configure these options after you have developed your applications. The Central Administration site will allow you to configure the workflow settings. You can configure these settings by following these steps: 1.

From the Central Administration site, click Application Management on the navigation bar in the upper-left portion of the screen.

2.

Choose Workflow Settings.

3.

In the Web Application section, choose your application.

4.

Under User-Defined Workflows, select Yes or No.

5.

For Workflow Task Notifications, you have the option of choosing Yes or No to send alerts to your users when they assigned a task and if you want external users to be sent a copy of any documents assigned to them.

6.

Click OK.

Chapter 7

278

N

Configuring Windows SharePoint Services (WSS)

Configuring Diagnostic Logging Settings In this section, you have to make some basic decisions about what you want to log and how much you want to share with Microsoft. We will cover the following topics: NÛ

Error reporting

NÛ

Microsoft Customer Experience Improvement Program (CEIP)

NÛ

Event throttling

When software is being set up, one of the least-configured settings is logging, which provides valuable data for both the IT professional and the application vendor. Taking some time to configure these options can save many hours of troubleshooting. In addition, if you choose to share this information with Microsoft, it will help the developers produce a better product. Providing this information to Microsoft is optional. We will review each of these options so you can make an informed decision. Error reporting When you have any issues with your application or hardware or encounter a problem, error reporting will create an error report or log information in a system log for you to review. The following list includes some of the items WSS collects: NÛ

IP address of the server

NÛ

Product ID

NÛ

Condition of server when problem occurred

NÛ

Hardware your server is using

NÛ

Software version

While Microsoft does not try to collect personal information, it is entirely possible that such information could be included in the report. Personal information can include, but is not limited to, usernames, email addresses, URLs, and IP addresses. Microsoft states that it uses this information only to help determine the problem and how to solve it, but you will have to whether you want Microsoft to have it. You can choose to either send these error reports periodically or have this information sent silently. Please review any policies your corporation may have on sharing of information. Microsoft Customer Experience Improvement Program (CEIP) If you agree to allow the sharing of information with Microsoft, it will use the information to improve the stability, functionality, and performance of the WSS product. Event throttling When you choose to log events, it is important that you manage not only what type of information is put into the logs, but also how big in size the logs can become. If you don’t configure these settings, you run the risk of the files growing out of control. You can choose to have this information logged into the Windows event log or trace logs. You have a lot of control in WSS 3.0 when it comes to event throttling. You will have to decide the level of importance of each event because WSS has settings that specify how critical

Configuring Windows SharePoint Services

279

each event is. WSS breaks up the events into categories and you can decide to throttle them all or just throttle a single event. Categories such as the following are defined by different services or common events in Windows SharePoint: NÛ

All

NÛ

By product

NÛ

Features

NÛ

SharePoint services

NÛ

Administration functions

NÛ

Shared services

After choosing the type of category you want to log, you will want to choose the level of events to include in the log. The options for logging Windows events are as follows: NÛ

None

NÛ

Error

NÛ

Warning

NÛ

Audit failure

NÛ

Audit success

NÛ

Information

When choosing the level of events to log, keep in mind that you want to always choose the least critical event to monitor. WSS will record events that are equal to or greater than the selected event. This applies to both Windows events and trace logs. For more information on Windows event logs, please review the documentation that comes with your server.

The following options are available when using trace logs: NÛ

None

NÛ

Unexpected

NÛ

Monitorable

NÛ

High

NÛ

Medium

NÛ

Verbose In Exercise 7.4, we will show you how to configure the diagnostic settings.

280

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

E X E R C I S E 7. 4

Configuring Diagnostic Log Settings To configure diagnostic logging, follow these steps:

1.

Choose Start  All Programs  Administrative Tools and click SharePoint 3.0 Central Administration.

2.

On the navigation bar in the upper-left portions of your screen, choose Operations.

3.

In the Logging and Reporting section, click Diagnostic Logging.

4.

Choose Yes or No in the Customer Experience Improvement Program section.

5.

In the Error Report section, choose to collect the error reports or to ignore them. If you choose to collect reports, decide if you want to periodically download or silently send the reports to Microsoft.

6.

In the Event Throttling section, click on the drop-down box to select your category of events. In the Least Critical Event menus, choose the event equal to the lowest level you want to monitor.

7.

In the Trace Log section, add the path to the location in which you want the log files to reside. If your WSS is in a server farm configuration, make sure the location you choose is available on all servers.

Configuring Windows SharePoint Services

281

E X E R C I S E 7. 4 ( c o n t i n u e d )

8.

In the Number of Log Files box, enter the number of files you want to retain. If you are unsure, leave the default.

9.

Change the number of minutes to use the log files.

10. Click OK.

Configuring Antivirus Settings In today’s world, running your WSS server, or any other server for that matter, without an antivirus product is playing a dangerous game. It will only be a matter of time until a user uploads a virus and distributes it to others. It is best practice to install an antivirus product on all servers in a server farm. After you install an antivirus product on the WSS server, it is important to configure the antivirus settings.

In a server farm, all web servers with documents must have the antivirus product installed before these settings will take effect.

There are four antivirus settings we can configure: Scan Documents on Upload When a user uploads a document to your WSS site, your antivirus product will scan it to ensure that it does not contain viruses. This will help protect from spreading viruses to other users. Scan Documents on Download When selected, this feature will scan a document before it is downloaded to a user’s computer. It will prompt the user about an infection and allow them to decide to continue or not, unless you check the next option. Allow Users to Download Infected Documents When this option is selected, it allows users to download infected documents to their local computer. This is not a recommended option to select unless you have a specific reason to, like troubleshooting a document. Attempt to Clean Infected Documents If a virus is found during the scanning process, this option will allow the antivirus product to clean it automatically. To locate these options, follow these steps: 1.

Open the Central Administration site by choosing Start  All Programs  Administrative Tools and clicking SharePoint 3.0 Central Administration.

2.

On the top navigation bar, click Operations.

3.

In the Security Configuration section, click Antivirus. Use this page, seen in Figure 7.3, to configure your antivirus options.

282

Chapter 7

F I G U R E 7. 3

N

Configuring Windows SharePoint Services (WSS)

Antivirus options

Using the Best Practices Analyzer Tool The Best Practices Analyzer tool is used to check for common problems and to determine if your WSS installation contains the best security practices. The tool is also used to help you fine-tune your WSS installation so that it is optimized for performance. To use the tool, download it and install on your server. After it’s installed, you can check your site’s configuration by opening a command prompt and then switching to the location that contains the Best Practice Analyzer. By default this is C:\BPA. Now follow these steps: 1.

Type sharepointbpa.exe฀-cmd฀analyze฀-substitutions฀SERVER_NAME฀฀ CentralAdministrationServer and press Enter. Replace CentralAdministrationServer with the name of your server. You need to keep SERVER_NAME in capital letters.

2.

After the Best Practice Analyzer tool has finished analyzing your site, open sharepointbpa.report.htm in a web browser to view the results. This file will be located in the same location as the installation. The default is C:\BPA.

You can download the tool at the following link: http://go.microsoft.com/฀ fwlink/?LinkID=83335&clcid=0x409.

Configuring Windows SharePoint Services (WSS) Sites

283

Configuring Windows SharePoint Services (WSS) Sites With the installation of your default WSS 3.0 site is complete, you are ready to start creating additional sites. In the following sections, you will learn about these topics: Upgrading from WSS 2.0 Careful planning and preparation is needed to successfully upgrade a WSS 2.0 installation. Create or extend web applications You must create applications before sites can be created. You will learn how to create and extend Web applications. Configure alternate access mapping This allows you to assign different URLs to the same site. Create zones for web applications A default zone is automatically created when you create a web application. We will explain how to add additional zones. Create quota templates With quota templates, you can control how large a site collection can become. You will learn how to configure the quota templates. Create site collections We will show you how to create a site collection and assign the primary and secondary owners. Enable access for end users After the creation of a site is completed, access will need to be granted to your users. Add site content

After site collections are created, content can be added.

Upgrading from WSS 2.0 Performing an upgrade from WSS 2.0 to WSS 3.0 is not a simple process. Because each environment is different, as are the WSS applications, you must plan accordingly. It is also important that you not only give consideration to the initial software upgrade but also think about any issues that might come up after the upgrade. First, Service Pack 2 for SharePoint Services 2.0 must be installed. Then the remaining prerequisites must also be met as follows: NÛ

Install Microsoft .NET Framework 3.0.

NÛ

Enable Microsoft ASP.NET 2.0.

NÛ

Application and web server must be running Windows Server 2003 with Service Pack 1 (SP1).

Next, make sure that a full backup of the assigned SQL server has been completed. This will ensure that a recovery can be completed in case something goes wrong with the upgrade. WSS 2.0 uses two types of databases, a configuration database and a content database.

284

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

Microsoft has provided a pre-upgrade tool to scan the site that will be upgraded and then fix any errors before attempting the upgrade. During the installation of the WSS 3.0 upgrade, the installation wizard will exit and prompt you to run this tool. It is a good idea to run the tool each time that an error is fixed to make sure no additional issues have appeared.

For more information on the WSS 2.0 upgrade tool and the upgrade procedures, visit http://technet2.microsoft.com/windowsserver/WSS/en/ library/700c3d60-f394-4ca9-a6d8-ab597fc3c31b1033.mspx?mfr=true.

If any custom Web Parts have been created for the site that will be upgraded, especially if ASP.NET 2.0 was used, you will need to test and verify that the Web Parts will work in the upgraded environment. If these parts were created with ASP.NET 1.1, they must be rebuilt using ASP.NET 2.0 before you attempt an upgrade. You are now ready to perform the upgrade. We will cover only an in-place upgrade, so please consult the Microsoft TechNet articles from the above link for other upgrade options. Other options include a gradual upgrade and database migration. Performing an in-place upgrade is the simplest option. In-place upgrades will update all content and configuration data at the same time. Keep in mind that while this upgrade is running, your users will not be able to access the web server; make sure you inform your users of this downtime. An in-place upgrade is best when you have a single server or a small farm with little to no custom applications. If you are in a medium to large server farm or have heavy customization, you are better off using a gradual upgrade, which would reduce the impact on your users. The process of upgrading includes the following steps: NÛ

NÛ

NÛ

Install Windows SharePoint Services Version 3.0: This will perform an automated in-place upgrade. Run the Configuration Wizard: This will finish your upgrade and install the Central Administration web application. Review log files and resolve any issues: Log files can be located at %commonprogramfiles%\Microsoft฀Shared\web฀server฀extensions\12\LOGS.

When the upgrade is finished, review and perform any post-upgrade steps found in the Microsoft TechNet article referenced in this section.

Creating or Extending Web Applications A web application is an IIS site with a unique application pool. Before creating sites or site collections, you first must create a web application. When you create a new application, a new database will also be created and the methods used to authenticate your connection to the database will be defined. If you have a need to broaden your web application to users that are not on your domain, you will have to extend your application to another IIS website.

Configuring Windows SharePoint Services (WSS) Sites

285

Performing an In-Place Upgrade We recently did an in-place upgrade from WSS 2.0 to WSS 3.0 for a client that had about 250 users. The users had become very accustomed to using the WSS 2.0 site and found that the tool was valuable to their organization. The client asked for some additional features, such as allowing extranet users, blogging, and some additional forms that would be linked to their Internet site. All of the custom applications were designed using WSS 2.0, and that was a cause for concern. We wanted to minimize the amount of development work needed to upgrade them to WSS 3.0. We decided to go ahead with the upgrade plans because the increased functionality and the ease of use were very appealing to both their administrators and end users. In addition, WSS 3.0 has features that would allow them to have extranet users and reduce the administration needed. Following the Microsoft TechNet articles for Windows SharePoint Service 3.0 proved invaluable to having a successful upgrade. We determined to make images of the server before attempting the upgrade, which we highly recommend. After the images were created (we created an image of a domain controller for Active Directory access), we converted them to virtual machines. We’re glad we took the time to create the virtual machines because it allowed us to attempt several upgrades. We say several because the first time we preformed an upgrade to WSS 3.0, the upgrade failed. Just a tip: make sure you install all the prerequisites listed on the site. We had failed to upgrade ASP.NET from 2.0 to 3.0. After the upgrade was completed, our development staff had to update some of our custom applications. They would not work after the upgrade because the applications were developed in ASP.NET 2.0. Overall the upgrade was a success and we learned a lot in the process.

Follow these steps to create a new Web application: 1.

Choose Start  All Programs  Administrative Tools and click SharePoint 3.0 Central Administration.

2.

On the top navigation bar, click Application Management.

3.

Choose Create or Extend Web Applications and then choose Create a New Web Application (Figure 7.4).

4.

After you choose Create a New Web Application, the next page will allow you to choose to use an existing IIS site or create a new site. These options are found in the IIS Web Site section of the Create New Web Application page.

5.

On the Create New Web Application page, enter your host header info and port number.

6.

In the Security Configuration section, choose an authentication provider and whether you want to allow Anonymous access. If you are unsure, leave the defaults.

Chapter 7

286

F I G U R E 7. 4

N

Configuring Windows SharePoint Services (WSS)

Creating a new web application

7.

When SSL is chosen, remember to add an appropriate certificate on each server.

8.

In the Load Balanced URL section, add the URL that all sites will use as links on their pages. By default, the box will add the current server name and port.

9.

Choose an already existing application pool or make a new one. If you want to use an existing pool, then just choose that pool from the menu list. To create a new pool, click Create New Application Pool. NÛ

Type the name of the pool in the Application Pool Name box.

NÛ

Choose Predefined to use an existing application pool security account.

NÛ

If you want to use an account for security that is not currently being used, type the username in the User Name box and the password in the Password box.

10. In the section titled Reset Internet Information Services, choose whether you want to

allow SharePoint to restart IIS. If you choose not to allow SharePoint to restart the IIS service, this procedure must be preformed manually, which can be done by running iisreset฀/noforce on each web server in the farm. Your new site will not be functional until after you restart the IIS service. 11. Now choose your database server, database name, and the method of authentication

for the web application. 12. Click OK to create the new application.

Configuring Windows SharePoint Services (WSS) Sites

287

To extend an existing web application, follow these steps: 1.

Click Create or Extend Web application in the Web Application Management section.

2.

Next, choose Extend an Existing Web Application.

3.

In the Web Application section, choose a web application in the drop-down menu.

4.

In the IIS Web Site section, choose whether you want to use an existing site or create a new one. The boxes below—Description, Port, and Path—will populate with default information. You can choose to keep the default information or enter your own.

5.

In the Security Configuration section, configure the authentication and encryption options. If unsure, leave the default options.

6.

Next, in the Use Secure Sockets section, choose whether you want to use Secure Sockets Layer (SSL). If you choose this option, an SSL certificate must also be installed.

7.

In the Load Balanced URL section, add the URL that all sites will use as links on their pages. By default, the box will add the current server name and port.

8.

In the same section, under Zone, select the zone for the extended web application. Options are Intranet, Internet, Custom, and Extranet.

9.

Click OK.

Configuring Alternate Access Mapping Alternate access mapping is one of the more powerful features in WSS 3.0. Yet, for whatever reason, it is also one of the least understood. Where does this feature shine? Do you have a reverse proxy or load balancing needs? Then this feature will benefit you. But just what is alternate access mapping? Simply put, it tells SharePoint how to map a request from a web browser to the proper web application. This is needed so that SharePoint can give the correct content back to you. It then tells WSS what URL the user should be directed to. One of the biggest reasons you would want to configure alternate access mapping is when the URL of a web request received by IIS is not the same URL that the user entered. Each web application can support five collections of mappings per URL. They correspond to the five zones: default, intranet, extranet, Internet, and custom. You will now learn how to add an internal URL, edit or delete an internal URL, map to an external source, and edit public URLs: 1.

Choose Start  All Programs  Administrative Tools and click SharePoint 3.0 Central Administration.

2.

On the top navigation bar, click Operations and then choose Alternate Access Mappings. To add an internal URL, follow these steps:

1.

Click Add Internal URLs on the Alternate Access Mappings page (Figure 7.5).

288

Chapter 7

F I G U R E 7. 5

N

Configuring Windows SharePoint Services (WSS)

Add Internal URL

2.

If your collection is not specified in the Alternate Access Mapping Collection, choose the collection from the drop-down menu.

3.

Add the new URL in the next box and choose your zone.

4.

Click Save. To edit or delete an Internal URL, follow these steps:

1.

In the Alternate Access Mappings page, click on the URL you want to edit or delete.

2.

Modify the URL and or the zone.

3.

If the URL needs to be deleted, click Delete at the bottom of the screen.

4.

If you made any changes to the URL, click Save.

You cannot delete the last URL because there should always be at least one URL for the default zone.

To edit public URLs, follow these steps: 1.

Back on the Alternate Access Mappings page, click Edit Public Zone URLs.

2.

Select a collection from the Alternate Access Mapping Collection menu box. See Figure 7.6

Configuring Windows SharePoint Services (WSS) Sites

F I G U R E 7. 6

289

Edit Public Zone URLs

3.

Modify or add URLs in the Public URLs section.

4.

Click Save.

WSS 3.0 allows you to define resources that are outside of an internal application, but you need to make sure the URL is unique to your server farm. To map to an external source, follow these steps: 1.

On the Alternate Access Mappings page, click Map to External Resource. The Create External Resource Mapping page is shown in Figure 7.7.

2.

Type a unique resource name and add a new URL in the boxes in the External Resource Mapping section.

3.

Click Save.

Creating Zones for Web Applications Use the procedure outlined in the section “Creating or Extending Web Applications” to create a new zone. A new zone is created when you extend an existing Web application.

290

Chapter 7

F I G U R E 7. 7

N

Configuring Windows SharePoint Services (WSS)

The Create External Resource Mapping page.

Creating Quota Templates As users get used to using your WSS site, they will naturally start storing more and more data on it. This can be a blessing because you are finally getting them to use your new data management tool. However, caution is needed because a database can grow out of control. Quota templates are a solution to this problem. With these templates, you can add storage limits on a site collection. This feature can trigger an email alert to your administrators when this size limit is reached. You can apply these quotas to any site collection in a server farm. The quota will apply to the top-level site and all other sites under it. To create a new quota template, follow these steps: 1.

Open the Central Administration site by clicking Start  All Programs  Administrative Tools and clicking SharePoint 3.0 Central Administration.

2.

Click Application Management.

3.

Under the SharePoint Site Management section, choose Quota Templates (Figure 7.8).

Configuring Windows SharePoint Services (WSS) Sites

F I G U R E 7. 8

291

Creating a quota template

4.

Choose Create a New Quota Template in the Template Name section. (From this section, you can also choose to edit an existing template or delete an existing template). You can create this template using an existing quota template or just choose a new blank one. Name the new template.

5.

In the Storage Limit Values section, set the limits for data storage and the threshold for sending an alert email.

6.

Click OK.

Creating Site Collections When you create a new site collection, you are also creating a top-level website for WSS. You will have the option to choose several templates for the site, such as templates for document libraries, help desk, knowledge bases, room and equipment reservations, team sites, wikis, and blogs. To create a new site collection, you will need to navigate to the Application Management page, which can be done by choosing Start  All Programs  Administrative Tools and clicking SharePoint 3.0 Central Administration. Then, follow these steps: 1.

Click Application Management, and in the SharePoint Site Management section, click Create Site Collection. The Create Site Collection page is shown in Figure 7.9.

292

Chapter 7

F I G U R E 7. 9

N

Configuring Windows SharePoint Services (WSS)

Creating a new site

2.

Make sure the web application is selected in the Web Application drop-down box.

3.

Give the collection a title and description, and then add a URL in the URL box.

4.

Choose a template in the Template Selection section.

5.

Next, add a primary and secondary site administrators.

6.

Select a quota template.

7.

Click OK.

Enabling Access For End Users Now that the WSS site is created, you can give access to your users. This section will help you understand how to give access to site administrators, collection administrators, site owners, and, most important, end users. Without proper access planning, you can find yourself taking away or add access needlessly.

For more information on planning site security, visit http://technet฀ .microsoft.com/en-us/library/cc288189.aspx.

Configuring Windows SharePoint Services (WSS) Sites

293

Within a site collection, you can configure access to sites, libraries, folders, documents, and items. Most of the configuration of user access will take place in the site collection and not from the Central Administration page. First add site collection administrators to your site. This portion is done from the Central Administration site by choosing Start  All Programs  Administrative Tools and clicking SharePoint 3.0 Central Administration. Then, just follow these steps: 1.

Choose Application Management from the navigation bar.

2.

In the SharePoint Site Management section, click Site Collection Administrators. Figure 7.10 shows the Site Collection Administrators page.

F I G U R E 7.1 0

The Site Collection Administrators page

3.

Select a site collection from the drop-down menu.

4.

In the following two boxes, add primary and secondary site collection administrators.

5.

Click OK. You are now ready to give site owners, visitors, and other groups access to your site.

When assigning access, it is a good practice to add groups for access instead of individual users. This makes administration of security easier to manage.

294

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

First we’ll show you how to set up groups and then how to add users to those groups. Navigate to your site, and on the home page, select Site Settings from the Site Action menu. Then follow these steps: 1.

Click People and Groups. Figure 7.11 shows the resulting page.

F I G U R E 7.11

Adding users and groups

2.

From this page, choose Groups from the Settings menu.

3.

From the Settings menu drop down, click Set Up Groups.

4.

From this page, you can set up or change users and groups. You can also create a new group.

Now that you have your groups set up, you can add users groups and give them proper permissions: 1.

On the People and Groups page, click on the new group that was created.

2.

Choose New on the navigation bar and select Add Users.

3.

On the Add Users page, type the name of the accounts to add. You can browse for users in Active Directory.

4.

In the Give Permissions section, add the level of permissions you want the users to have. Make sure you have selected Add Users to a SharePoint Group and that you select the correct group.

5.

Finally, choose whether you want to have a welcome email sent to the new user and any personal message.

6.

Click OK.

Configuring Authentication for WSS

295

Adding Site Content There are three main ways you can add content to your WSS sites: NÛ

Allow users to add content.

NÛ

Use web designers to create content.

NÛ

Migrate content from another site.

There are some things to consider when choosing what option you will use for adding site content: NÛ

Will the public see this content?

NÛ

Is the site for a large organization?

NÛ

Are you redesigning or reorganizing another site?

NÛ

Will the site be a collaboration site, which might include wikis, blogs, or other usercreated content? Here are two of the more popular choices for adding content to a WSS site:

User-added content You can immediately allow users and site owners to add content to the WSS sites by following the steps in the section “Enabling Access For End Users” earlier in this chapter. The benefit of allowing user-added content is it involves users immediately, and they tend to want to add and update the content on a regular basis. Migrate content You have a couple of options to migrate content from a different site. One option is to use the Export and Import operations of the Stsadm tool. The other option is to use the Central Administration page to perform a migration.

Read more about the Stsadm tool and the Central Administration options for migrating content by visiting the Windows SharePoint Services 3.0 Technical Library at http://technet.microsoft.com/en-us/library/cc288664.aspx.

Configuring Authentication for WSS Authentication is the process of validating a user’s rights to log into your WSS site and verifying the level of access they should have. WSS uses IIS to manage user authentication. After IIS has determined that the user is authentic, WSS will perform the authorization. WSS will then allow the user to access the resources on the WSS site to which they have been given access.

Chapter 7

296

N

Configuring Windows SharePoint Services (WSS)

WSS has provided support for federated authorization, also known as Web Single Sign On (Web SSO). This means that the authentication system is not local to the computer that hosts Windows SharePoint Services 3.0. WSS provides for several other authentication scenarios: NÛ

Standard Windows authentication.

NÛ

Simple database containing usernames and passwords.

NÛ

Integrating directly into your company’s identity management system.

NÛ

Using several systems together. This would allow for a company identity system to authenticate partner employees but another system to authenticate internal employees. Table 7.1 shows the supported authentication methods.

TA B L E 7.1

Supported Authentication Methods

Authentication Methods

Description

Examples

Windows

These are standard IIS windows authentication methods.

Basic Anonymous Digest Certificates Kerberos (Integrated Windows) NTLM (Integrated Windows)

ASP.NET forms

WSS 3.0 adds support for identity management systems by adding ASP.NET-based forms authentication.

LDAP (Lightweight Directory Access Protocol) SQL Database or other databases Other ASP.NET-based forms

Web Single Sign-On (SSO)

Enables SSO in environments that are on disparate platforms.

ADFS (Active Directory Federation Services) Additional identity management systems

The following sections will cover a couple of the configuration options: NÛ

Digest authentication

NÛ

Web Single Sign-On (Web SSO) using Active Directory Federation Services (ADFS)

Configuring Authentication for WSS

297

Configure Digest Authentication Digest authentication is similar to Basic authentication. The main difference is that Digest authentication is more secure. How does Basic authentication work? First, Windows account credentials must have been previously assigned. Then, Basic authentication allows credentials to be passed on over a web browser. Basic authentication. however, lacks security because user credentials are passed over the network in plain text and over an unsecure HTTP session. You are able to increase security by using SSL encryption. Digest authentication provides increased security because user credentials are encrypted before being sent over the network. Digest uses a challenge/response protocol, which means that the authentication requestor will have to correctly answer a challenge from the server. To do this, the client has to supply a correct shared secret password string. To use Digest authentication, you have to meet the following requirements: NÛ

Users and the IIS server must be on the same domain or have a trust relationship.

NÛ

You must have a valid user account in Active Directory.

NÛ

You must have at least one Windows Server 2003 server in the domain.

NÛ

NÛ

NÛ

You must install the IISSuba.dll file on the domain controller. This file is automatically copied to the server when you install a Windows Server 2003 server. Windows Server 2003 must have SP2 installed. A hot fix is needed if you are using a web browser that is not Internet Explorer 6.0 or 7.0.

Users can be configured for authentication within a zone of a web application. The zones are as follows: Internet

For your customers

Intranet For your internal users Default For your remote employees Custom Extranet

For your administrators For your partners

Both WSS and IIS must be configured to use Digest authentication. Exercise 7.5 shows how to configure Digest authentication. E X E R C I S E 7. 5

Configuring Digest Authentication To configure Digest Authentication, follow these steps:

1.

Choose Start  All Programs  Administrative Tools and click SharePoint 3.0 Central Administration.

298

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

E X E R C I S E 7. 5 ( c o n t i n u e d )

2.

On the navigation bar in the upper-left side of your screen, choose Application Management.

3.

In the Application Security section, choose Authentication providers.

4.

On the Authentication Providers page, make sure the application you want to configure is listed and then click on it.

5.

Click the zone of the web application for which you want to enable Digest authentication.

6.

In the IIS Authentication section of the Edit Authentication page, clear the Integrated Windows Authentication and Basic Authentication boxes.

7.

Click Save.

Configuring Authentication for WSS

299

E X E R C I S E 7. 5 ( c o n t i n u e d )

Now we will use the IIS management console to enable Digest authentication in IIS:

8.

Choose Start  All Programs  Administrative Tools and click Internet Information Services.

9.

In the connections pane, under sites, click on the IIS site that corresponds to the web application zone for which you want to configure Digest authentication. In the features view, in the center of the screen under IIS, double-click Authentication.

10. Highlight Digest Authentication, and then right click on Digest Authentication, choose Enable. This will enable Digest authentication with the default settings.

300

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

E X E R C I S E 7. 5 ( c o n t i n u e d )

11. Optionally, in the Actions section, click the Edit button to enter a realm name. 12. Enter the realm that is appropriate and click OK. 13. Click OK on any remaining dialog boxes.

Configuring Web SSO Authentication by Using ADFS Web Single Sign On (SSO) will allow users in a company different than your own to access servers hosted by you. It accomplishes this by using their existing Active Directory accounts. Web SSO relies on Active Directory Federation Services (ADFS) to create a trust relationship between two companies, which results in a one-time logon for end users. After a user is authenticated, they are given an authentication token (cookie).

The Microsoft SharePoint blog has some good information about configuring multiple authentication providers. The URL is http://blogs.msdn.com/฀ sharepoint/archive/2006/08/16/configuring-multiple-authentication-฀ providers-for-sharepoint-2007.aspx.

Configuring Authentication for WSS

301

To complete Exercise 7.6, you should have already installed the Web Agent for Claims Aware Applications, installed the hot fix for ADFS (it’s included in Windows 2003 Service Pack 2), and created a web application. The web application needs to be configured to use Windows authentication. In this exercise, you’ll configure your extranet web application so that it will use Web SSO. E X E R C I S E 7. 6

Configuring Web SSO authentication Web SSO authentication will be configured by performing the following steps:

1.

First, extend the web application. This can be done from the Central Administration site.

2.

Open the Central Administration site by choosing Start  All Programs  Administrative Tools and clicking on SharePoint 3.0 Central Administration.

3.

On the navigation bar, choose Application Management.

4.

Click Create or Extend Web Applications and then click Extend an Existing Web Application.

5.

Make sure the application is selected in the Web Application menu.

6.

In the IIS Web Site section, add a host header (for example, extranet.myresearch.net).

302

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

E X E R C I S E 7. 6 ( c o n t i n u e d )

7.

Now change the zone to Extranet.

8.

Give the site a host header name. This will be what you will configure DNS to resolve against.

9.

Check the box to use SSL.

10. Change the port number to 443 (it is required by ADFS). 11. In the Load Balanced URL box, delete the :443 text string. 12. Finish extending the web application by clicking OK. 13. Verity that the URLs on the Alternate Access Mappings page are correct. (See Figure 7.5 earlier in this chapter.)

14. You will now need to add an SSL certificate. This certificate should be issued to the name that clients will use. You added this same name as a host header.

Configuring Authentication for WSS

E X E R C I S E 7. 6 ( c o n t i n u e d )

You will now configure the authentication provider for the extranet zone so that is uses Web SSO:

15. Under the Application Security section on the Application Management page, click Authentication Providers.

16. From the menu bar labeled Web Application, select your application from the drop down menu.

17. You should now see two mapped zones for this application. Click the Windows link for the Extranet zone.

18. Choose Web Single Sign On in the Authentication Type section.

303

304

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

E X E R C I S E 7. 6 ( c o n t i n u e d )

19. In the Membership Provider Name box, add the following: SingleSignOnMembershipProvider2. Keep this value because you will need it when you edit the web.config file.

20. Add SingleSignOnRoleProvider2 in the Role Manager box. Remember this value also for editing the web.config file. 21. Check to make sure the Enable Client Integration setting is set to No. 22. Click Save.

Now the application has been configured to use Web SSO. However, permissions still need to be assigned to the users so they can access this site.

To find out how to configure user permissions for extranet websites, please review the documentation found at the following URL: http://technet฀ .microsoft.com/en-us/windowsserver/sharepoint/default.aspx.

Exam Essentials

305

Summary Proper configuration of email, logging, alerts, and workflow settings is vital to a productive WSS installation. Taking the time to configure these settings, as well as antivirus settings, will ensure that all WSS sites are running at peak performance. When you’re finished with the configuration of these settings, run the Best Practices Analyzer tool. In this chapter, you saw how powerful an application WSS can become when you create and extend web applications. Never overlook the value of quota templates to ensure that site collections do not grow out of control. This chapter also stressed the importance of a properly planned and executed upgrade from WSS 2.0 to 3.0. As you plan a WSS 3.0 installation, time should be devoted to how users will be authenticated. WSS 3.0 supports several security scenarios, such as standard Windows authentication, simple database, using a company identity management system, and Web Single Sign On.

Exam Essentials Understand how to perform an upgrade. It is important for you to be familiar with the recommended upgrade procedures. Knowing what the prerequisites are will prove valuable. Know authentication types. Review all forms of authentication and the differences between basic, digest, NTLM, and ADFM. It’s important to know when and why to use each type. Understand logging. Know where you would look to find event logs for WSS events. Review what information is collected and how to set up trace logging. Configuring incoming and outgoing email. Review and understand how to configure both incoming and outgoing email settings. Understand how a WSS 3.0 site can benefit from using these features.

Chapter 7

306

N

Configuring Windows SharePoint Services (WSS)

Review Questions 1.

Where can you configure email, workflow, and logging settings? A. SharePoint Community Portal

2.

B.

SharePoint Central Administration site

C.

Site actions

D.

Team site

The term safe email servers refers to what? A. Email servers that are configured properly

3.

B.

Email servers that are not on the DNS blacklist

C.

Servers you deem safe to receive emails from

D.

Servers that are on the same Active Directory domain

For users to be able to configure email alerts, they must have at least what level of permissions? A. Site administrator

4.

B.

Read and Write

C.

Full

D.

View

What service must be installed before you can send out emails and alerts from your WSS server? A. DNS B.

5.

SMTP

C.

Active Directory

D.

SNMB

What are some of the errors that diagnostic logging will record? (Choose all that apply.) A. Product ID

6.

B.

IP address of server

C.

Software version

D.

Condition of your server at time of error

What categories are defined in WSS event throttling? (Choose all that apply.) A. Features B.

By product

C.

Workstations

D.

Active Directory users

Review Questions

7.

307

When choosing the level of event to log, what should you keep in mind? A. WSS will record events that are greater than or equal to the selected event.

8.

B.

How many users will be accessing your WSS site?

C.

How much free space is left on your WSS server hard drives?

D.

WSS will record events that are equal to or less than the selected event.

What options do you have when using trace logs? (Choose all that apply). A. High

9.

B.

Medium

C.

Unnecessary

D.

None

On a properly configured WSS server using an anti-virus solution, when would you allow users to download infected documents? A. When users complain that they need the document for a project deadline. B.

Always, because most all of the warnings in a WSS site are considered false positives.

C.

Only when you have a specific reason such as troubleshooting a virus on your system.

D.

Only when you have an antivirus solution on the end users’ computers.

10. When should you use the Best Practices Analyzer tool? A. When you need to check for common problems and determine if your installation is configured with the best security practices B.

Only when you have an issue with a web application

C.

Only when you want to use this tool in a server farm network

D.

Only when you are using Exchange servers

11. What does alternate access mapping allow you to do? A. Create a specific web zone. B.

Control how large your site collections become.

C.

Add different UNC paths.

D.

Assign different URLs to the same site.

12. What are the prerequisites for upgrading from WSS 2.0? (Choose all that apply.) A. Microsoft .NET Framework 3.0. B.

Service Pack 2 for SharePoint Services 2.0.

C.

100GB of free space for the upgraded database.

D.

Nothing; you cannot upgrade SharePoint services 2.0 to WSS 3.0.

Chapter 7

308

N

Configuring Windows SharePoint Services (WSS)

13. Before performing an upgrade from a 2.0 WSS site to 3.0, what type of backup should be preformed? A. Full B.

Not needed because it is preformed during upgrade.

C.

Partial

D.

Differential

14. When must you rebuild your Web Parts before you perform an upgrade? A. When the web parts were created with ASP.NET 1.1. B.

It is not required to rebuild Web Parts because the upgrade will rebuild the application.

C.

When the Web Parts were created with ASP.NET 2.0.

D.

Only when the Web Parts contain workflow settings.

15. True/False: Quota templates are used to manage a site’s template library. A. True B.

False

16. When you create a new site collection you are also creating a top-level ___________________ . A. Application B.

Library

C.

Website

D.

Extranet site

17. What items can you configure access for within a site collection? (Choose all that apply.) A. Library B.

Folder

C.

Item

D.

Document

18. The majority of the configuration of user access is configured within ___________________ . A. Central Administration site B.

Site collection

C.

Active Directory

D.

User groups

Review Questions

19. It is good practice, when giving users access, to assign access by ___________________ . A. Individual users B.

NTFS

C.

Groups

D.

NDS

20. While WSS allows for Basic authentication, why is it not recommended? A. Lacks security. B.

IIS does not support it.

C.

Will not authenticate with Active Directory users.

D.

It is only for NDS networks.

309

310

Chapter 7

N

Configuring Windows SharePoint Services (WSS)

Answers to Review Questions 1.

B. Email, workflow, and logging are configured from the WSS 3.0 Central Administration site.

2.

C. When you configure incoming email settings, you enter the DNS names or IP addresses of servers from which you can safely receive incoming email.

3.

D. Users must have at least View permissions to configure alerts.

4.

B. Before you can enable outgoing email, you must install the SMTP service. The SMTP service is a component of IIS and must be running on at least one server in your farm.

5.

A, B, C, D. All of the items listed are logged into an error report or system log when diagnostic logging is configured properly.

6.

A, B. Categories are defined by services or common events. Workstations and Active Directory users are not events or services. However, defining by features or by products is supported.

7.

A. You always want to choose the least-critical event to monitor because WSS will record only events that are greater than or equal to the selected event.

8.

A, B, D. Your options when using trace logs include None, Unexpected, Monitorable, High, Medium, and Verbose.

9.

C. You should enable the feature to download infected documents only when you are troubleshooting a virus or if you have a specific reason. By default, you want to disable this feature.

10. A. This tool can be used for troubleshooting common problems and to determine if you have the best security configuration. It can also be used to optimize your configuration. 11. D. Alternate access mapping allows you to give different URLs to the same site. 12. A, B. Before you can upgrade to WSS 3.0, you have to install .NET 3.0, enable ASP.Net 2.0, and install Service Pack 2 for SharePoint Services 2.0, and your application and web server must be on Service Pack 1 of Windows 2003. 13. A. To ensure that you can recover your current installation of SharePoint Services, you always want to have a current full backup of your SQL database. 14. A. If any custom Web Part was created with ASP.NET 1.1, you must first rebuild the part with ASP.NET 2.0 and then perform an upgrade. 15. B. Quota templates are used to add storage limits on your site collections. 16. C. A top-level website is also created when you create a new site collection.

Answers to Review Questions

17. A, B, C, D. Within a site collection you have the ability to configure access to libraries, folders, items, and documents. 18. B. User access is configured within the site collections. 19. C. When you plan for and give access to users for site collections, it is best practice to create groups and assign groups access. 20. A. WSS will support Basic authentication but lacks security because it passes the user’s information over the network in clear text.

311

Chapter

8

Using Virtualization In Windows Server 2008 MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configure Windows Server Hyper-V and virtual machines. May include but is not limited to: NÛ

Virtual networking, virtualization hardware requirements, Virtual Hard Disks, migrate from physical to virtual, VM additions, backup, optimization, server core

Hyper-V is a new server role in Windows Server 2008 that allows you to virtualized your environment and therefore run multiple virtual operating system instances on a physical server simultaneously. This not only helps you to improve server utilization, it helps you to create a more cost effective and dynamic system. In this chapter, you will learn the basic concepts and features of Hyper-V that a Windows Server 2008 technical specialist must know. You will also get a solid understanding of what is important in virtualization and in what areas of your work life you can use it.

As this chapter is being written, Hyper-V is not yet final. All testing, pictures and screen shots in this chapter have been made with the Hyper-V Release Candidate 0 version.

This chapter will cover the following topics: NÛ

Hyper-V overview

NÛ

Hyper-V installation and configuration

NÛ

Configure virtual machines

Hyper-V Overview In the following sections, we’ll introduce you the Hyper-V. To begin, we’ll take a look at virtualization and what types of virtualization exist. We will then discuss Hyper-V features and the Hyper-V architecture before finishing up with the Hyper-V requirements for software and hardware.

What Is Virtualization? Virtualization is a method for abstracting physical resources from the way they interact with other resources. For example, if you abstract the physical hardware from the operating system, you get the benefit of being able to move the operating system between different physical systems. This is called server virtualization. But there are also other forms of virtualization available, such as presentation virtualization, desktop virtualization, and

Hyper-V Overview

315

application virtualization. We will now briefly explain the differences between these forms of virtualization: Server virtualization This basically enables multiple servers to run on the same physical server. Hyper-V is a server virtualization tool that allows you to move physical machines to virtual machines and manage them on a few physical servers. Thus, you will be able to consolidate physical servers. Presentation virtualization When you use presentation virtualization, your applications run on a different computer and only the screen information is transferred to your computer. An example for presentation virtualization is Microsoft Terminal Services in Windows Server 2008. Desktop virtualization This provides you with a virtual machine on your desktop, comparable to server virtualization. You run your complete operating system and applications in a virtual machine, so your local physical machine just needs to run a very basic operating system. An example for this form of virtualization is Microsoft Virtual PC. Application virtualization Application virtualization helps to prevent conflicts between applications on the same PC. Thus it helps you to isolate the application running environment from the operating system installation requirements by creating application-specific copies of all shared resources and helps reduce application-to-application incompatibility and testing needs. An example of an application virtualization tool is Microsoft SoftGrid Application Virtualization.

Hyper-V Features As a lead-in to the virtualization topic and Hyper-V, we will start with a list of key features, followed by a list of supported guest operating systems. This should provide you with a quick high-level view on this feature before we dig deeper into the technology.

Key Features of Hyper-V The following list provides the key features of Hyper-V: New architecture The hypervisor-based architecture that has a 64-bit micro-kernel provides a new array of device support as well as performance and security improvements. Operating system support 32-bit and 64-bit operating systems can run simultaneous in Hyper-V. Also different platforms like Windows, Linux and others are supported. Support for Symmetric Multiprocessors (SMP) Support for up to four processors in a virtual machine environment provides you with the ability to run applications as well as multiple virtual machines faster. Network load balancing Hyper-V provides support for Windows Network Load Balancing (NLB) to balance the network load across virtual machines on different servers.

316

Chapter 8

N

Using Virtualization In Windows Server 2008

New hardware architecture Hyper-V’s new architecture provides improved utilization of resources like networking and disks. Quick migration Hyper-V’s quick migration feature provides you with the functionality to run virtual machines in a clustered environment with switch-over capabilities when there is a failure. Thus you can reduce downtime and achieve higher availability of your virtual machines. Virtual machine snapshot You can take snapshots of running virtual machines, which provides you with the capability to easily recover to any previous virtual machine snapshot state quickly. Scripting Using the Windows Management Instrumentation (WMI) interfaces and APIs, you can easily build custom scripts to automate processes in your virtual machines.

Supported Guest Operating Systems The following guest operating systems have been successfully tested on Hyper-V and are hypervisor aware: NÛ

Windows Server 2008 x86 (VM configured as 1-, 2-, or 4-way SMP)

NÛ

Windows Server 2008 x64 (VM configured as 1-, 2-, or 4-way SMP)

NÛ

Windows Server 2003 x86 (VMs configured as 1- or 2-way SMP only)

NÛ

Windows Server 2003 x64 (VMs configured as 1-way only)

NÛ

Windows Vista x86 with Service Pack 1 (VMs configured as 1-way only)

NÛ

Windows XP x86 with Service Pack 3 (VMs configured as 1-way only)

NÛ

SUSE Linux Enterprise Server 10 with Service Pack 1 x86 Edition

NÛ

SUSE Linux Enterprise Server 10 with Service Pack 1 x64 Edition

The list of supported guest operating systems might be extended once Hyper-V is released. Please check the official Microsoft Hyper-V site to get an accurate list of supported operating systems: www.microsoft.com/ virtualization.

Hyper-V Architecture This section will provide you with an overview of the Hyper-V architecture (see Figure 8.1). We’ll explain the differences between a hypervisor-aware and non-hypervisor-aware child partition.

Hyper-V Overview

F I G U R E 8 .1

317

Hyper-V architecture

Parent partition

Child partitions

Virtualization stack WMI provider VM service

VM worker process

Applications

Applications User mode

Windows Server 2008

Windows kernel

Applications

Hypervisor-aware OS (e.g., Windows Server 2003, 2008)

Xen-enabled Linux kernel

Non-hypervisoraware OS

Windows kernel VSP

Integration components

Linux Integration components Kernel mode Emulation

VMBus Hyper-V hypervisor Hardware

As you can see, Hyper-V is based on the new microkernel architecture. Hyper-V provides a virtualization layer called a hypervisor that runs directly on the system hardware. You can see that the hypervisor is similar to what the kernel is to Windows. It is a software layer responsible for the interaction with the core hardware and works in conjunction with an optimized instance of Windows Server 2008 that allows running multiple operating systems on a physical server simultaneously. The Hyper-V architecture consists of the hypervisor and parent and child partitions. The Windows Server 2008 operating system runs in the parent partition and provides the WMI provider for scripting as well as the VM service. Virtual machines run each in their own child partitions. Child partitions do not have direct access to hardware resources; instead, they have a virtual view of the resources, which are called virtual devices. If you’re running a hypervisor-aware operating system like Windows Server 2003 or Windows Server 2008 in your virtual machine, any request to the virtual devices is redirected via the high-speed Imbues to the devices in the parent partition, which will manage the requests. By default, only Windows Server 2008 is a hypervisor-aware operating system. Once you install the Hyper-V integration components on the operating system other than Windows Server 2008, it will be hypervisor aware. Microsoft provides a hypervisor adapter to make Linux hypervisor aware. Non-hypervisor-aware operating systems (e.g., Windows NT 4.0) use an emulator to communicate with the Windows hypervisor, which is slower than using the Imbues.

318

Chapter 8

N

Using Virtualization In Windows Server 2008

Hyper-V Requirements The following sections will describe the hardware and software requirements for installing the Hyper-V server role. It is important to understand these requirements for your software license as well as for planning for server hardware. When you understand the requirements, you can design and configure a Hyper-V solution that will meet the needs of your applications.

Hardware Requirements In addition to the basic hardware requirements for Windows Server 2008, there are requirements that are needed to run the Hyper-V server role on your Windows server. They are listed in Table 8.1. TA B L E 8 .1

Hardware Requirements for Hyper-V

Requirement Area

Definition

An x64-based processor (Intel or AMD). Remember Hardware Data Execution Protection that Hyper-V does not support Itanium (IA-64) (DEP) must be available and enabled. processors. Specifically, you must enable฀Intel฀ XD bit (execute disable bit) or AMD฀NX bit (no execute bit). CPU

Hardware-assisted virtualization. This is available in processors that include a virtualization option, specifically, Intel VT and AMD Virtualization (AMD-V) Memory

512MB minimum for the operating system.

Additional memory is required for each virtual machine, depending on the operating system you want to run. Hard disk Additional space is required for each virtual machine, depending on the operating system you want to run.

8GB for operating system.

Hyper-V Overview

319

The Add Roles Wizard in Server Manager additionally verifies the hardware requirements. A good starting point is to check your hardware against the Microsoft hardware list to make sure your hardware is supported by Windows Server 2008. If you try to install the Hyper-V server role on a computer that does not meet the CPU requirements, you get a warning window that looks like Figure 8.2. FIGURE 8.2

Warning window that Hyper-V cannot be installed

Verifying Hyper-V’s CPU requirements is not that easy, especially if you don’t know exactly where to look. We found a freeware tool called Securable that you can use to check your CPU to make sure it meets Hyper-V’s requirements. You can download it from the following page: http:// www.grc฀ .com/securable.htm.

Software Requirements To use virtualization in Windows Server 2008, you need to consider the basic software requirements for Hyper-V. Hyper-V runs only on the following editions of the Windows Server 2008 operating system: NÛ

Windows Server 2008 Standard (x64 based)

NÛ

Windows Server 2008 Enterprise (x64 based)

NÛ

Windows Server 2008 Datacenter (x64 based)

It’s important to understand for your exam that Windows Server 2008 Web edition, any Windows Server 2008 x86-based editions, and Windows Server 2008 editions without Hyper-V do not support the Hyper-V server role. Also, Hyper-V is not available on the Windows Server 2008 for Itanium-Based Systems edition.

320

Chapter 8

N

Using Virtualization In Windows Server 2008

For the exam, you should know what Windows Server 2008 editions will support Hyper-V. Also remember that Hyper-V can be installed on Full and Server Core installation options.

Hyper-V Installation and Configuration The following sections explain how to install the Hyper-V role using Server Manager in Windows Server 2008 full installation mode or the command line in Windows Server 2008 server core. We will then take a look at Hyper-V as part of Server Manager before discussing how to use the Hyper-V Manager. Finally, we will look at the Hyper-V server settings and then cover two important areas for Hyper-V: virtual networks and virtual hard disks.

Install Hyper-V Role Now it’s time to see how to install the Hyper-V server role on the two installation options of Windows Server 2008, namely, a full as well as Server Core.

Installing Hyper-V on Full Installation Mode You can install the Hyper-V server role on any Windows Server 2008 installation for which the Full option was chosen. In addition, the server must meet both the hardware and software requirements. The installation process is as simple, as Exercise 8.1 shows. E X E R C I S E 8 .1

Installing Hyper-V on Full Installation Mode Complete the following steps to install Hyper-V on Windows Server 2008:

1.

Click Start  Administrative Tools  Server Manager.

2.

In Server Manager, click Roles  Add Roles.

3.

On the Select Server Roles page, check Hyper-V and click next.

Hyper-V Installation and Configuration

E X E R C I S E 8 .1 ( c o n t i n u e d )

4.

On the Hyper-V page, click next.

5.

On the Create Virtual Networks page, leave Local Area Connection unchecked, and click next.

321

322

Chapter 8

N

Using Virtualization In Windows Server 2008

E X E R C I S E 8 .1 ( c o n t i n u e d )

6.

On the Confirm Installation Selections page, review the selection and then click Install.

7.

After the installation is finished, click the Close button.

8.

Now the Add Roles Wizard will pop up and ask you to restart the system. Click yes to perform a restart.

9.

After the system restarts and you log in again, the Resume Configuration Wizard appears and finishes the installation. Once the Installation Results page appears click close.

Install Hyper-V on Server Core New to Windows Server 2008 is the Server Core installation option, which creates an operating system installation without a GUI shell. You can either manage the server remotely from another system or use the server core’s command-line interface. This installation option provides the following benefits: NÛ

Reduces attack surface (because fewer applications are running on the server)

NÛ

Reduces maintenance and management (because only the required options are installed)

NÛ

Requires less disk space and produces less processor utilization

NÛ

Provides a minimal parent partition

NÛ

Reduces system resources required by the operating system as well as the attack surface

Hyper-V Installation and Configuration

323

Using Hyper-V on a server core installation, you can fundamentally improve availability because the attack surface is reduced and downtime due to patches is optimized. It will thus be more secure and reliable with less management. To install Hyper-V on your Windows installation, you must execute the following command in the command-line interface: start฀/w฀ocsetup฀Microsoft-Hyper-V

Because the OCSETUP command is case sensitive, make sure you write Microsoft-Hyper-V exactly as shown. Otherwise you will get an error message and Hyper-V won’t be added as a server role.

Hyper-V in Server Manager As with all the other Windows Server 2008 roles, the Hyper-V role neatly integrates into Server Manager. Server Manager filters the information just for the specific role and thus displays only the required information. As you can see in Figure 8.3, the Hyper-V Summary page shows related event log entries, the state of the system services for Hyper-V, and useful resources and support. FIGURE 8.3

Hyper-V in Server Manager

324

Chapter 8

N

Using Virtualization In Windows Server 2008

Using Hyper-V Manager Hyper-V Manager is the central management console to configure your server and create and manage your virtual machines, virtual networks, and virtual hard disks. Unlike Virtual Server 2005, where you managed all virtual machines through a web interface, Hyper-V Manager is managed through a Microsoft Management Console (MMC) snap-in. You can access it either in Server Manager or by using Start  Administrative Tools  Hyper-V Manager. Figure 8.4 shows how Hyper-V Manager looks once you start it. FIGURE 8.4

Hyper-V Manager

Hyper-V Manager is available for the following operating systems: NÛ

Windows Server 2008

NÛ

Windows Vista with Service Pack 1(SP1)

Hyper-V Manager is only installed on a Windows Server 2008 machine when you install Hyper-V on it. On Windows Vista, you will need to install the Hyper-V Manager MMC for Vista SP1 to manage Hyper-V from your Vista client. Hyper-V Manager can be installed only on the following versions of Windows Vista: NÛ

Business

NÛ

Enterprise

NÛ

Ultimate

Hyper-V Installation and Configuration

325

To download Vista Hyper-V Manager, use the following URLs: NÛ

NÛ

For Windows Vista x64: www.microsoft.com/downloads/details.aspx?FamilyId=450931F5EBEC-4C0B-95BD-E3BA19D296B1&displaylang=en For Windows Vista x86: www.microsoft.com/downloads/details.aspx?FamilyId=BC3D09CC3752-4934-B84C-905E78BE50A1&displaylang=en

It’s important to understand that there will be no version of Hyper-V Manager for Windows XP or Windows Server 2003. Thus, you might need to use a remote control solution like Remote Desktop Connection to a computer that can run Hyper-V Manager in order to manage it from your desktop.

You can use Hyper-V Manager to connect to any Full or Server Core installation remotely. Besides Hyper-V Manager, you can use the WMI interface for scripting Hyper-V.

Configure Hyper-V Settings In this section, you will get an overview of the available Hyper-V settings for the server. You configure all server-side default configuration settings like default locations of your configuration files or the release key. You can open the Hyper-V Settings page (Figure 8.5) in Hyper-V Manager by clicking Hyper-V Settings in the Actions pane. FIGURE 8.5

Hyper-V settings

326

Chapter 8

N

Using Virtualization In Windows Server 2008

The Hyper-V Settings page includes the following settings: Virtual Hard Disks

Specifies the default location of your virtual hard disk files (.vhd).

Virtual Machines Specifies the default location of your virtual machine configuration files. It includes the Virtual Machine XML configuration files (part of the Virtual Machines folder) as well as related snapshots (part of the Snapshot folder). Keyboard Defines how to use Windows key combinations. Options are Physical Computer, Virtual Machine, and Virtual Machine only when running full screen. Release Key Specifies the key combination to release the mouse in your virtual machine. Options are Ctrl+Alt+left arrow, Ctrl+Alt+right arrow, Ctrl+Alt+space, and Ctrl+Alt+Shift. User Credentials Specifies whether you want to use your default credentials to connect to a running virtual machine. Delete Saved Credentials

Deletes any saved credentials stored on this computer.

Reset Check Boxes Resets any check boxes that hide pages and messages when checked. This will bring up again any window on which you checked the Do Not Show This Window Again check box.

Manage Virtual Networks A virtual network provides the virtual links between nodes in either a virtual or a physical network. Virtual networking in Hyper-V is provided in a secure and dynamic way because you can granularly define virtual network switches for their required usage. For example, you can define a private or internal virtual network if you don’t want to allow your virtual machines to send packages to the physical network. In order to allow your virtual machines to communicate with each other, you need virtual networks. Just like normal networks, virtual networks exist only on the host computer and allow you to configure how virtual machines communicate with each other, with the host, and with the network or Internet. You manage virtual networks in Hyper-V using Virtual Network Manager, shown in Figure 8.6. Using Virtual Network Manager, you can create, manage, and delete virtual networks, sometimes also called virtual switches. You can define the network type as external, internal only, or private: External Any virtual machine connected to this virtual switch can access the physical network. You would use this option if you want to allow your virtual machines to access, for example, other servers on the network or the Internet. This option is used in production environments where your clients connect directly to the virtual machines. Internal Only This option allows virtual machines to communicate with each other as well as the host system, but not with the physical network. When you create an internal network, it also creates a local area connection in Network Connections that allows the host machine to communicate with the virtual machines. You can use this if you want to separate your host’s network from your virtual networks.

Hyper-V Installation and Configuration

FIGURE 8.6

327

Virtual Network Manager

Private virtual machine network When you use this option, virtual machines can communicate with each other but not to the host system or the physical network, thus no network packets are hitting the wire. You can use this to define internal virtual networks for test environments or labs, for example.

It is of the utmost importance that you understand the different virtual network types because it is highly likely that there will be a question about them on the exam.

On the external and internal only virtual networks, you also can enable virtual LAN (VLAN) identification. You can use VLAN to partition your network into multiple subnets using a VLAN ID. When you enable virtual LAN identification, the NIC connected to the switch will never see packets tagged with VLAN IDs. Instead, all packets traveling from the NIC to the switch will be tagged with the access mode VLAN ID as they leave the switch port. All packets traveling from the switch port to the NIC will have their VLAN tags removed. You can use this if you are already logically segmenting your physical machines, also for your virtual ones. Exercise 8.2 explains how to create an internal only virtual network switch.

328

Chapter 8

N

Using Virtualization In Windows Server 2008

EXERCISE 8.2

Creating an internal Virtual Network Follow these steps to create an internal virtual network so you can communicate between the virtual machine and the host computer:

1.

Click Start  Administrative Tools  Hyper-V Manager.

2.

In Hyper-V Manager, in the Actions pane, click Virtual Network Manager.

3.

On the Create Virtual Network page, select Internal and click the Add button.

4.

On the New Virtual Network page, enter Internal Virtual Network in the Name ield.

5.

Click OK.

When you create the internal virtual network, a network device is created in Network Connections, as shown in Figure 8.7. F I G U R E 8 .7

Virtual network card

This is also the case when you create an external virtual network because it will replace the physical network card of the host machine to give the parent partition a virtual network card that is also used in the child partitions. Unlike with Virtual Server 2005, Hyper-V binds the virtual network service to a physical network adapter only when an external virtual network is created. The benefit for this is that the performance is better if you do not use the external virtual network option. The downside, however, is that there will be a network disruption when you create or delete an external virtual network.

Hyper-V Installation and Configuration

329

Communication between the virtual machine and the local host computer is not configured automatically. Once you install a virtual machine, you need to make sure the TCP/IP settings are in correspondence with the settings you define in the virtual network card. Start with a ping from your host machine to the virtual machines in order to verify that communication is working.

Managing Virtual Hard Disks In addition to virtual networks, you also need to manage virtual hard disks that you attach to your virtual machines. A virtual hard disk in Hyper-V, apart from a pass-through disk, is a VHD file that basically simulates a hard drive to your virtual machine. The following sections will first show you what types of virtual hard disks are available and then show you how to create them. You will also learn about what options are available to manage virtual hard disks.

Types of Hard Disks Depending on how you want to use the disk, Hyper-V offers various types, as described in Table 8.2. TA B L E 8 . 2

Virtual Hard Disks in Hyper-V

Type of Disk

Description

When to Use It

Dynamically expanding

This disk starts with a small VHD file and expands it on demand once an installation takes place. It can grow to the maximum size you defined during creation. You can use this type of disk to clone a local hard drive during creation.

This option is effective when you don’t know the exact space needed on the disk and when you want to preserve hard disk space on the host machine. Unfortunately, it is the slowest disk type.

Fixed size

The size of the VHD file is fixed to the size specified when the disk is created. This option is faster than a dynamically expanding disk. However, a fixed size disk uses up the maximum defined space immediately. This type is ideal for cloning a local hard drive.

A fixed size provides faster access than dynamically expanding or differencing disks but is slower than a physical disk.

330

Chapter 8

TA B L E 8 . 2

N

Using Virtualization In Windows Server 2008

Virtual Hard Disks in Hyper-V

(continued)

Type of Disk

Description

When to Use It

Differencing

This type of disk is associated in a parent-child relationship with another disk. The differencing disk is the child and the associated virtual disk is the parent. Differencing disks include only the differences to the parent disk. By using this type, you can save a lot of disk space in similar virtual machines. This option is suitable if you have multiple virtual machines with similar operating systems.

Differencing disks are most commonly found in test environments and should not be used in production environments.

Physical (or passthrough disk)

The virtual machine receives direct pass-through access to the physical disk for exclusive use. This type provides the highest performance of all disk types and thus should be used for production servers where performance is top priority. The drive is not available for other guest systems.

This type is used in high-end datacenters to provide optimum performance for VMs. Also in failover cluster environments.

You should make sure you understand the different virtual hard disk types by heart because there are often questions about them!

Creating Virtual Hard Disks To help you gain practice in creating virtual hard disks, the following three exercises will teach you how to create a differencing hard disk, how to clone an existing disk by creating a new disk, and how to configure a physical or pass-through disk to your virtual machine. First, in Exercise 8.3, you will learn how to create a differencing virtual hard disk.

Hyper-V Installation and Configuration

EXERCISE 8.3

Creating a Differencing Hard Disk Follow these steps to create a differencing disk:

1.

Click Start  Administrative Tools  Hyper-V Manager.

2.

In Hyper-V Manager, on the Actions pane, click New  Hard Disk.

3.

In the New Virtual Hard Disk Wizard, click Next on the Before You Begin page.

4.

On the Choose Disk Type page, select Differencing and click Next.

5.

On the Specify Name and Location page, enter the new name of the child disk (for example, child-disk.vhd). You can also modify the default location of the new VHD file if you want. Click Next to continue.

6.

Next, on the Configure Disk page, you need to specify the parent VHD file. This will be the basis for your differencing disk. For example, a complete installation of Windows Server 2008 is a good parent. Click Next to continue.

331

332

Chapter 8

N

Using Virtualization In Windows Server 2008

E XE RC I S E 8 . 3 (continued)

7.

On the Completing the New Virtual Hard Disk Wizard page, verify that all settings are correct and click Finish to create the hard disk.

Exercise 8.4 will show you how to create a fixed disk based on a local hard drive. Please remember that only fixed size or dynamically expanding disks can be used to clone a local hard drive during creation. EXERCISE 8.4

Creating a Fixed Size Disk and Cloning a Local Drive Follow these steps to create a fixed hard disk and migrate a physical disk to it:

1.

Click Start  Administrative Tools  Hyper-V Manager.

2.

In Hyper-V Manager, on the Actions pane, click New  Hard Disk.

3.

In the New Virtual Hard Disk Wizard, click Next on the Before You Begin page.

4.

On the Choose Disk Type page, select Fixed Size and click Next.

5.

On the Specify Name and Location page, enter the new name of the virtual hard disk (for example, clone.vhd). You can also modify the default location of the new VHD file if you want. Click Next to continue.

Hyper-V Installation and Configuration

E XE RC I S E 8 . 4 (continued)

6.

Next, on the Configure Disk page, you can decide if you want to create a blank virtual hard disk with a specified size or if you want to copy the contents of a hard disk to the virtual disk. For this exercise, select Copy the Contents of the Specified Physical Disk and select a physical drive on which to copy to the virtual disk. Then click Next to continue.

7.

On the Completing the New Virtual Hard Disk Wizard page, verify that all settings are correct and click Finish to create the virtual hard disk and start the copy process.

333

334

Chapter 8

N

Using Virtualization In Windows Server 2008

Because the process to copy a physical drive to a virtual disk is just a normal copy process, you should allow enough time to complete it. The time varies depending on the size of your physical disk.

The process to add a physical or pass-through disk to a virtual machine is quite different. For this, you first need to create the virtual machine, and then you open the Virtual Machine Settings to configure the physical disk. If you did not yet create a virtual machine in Hyper-V Manager, you should complete Exercise 8.6 to create one and come back to this section. If you want to add a physical disk to a virtual machine, the physical disk must be set as Offline in Disk Management, as shown in Figure 8.8. FIGURE 8.8

Disk Management you can set disks offline

To access Disk Management, click the Start button, right-click on Computer, select Manage, and then expand Storage in the left pane and click Disk Management.

You cannot share a physical disk among multiple virtual machines or with the host system.

Now we will continue our excursion in the world of virtual disks by adding a physical or pass-through disk to a virtual machine.

Hyper-V Installation and Configuration

EXERCISE 8.5

Adding a Pass-Through Disk to a Virtual Machine To add a physical or pass-through disk to your virtual machine, follow these steps:

1.

Click Start  Administrative Tools  Hyper-V Manager.

2.

In Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine you want to add a physical drive to and then click Settings. Remember, the virtual machine state must be set to Off to configure hard drive settings.

3.

In the Settings window, in the Hardware pane, click on IDE Controller 0.

4.

In the IDE Controller pane, select Hard Drive and click the Add button.

5.

In the Hard Drive pane, you now need to select Physical Hard Disk and select the appropriate disk drive in the drop-down list.

6.

Click OK.

335

336

Chapter 8

N

Using Virtualization In Windows Server 2008

Physical or pass-through disks might not be that important if your use for virtualization is based on test environments, but it gets crucial when you need to plan for highly available virtual datacenters. This is especially true if you consider using failover clusters to provide the Quick Migration feature, which is when you should consider matching one logical unit number (LUN) from your enterprise storage system or storage area network (SAN) as one physical disk. This provides you with the optimum performance you need in such an environment.

Managing Virtual Hard Disks Hyper-V also provides two tools to manage virtual hard disks: Inspect Disk and Edit Disk. These tools are available on Actions pane in Hyper-V Manager: Inspect Disk Provides you with information about the virtual disk. It shows you not only the type of the disk but also information like the maximum size for dynamically expanding disks and the parent VHD for differencing disks. Edit Disk Provides you with the Edit Virtual Hard Disk Wizard, which you can use to compact, convert, expand, merge, and reconnect hard disks. Figure 8.9 shows you the wizard’s options when you select a dynamically expanding disk. FIGURE 8.9

The Edit Virtual Hard Disk Wizard

Table 8.3 provides you with an overview of what you can do with the wizard.

Configuring Virtual Machines

TA B L E 8 . 3

337

Edit Disk Overview

Action

Description

Compact

Reduces the size of a dynamically expanding or differencing disk by removing blank space from deleted files.

Convert

Converts a dynamically expanding disk to a fixed disk or vice versa.

Expand

Increases the storage capacity of a dynamically expanding disk or a fixed virtual hard disk.

Merge

Merges the changes from a differencing disk into either the parent disk or another disk (applies to differencing disks only!).

Reconnect

If a differencing disk does not find its referring parent disk anymore, this option can reconnect the parent to the disk again.

Configuring Virtual Machines The following sections cover the topics of creating and managing virtual machines as well as how to back up and restore virtual machines using features like Import and Export and Snapshot. We’ll also briefly cover Hyper-V’s Quick Migration feature.

Creating and Managing Virtual Machines It is important to learn how to create a virtual machine, how to change its configuration, and how to delete it. We will take a look at the Virtual Machine Connection tool and install the Hyper-V Integration Components to a virtual machine.

Virtual Machines Virtual machines define the child partitions in which you run operating system instances. Each virtual machine is separate and can only communicate with the others using a virtual network. You can assign hard drive(s), virtual network(s), DVD drives, and other system components to it. A virtual machine is similar to an existing physical server, but it doesn’t run on dedicated hardware anymore but shares the hardware of the host system with the other virtual machines that run on the host. Exercise 8.6 shows you how to create a new virtual machine.

338

Chapter 8

N

Using Virtualization In Windows Server 2008

EXERCISE 8.6

Creating a new Virtual Machine Follow these steps to create a new virtual machine:

1.

Click Start  Administrative Tools  Hyper-V Manager.

2.

In Hyper-V Manager, on the Actions pane, click New  Virtual Machine.

3.

In the New Virtual Machine Wizard, click Next on the Before You Begin page.

4.

On the Specify Name and Location page, give your virtual machine a name and change the default location of the virtual machine configuration files. Click Next to continue.

5.

On the Assign Memory page, define how much of your host computer’s memory you want to assign to this virtual machine. Remember that once your virtual machine uses up all your physical memory, they will start swapping to disk, thus reducing the performance of all virtual machines. Click Next to continue.

6.

On the Configure Networking page, select the virtual network that you previously configured using Virtual Network Manager. Click Next to continue.

Configuring Virtual Machines

E XE RC I S E 8 .6 (continued)

7.

On the next page, you configure your virtual hard disk. You can create a new virtual hard disk, select an existing disk, or choose to attach the hard disk later. Be aware that you can create only a dynamically expanding virtual disk on this page; you cannot create a differencing, physical, or fixed virtual hard disk here. However, if you created the virtual hard disk already, you can select of course it. Click Next to continue.

339

340

Chapter 8

N

Using Virtualization In Windows Server 2008

E XE RC I S E 8 .6 (continued)

8.

On the Installation Options page, you can select how you want to install your operating system. You have the option to install an operating system later, install the operating system from a boot CD/DVD-ROM where you can select a physical device or an image file (ISO file), install an operating system from a floppy disk image (VFD file, or a virtual boot floppy disk), or install an operating system from a network-based installation server. The last option will install a legacy network adapter to your virtual machine so you can boot from the network adapter. Select Install an operating system later and then click on Next.

9.

On the Completing the New Virtual Machine Wizard summary page, verify that all settings are correct. You also have the option to immediately start the virtual machine after creation. Click Next to create the virtual machine.

After completing Exercise 8.6, you will have a virtual machine available in Hyper-V Manager. Initially, the state of the virtual machine will be Off. Virtual machines can have the following states: Off, Starting, Running, Paused, and Saved. You can change the state of a virtual machine in the Virtual Machines pane by right-clicking on the virtual machine’s name, as seen in Figure 8.10, or by using the virtual machine connection window.

Configuring Virtual Machines

F I G U R E 8 .1 0

341

Options available when right-clicking on a virtual machine

Here is a list of all state options you have available for a virtual machine: Start Turn on the virtual machine. This is similar to pressing the power button when the machine is turned off. This option is available when your virtual machine is off or in saved state. Turn Off Turn off the virtual machine. This is similar to pressing the power off button on the computer. This option is available when your virtual machine is in running, saved, or paused. Shut Down This option shuts down your operating system. You need to have the Hyper-V Integration Components installed on the operating system; otherwise Hyper-V will not be able to shut down the system. You will read about the Hyper-V Integration Components in the section “Installing Hyper-V Integration Components” later in this chapter. Save The virtual machine is saved to disk in its current state. This option is available when your virtual machine is running or in paused state. Pause Pause the current virtual machine, but do not save the state to disk. You can use this option to quickly release processor utilization from this virtual machine to the host system.

342

Chapter 8

N

Using Virtualization In Windows Server 2008

Reset Reset the virtual machine. This is like pressing the reset button on your computer. You will lose the current state and any unsaved data in the virtual machine. This option is available when your virtual machine is running or in paused state. Resume When your virtual machine is paused, you can resume it and bring it online again.

Change Configuration on an Existing Virtual Machine To change the configuration settings on an existing virtual machine, you right-click on your virtual machine’s name in the Virtual Machines pane in Hyper-V Manager and choose Settings. You can change settings like memory allocation and hard drive configuration. All items that you can configure are described in the following list: Add Hardware Add devices to your virtual machine, namely a SCSI controller, a network adapter, or a legacy network adapter. A legacy network adapter is required if you want to perform a network-based installation of an operating system. BIOS This is the replacement of the virtual machine’s BIOS. Because you cannot enter the BIOS during startup anymore, you need to configure it with this setting. You can turn Num Lock on or off and change the basic startup order of the devices. Memory Change the amount of random access memory (RAM) allocated to the virtual machine. Processor Change the number of logical processors this virtual machine can use as well as define resource control to balance resources among virtual machine by using a relative weight. IDE Controller Add/change and remove devices from the IDE controller. You can have hard drives or DVD drives as devices. Every IDE controller can have up to two devices attached, and by default you have two IDE controllers available. Hard Drive Select a controller to attach to this device as well as specify the media to use with your virtual hard disk. The available options are Virtual hard disk (.vhd) file (with additional buttons labeled New, Edit, Inspect, and Browse that are explained in the virtual hard disk section) and Physical hard disk. You can also remove the device here. DVD Drive Select a controller to attach to this device as well as specify the media to use with your virtual CD/DVD drive. The available options are None, Image file (ISO image), and Physical CD/DVD drive connected to the host computer. You also can remove the device here. SCSI Controller Configure all hard drives that are connected to the SCSI controller. You can add up to 63 hard drives to each SCSI controller, and you can have multiple SCSI controllers available. Network Adapter Specify the configuration of the network adapter or remove it. You can also configure for each adapter the virtual network and MAC address and enable virtual LAN identification.

Configuring Virtual Machines

343

COM 1 Configure the virtual COM port to communicate with the physical computer through a named pipe. You have COM1 and COM2 available. Diskette Drive

Specify a virtual floppy disk file to use.

Name Edit the name of the virtual machine and provide some notes about it. Integration Services Define what integration services are available to your virtual machine. Options are Operating system shutdown, Time synchronization, Data Exchange, Heartbeat, and Backup (volume snapshot). Snapshot File Location

Define the default file location of your snapshot files.

Automatic Start Action Define what this virtual machine will do when the physical computer starts. Options are Nothing, Automatically start if the service was running, and Always start this virtual machine. You also can define a start delay here. Automatic Stop Action Define what this virtual machine will do when the physical computer shuts down. Options are Save State, Turn Off, and Shut down.

Please be aware that only some settings can be changed when the virtual machine’s state is Running. It is best practice to shut down the virtual machine before you want to modify any setting.

Deleting Virtual Machines You can also delete virtual machines using Hyper-V Manager. However, this only deletes the configuration files, not any related virtual disks, as seen in Figure 8.11. F I G U R E 8 .11

Delete virtual machine warning window

Make sure you manually delete any virtual disks that were part of the virtual machines in order to free up disk space.

Virtual Machine Connection Similar to the Virtual Machine Remote Control (VMRC) client that was available with Virtual Server 2005 R2 and previous versions, Hyper-V comes with Virtual Machine Connection to connect to virtual machines that run on a local or remote server. You can use it to log onto the virtual machine and use your computer’s mouse and keyboard to interact

344

Chapter 8

N

Using Virtualization In Windows Server 2008

with the virtual machine. You can open Virtual Machine Connection in Hyper-V Manager by double-clicking on a virtual machine or right-click on a virtual machine and select Connect. If your virtual machine is turned off, you might see a window similar to the one in Figure 8.12. F I G U R E 8 .1 2

Virtual Machine Connection window when the machine is turned off

Virtual Machine Connection provides you with functionality similar Hyper-V Manager, such as being able to change the state of a virtual machine, but it also provides you with additional features that are especially useful when you want to work with a virtual machine: File Access settings or exit Virtual Machine Connection. Action Change the state of a virtual machine and create or revert a snapshot. Additionally, you have the options to send Ctrl+Alt+Delete to your virtual machine and Insert Integration Services Setup Disk. Media

Insert or eject a DVD or floppy media.

Clipboard Type the text that is on the Clipboard in virtual machine or capture screen of the machine. Context-sensitive buttons are available to provide you with quick access to the most important features under the menu bar, as you can see in Figure 8.13.

Configuring Virtual Machines

345

F I G U R E 8 .1 3 Virtual Machine Connection window showing a running Windows Server 2003 virtual machine

Installing Hyper-V Integration Components Hyper-V Integration Components, also called Integration Services, are required to make your guest operating system “hypervisor aware.” Similar to the VM Additions that were part of Microsoft Virtual Server 2005, the components improve the performance of the guest operating system once the components are installed. On the architectural perspective, virtual devices are redirected directly via the VMBus, thus quicker access to resources and devices is provided. If you do not install the Hyper-V Integration Components, the guest operating system uses emulation to communicate with the host’s devices, which of course makes the guest operating system slower. Hyper-V Integration Components are currently available for the following operating systems: NÛ

Windows Vista SP1 (x86)

NÛ

Windows XP SP3 (x86)

346

Chapter 8

N

Using Virtualization In Windows Server 2008

NÛ

Windows Server 2003

NÛ

Windows Server 2008

NÛ

SUSE Linux Enterprise Server 10 SP1 or XEN-Enabled Linux

As this chapter was being written, Microsoft had not announced any other operating systems that support the Hyper-V Integration Components. This is subject to change quite quickly, so you should use this list as a reference. Please check the official Microsoft Hyper-V site at www.microsoft฀ .com/virtualization for any new announcements.

Exercise 8.7 shows you how to install Hyper-V Integration Components on one of your virtual machines running Windows Server 2003. E XERCISE 8.7

Installing Hyper-V Integration Components Follow these steps to install the Hyper-V Integration Components in a virtual machine running Windows Server 2003 or 2008:

1.

Click Start  Administrative Tools  Hyper-V Manager.

2.

In Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine on which you want to install Hyper-V Integration Components and select Start.

3.

Right-click the virtual machine again and select Connect to Open a Virtual Machine Connection. Meanwhile, your virtual machine should be already booting.

4.

If you need to log in to the operating system of your virtual machine, you should do so.

5.

Once the Windows Desktop appears, you need to select Insert Integration Services Setup Disk from the Actions menu of your Virtual Machine Connection window.

6.

Once the Hyper-V Integration Components are installed, you are asked to perform a reboot.

Configuring Virtual Machines

347

E XE RC I S E 8 .7 (continued)

After the reboot, Hyper-V Integration Components are installed on your operating system and you will be able to use them.

Back Up and Restore Virtual Machines The following sections cover exporting and importing virtual machines between host machines as well as taking a snapshot to back up a certain state of your virtual machine. We will also briefly discuss what Quick Migration is and how Hyper-V uses it.

Exporting and Importing Virtual Machines This section will explain how to move virtual machines between host computers or move them to a different drive. This is quite different to previous versions of Microsoft’s virtualization software. To move a virtual machine in Virtual Server 2005, you stopped the machine

348

Chapter 8

N

Using Virtualization In Windows Server 2008

and moved its configuration file (VMC) as well as its virtual hard disk file (VHD) to the target location and then changed the VMC file to point to the VHD file. Using Hyper-V, you cannot move the configuration files anymore. You need to use the Export feature to export the virtual machine and then use Import on the target machine to import the virtual machine to Hyper-V. To export a virtual machine, it must be either in Off or Saved state. Open Hyper-V Manager, select the virtual machine you want to export and either right-click on the virtual machine and select Export or click on Export on the virtual machine name’s pane. You will see the Export Virtual Machine dialog box, shown in Figure 8.14. F I G U R E 8 .1 4

Export Virtual Machine window

In this dialog box, you can set the export path for the virtual machine and choose whether to export your virtual machine state data or not.

Because Hyper-V will use the exported files after importing them, you should store the export directly on the target machine’s disks and not on a file share.

Configuring Virtual Machines

349

Once you check Don’t Export Virtual Machine State Data, only the virtual machine’s configuration files will be exported. The virtual hard disk and snapshots will not be exported. In the export path, a folder with the name of the virtual machine is created along with the following subfolders: Virtual Machines This includes the virtual machine configuration files as well as the virtual machine state if the machine is saved. Virtual Hard Disks If you exported the state data, this folder will include your virtual hard disks VHD file(s). Snapshots

If you exported the state data, this folder will include all snapshot files.

Once the virtual machine finishes exporting, you can move the export folder to the target machine if you did not store it directly on the server’s disks. Open Hyper-V Manager and click Import Virtual Machine, which is located in Actions pane. The Import Virtual Machine dialog box asks you for the path to the exported virtual machine and allows you to decide if you want to reuse the old virtual machine ID as shown in Figure 8.15. F I G U R E 8 .1 5

The Import Virtual Machine dialog box

You want to reuse old virtual machine IDs if you’re moving all virtual machines from a host to a new target machine. The virtual machines are practically the same as on the source system. However, you do not want to reuse old virtual machine IDs if you used Export to clone a virtual machine.

Because Hyper-V uses the import folder as the new target folder for the imported virtual machine, an exported virtual machine can be imported only once. Of course, if you copy the files to a different location before importing them, you can overcome this limitation.

When you import a virtual machine with state data, Hyper-V will use the import path for the virtual hard disks as well as snapshots in its virtual machine configuration XML. Thus, you’re able to import an exported machine only once. For that reason, the import folder should already be on the host’s target disk.

350

Chapter 8

N

Using Virtualization In Windows Server 2008

If you import only the virtual machine configuration, without the state data or hard disks, you will receive a warning message like the one in Figure 8.16. F I G U R E 8 .1 6

Import warning message

You receive this warning because the virtual machine has probably one or more hard drives configured that now point to no VHD file. You need to correct these settings before starting the virtual machine to have this work.

Managing Snapshots With virtual machine snapshots, you can save a copy of the virtual machine at any point in time, including while the virtual machine is running. You can take multiple snapshots of a virtual machine and then revert it to any previous state by applying a snapshot. Using snapshots makes it easier to diagnose the cause of errors by reducing the number of times you need to repeat a task or sequence within a virtual machine. The benefit is obvious; if you use snapshots to revert to a previous virtual machine configuration, you do not need to copy virtual machines to keep a state. Thus it is a quick and easy way to back up a certain state of your virtual machine. You can create a snapshot when a virtual machine is in a running, saved, or turned-off state. It’s only from a paused state that you cannot perform a snapshot.

Snapshots are extremely useful in training classes or testing environments. When your company goes to test new software, you can make sure to do snapshots at every single step so you can immediately go back if some problems or issues arise. In training classes, you can prepare each virtual machine for your students according to your special requirements, and once the course is finished, you just revert all virtual machines to their initial configuration. No hassles with experienced users that change your configuration without letting you know anymore.

In Exercise 8.8. you’ll create and rename a snapshot.

Configuring Virtual Machines

EXERCISE 8.8

Creating a Snapshot of a Virtual Machine Follow these steps to create and rename a snapshot of a virtual machine using Hyper-V Manager:

1.

Click Start  Administrative Tools  Hyper-V Manager.

2.

In Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine.

3.

In the Actions pane, select Snapshot.

4.

Once the snapshot is taken, it should appear in the Snapshots pane in Hyper-V Manager. Right-click the snapshot and select Settings.

5.

In the Settings window, on the Management pane, click Name and type in First Snapshot as the name. You can also add some notes to make it easy to identify.

351

352

Chapter 8

N

Using Virtualization In Windows Server 2008

E XE RC I S E 8 . 8 (continued)

6.

Click OK to apply the changes.

Configuring Virtual Machines

353

Technically speaking, when you make a snapshot, the following files will be created in the virtual machine’s snapshot folder: NÛ

A virtual machine configuration file

NÛ

Virtual machine saved state files

NÛ

Snapshot differencing disks (AVHDs)

Once you create a snapshot for a virtual machine, you will also have the Revert option available in the virtual machine name’s pane in Hyper-V Manager. Reverting basically means that you restore the last snapshot made. You also see the last snapshot taken marked with a green arrow in the Snapshots pane (Figure 8.17). F I G U R E 8 .17

Revert Option in Hyper-V

However, you will also have options available directly on the snapshot level that let you perform certain actions: Settings This opens the settings window of the virtual machine. The only settings you can change are the name and the notes field. All others are read-only. Apply Applying a snapshot to a virtual machine technically means that you copy the virtual machine state from the snapshot to the active virtual machine. You can look at this as a “restore this snapshot” option. Because you would lose all unsaved data and settings from the active virtual machine, you will be asked if you want to create another snapshot before you apply this snapshot. If you just click Apply, the active machine will be overwritten and reverted back to the state it was in when the snapshot was made. This snapshot will not be removed. Figure 8.18 shows you the warning message that appears when you apply a snapshot.

354

Chapter 8

F I G U R E 8 .1 8

N

Using Virtualization In Windows Server 2008

Window that appears when you Apply a Snapshot

Rename You can change the name of the snapshot without the need to open settings. Delete Snapshot Deleting a snapshot is like deleting a backup file. You will be no longer able to restore to that point in time. Deleting a single snapshot does not affect any other snapshots that you made for this virtual machine. You will delete only the selected snapshot. However, sometimes when you do delete a snapshot, the system needs to merge the differencing disks. This occurs in the background when the virtual machine is not running. The user does not see when it happens. Delete Snapshot Subtree This will delete the selected snapshot and all snapshots that are hierarchically underneath it. If you delete a snapshot with only one sub-snapshot, the configuration and saved state files for the snapshot will be deleted and the snapshot’s differencing disks will be merged. If you have more sub-snapshots, merging will not take place. In Exercise 8.9, you will apply a snapshot thus revert to a previous virtual machine state. EXERCISE 8.9

Applying a Snapshot To recover a snapshot, follow these steps.

1.

Click Start  Administrative Tools  Hyper-V Manager.

2.

In Hyper-V Manager, in the Virtual Machines pane, click the virtual machine for which you created a snapshot.

3.

In the Snapshots pane, select First Snapshot.

4.

In the First Snapshot pane, under Actions pane, click Apply.

5.

In the Apply Snapshot window, click Apply.

Quick Migration In combination with Windows Server 2008’s clustering support in Enterprise and Datacenter editions, Quick Migration enables high availability features for virtual machines, so if one server fails, its workload can be picked up by another node member with minimal interruption in user access.

Exam Essentials

355

Basically, each virtual machine is defined as a virtual machine application on a cluster node. Once the cluster node goes down, another cluster node can take over the virtual machine. Unfortunately this means that in the event of failure, the system state of the virtual machine is lost because it does a normal bootup with the virtual machine. Planned failover saves the current state, moves it, and then restores it on the target side correctly. This topic is too complicated for the 70-643 exam, but we wanted you to understand the basic concept so you would know that this feature is available in Hyper-V.

Summary Virtualization is quickly becoming a hot topic. The potential for consolidation is tremendous, thus it will get more and more important. After reading this chapter, you should have a good understanding of the Hyper-V architecture and what it requires to install Hyper-V. The section about installation and configuration covered various basic aspects of configuring the virtualization environment. You learned about the different types of virtual networks that are available, the options for installing the Hyper-V role, and the various types of virtual hard disks that you can use to optimize virtualization for your specific scenario. You also learned how to configure virtual machines using the Hyper-V environment and how to create your own virtual datacenter on top of your Hyper-V machines. We showed you how to create and manage virtual machines, how to use Virtual Machine Connection to remotely control a virtual machine, and how to install Hyper-V Integration Components. And you learned how to export and import virtual machines as well as how to do snapshots of your virtual machine. If you have never worked with virtualization software before, the information in this chapter may have been completely new to you. You should now be well prepared to try out Hyper-V in your own environment.

Exam Essentials Understand Hyper-V’s architecture. When you have a good understanding of Hyper-V’s architecture, especially when an operating system in a virtual machine is hypervisor aware versus non-hypervisor aware, you have a solid understanding of what is important from an architectural perspective. You should know about the Hyper-V Integration Components and how they change the behavior of a virtual machine. Also know which operating systems the integration components are available for. Know Hyper-V’s requirements and how to install it. Know the hardware and software requirements as well as how to install Hyper-V. Hyper-V requires an x64-based processor and Data Execution Protection (DEP), and hardware assisted virtualization must enabled.

356

Chapter 8

N

Using Virtualization In Windows Server 2008

Don’t forget this! Also remember that you can install Hyper-V two ways: using Server Manager or using the command line in Server Core. Understand virtual networks and virtual hard disks. Virtual networks and hard disks are the two most tested topics. You definitely should know the types of virtual networks available (i.e., external, internal only, and private virtual network) as well as all types of virtual hard disks (i.e., dynamically expanding, fixed size, differential, and physical or passthrough). You should be able to apply the correct one when needed. Don’t forget the Edit Virtual Hard Disk Wizard, which is also a good source for questions in the exam. Know how to create and manage virtual machines. You should be able to explain how to create a virtual machine, what options you have to install an operating system in a virtual machine, and how to install the Hyper-V Integration Components on a virtual machine. Don’t forget about the virtual machine states and the virtual machine settings! Understand how to back up and restore virtual machines. Have a good understanding of the concept of exporting and importing virtual machines, how snapshots work, and what lies behind a Quick Migration. Understand how you can export a virtual machine, what you should consider when moving it to a new host machine, and what happens after importing it to the import folder. The same applies to snapshots: You need to know what options you have available and what each option will do. Especially recognize the difference between applying and reverting a snapshot.

Review Questions

357

Review Questions 1.

On which of the following x64 editions of Windows Server 2008 does Hyper-V run? (Choose all that apply.) A. Windows Server 2008, Web Edition

2.

B.

Windows Server 2008, Standard Edition

C.

Windows Server 2008, Enterprise Edition

D.

Windows Server 2008, Datacenter Edition

You want to build a test environment based on virtual machines on a single Windows Server 2008 machine, but you also want to make sure that the virtual machines communicate with only each other. What type of virtual network do you need to configure? A. External

3.

B.

Internal only

C.

Private virtual machine network

D.

Public virtual machine network

Andy wants to change the memory of a virtual machine that is currently powered up. What does he need to do? A. Shut down the virtual machine, use virtual machine’s settings to change the memory, and start it again.

4.

B.

Use the virtual machine’s settings to change the memory.

C.

Pause the virtual machine, use virtual machine’s settings to change the memory, and resume it again.

D.

Save the virtual machine, use virtual machine’s settings to change the memory, and resume it again.

You want to make sure the hard disk space for your virtual machines is only occupied once needed. What type of virtual hard disk would you recommend? A. Dynamically expanding disk

5.

B.

Fixed size disk

C.

Differencing disk

D.

Physical or pass-through disk

How do you add a physical disk to a virtual machine? A. Use the Virtual Hard Disk Wizard. B.

Use the Edit Virtual Hard Disk Wizard.

C.

Use the virtual machine’s settings.

D.

Use the New Virtual Machine Wizard.

Chapter 8

358

6.

N

Using Virtualization In Windows Server 2008

Sigi bought a new server with an Itanium IA-64 processor, 4GB RAM and a SAN that provides 1TB hard disk space. After installing Windows Server 2008 for Itanium-Based Systems, he wants to install Hyper-V on this server. Can Hyper-V be installed on this system? A. Yes B. No

7.

What are the minimum CPU requirements for running Hyper-V on a machine? (Choose all that apply.) A. An x64-based processor (Intel or AMD).

8.

B.

Hardware Data Execution Protection (DEP) must be enabled.

C.

Hardware-assisted virtualization must be enabled.

D.

The processor must at least have a dual core.

What is the command to install Hyper-V on a Windows Server 2008 machine that was installed in Server Core? A. start฀/w฀ocsetup฀Hyper-V

9.

B.

start฀/w฀ocsetup฀microsoft-hyper-v

C.

start฀/w฀ocsetup฀Microsoft-Hyper-V

D.

start฀/w฀ocsetup฀hyper-v

On what operating systems can you install the Hyper-V Manager MMC? (Choose all that apply.) A. Windows Server 2008 B.

Windows Server 2003

C.

Windows XP SP3

D.

Windows Vista SP1

10. What statement is correct for an external virtual network? A. The virtual machines can communicate with each other and with the host machine. B.

The virtual machines can communicate with each other only.

C.

The virtual machines can communicate with each other, with the host machine, and with an external network.

D.

The virtual machines cannot communicate with each other.

11. In your test lab, Carola wants to save hard disk space and therefore creates a master virtual disk that should be used as the basis for the virtual machines. What type of virtual hard disks should she create for the virtual machines? A. Dynamically expanding B.

Fixed size

C.

Differencing

D.

Physical or pass-through

Review Questions

359

12. You want to create a virtual disk that clones a local drive available on your host machine. What types of disk can you use to be able to copy a physical disk to a virtual disk using Hyper-V Manager? (Choose all that apply.) A. Dynamically expanding B.

Fixed size

C.

Differencing

D.

Physical or pass-through

13. Joel wants to use the fastest option of virtual hard disks available because he needs excellent performance for his virtual machines. What is the best choice for him? A. Dynamically expanding B.

Fixed size

C.

Differencing

D.

Physical or pass-through

14. What is a legacy network adapter in Hyper-V? A. A virtual network adapter that can be configured when the Hyper-V Integration Components are installed B.

A virtual network adapter that can connect to the virtual networks

C.

A virtual network adapter that you need in order to boot from the network

D.

A virtual network adapter that connects your virtual machine to the host machine

15. You run an operating system like Windows NT 4.0 in a virtual machine where you do not have the Hyper-V Integration Components available. What statement about this situation is correct? A. The operating system will not run in the virtual machine. B.

The operating system will run in the virtual machine and use the Imbues to communicate with the hypervisor.

C.

The operating system will run in the virtual machine but needs a separate hypervisor to be installed.

D.

The operating system will run in the virtual machine but uses emulation to communicate with the hypervisor.

16. How do you move virtual machines between host machines? A. Use the Export and Import Virtual Machine command in Hyper-V. B.

Move the virtual machine files to the target host and add them to Hyper-V.

C.

Create a snapshot of the virtual machine and apply it to a different machine.

D.

Use the Save command in Hyper-V.

Chapter 8

360

N

Using Virtualization In Windows Server 2008

17. Jan does an export of a virtual machine. He checks the Don’t Export Virtual Machine State Data option. Considering this, what folder(s) will be available in the export? A. Virtual Machines B.

Virtual Hard Disks

C.

Snapshots

D.

VM Configuration

18. Once you create a snapshot, what options do you have available for it? (Choose all that apply.) A. Settings B.

Apply

C.

Delete Snapshot

D.

Revert

19. You are using a differencing disk for your virtual machine. When you use the Edit Virtual Hard Disk Wizard in Hyper-V, what options do you have available with this type of disk? (Choose all that apply.) A. Compact B.

Convert

C.

Expand

D.

Merge

20. Robert is administrator of a Hyper-V machine that hosts many virtual machines. He created five snapshots for a single virtual machine on which he is currently installing software. Now he wants to go back to snapshot no. 3 without losing the other snapshots. What statements are correct considering that he applies snapshot no.3? (Choose all that apply.) A. After snapshot no.3 is applied, all later snapshots are deleted. B.

After snapshot no.3 is applied, he is still able to go back to snapshot no.5.

C.

After snapshot no.3 is applied, snapshot no.3 will be deleted.

D.

After snapshot no.3 is applied, the active virtual machine will be in the exact state of snapshot no.3.

Answers to Review Questions

361

Answers to Review Questions 1.

B, C, D. Hyper-V can be installed on Standard, Enterprise, or Datacenter Edition of Windows Server 2008 x64 editions. Itanium, x86, and Web Editions are not supported.

2.

C. The external virtual network type will allow the virtual machine to communicate with the external network as it would with the Internet, so A is wrong. The internal only network type allows communication between the virtual machines and the host machine. Because the question says that only communication between the virtual machines should be allowed, the only valid answer is private virtual machine network. The last option, public virtual machine network, does not exist in Hyper-V.

3.

A. This question focuses on the fact that you cannot change the memory if the virtual machine is running, paused, or saved. The only valid answer is to shut it down and then change the memory.

4.

A. The only virtual hard disk that increases in size is the dynamically expanding disk. Thus this is the only valid answer to this question. The fixed size disk creates a disk of the size you specify, the differencing disk is a special disk that stores only the differences between it and a parent disk, and the physical disk uses a physical drive and makes it available to the virtual machine.

5.

C. Physical hard disks cannot be configured using the Virtual Hard Disk Wizard, the Edit Virtual Hard Disk Wizard, or the New Virtual Machine Wizard. You can only configure and attach a physical disk using the virtual machine’s settings.

6.

B.

7.

A, B, C. The minimum CPU requirement for running Hyper-V is a x64-based processor (Itanium is not supported), hardware Data Execution Protection must be enabled, and hardware-assisted virtualization must be enabled. There is no minimum requirement for a dual-core processor.

8.

C. This question is regarding the setup command to install the Hyper-V server role on a Server Core machine. It’s important to remember that housetop commands are case sensitive and that the correct command is start฀/w฀ocsetup฀Microsoft-Hyper-V, which is option C. All other commands will fail to install Hyper-V on a Server Core machine.

9.

A, D. The Hyper-V Manager is available only for Windows Server 2008 and Windows Vista SP1. There is no version available that runs on Windows Server 2003 or on Windows XP SP3.

Hyper-V is not supported on Itanium-based systems, thus he cannot install it.

10. C. The virtual network type in which the machines communicate with each other and with the host machine is called internal only. In a private virtual network, the virtual machines can communicate only with each other, but not with the network or the host machine. The external network type defines a network where the virtual machines can communicate with each other, with the host machine, and with an external network like the Internet. Thus, C is the correct answer. Once you define a virtual network, the virtual machines can communicate with each other. So the only scenario in which the virtual machines cannot communicate with each other is when they don’t have a virtual network defined.

362

Chapter 8

N

Using Virtualization In Windows Server 2008

11. C. Only the differencing hard disk is associated in a parent-child relationship with another disk. Dynamically expanding starts with a small VHD file and expands it on demand once an installation takes place. The fixed size disk sets a fixed size on the VHD file. The physical disk is a physical drive on the host machine, so it doesn’t support a parent-child relationship with another disk. 12. A, B. Hyper-V Manager support only copying a physical disk to a virtual disk using dynamically expanding or fixed size virtual hard disks. You can perform this task in the New Virtual Hard Disk Wizard. Differencing and physical disks are not available for this feature. 13. D. The fastest virtual hard disk is the physical or pass-through disk because it directly uses the physical disk. The fixed size disk is the fastest option using a VHD file. Dynamically expanding and differencing disks are slower, so they are not recommended for use in production datacenters. 14. C. A legacy network adapter is a virtual network adapter that allows you to boot from the network. All other options are misleading and only point to different virtual network types. 15. D. All operating systems that do not have the Hyper-V Integration Components available will not be hypervisor aware. For this reason, they cannot use the Imbues but need emulation to communicate with the hypervisor. The operating system will still run, but it will be slower. 16. A. The only supported way to move virtual machines between host machines listed here is to use Export and Import Virtual Machine. The option to move the virtual machine files cannot be used anymore because you will lose the configuration of your virtual machines. You cannot apply a snapshot to a different host machine, nor is a Save command available in Hyper-V. 17. A. As the virtual machine state data is not exported, only the Virtual Machines folder will be available in the export folder. Virtual Hard Disks and Snapshots are created only when you export the machine state data. VM Configuration doesn’t exist. 18. A, B, C. Only Revert is wrong, as this option applies to the virtual machine, not to the snapshot. Settings, Apply, and Delete Snapshot are all valid options for a snapshot. 19. A, D. When you use a differencing disk, you have only the option to compact, meaning to remove blank space from the VHD file, and to merge, meaning to merge the changes from the differencing disk directly into the parent or another disk. 20. B, D. When Robert applies one snapshot, all earlier or later snapshots, as well as the snapshot that he applies, are not affected. Thus options A and C are wrong. Because Hyper-V keeps later snapshots, he is able to apply one. Also, the basic concept of snapshots is they act as the active virtual machine state once you apply them.

Chapter

9

Deploying Servers MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configuring Windows Deployment Services, Install from media (IFM), capture Windows Deployment Services images, deploy Windows Deployment Services images, server core ÛÛ Deploy images using Windows Deployment Services. May include but is not limited to: Install from media (IFM); configure Windows Deployment Services; capture Windows Deployment Services images; deploy Windows Deployment Services images; server core ÛÛ Configure Microsoft Windows activation. May include but is not limited to: install a KMS server; create a DNS SRV record, replicate volume license data

Windows Deployment Services is a tool that allows administrators to easily deploy and manage images, scripts, and the unattended installation of computer systems. This service can prove to be invaluable to those tasked with the administration of a medium or large corporate network. Windows Deployment Services can help with basic tasks such as formatting and partitioning a physical system, deploying a consistent set of standards across the network, simplifying the installation of operating systems, and performing post-installation tasks. In this chapter, we will cover the following areas: NÛ

Deploying images

NÛ

Installing from media

NÛ

Configuring Windows Deployment Services (WDS)

NÛ

Deploying Server Core

NÛ

Configuring Windows Activation

NÛ

Installing and configuring KMS

Windows Deployment Services Before the development of tools such as Microsoft Windows Deployment Services (WDS), a network administrator was tasked with manually configuring all of the systems in a network to upgrade or install an operating system. This would involve many man-hours, costing organizations time and money. Deployment Services reduces that need to physically install or upgrade systems, allowing IT administrators to manage the installation of systems from a central location, which can result in more time to devote to other, more important tasks. Several modifications have been made to Windows Deployment Services from the previous version, which was known as Remote Installation Services (RIS) and Windows Deployment Services on Windows Server 2003. WDS now includes the following: NÛ

Ability to deploy Windows Vista and Windows Server 2008

NÛ

Support for Windows PE as a boot operating system

NÛ

Ability to transmit data and images by use of multicast

NÛ

Support for network boot of x64-bit operating systems

Deploying Images by Using Windows Deployment Services

365

To fully explore the latest version of WDS, you should be familiar with the following topics: NÛ

Windows image (.wim) format

NÛ

Windows Pre-boot Execution Environment (PXE)

NÛ

Active Directory

NÛ

Dynamic Host Configuration Protocol (DHCP)

NÛ

Windows Preinstallation Environment (WinPE)

For many small shops, and in previous years, server installations were done by manually installing the operating system. This means that an administrator would have to manually monitor and configure each server install. As the resources to deploy images have improved, it has opened the way for a simplified deployment of servers, one that an IT administrator can trust. The benefit of WDS goes beyond just freeing up time; it takes a major step forward in assuring company standards when it comes to how servers are built and configured. If you are not familiar with these terms and components, we recommend that you spend some time studying them before attempting to deploy system images in a production environment.

You can find more information on Windows Imaging from Microsoft TechNet: http://technet2.microsoft.com/windowsserver2008/en/library/ fbd2d37b-4127-43fd-a079-f78bbd44b7601033.mspx?mfr=true.

While WDS can deploy an operating system to your workstation environment, this chapter will focus on using WDS to deploy servers.

Deploying Images by Using Windows Deployment Services Windows Deployment Services include several components that can help a network administrator quickly, easily, and effectively install operating systems to servers: Management Tools These are the tools you will use to create system images and manage the server and client machine accounts. Server components The server components are the items needed to boot a client computer and install an operating system on a client machine. will be created to keep the data needed for the network boot, such as boot and install images. Client components These components are needed for the client machine to communicate with the server so that the proper items are installed and configured. The Windows PE interface is a client component.

366

Chapter 9

N

Deploying Servers

To understand these components, you must understand first what an image is. Simply put, in this context, it’s a snapshot of a server that was built to your specifications. WDS uses two types of images: Install image

This contains the operating system you want to deploy to a server.

Boot Image This is the image that a client computer or server will boot to before you install the install image. Think of these images this way: a boot image is like a car and the install image is like a resort. Before you can sit in the comfort of the resort, you have to know how to get there and then have some means to travel to it. The car is what gets you to your destination; it knows the distance, direction, and speed it takes to get you there. With WDS, you are able to customize your images so they have exactly the configuration required by company standards. This will save time and money because you only need to set up the images, not babysit each server install. Before you can take advantage of this powerful tool, a proper installation and configuration is vital. Windows Deployment Services will not successfully deploy an operating system if the required components are not configured properly. The next section will guide you through the recommended installation of Windows Deployment Services and show you how configure them.

Using Windows Deployment Services Before you can start to deploy servers, you must configure Windows Deployment Services and create images. A check list can assist you in making sure your installation is completed correctly. Here are some things to be sure your check list includes: Active Directory domain.

The WDS server must at least be a member server in an Active Directory

DHCP and DNS resolution.

WDS relies on DHCP and DNS for both IP addresses and name

NTFS

The WDS server requires the NTFS filesystem.

Credentials The user account that will be used to perform the install and related tasks must be a member of the local Administrators group. Make sure the server you plan to use for WDS has these items installed and properly configured. When time is taken to ensure that the server is properly prepared, it will result in a trouble-free installation and configuration of WDS. After you have met the prerequisites for the server build, WDS must be installed as a role (Exercise 9.1).

Using Windows Deployment Services

Benefit of Images Recently a client had an increasing need to improve the quality of their machine builds and reduce the time that was spent deploying new machines. This client had 250 computers in five locations and two states. They had just signed an agreement to refresh onethird of their machines, and because this was a leasing program, they would be doing this every year. The current standard operating procedure was to build each machine by hand, which would result in an IT administrator or specialist spending 3 to 5 hours per machine. Each phase of the technical refresh program would have around 80 machines. Simple math tells you that this would require 240 to 400 hours spent on just building the machines, which is not efficient. A plan was developed to create system images and then deploy them with the earlier version of WDS, which was called Remote Installation Service, or RIS. While RIS was not as easy to use or set up as WDS, it did show how valuable images really are. They decided to create three separate images, each with various applications installed based on the departments. A lot of time was spent working with department heads to determine what exactly the images would contain, which allowed us to create base images that needed very little additional attention after they were installed. While we knew that this would reduce the time needed to deploy a machine and would create a standard build, a side benefit turned out to be using the images to assist the help desk. If the help desk encountered an issue that would normally result in them deploying someone to rebuild the machine, they would instead deploy the build image. Overall, the use of images saved many man-hours and saved the organization money.

E X E R C I S E 9 .1

Installing the WDS Role Follow these steps to install the Window Deployment Services role:

1.

To open Server Manager, click Start  All Programs  Administrative Tools  Server Manager.

2.

In the left pane, click Roles.

3.

In the Roles Summary section, choose Add Roles.

4.

Click Next on the Before You Begin screen.

5.

On the Select Server Roles page, check the box next to Windows Deployment Services.

367

368

Chapter 9

N

Deploying Servers

E X E R C I S E 9 .1 ( c o n t i n u e d )

6.

Click Next on the Overview of Windows Deployment Services page.

7.

On the Select Role Services, check the Deployment Server and Transport Server boxes.

Using Windows Deployment Services

369

E X E R C I S E 9 .1 ( c o n t i n u e d )

8.

Review the selections on the Confirm Installation Selections page.

9.

After reviewing the selections, click Install.

During the installation of WDS, the deployment server and transportation server were chosen. The following paragraphs briefly explain these two services: Transportation Server This option can be chosen without choosing the Deployment Server option. It is used to create a namespace to transmit data from a single server. When just this feature is installed, the server does not need Active Directory, DHCP, or DNS. This option would be selected by itself when you are doing a custom deployment solution. While some advanced options can be configured, such as using a defined range of IP address or setting up the UDP port, the standard installation does not require any additional configuration. Deployment Server The Deployment Server option gives WDS full functionality. When this option is checked during installation, the transportation server must be installed along with it. This end-to-end solution brings the following functionality: NÛ

Support for network boot (PXE server)

NÛ

Location to store images

NÛ

Multicast

NÛ

Monitor for clients installs

NÛ

Management tool

With the installation of the WDS role completed, the next section will explain how to configure the WDS settings.

Configuring WDS One of the nice things about WDS is that it is included as a role that you choose to install. After the role is installed, it requires very little configuration. This means you are able to start creating your deployments within a short period of time. It is necessary to configure WDS before you use it the first time. The following options are among those that can be configured: NÛ

NÛ

NÛ

NÛ

Create a shared folder that will be used to store the install images, PXE boot files, and the files for Windows PE booting. Answer settings for how the server handles incoming client boot requests. Add a DHCP tag, which is needed so that the clients know what port the WDS server is listening on. Set boot client options so boot clients can find the DHCP server.

370

Chapter 9

N

Deploying Servers

Microsoft allows WDS to be configured in two ways: NÛ

Using the Windows Deployment Services Configuration Wizard

NÛ

Using a command line and the WDSUTIL In Exercise 9.2, you’ll configure WDS for first use.

EXERCISE 9.2

Configuring WDS Server for First Use Follow these steps to configure WDS Server for first use:

1.

Choose Start  All Programs  Administrative Tools  Windows Deployment Services.

2.

In the left pane, expand the Servers node.

3.

Right-click on the server name and choose Configure Server. This will open the Windows Deployment Services Configuration Wizard.

4.

On the Welcome Page, click Next.

5.

On the Remote Installation Folder Location screen, choose the folder that will hold the images.

6.

Choose the answer policy on the PXE Server Initial Settings screen. For this exercise, choose Do not respond to any client computer.

Using Windows Deployment Services

E XE RC I S E 9. 2 (continued)

Three options are presented to you on the PXE Server Initial Settings screen: Do Not Respond to Any Client Computer server to respond to any clients.

Use this option if you do not want the WDS

Respond Only to Known Client Computers If the client is not prestaged in Active Directory, which means you will have to add the computer to AD before PXE boot to a machine, then selecting this option will prevent them from PXE boot to the WDS server. Respond to All (Known and Unknown) Client Computers This will allow all clients to boot to the WDS server. Additionally, checking the box “For unknown clients, notify administrator and respond after approval” will require that an administrator approve new clients before allowing them to receive the boot service.

7.

Click Finish.

8.

On the Configuration Complete screen, choose to either add images now or add them later with the Add Image Wizard.

9.

Click Finish.

After completing the basic configuration, you can configure the server properties. The options that can be configured are as follows: NÛ

PXE response settings

NÛ

Directory Services

371

Chapter 9

372

NÛ

Boot

NÛ

Client

NÛ

DHCP

NÛ

Network Settings

NÛ

Advanced

N

Deploying Servers

The configuration wizard sets up the basic settings like the PXE response settings, but there are some common settings that need to be looked at or configured. They’re on the following tabs: Boot tab When the client wants to interact with the server, it will follow the settings on this tab. By default, the configuration wizard configures the PXE boot to require the clients to press F12 for the boot to start. This can be changed so that the PXE boot begins immediately. This might be a great option if you are doing a large-scale migration that occurs after hours when you don’t want to have to press F12 on each client. Network Settings tab On this tab, you can configure the Multicast IP address, the UDP port range, and the network profile. If any changes are made in this tab, you must restart the service. DHCP tab If the WDS server is installed on a server running DHCP, it will cause a conflict because both WDS and DHCP by default listen on port 67. This tab will allow you to change the settings so that WDS will not listen on port 67. In Exercise 9.3, you’ll configure some server properties. EXERCISE 9.3

Configuring WDS Server Properties Follow these steps to configure WDS server properties:

1.

Choose Start  All Programs  Administrative Tools  Windows Deployment Services.

2.

In the left pane, expand Servers.

3.

Right-click on the WDS server and choose Properties.

Using Windows Deployment Services

E XE RC I S E 9. 3 (continued)

4.

In the server’s Properties dialog box, click the Boot tab.

5.

On the Boot tab, make any necessary changes to the boot program or add a default boot image.

373

374

Chapter 9

N

Deploying Servers

E XE RC I S E 9. 3 (continued)

6.

On the Network Settings tab, determine what the multicast IP address will be or set it to be obtained from a DHCP server. Microsoft doesn’t recommend changing the default IP address range (unless your network needs a different range). The UDP port range and network profile can be changed on this tab.

7.

If the WDS server is running DHCP, click on the DHCP tab, check the Do Not Listen on Port 67 and Configure DHCP Option 60 to PXEClient.

8.

Click OK to finish.

Using Windows Deployment Services

375

Capturing Images Many IT administrators are familiar with the concept of system images. When most think of system images, they think of products such as Symantec Ghost or Acronis True Image. When you use images, you are essentially using an existing operating system configuration and creating a copy or a clone of it. Then this clone can be used to restore the computer or deploy it to additional computers to give them the same configuration. So what do we mean when we talk about capturing images specifically for WDS? Normally, when a image is deployed it will start up to a operating system setup wizard. Capturing images will start the image to a capture wizard instead, thus allowing the image to be saved as a WIM file (with a .wim filename extension). What is involved in creating an image? Here’s a high-level overview: 1.

Install an operating system on a server or computer.

2.

Make any custom changes needed, such as installing software, specific drivers, or anything else specific to your organization.

3.

Sysprep the server or computer.

4.

Reboot into Windows Preinstallation Environment (WinPE).

5.

Capture the offline image into a WIM file.

6.

Store the image in WDS the image store.

That is a high-level overview of the imaging process in WDS; let’s look at what WDS image capture utility does: 1.

WinPE boots and the WDS image capture utility is started.

2.

WDSCapture.exe looks for the WDSCapture.inf file. This file will contain answers to

the questions asked in the GUI during installation. If this file does not exist, you will have to manually enter the answers. 3.

Drives are then scanned for a sysprep offline image.

4.

Metadata is extracted from the data points in the image. This data will contain information such as HAL type, architecture, product name, OS version, and language.

5.

The volume in which to save the WIM file is selected.

6.

The image is updated with the information that was extracted in step 4 and any other values that are entered by the user.

7.

The image is uploaded to the WDS server.

An image can be captured both from the wizard and using a command-line tool. Exercises 9.4 and 9.5 will show you how to use both. Exercise 9.4 assumes you have already created a sysprep image and have added it to the Install Image folder. It also assumes you have added a boot image to the Boot Image folder.

376

Chapter 9

N

Deploying Servers

EXERCISE 9.4

Creating a Capture Image Using the Wizard Follow these steps to create a capture image using the wizard:

1.

Choose Start  All Programs  Administrative Tools  Windows Deployment Services.

2.

In the left pane, expand Servers.

3.

Expand your WDS server and then expand Install Images.

4.

Expand the Boot Image folder and right-click on the image.

5.

Choose Create Capture Boot Image.

Using Windows Deployment Services

E XE RC I S E 9. 4 (continued)

6.

In the Create Capture Image Wizard, on the Capture Image Metadata page, enter a name, description, and location.

377

378

Chapter 9

N

Deploying Servers

E XE RC I S E 9. 4 (continued)

7.

Click Next to create the capture image.

8.

Right-click on the Boot Image folder.

9.

Click Add Boot Image.

10. Browse and choose the capture image that was just created. 11. Click Next. 12. Enter the image name and description and click Next. 13. Review the selections on the Summary screen and click Next. 14. After the image is added, click Finish. 15. Create a machine that will be used for the image. Install the operating system, add your applications, and customize it to your standards.

16. Sysprep the computer. 17. When sysprep is finished, restart the computer and press F12. 18. On the Boot Manager Screen, select the capture image and click Next. 19. Choose the correct drive, add a name and description, and click Next. 20. Select the location to store the image and click Save. 21. Click Upload Image to WDS Server. 22. Provide the name of the WDS server, and then click Connect. If prompted for credentials, enter the username and password with rights to the WDS server.

23. Choose the image group in which to store the image. 24. Click Finish.

To create a sysprep image and add to WDS image store, please refer to the Microsoft TechNet article at http://technet2.microsoft.com/windowsserver2008/en/library/b7978b72-3b39-441d-924c-4b7a2fd96c371033. mspx?mfr=true.

Exercise 9.5 shows the steps involved in using the command-line utility named WDSUTIL to create a capture image.

Using Windows Deployment Services

EXERCISE 9.5

Using WDSUTIL to Create a Capture Image Follow these steps to use WDSUTIL to create a capture image:

1.

Click Start, right-click Command Prompt, and choose Run as Administrator.

2.

Within the command prompt, type the following: WDSUTIL฀/New-CaptureImage฀/Image:฀/Architecture:x86฀/ Filepath: Replace with the name of the boot image you want to use to create the capture image and with the file location and name of the new capture image.

3.

Type the following: WDSUTIL฀/Add-Image฀/Imagefile:฀/ImageType:boot Replace with the filename and location of the capture image you want to add to the image store.

4.

After the capture image has been created, follow steps 8 through 22 in Exercise 9.4 to boot the computer to the capture image and capture the operating system.

379

Chapter 9

380

N

Deploying Servers

Deploying Server Core A new feature introduced with Windows Server 2008 is Server Core. Server Core is a bare-bones installation of Windows Server 2008. You can think of it this way: If Windows Server 2008 is a top-of-the-line luxury car, then Windows Server 2008 Server Core is the stripped-down “no air conditioning, manual windows, with cloth seats” model. It might not be pretty to look at, but it gets the job done. Server core supports a limited amount of roles: NÛ

Active Directory Domain Services

NÛ

Active Directory Lightweight Directory Services

NÛ

DHCP

NÛ

DNS

NÛ

File Services

NÛ

Print Services

NÛ

Windows Virtualization

NÛ

Streaming Media Services

NÛ

Internet Information Services (IIS)

Server Core does not have the normal Windows interface or GUI. Most everything has to be configured via the command line or in some cases using Remote Server Administration Tools from a full version of Windows Server 2008 or Windows Vista. While this might scare some administrators off, it has many benefits: Reduced management Because Server Core has a minimum number of applications installed, it reduces management. Minimal maintenance Only basic systems can be installed on Server Core, so it reduces the upkeep you would need in a normal server installation. Smaller footprint Server Core requires only 1GB of disk space to install and 2GB free space for operations. Tighter security to attacks.

With only a few applications running on a server, it is less vulnerable

The prerequisites for Server Core are basic. It requires the Windows Server 2008 installation media, the product key, and the hardware on which to install it. It only takes a few minutes, depending on hardware, to install Server Core. One of the things to keep in mind is that you cannot upgrade or downgrade to Server Core. Server Core requires a clean installation. There are three editions available for Server Core installations: NÛ

Windows Server 2008 Standard

NÛ

Windows Server 2008 Enterprise

NÛ

Windows Server 2008 Datacenter Following the steps in Exercise 9.6 will result in the base install of Server Core.

Configuring Microsoft Windows Activation

381

EXERCISE 9.6

Installing Server Core Follow these steps to install Server Core:

1.

Insert the Windows Server 2008 CD and boot to the CD.

2.

At the Install Windows screen, choose the language, time format, and keyboard method that is relevant to your location and click Next.

3.

Click Install Now.

4.

Type in your product key and click Next.

5.

At the Select the Edition of Windows You Purchased screen, choose the Windows version and click Next.

6.

Accept the license terms and click Next.

7.

The only option available at the next screen will be Custom (Advanced).Click that option.

8.

Choose the disk on which to install Server Core and click Next.

9.

Allow setup to complete.

10. After setup is finished, click Other User and type Administrator with no password. 11. Press Enter. 12. Enter a password for the Administrator account.

After you install the base operating system, you use the command-line or remote administrative tools to configure the network settings, add the machine to the domain, create and format disks, and install roles and features.

Configuring Microsoft Windows Activation Windows Product Activation (WPA) was introduced with the release of Windows XP. The early versions required a 25-character alphanumeric format, and then starting with Windows XP SP2, it added a physical key (which is identified by the hardware). Large corporations, however, used a different set of rules. In the beginning, they were given OEM copies of the software, which did not require activation. Over time, these copies were leaked to other users

382

Chapter 9

N

Deploying Servers

and then the Internet. Microsoft worked hard to combat this by introducing Windows Genuine Advantage, which, when the user opts to use it, will allow them to download updates and content from Microsoft’s websites.

Starting with Windows Vista, if a user does not have a product key, it will result in loss of some of the functions, and that will eventually lead to most of the features being disabled. Microsoft understands that companies still use volume keys and need to reduce any loss of production due to product activation. In an effort to make activation easier for companies, Microsoft has allowed for the installation of Key Management Services (KMS). When KMS is installed or activated on a host machine, it becomes the centralized location from which Windows client machines can activate. This reduces the time to activate your products and reduces the impact on your bandwidth. When a KMS host is created with a KMS key, that machine will activate with Microsoft. Then in turn, when machines in your local network need to activate, they activate with the KMS host on your network.

s Windows Activation Backlash When Windows Product Activation (WPA) was first announced by Microsoft in 2001 as a means to prevent piracy, it was received with mixed reviews. Other than Microsoft itself, hardly anyone was in favor of it. Companies were not in favor of this new product activation feature because they were unsure of how it would affect their organization. They were used to having a single install disk without any restrictions, and each individual company had its own specific deployment needs. Home users were also concerned about the implications of the new activation feature. Would their private information be sent to Microsoft? Would Microsoft monitor their activity? How much change in hardware was required to trigger a new activation? The initial primary focus for Windows Activation was to discourage casual copying of Microsoft’s products, such as when one person purchases a copy of Microsoft Office and lets a friend install it on their machine. When Product Activation, what Windows Activation was then called, was introduced, it was reported that 50 percent of all piracy was casual copying. Over time, Windows Activation has gained not so much an acceptance but more of a tolerance by users. Microsoft has continued to refine the process to seem less of a bother to people, and in general, people have started to purchase their own copies of software.

KMS has the following prerequisites: NÛ

The KMS host must have the appropriate volume license.

NÛ

Machines on your network or KMS clients must also have the proper volume license.

Configuring Microsoft Windows Activation

NÛ

NÛ

383

KMS clients need access to the KMS server. The KMS server uses TCP port 1688 by default. Applications and services logs to be configured to handle the volume in your organization. Log sizes can be set in the Log Properties dialog box.

When planning to use a KMS host on your network, it is good to keep a few things in mind: KMS host changes The KMS host has the same rules as all other computers. If major hardware changes are made to the KMS server or it is on a virtual machine and is transferred to another computer, the KMS host will be required to reactivate with Microsoft. KMS key It is best to use the KMS key from the highest product group that your company has licensed. Volume licenses If you upgrade your product group or purchase a new volume license, you need to upgrade your existing KMS host. KMS requires a minimum number of physical servers on the network before it will start activating client machines. This is called the activation threshold. The thresholds are as follows: Windows Vista Requires 25 physical computers Windows Server 2008 Requires 5 servers How do the requirement thresholds work? A KMS host will count the number of physical computers that are requesting activation. The count is a combination of both Windows Vista machines and Windows Server 2008. For example, a company has 10 computers. Of the 10 computers, 8 are Windows Vista and 2 are Windows Server 2008. When these computers request activation, they are given an activation number, so the first computer that is running Vista is given the number 1. The next two computers are given numbers 2 and 3. The fourth computer is Windows Server 2008 and is given number 4, but none of the computers can be activated yet. The next computer to request activation is another Windows Server 2008 computer, and because it gets a number 5, it activates; however, the Vista computer will not activate until the number of total physical computers has reached 25. Therefore, this company has enough computers to reach the activation threshold for Windows Server 2008 but not for Windows Vista. Once the thresholds are met, the KMS server will activate virtual machines, but until the numbers are reached, the virtual machines will not count toward the total number of machines needed to cross the threshold. It is thus important to have met these thresholds before the expiration period so that the computers can be activated.

The grace period for meeting the KMS threshold requirements for all editions of Windows Vista is 30 days. The grace period for Windows Server 2008 is 60 days.

384

Chapter 9

N

Deploying Servers

Installing KMS Starting with Windows Server 2008, KMS is automatically included. However, the first KMS host needs a KMS key installed and then activated with Microsoft. After this initial activation, the KMS host does not communicate any further information to Microsoft. The following information is sent to Microsoft when you active the first KMS host: NÛ

IP address

NÛ

Product key

NÛ

Language settings

NÛ

Edition of the operating system

NÛ

Hardware ID hash

NÛ

Current date

NÛ

License and activation condition

Microsoft recommends having a minimum of two KMS host machines. This will ensure a failover to one or the other host in case of loss of connectivity.

The KMS service does not require a backup because it does not contain any data that can be lost. If a KMS host is lost, the replacement server will require the same configuration and hostname as the previous KMS host. The new host will then start to collect the activation request until it reaches the minimum threshold. You can keep a record of the KMS activations by saving the Key Management Service logs that will appear in the applications and services logs.

KMS can be installed on any physical machine running Windows Vista, Windows Server 2008, or Windows Server 2003. A KMS host installed on a Vista machine can only activate other Vista machines, so planning is needed for your environment. After the first KMS host is activated with Microsoft, the additional KMS host will activate to the first KMS host.

A KMS key can be used to activate up to five more KMS hosts on a network. Each KMS host can then be activated up to nine more times with the same key. If your company requires more than six KMS hosts, you can request additional activations. For more information, see the Volume Licensing website at http://go.microsoft.com/fwlink/?LinkID=73076.

In Exercise 9.7, you’ll install a KMS host on a Windows 2008 Server machine.

Configuring Microsoft Windows Activation

385

E XERCISE 9.7

Installing a KMS Host Follow these steps to install a KMS host:

1.

Click Start, right-click Command Prompt, and choose Run as Administrator.

2.

To your KMS key, type the following and press enter: cscript฀C:\windows\system32\slmgr.vbs฀/ipk฀ Replace with your License key

3.

To activate your KMS host, you have two options

a.

To active online, type the following and press enter: cscript฀C:\windows\system32\slmgr.vbs฀/ato

b.

To active over the phone, type the following and press Enter: slui.exe฀4

4.

When the activation completes, restart the Software Licensing Service.

When you install a new KMS key, it will reset your activation count. The KMS count will need to be rebuilt before the KMS host can serve client machines. This will be done automatically because client machines will check back with the KMS server on a regular basis.

Configuring KMS After a KMS host is enabled and activated, no additional configuration is required. There are a number of options that can be configured if your environment has special needs. Table 9.1 lists some provided scripts that can be run in a elevated command prompt to modify the standard configuration. TA B L E 9 .1

Optional KMS Settings

Description

Cscript

Configure the TCP port used by the KMS host

Cscript C:\windows\system32\slmgr.vbs฀/sprt฀

Disable DNS publishing

Cscript C:\windows\system32\slmgr.vbs฀/cdns

Re-enable DNS publishing

Cscript C:\windows\system32\slmgr.vbs฀/sdns

386

Chapter 9

TA B L E 9 .1

N

Deploying Servers

Optional KMS Settings

(continued)

Description

Cscript

Set KMS host process to a lower priority

Cscript C:\windows\system32\slmgr.vbs฀/cpri

Set KMS host process to normal priority

Cscript C:\windows\system32\slmgr.vbs฀/spri

Change activation interval for clients not activated

Cscript C:\windows\system32\slmgr.vbs฀/sai฀

Change activation renewal interval

Cscript C:\windows\system32\slmgr.vbs฀/sri฀



After changing any of the default settings, it is recommended to restart the KMS service or reboot the computer. A very important item to review and make any needed changes to is DNS. If your environment uses Dynamic DNS, which most Active Directory domains do, and you plan to have only a single KMS host, then you might not require any further configuration. However, if your network does not have Dynamic DNS or you have multiple KMS servers, some changes may be needed for KMS clients to receive updated information from DNS. When a domain contains multiple KMS hosts, only one KMS host can update the DNS entries. Any additional KMS hosts will be unable to change or update the SRV records unless changes are made to the DNS server. Think of it this way: For a house to receive mail and packages, it is given a unique address. Only that one house receives that address, and it stays with that house so that delivery services know where to find it. A normal person cannot change that address. Similarly, the first KMS host to record its DNS information becomes the owner of that DNS record. When an environment has more than one KMS host, it requires that we give permission to all the KMS hosts to change or update information. This can be accomplished in two ways: manually change the DNS SRV record or change the default SRV permission on the DNS server. DNS publishing is enabled by default. For KMS publishing to work, the network must support SRV publishing. Many organizations prevent this for security reasons. If this is the case, then it is necessary to create or copy the SRV record manually. If it all possible, it is recommended that you use the KMS publishing in DNS. Using this method will allow the KMS host to make changes in DNS; some of the changes include IP address, computer name, and TCP port. The KMS host will update its record once a day just in case DNS scavenges the information. To configure permissions on the DNS server to allow KMS host to publish SRV information in a single DNS domain, complete Exercise 9.8.

Configuring Microsoft Windows Activation

EXERCISE 9.8

Configuring DNS Permissions for a KMS Host Follow these steps to configure DNS permissions for a KMS host:

1.

Choose Start  All Programs  Administrative Tools  Active Directory Users and Computers.

2.

Expand your organization, right-click on Users, and choose New and then Group.

3.

Provide a name for the KMS host group and ensure that the group type is Global.

387

388

Chapter 9

N

Deploying Servers

E XE RC I S E 9. 8 (continued)

4.

Click OK.

5.

Right-click on the newly created group and choose Properties.

6.

Click on the Members tab and then click Add.

7.

In the Select Users box that opens, click Object Types.

8.

In the Object Types box, check Computers and then click OK.

9.

In the Enter Object Names box, input the names of the KMS host machines and click OK.

10. Click Apply and OK, which will then close the AD group Properties dialog box. 11. Close the Active Directory Users and Computers MMC. 12. Open Windows DNS Manager by choosing, Start  All Programs  Administrative Tools  DNS.

13. Right-click the DNS server and choose Properties. 14. Click the Security tab and then click Add.

Configuring Microsoft Windows Activation

389

E XE RC I S E 9. 8 (continued)

15. Enter the security group that was created in step 4. 16. Give the group that was just added permissions to allow updates on the DNS server. 17. Click OK to finish.

At times, organizations will have more than one DNS domain. If this is the case, you can create a list of DNS domains that the KMS host can use when publishing it records. By default, a KMS host will publish information only to the primary DNS domain. This behavior is modified by editing the Registry. Remember that editing the Registry can lead to serious damage to the operating system if not done properly. As a general practice, you should have a proper backup of the server and the Registry settings before editing the Registry. To change the KMS host to publish in multiple domains, follow the steps outlined in Exercise 9.9. EXERCISE 9.9

Publishing in Multiple Domains To configure a KMS host to publish in multiple domains, complete the following steps:

1.

Click Start, right-click Command Prompt, and choose Run as Administrator.

2.

Type Regedit.exe and then press Enter.

390

Chapter 9

N

Deploying Servers

E XE RC I S E 9. 9 (continued)

3.

Navigate to the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SL

4.

Right-click on SL and choose New and then Multi-String Value.

Configuring Microsoft Windows Activation

E XE RC I S E 9. 9 (continued)

5.

For the name of the new value, type DnsDomainPublishList and press Enter.

6.

Right-click DnsDomainPublishList and choose Modify.

7.

In the Value Data section, type each DNS domain suffix that you want the KMS host to publish to; each one should be on a separate line.

8.

Click OK to finish.

9.

Restart the Software Licensing Service.

391

392

Chapter 9

N

Deploying Servers

If your environment has security policies or anything else that would block the KMS host from creating and updating the DNS SVR record, you will need to manually create the entry. If the KMS host is not allowed to create or update the SVR record, then it is recommended that you disable the auto-publishing on all KMS hosts. Exercise 9.10 will walk you through creating a KMS SVR record in a Microsoft DNS server. E X E R C I S E 9 .1 0

Creating a KMS SVR Record Follow these steps to manually create a KMS SVR record in a DNS server:

1.

Choose, Start  All Programs  Administrative Tools  DNS.

2.

Expand the DNS server and expand Forward Lookup Zones.

3.

As seen in the following screen shot, right-click on the first domain that will contain the SRV record and choose Other New Records.

4.

Scroll down and click on Service Location (SRV).

Configuring Microsoft Windows Activation

E X E R C I S E 9 .1 0 ( c o n t i n u e d )

5.

Click Create Record.

6.

In the New Resource Record dialog box, enter the following: Service: _VLMCS Protocol: _TCP Port Number: 1688 Host Offering This Service: (This is the Full Qualified Domain Name of your server.)

7.

Click OK and then Done.

393

394

Chapter 9

N

Deploying Servers

Install from Media When you’re planning to use WDS to deploy a server, using Install from Media (IFM) can create a copy of the Active Directory data to reduce synchronization for the new domain controller. IFM can create install media for writeable (full) and read-only domain controllers (RODC). Although this section may seem to be out of place for a chapter on deploying servers, using IFM can speed up the deployment of Active Directory servers. Knowing how to use IFM is important for passing the 70-643 exam; however, knowing how Active Directory works and how to manage it is outside the scope of this book. IFM uses the ntdsutil utility and is a subcommand of that utility. This utility is built into Windows Server 2008 and is available if you have one of the following two roles installed: NÛ

Active Directory Domain Services (AD DS)

NÛ

Active Directory Lightweight Directory Services (AD LDS)

Earlier versions of IFM required several steps to create the media, including a backup and restore, but in Windows 2008, it is possible to create an IFM set in one step. Again, the NTDSUTIL is used to create the media, with or without the SYSVOL. NTDSUTIL uses Volume Shadow Copy to create a snapshot of AD from a running domain controller; then it defrags the database and replays its logs. When would this feature be of benefit? One example would be when you’re deploying servers to branch offices. In many cases, branch offices have slower WAN links, which in turn may make it take a considerable amount of time and bandwidth to replicate the data. In short, using IFM can deploy domain controllers more quickly and efficiently. There are a number of facts to keep in mind when using IFM: NÛ

NÛ

NÛ

NÛ

NÛ

NÛ

You can use a 32-bit domain controller with Windows Server 2008 to create installation media for a 64-bit DC. Using the NTDSUTIL to create RODC is safe. It will remove any cached secrets like passwords from the media. However, you still want to keep the media in a safe location because it includes the information to create a DC in your network. Full AD DS installation media includes the Registry and SYSVOL data, if that option in chosen. If the during the creation of the IFM media you press Ctrl+C or it gets interrupted in other manners, be sure to remove the temp log files before trying again. IFM cannot be run on a DC that runs Windows 2003. When you install AD DS on another DC, be sure to specify the same subfolder used when running the IFM command.

When a server is deployed using IFM, it will only need to replicate any changes to objects in AD since the IFM media was created. This means that the amount of time that has passed since the creation of the media would affect how much data will be replicated. IFM media is thus time sensitive and is no longer valid after 60 days by default because the domain tombstone threshold would have passed.

Configuring Microsoft Windows Activation

Exercise 9.11 will show you how to capture data for IFM: E X E R C I S E 9 .11

Capturing data for Install from Media To create IFM media, follow these steps:

1.

Click Start, right-click Command Prompt, and choose Run as Administrator.

2.

Type ntdsutil and press Enter.

395

396

Chapter 9

N

Deploying Servers

E X E R C I S E 9 .11 ( c o n t i n u e d )

3.

Type IFM and press Enter.

4.

To create an RODC, type Create฀rodc฀c:\installfrommedialocation.

C:\installfrommedia is the location where you want the media to be created. This will create a installation that does not include SYSVOL. To create an installation that contains SYSVOL, add sysvol after typing create. Here’s an example: Create฀sysvol฀rodc฀c:\installfrommedialocation

5.

When the media creation is successful, you’ll see the message “IFM media created successfully in .”

Exam Essentials

397

Summary Windows Deployment Services can provide an immediate value to both an IT administrator and an organization. It makes images or exact copies of a properly prepared machine that can be used to clone other machines. This allows for increased efficiency and results in standardization in machine builds. Time should be devoted to planning and configuring the WDS server and creating proper build images. An exciting new feature was introduced called Windows 2008 Server Core. This edition of the server family provides a simplified version of the full product. You saw how fast and simple it was to install Server Core in Exercise 9.6. We also reviewed the benefits of having a simple version of Windows Server 2008. The importance of Windows Product Activation (WPA) was stressed when we looked at Key Management Services (KMS). If a product is not properly activated, it functionality will become limited. This reduction in functionality will continue until a user can use a web browser for only 60 minutes. A KMS host server can reduce the footprint of activation on an organization’s network and allow them to continue to use volume license keys.

Exam Essentials Understand how to use images. Know how to capture, prepare, and deploy images. A understanding of the build process works will be beneficial. You should also know when to create an image and how to prepare one. Take the time to get familiar with IFM and the types of IFM you can create along with when you would use each type. Understand how to Deploying Images. Understand how the deployment process works and how to deploy an image to multiple machines at the same time. Understand the Server Core basics. Learn the steps needed to install Server Core and when deploying it would make the most sense. Understand the basic features as well as the perquisites that are necessary for installation. Understand the importance of Windows Activation. Have a thorough knowledge of how KMS works and why it is needed. Understand how it interacts with DNS and how to configure or create SVR records. Take some time to study how to install or enable KMS with a license key.

Chapter 9

398

N

Deploying Servers

Review Questions 1.

What changes have been make in WDS? (Choose all that apply.) A. Support for WinPE as a boot operating system

2.

B.

Support for x64-bit systems

C.

Can be used to deploy Norton Ghost images

D.

Removed the ability to use multicast

What is an install image? A. This is the image a client machine will boot into.

3.

B.

This is the CD that contains the installation media.

C.

This is the image that contains the operating system you want to deploy.

D.

This is a backup image that is used to restore single files.

What two components does WDS rely on for IP addresses and name resolution? A. NTFS

4.

B.

DNS

C.

KMS

D.

DHCP

What is the difference between a transportation server and deployment server when discussing WDS? A. A deployment server gives WDS full functionality.

5.

B.

There is no difference as they are both services of WDS.

C.

A deployment server does not need AD.

D.

A transportation server provides full WDS functions.

What is the name of the utility that Microsoft provides, besides a wizard, to configure WDS? A. Command prompt

6.

B.

DNSLint

C.

FCIV

D.

WDSUTIL

What are some of the options that can be configured in WDS Properties? (Choose all that apply.) A. Boot settings B.

Transportation rules

C.

DHCP port

D.

Activation

Review Questions

7.

Which role must be installed on a server to use IFM? A. Fax

8.

B.

Active Directory Domain Services

C.

DNS

D.

DHCP

What is RODC? A. The protocol in which a domain controller replicates

9.

B.

Redundant Domain Controller

C.

Read-only Domain Controller

D.

Writeable Domain Controller

If the process of creating the IFM media gets interrupted, what files should be deleted before trying again? A. Temp log files B.

Install files

C.

WIM files

D.

PST files

10. What tool or utility is used to configure Windows Server Core? A. COREUtil B.

WDSUTIL

C.

Server manager

D.

Command line

11. What roles are supported by Server Core? (Choose all that apply.) A. DHCP B.

Streaming Media Services

C.

.NET

D.

Desktop Experience

12. How much memory is required to install Server Core? A. 2GB B.

512MB

C.

256MB

D.

1GB

13. How much free space does Server Core require to install? A. 2GB B.

4GB

C.

1GB

D.

8GB

399

Chapter 9

400

N

Deploying Servers

14. What is a prerequisite for a KMS installation? A. 2GB of free space B.

512MB RAM

C.

Volume license key

D.

Windows Installation media

15. What are the activation thresholds for KMS before it will start activating clients? (Choose all that apply.) A. 50 physical Vista computers B.

25 physical Vista computers

C.

100 physical Vista computers or servers

D.

5 physical Windows 2008 servers

16. What information is sent to Microsoft when you activate the first KMS host? A. Web activity B.

DOC file numbers

C.

Product key

D.

Number of computers on the network

17. How do you back up a KMS host? A. No backup is needed. B.

Use NTBACKUP.

C.

Use a third-party backup program.

D.

Microsoft will provide the backup utility when you purchase the KMS key.

18. What operating systems can a KMS host be installed on? (Choose all that apply.) A. Windows Server 2000 B.

Windows Vista

C.

Windows 2008 Server

D.

Windows XP

19. How many other KMS host can the first KMS host activate? A. 5 B.

9

C.

1

D.

7

20. To run the scripts to configure additional settings in KMS, what utility should be used? A. Command prompt B.

KMSUTIL

C.

Elevated command prompt

D.

WDSUTIL

Answers to Review Questions

401

Answers to Review Questions 1.

A, B.

WDS changes include support for WinPE and the ability to support x64 bit systems.

2.

C.

3.

B, D.

4.

A. When the Deployment Server option has been selected, it provides full functionality to the WDS server.

5.

D.

6.

A, C. You can configure the boot settings and change the DHCP port within WDS server properties.

7.

B.

To use the IFM utility, you must install the AD DS role or the AD LDS role.

8.

C.

An RODC is a read-only domain controller.

9.

A.

Delete the temp log files before attempting to retry a failed IFM creation.

Install images contain the operating system that you want to deploy to a machine. WDS relies on DHCP and DNS to provide IP addresses and name resolution.

Microsoft provides the WDSUTIL utility to configure the WDS server.

10. D. As Server Core does not contain a GUI, configuration is accomplished by using the command line. 11. A, B.

Server Core supports DHCP and Streaming Media Services.

12. B.

Server Core requires 512MB of RAM for installation..

13. C.

Server Core requires 1GB of free space to install.

14. C.

You must have a valid volume license key to enable KMS.

15. B, D. KMS requires 25 physical Vista computers and 5 Windows 2008 servers before it will activate clients. 16. C. One of the items that is sent to Microsoft when you activate the first KMS host is the product key. 17. A.

It is not necessary to back up a KMS host because it contains only activation logs.

18. B, C. A KMS host can be installed on both a Windows Vista and a Windows Server 2008 machine. 19. A.

KMS key can activate up to five more hosts on a network.

20. C.

You must run the scripts from an elevated command prompt.

Chapter

10

Configuring High Availability in Windows Server 2008 MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configure high availability. May include but is not limited to: failover clustering, Network Load Balancing, hardware redundancy

Windows Server 2008 has improved the options for high availability as well as the ease of configuring them. High availability can be better achieved with Windows Server 2008’s superior software stability and improved failover and network load balanced clustering. The exam will cover the basic configuration and operational functions for both a failover cluster and network load balancing. This chapter will give an introduction to achieving high availability with hardware and operational changes as well as using the high availability features of Windows Server 2008. This chapter will cover the following topics: NÛ

Components of high availability

NÛ

Achieving high availability with failover clustering

NÛ

Achieving high availability with network load balancing

Components of High Availability High availability is a buzzword that many application and hardware vendors like to throw around to get you to purchase their product. Many different options are available to achieve high availability, and there also seem to be a number of different definitions and variations that help vendors sell their products as high availability solutions. But when it comes down to it, high availability is simply providing services with maximum uptime by avoiding unplanned downtime. Often disaster recovery (DR) is also closely lumped into discussions of high availability, but DR encompasses the business and technical processes that are used to recover once a disaster has happened. Defining a high availability plan usually starts with a Service Level Agreement (SLA). At its base, an SLA defines the services and metrics that must be met for availability and performance of an application or service. Often an SLA is created for an IT department or service provider to provide a specific level of service. An example of this might be an SLA for a Microsoft Exchange server. The SLA agreement for an Exchange server might have uptime metrics on how much time during the month the mailboxes need to be available to end users, or it might define performance metrics for the amount of time that it takes for email messages to be delivered. When determining an SLA, two other factors need to be considered, but often you will see them discussed when only in the context of disaster recovery even though they are important for designing a highly available solution. These factors are recovery point objective (RPO) and recovery time objective (RTO). An RTO is the length of time an application

Achieving High Availability

405

can be unavailable before service must be restored to meet the SLA. For example, a single component failure would have an RTO of less than 5 minutes, and a full-site failure might have an RTO of 3 hours. An RPO is essentially the amount of data that must be restored for a failure. For example, in a single server or component failure, the RPO would be 0, but in a site failure, the RPO might allow for up to 20 minutes of lost data. SLAs, on the other hand, are usually expressed in percentages of the time the application is available. These percentages are also often referred to as the number of nines the percentage has, as shown in Table 10.1. TA B L E 1 0 .1

Availability Percentages

Availability Rating

Allowed Unplanned Downtime/year

99%

3.7 days

99.9%

8.8 hours

99.99%

53 minutes

99.999%

5.3 minutes

Two important factors that affect an SLA are the mean time between failure (MTBF) and the mean time to recover (MTTR). To be able to reduce the amount of unplanned downtime, the time between failures must be increased and the time it takes to recover must be reduced. Modifying these two factors will be covered in the next several sections of this chapter.

Achieving High Availability As the information presented during the Windows installation states, Windows Server 2008 is the most secure and reliable Windows version to date. It also is the most stable, mature, and capable of any version of Windows. Although we have seen similar claims in previous versions of Windows Server, we can be sure that Windows Server 2008 is much better than previous versions for a variety of reasons. An honest look at the feature set and real-world experience should prove that this version of Windows provides the most suitable foundation for creating a highly available solution. However, more than just good software is needed to be able to offer high availability for applications. Just as a house needs a good foundation, a highly available Windows Server needs a stable and reliable hardware platform to run on. Although Windows Server 2008 will technically run on desktop-class hardware, high availability is more easily achieved with server-class hardware. What differentiates desktop-class and server-class hardware? Serverclass hardware has more management and monitoring features built in so that the health

406

Chapter 10

N

Configuring High Availability in Windows Server 2008

of the hardware is able to be monitored and maintained. Another large difference is that server-class hardware has redundancy options. Server-class hardware often has options to protect from drive failures, such as RAID controllers, and to protect against power supply failures, such as multiple power supplies. And enterprise-class servers have more. More needs to be done than just installing Windows Server 2008 to ensure that the applications stay running with the best availability possible. A house needs maintenance and upkeep to keep the structure in proper repair, as does a server. In the case of a highly available server, this means patch management. Microsoft releases monthly security updates to fix security problems with its software, both for operating system fixes and for applications. To ensure that your highly available applications are immune to known vulnerabilities, these patches need to be applied in a timely manner during a schedule maintenance window. Also, to address stability and performance issues, updates and service packs are released regularly for many applications, such as Microsoft SQL Server, Exchange Server, and SharePoint Portal Server. Many companies have a set schedule— daily, weekly, or monthly—to apply these patches and updates after they are tested and approved. To continue even further with the house analogy, if you were planning to have crown molding installed, would you rather hire a college student on spring break looking to make some extra money to do the job or a seasoned artisan? Of course you would want someone with experience and a proven record of accomplishment to install your expensive crown molding. Likewise, with any work that needs to be done on your highly available applications, it’s best to hire only adequately qualified individuals. This is why obtaining a Microsoft certification is definitely an excellent start in becoming qualified to properly configure a server to be highly available. There is no substitute for real-life and hands-on experience. Working with highly available configurations in a lab and in production will help you to know not only what configurations are available, but also how the changes should be made. For example, it may be possible to use failover clustering for a WINS server, but in practice it may be easier to support and less expensive in hardware cost to use WINS replication to provide high availability. This is something you would know only if you had enough experience to make this decision. As with your house, once you have a firm and stable foundation built by skilled artisans and a maintenance plan has been put into place, you need to ascertain what more is needed. If you can’t achieve enough uptime with proper server configuration and mature operational processes, a cluster may be needed. Windows Server 2008 provides for two types of clustering: failover clustering and Network Load Balancing (NLB). Failover clustering is used for applications and services such as SQL Server and Exchange Server. Network Load Balancing is used for network-based services such as web and FTP servers. The remaining sections of the chapter will cover both of these clustering options in detail.

Achieving High Availability with Failover Clustering

407

To Cluster or Not to Cluster Clustering is often thrown into the mix when someone wants to achieve higher availability. This is often a good step toward improved availability, but at times the return on the investment of a cluster doesn’t always add up. Although Windows Server 2008 greatly simplifies both the creation and management of a failover cluster, there is added complexity and cost in hardware, software, and personnel. How do you determine whether to cluster applications? Sometimes even though it is possible to cluster applications, they perform worse when clustered. Other times only a small improvement is made when a cluster is created. You have to balance the slight improvement over the increased hardware cost, increased complexity, and the increased level of training required for the administrators.

Achieving High Availability with Failover Clustering Taking high availability to the next level for enterprise services often means creating a failover cluster. In a failover cluster, all of the clustered application or service resources are assigned to one node or server in the cluster. Commonly clustered applications are SQL Server and Exchange Server; commonly clustered services are File and Print. Since the differences between a clustered application and a clustered service are primarily related to the number of functions or features, for simplicity we will refer to both as clustered applications. If there is a failure of the primary node, or if the primary node is taken offline for maintenance, the clustered application is started on another cluster node. The client requests are then automatically redirected to the new cluster node to minimize the impact of the failure. How does failover clustering improve availability? By increasing the number of server nodes that the application has available to run on, you can move the application to a healthy server if there is a problem, if maintenance needs to be completed on the hardware or the operating system, or if patches need to be applied. The clustered application can be moved from node to node without having to restart. Usually, moving an application between nodes is transparent to the clients. Only severe node failures will require the application to be restarted before it is able to service clients. Figure 10.1 shows an example of SQL Server running on the first node of a Windows Server 2008 failover cluster.

408

Chapter 10

F I G U R E 1 0 .1

N

Configuring High Availability in Windows Server 2008

Using failover clustering to cluster SQL Server

Clients

Node A

Node B

SQL Server

Active

Passive

SAN

The clustered SQL Server in Figure 10.2 can be failed over to another node in the cluster and still service database requests. F I G U R E 10 . 2

Failing the SQL Server service to another node

Clients

Node A

Node B SQL Server

Passive

Active

SAN

Failover clustering is notorious for being complicated and expensive. Windows Server 2008 makes strides to remove both of these concerns. Troubleshooting and other advanced concepts are outside the scope of the 70-643 exam and thus this book, so we will cover only the basic requirements and concepts need to configure a failover cluster.

Achieving High Availability with Failover Clustering

409

Failover Clustering Requirements To be able to configure a failover cluster, first you must have the required components. The first requirement is that the correct Windows Server 2008 edition has been installed. Only the Windows Server 2008 Enterprise Edition and Windows Server 2008 Datacenter Edition are allowed to participate in a failover cluster. A single failover cluster can have up to 16 nodes when using the x64 installation and up to 8 nodes when using the x86 installation; however, the clustered service or application must support that number of nodes. The appropriate server hardware is also required. Although the exact hardware will depend on the clustered application, there are a few requirements that are standard. The basic hardware requirements are as follows: NÛ

Server components must be marked with the “Certified for Windows Server 2008” logo.

NÛ

Server hardware should match and contain the same or similar components.

NÛ

All of the Validate a Configuration Wizard tests must pass.

NÛ

All servers in a cluster must run the same processor architecture, such as 32-bit, x64-based, or Itanium-based architecture.

The requirements for failover clustering storage have changed from previous versions of Windows. For example, Parallel SCSI is no longer a supported storage technology for any of the clustered disks. There are, however, additional requirements that need to be met for the storage components: NÛ

Disks available for the cluster must be Fibre Channel, iSCSI, SAS, or SATA-based disk.

NÛ

Each cluster node must have a dedicated network interface card for iSCSI connectivity.

NÛ

Multipath software must be based on Multipath I/O (MPIO).

NÛ

Storage drivers must be based on storport.sys.

NÛ

NÛ

Drivers and firmware for the storage controllers on each server node in the cluster should be the identical. Storage components must be marked with the “Certified for Windows Server 2008” logo. In addition, there are network requirements that must be met for failover clustering:

NÛ

NÛ

NÛ

Cluster nodes should be connected to multiple networks for communication redundancy. Network adapters should be the same make, use the same driver, and have the firmware version in each cluster node. Network components must be marked with the “Certified for Windows Server 2008” logo.

There are two types of network connections in a failover cluster. These should have adequate redundancy as total failure of either could cause loss of functionality of the cluster. The two types are as follows: NÛ

NÛ

Public network. This is the network through which clients are able to connect to the clustered service application. Private network. This is the network used by the nodes to communicate to each other.

410

Chapter 10

N

Configuring High Availability in Windows Server 2008

To provide redundancy for these two network types, additional network adapters would need to be added to the node and configured to connect to the networks. In previous versions of Windows Server, support was given only when the entire cluster configuration was tested and listed on the HCL. The tested configuration listed the server and storage configuration down to the firmware and driver versions. This proved to be very difficult and expensive from both a vendor and consumer perspective to deploy supported Windows clusters. When problems did arise and Microsoft support was needed, it caused undue troubleshooting complexity as well. With Windows Server 2008 failover clustering, simplified requirements, including the “Certified for Windows Server 2008” logo program and the Validate a Configuration Wizard, all but eliminate the guesswork that was put into getting the cluster components configured in a way that will follow best practices and allow for Microsoft support to easily assist in a case it might be needed.

Cluster Quorum When a group of people sets out to accomplish a single task or goal, a method for settling disagreements and for making decisions is required. In the case of a cluster, the goal is to provide a highly available service in spite of failures. When a problem occurs and a cluster node loses communication with the other nodes due to a network error, the functioning nodes are supposed to try to bring the redundant service back online. How, though, is it determined which node should bring the clustered service back online? If all of the nodes are functional despite the network communications issue, each one might try. Just like a group of people with their own ideas, a method must be put in place to determine which idea, or node, to allow control of the cluster. Windows Server 2008 failover clustering, like other clustering technologies, requires that a quorum exist between the cluster nodes before a cluster becomes available. A quorum is a consensus of the status of each of the nodes in the cluster. Quorum must be achieved in order for a clustered application to come online by obtaining a majority of the votes available. Windows Server 2008 has four quorum models, or methods for determining quorum and for adjusting the number and types of votes available: NÛ

Node Majority

NÛ

Node and Disk Majority

NÛ

Node and File Share Majority

NÛ

No Majority: Disk Only

Node Majority, shown in Figure 10.3, allows only the cluster nodes to vote to obtain quorum. Node Majority is recommended for clusters with an odd number of nodes. When this quorum model is chosen, the cluster can sustain failures of up to one less than half of the nodes. For example, a five-node cluster can sustain two node failures. Node and Disk Majority, shown in Figure 10.4, allows the cluster nodes and a disk on shared storage to vote to obtain quorum. Node and Disk Majority is recommended for clusters with an even number of nodes. When this quorum method is chosen, the cluster can sustain failures of up to half the nodes if the witness disk remains online. For example, an eight-node

Achieving High Availability with Failover Clustering

411

cluster with the witness disk online could sustain four node failures. Similar to a Node Majority quorum, this model can sustain failures of up to one less than half of the nodes if the witness disk goes offline or fails. F I G U R E 10 . 3

Node Majority cluster

When a majority of the nodes are communicating, the cluster is functional.

x When a majority of the nodes are not communicating, the cluster stops.

x F I G U R E 10 . 4

x

x

Node and Disk Majority cluster When two out of the four nodes and the witness disk communicate, the cluster is running.

x

x When three out of the four nodes communicate, the cluster is running.

x x When only one of the four nodes and the witness disk communicate, the cluster is down.

x

x

x

412

Chapter 10

N

Configuring High Availability in Windows Server 2008

Node and File Share Majority allows the cluster nodes and a file share to vote to obtain quorum. Node and File Share Majority is recommended for clusters with non-shared disk configurations such as Exchange Server 2007 Clustered Continuous Replication (CCR) clusters or multi-site clusters. This quorum works in a similar way to Node and Disk Majority, but instead of a witness disk, this cluster uses a witness file share. No Majority: Disk Only, shown in Figure 10.5, uses only a shared disk to obtain quorum. This quorum type is similar to legacy Windows Server cluster types and is not a recommended solution because the shared disk is a single point of failure. If the shared disk fails, none of the clustered applications can come online. It can, however, sustain failures of all nodes except one, assuming the shared disk is online. F I G U R E 10 . 5

No Majority: Disk Only cluster When one node and the disk are communicating, the disk is running.

x

x

When all three of the nodes are communicating with each other but not with the disk, the cluster stops.

x Validating a Cluster Configuration Configuring a failover cluster in Windows Server 2008 is much simpler than in previous versions of Windows Server. Before a cluster can be configured, the Validate a Configuration Wizard should be run to verify that the hardware is configured in a fashion that is supportable. Before you can run the Validate a Configuration Wizard, however, the Failover Clustering feature needs to be installed using Server Manager. The account that is used to create a cluster must have administrative rights on each of the cluster nodes and have permissions to create a cluster name object in Active Directory. Follow these steps: 1.

Prepare hardware and software perquisites.

2.

Install the Failover Clustering feature on each server.

3.

Log in with appropriate user ID and run the Validate a Configuration Wizard.

4.

Create a cluster.

5.

Install and cluster applications and services.

Achieving High Availability with Failover Clustering

413

To install the Failover Clustering feature on a cluster node, follow the steps outlined in Exercise 10.1. E X E R C I S E 1 0 .1

Installing the Failover Cluster Feature Follow these steps to install the Failover Cluster feature:

1.

Click Start  Administrative Tools  Server Manager.

2.

Select Add Features, located in the Features Summary section of Server Manager.

3.

Select the Failover Clustering feature from the displayed list and click Next.

4.

In the Confirm Installation Selections page, review the selection and then click Install.

5.

When the installation process completes, click Close.

Using the Validate a Configuration Wizard before creating a cluster is highly recommended. This wizard validates that the hardware and software configuration for the potential cluster nodes are in a supported configuration. Even if the configuration passes the tests, care should be taken to review all warnings and informational messages so that they can be addressed or documented before the cluster is created. Running the Validate a Configuration Wizard does the following: NÛ

NÛ

Conducts four types of tests: Software and Hardware Inventory, Network, Storage, and System Configuration. Confirms that the hardware and software settings are supportable by Microsoft support staff.

You should run Validate a Configuration Wizard before creating a cluster or after any major hardware or software changes to the cluster. Doing this will help identify any misconfigurations that could cause problems with the failover cluster. In the next section, we will cover the process for running the Validate a Configuration Wizard.

Running the Validate a Configuration Wizard The Validate a Configuration Wizard, shown in Figure 10.6, is simple and straightforward to use, as its “wizard” name would suggest. It must be run after the Failover Clustering feature has been installed on each of the cluster nodes and can be run as many times as required.

When you are troubleshooting cluster problems or have changed the configuration of the cluster hardware, it is a good idea to run the Validate a Configuration Wizard again to help pinpoint potential cluster configuration problems.

414

Chapter 10

F I G U R E 10 .6

N

Configuring High Availability in Windows Server 2008

The Validate a Configuration Wizard

If you already have a cluster configured and want to run the Validate a Configuration Wizard, you can do so; however, you will not be able to run all of the storage tests without taking the clustered resources offline. As shown in Figure 10.7, you will be prompted to either skip the disruptive tests or take the clustered resources offline so the tests can complete. F I G U R E 10 .7

Validating a running cluster

Achieving High Availability with Failover Clustering

Exercise 10.2 shows the exact steps to successfully run the Validate a Configuration Wizard on two servers, named NODEA and NODEB, that are not yet clustered. E X E RC I S E 10. 2

Running the Validate a Configuration Wizard Follow these steps to run the Validate a Configuration Wizard:

1.

Click Start  Administrative Tools  Failover Cluster Management.

2.

In the Actions pane, click Validate a Configuration and click Next.

3.

Type NODEA in the Enter Name field and click Add.

415

416

Chapter 10

N

Configuring High Availability in Windows Server 2008

E X E RC I S E 10. 2 (continued)

4.

Type NODEB in the Enter Name field and click Add.

5.

Click Next.

6.

Leave Run All Tests (Recommended) selected and click Next.

7.

Click Next.

8.

Let the test complete and review the report in the Summary window, and then click Finish.

Achieving High Availability with Failover Clustering

417

Addressing Problems Reported by the Validate a Configuration Wizard After the Validate a Configuration Wizard has been run, it will show the results, as shown in Figure 10.8. This report can also be viewed in detail later using a web browser. The report is named with the date and time the wizard was run and is stored in %windir%\฀ cluster\Reports. F I G U R E 10 . 8

Validate a Configuration Wizard results

How should errors listed in the report be addressed? Often the errors reported by the Validate a Configuration Wizard are self-explanatory; however, there are times when additional help is required. The following three guidelines should help troubleshoot the errors: NÛ

NÛ

NÛ

Read all of the errors because multiple errors may be related. Use the check lists available in the Windows Server help files to ensure that all steps have been completed. Contact the hardware vendor for updated drivers and firmware and guidance for using the hardware in a cluster.

Creating a Cluster After you have successfully validated a configuration and the cluster hardware is in a supportable state, you can create a cluster. The process for creating a cluster is straightforward and similar to process of running the Validate a Configuration Wizard. To create a cluster with NODEA and NODEB, follow the instructions in Exercise 10.3.

418

Chapter 10

N

Configuring High Availability in Windows Server 2008

E X E RC I S E 10. 3

Creating a Cluster Follow these steps to create a cluster:

1.

Click Start  Administrative Tools  Failover Cluster Management.

2.

In the Management section of the center pane, select Create a Cluster.

3.

Read the Before You Begin information and click Next.

4.

In the Enter Server Name box, type NODEA, and then click Add.

5.

Again in the Enter Server Name box, type NODEB, and then click Add.

6.

Verify the entries, and then click Next.

7.

In the Access Point for Administering the Cluster section, enter Cluster1 for the cluster name.

8.

Type 10.10.1.96 as the IP address, type 255.255.255.0 as the subnet mask, and then click Next.

9.

In the Confirmation dialog box, verify the information, and then click Next.

10. On the Summary page, click Finish.

Achieving High Availability with Failover Clustering

419

E X E RC I S E 10. 3 (continued)

By creating a cluster, you have established the foundation for your clustered applications. At this point in the configuration, however, there are only a couple of activities that can be completed, such as adding, pausing, and evicting cluster nodes. One of the configuration settings you can change at this point is the quorum type of the cluster. During the setup of the cluster, the best quorum model is chosen based on the number of cluster nodes and the disk configuration. To change the quorum type, in Failover Cluster Management, choose the cluster name from the Connections pane and then click Quorum Settings from the Actions pane. As shown in Figure 10.9, this will allow you to choose a valid quorum model based on the current cluster configuration.

Working with Cluster Nodes Once a cluster is created, there are a couple actions that are available. First, you can add another node to the cluster by using the Add Node Wizard from the Failover Cluster Management Actions pane. Also at this point, you have the option to pause a node, which prevents resources from being failed over or moved to the node. You typically would pause a node when the node is involved in maintenance or troubleshooting. After a node is paused, it must be resumed to allow resources to again be run on it. Another action available to perform on a node at this time is evict. Eviction is a reversible process. Once you evict the node, it must be re-added to the cluster. You would evict a node when it is damaged beyond repair or is no longer needed in the cluster. If you evict a damaged node, you can repair or rebuild it and then add it back to the cluster using the Add Node Wizard.

420

Chapter 10

F I G U R E 10 . 9

N

Configuring High Availability in Windows Server 2008

Changing the quorum model

Clustering Roles, Services, and Applications Once the cluster is created, applications, services, and roles can be clustered. Windows Server 2008 includes a number of built-in roles and features that can be clustered. The following roles and features can be clustered in Windows Server 2008: NÛ

Virtual Machines File Services

NÛ

Print Services

NÛ

DHCP Server

NÛ

Windows Internet Naming Services (WINS)

In addition, other common services and applications are clustered on Windows Server 2008 clusters: NÛ

Enterprise database services such as Microsoft SQL Server

NÛ

Enterprise messaging services such as Microsoft Exchange Server

To cluster a role or feature such as Print Services, the first step is to install the role or feature on each node of the cluster. The next step is to use the Configure a Service or Application Wizard in the Failover Cluster Management tool. Exercise 10.4 shows how to cluster the Print Services role once an appropriate disk has been presented to the cluster. E X E RC I S E 10. 4

Clustering the Print Service Follow these steps to cluster the Print Service:

1.

Click Start  Administrative Tools  Failover Cluster Management.

Achieving High Availability with Failover Clustering

E X E RC I S E 10. 4 (continued)

2.

In the console tree, click the plus sign next to the cluster name to expand the items underneath it.

3.

In the Actions pane, click Configure a Service or Application and click Next on the Before You Begin page.

4.

Click Print Server in the Select Service or Application Page, and then click Next.

421

422

Chapter 10

N

Configuring High Availability in Windows Server 2008

E X E RC I S E 10. 4 (continued)

5.

Type the name of the print server, such as Print1, and type in the IP address that will be used to access the print service, such as 192.168.1.108. Then click Next.

6.

Select Cluster Disk 1 in the Select Storage page as the storage volume for the print server and then click Next.

7.

Click Next again.

8.

After the wizard runs and the Summary page appears, you can view a report of the tasks the wizard performed by clicking View Report.

9.

Close the report and click Finish.

The built-in roles and features all are configured in a similar fashion. Other applications such as Microsoft Exchange Server 2007 have specialized cluster configuration routines that are outside the scope of this exam. Applications that are not developed to be clustered can also be clustered using the Generic Application, Generic Script, or Generic Service option in the Configure a Service or Application Wizard, as shown in Figure 10.10.

Clustered Application Settings Windows Server 2008 has options that allow an administrator to fine-tune the failover process to meet the needs of their business. In the next few sections, we’ll cover those options.

Achieving High Availability with Failover Clustering

F I G U R E 1 0 .1 0

423

Configuring a generic application

Failover is when a clustered application or service moves from one node to another. The process can be triggered automatically due to a failure or server maintenance or manually by an administrator. The failover process works as follows: 1.

The cluster service takes all the resources in the application offline in the order set in the dependency hierarchy.

2.

The cluster service transfers the application to the node that is listed next on the application’s list of preferred host nodes.

3.

The cluster service attempts to bring all of the application’s resources online, starting at the bottom of the dependency hierarchy.

In a cluster that is hosting multiple applications, it may be important to set specific nodes to be primarily responsible for each clustered application. This can be helpful from a troubleshooting perspective since a specific node is targeted for hosting service. To set a preferred node and an order of preference for failover, use the General tab on the Properties dialog box of the clustered application. Also, the order of failover is set in this same dialog box by moving the order in which the nodes are listed. If NODEA should be the primary node and NODEC should be the server that the application fails to first, NODEA should be listed first and selected as the preferred owner. NODEC should be listed second, and the remaining cluster nodes would be listed after NODEC. As shown in Figure 10.11, there are a number of failover settings that can be configured for the clustered service. The failover settings control the number of times a clustered application can fail in a period of time before the cluster does not try to restart it. Typically, if a clustered application fails a number of times, some sort of manual intervention will be required to return the application to a stable state. Specifying the maximum number of failures will keep

424

Chapter 10

N

Configuring High Availability in Windows Server 2008

the application from trying to restart until it is manually brought back online after the problem has been resolved. This is beneficial because if the application continues to be brought online and then fails, it may show as being functional to the monitoring system even though it continues to fail. After the application is put in a failed state, the monitoring system would not be able to contact the application and should report it as being offline. F I G U R E 1 0 .11

Clustered application failover settings

Figure 10.11 also shows the Failback settings for Print1. Failback settings control whether or not and when a clustered application would fail back to the preferred cluster node once it becomes available. The default setting is Prevent Failback. If failback is allowed, two additional options are available, either to fail back immediately after the preferred node is available or to fail back within a specified time. The time is specified in the 24-hour format. If you want to allow failback between 10:00 p.m. and 11:00 p.m., you would set the failback time to be between 22 and 23. Setting a failback time to off hours is an excellent way to ensure that your clustered applications are running on the designated nodes and automatically scheduling the failover process for a time when it will impact the fewest users. One tool that is valuable in determining how resources affect other resources is the dependency viewer. The dependency viewer is a tool that visualizes the dependency hierarchy created for an application or service. Using this tool can help when troubleshooting why specific resources are causing failures and help an administrator better visualize the current configuration and adjust it to meet business needs. Exercise 10.5 will show you how to run the dependency viewer.

Achieving High Availability with Failover Clustering

425

E X E RC I S E 10.5

Using the Dependency Viewer Follow these steps to run the dependency viewer:

1.

Choose Start  Administrative Tool  Failover Cluster Management.

2.

In the console tree, click the plus sign to expand the cluster.

3.

Under the cluster name, click the plus sign to expand Services and Applications.

4.

In Services and Applications, select a service or application such as Print1.

5.

In the Actions pane, click Show Dependency Report.

6.

Review the dependency report.

7.

Close Internet Explorer.

Exercise 10.5 generated a dependency report that shows how the print service is dependent on a network name and a clustered disk resource. The network name is then dependent on an IP address.

426

Chapter 10

N

Configuring High Availability in Windows Server 2008

Resource Properties Resources are physical or logical objects, like a file share or IP address, that the failover cluster manages. They may be a service or application available to clients or they may be part of the cluster. Resources include physical hardware devices such as disks and logical items such as network names. They are the smallest configurable unit in a cluster and can run on only a single node in a cluster at a time. Like clustered applications, resources have a number of properties available to meeting business requirements for high availability. This section covers resource dependencies and policies. Dependencies can be set on individual resources and control how resources are brought online and offline. Simply put, a dependent resource is brought online after the resources that it depends on and is taken offline before those resources. As shown in Figure 10.12, dependencies can be set on a specific resource, such as the print spooler. F I G U R E 1 0 .1 2

Resource dependencies

Resource policies are settings that control how resources respond when a failure occurs and how resources are monitored for failures. The Policies tab of a resource’s Properties dialog box is shown in Figure 10.13.

Achieving High Availability with Failover Clustering

F I G U R E 1 0 .1 3

427

Resource Policies

The Policies tab sets configuration options for how a resource should respond in the event of a failure. The options available are as follows: If Resource Fails, Do Not Restart failed resource offline.

This option, as it would lead you to believe, leaves the

If Resource Fails, Attempt Restart on Current Node With this option set, the resource tries to restart if it fails on the node on which it is currently running. There are two additional options if this is selected so that the number of restarts can be limited. They set the number of time the resource should restart on the current node in a specified length of time. For example, if you specify 5 for maximum restarts in the specified period and 10:00 (mm:ss) for the period, the cluster service will try to restart the resource five times during that 10-minute period. After the fifth restart, the cluster service will no longer attempt to restart the service on the active node. If Restart Is Unsuccessful, Fail Over All Resources in This Service or Application If this option is selected, when the cluster service is no longer trying to restart the resource on the active node, it will fail the entire service or application to another cluster node. If you wanted to leave the application or service with a failed resource on the current node, you would clear this check box. If All the Restart Attempts Fail, Begin Restarting Again after the Specified Period (hh:mm) If this option is selected, the cluster service will restart the resource at a specified interval if all previous attempts have failed.

428

Chapter 10

N

Configuring High Availability in Windows Server 2008

Pending Timeout This option is used to set the amount of time in minutes and seconds that the cluster service should wait for this resource to respond to changing in states. If a resource takes longer than the cluster expects to change states, the cluster will mark it as having failed. If a resource consistently takes longer than this timer and the problem cannot be resolved, you may need to increase this value. The Advanced Policies tab is shown in Figure 10.14. F I G U R E 1 0 .1 4

Resource Advanced Policies

The options available on the Advanced Policies tab are as follows: Possible Owners This option allows an administrator to remove specific cluster nodes from running this resource. Using this option is valuable when there are issues with resource on a particular node and the administrator wants to keep the applications from failing over to that node until the problem can be repaired. Basic Resource Health Check Interval This option allows an administrator to customize the health check interval for this resource. Thorough Resource Health Check Interval This options allows an administrator to customize the thorough heath check interval for this resource. Run This Resource in a Separate Resource Monitor If the resource needs to be debugged by a support engineer, or if the resource conflicts with other resources, this option may need to be used.

Achieving High Availability with Network Load Balancing

429

Achieving High Availability with Network Load Balancing Some applications that need to be highly available do not require failover clustering, such as applications based on web services. These applications typically are able to use Network Load Balancing to balance connections across a number of server nodes. This is more easily done with applications that are session-less or have a minimal amount of session data. An NLB cluster load-balances client TCP/IP connections between cluster nodes and does not share any application data between nodes. If application data needs to be shared between cluster nodes, another facility such as replicaton will need to be used, or the application will need to be able to retrieve this data. This can be accomplished with data replication, accessing data from a centralized location, or other methods. Network Load Balancing is used both for fault tolerance and for scalability. When it’s used for fault tolerance, a failed node can be removed from the cluster and another node will automatically start servicing requests that were handled by the failed node. In some cases, one server does not have enough resources to handle all of the request; when this occurs, NLB can be used to spread the connection load across multiple nodes. When NLB is configured this way, it is configured for scalability.

How Does Network Load Balancing Work? As the name suggests, an NLB cluster uses the network to provide load balancing and redundancy. It is able to accomplish this using a virtual IP address and a virtual media access control (MAC) address that is shared between all of the nodes in the cluster. Client connections are all made to this virtual IP address, as shown in Figure 10.15. When an incoming packet is addressed to the virtual IP address, all of the NLB nodes receive it, but only the appropriate node responds. When a client request arrives, all hosts simultaneously perform a calculation in order to determine which node should handle the request. The chosen node then accepts and responds to the client request and the other cluster nodes discard it. If all nodes are configured identically, the same percentage of client requests will be load-balanced to each node; however, this can be customized to match server capabilities. All nodes synchronize their data about which node should respond to each request and which nodes are active members of the cluster. There are a number of significant improvements to NLB in Windows Server 2008 and they are as follows: NÛ

NÛ

NÛ

NÛ

Support for IPv6 addresses. Support of Network Driver Interface Specification (NDIS) 6.0 with compatibility with older versions. Network Load Balancing can detect and notify applications of excessive load or attack scenarios. Rolling upgrades can be done from Windows Server 2003 to Windows Server 2008.

430

Chapter 10

F I G U R E 1 0 .1 5

N

Configuring High Availability in Windows Server 2008

Network load balanced cluster

One of the advance features of Network Load Balancing is to create port rules. Port rules specify how requests to a specific port range are sent to the NLB cluster. This allows you to specify which nodes will receive traffic for specific TCP/IP ports. For example, say you have an NLB cluster consisting of four servers and it needs to load-balance a web server and an FTP site. The website that runs on TCP port 80 can be limited to use only three of the NLB nodes and the FTP server can be set to only run on two nodes of the NLB cluster. This will help reduce the number of nodes the FTP services would impact when under load.

Network Load Balancing Requirements Failover clusters require that all of the cluster nodes run either the Enterprise or Datacenter edition of Windows Server 2008. Network Load Balancing is a feature that is available in all editions of Windows Server 2008. However, when you’re using x86 editions of Windows Server 2008, the NLB cluster is limited to 8 nodes. When x64 editions of Windows Server 2008 are used, up to 32 nodes can be achieved. What sort of hardware is required to leverage NLB? The recommended configuration uses two network adapters on each node in the cluster. The primary network adapter is used for client communication and the second network adapter facilitates the communication between the cluster nodes. In some configurations, a single network adapter can be used, but the network hardware must support multicast traffic. If multicast is chosen, additional network hardware requirements must be taken into consideration. For instance, upstream network hardware might need the multicast MAC address statically entered in the Address Resolution Protocol (ARP) table. This is because some network hardware does not accept an ARP response that resolves unicast IP addresses to

Achieving High Availability with Network Load Balancing

431

multicast MAC addresses. Also, using the Internet Group Management Protocol (IGMP) multicast option enables IGMP support for limiting switch flooding by limiting traffic to Network Load Balancing ports only. This ensures that traffic intended for an NLB cluster passes through only those network ports serving the cluster hosts and not all ports. If standard multicasting is used, switches might require additional configuration to set the ports that are used for the multicast traffic.

Creating an NLB Cluster The first step in creating an NLB cluster is to prepare each cluster node. In our example, we are going to use two servers, each with two network adapters. The network adapter that will host the load-balanced virtual IP and is used for client connections is renamed Client Network, and the network adapter used for cluster communications is renamed Cluster Network. Last, the Network Load Balancing feature is installed on both servers to prepare for configuration. Exercise 10.6 walks you through creating a simple NLB cluster. E X E RC I S E 10.6

Creating a Network Load Balancing Cluster Follow these steps to create a network load-balanced cluster:

1.

Click Start  Administrative Tools  Network Load Balancing Manager.

2.

In the left pane, right-click Network Load Balancing Clusters, and then click New Cluster.

3.

In the Host field, type NODEA, and then click Connect.

432

Chapter 10

N

Configuring High Availability in Windows Server 2008

E X E RC I S E 10.6 (continued)

4.

Click Client Network, and then click Next.

5.

Click Next to accept the default values for host parameters.

6.

Click Add to add a cluster IP address.

7.

In the IPv4 address field, type 10.10.0.100.

8.

In the Subnet mask field, type 255.255.0.0, click OK, and then click Next.

9.

In the Full Internet name field, type webapp.sybex.com.

10. Select Unicast, click Next, and then click Finish.

Achieving High Availability with Network Load Balancing

433

E X E RC I S E 10.6 (continued)

11. Right-click webapp.sybex.com, and then click Add Host to Cluster. 12. In the Host field, type NODEB, and then click Connect. 13. Click Client Network, and then click Next. 14. Click Next to accept the default values for host parameters, and then click Finish.

Modifying Cluster Properties As mentioned earlier, port rules modify how traffic is directed to NLB cluster nodes. The filtering mode in a port rule defines how request are distributed among nodes in the NLB cluster. You have the following options for filtering modes, as shown in Figure 10.16: Multiple Host By default, this option is set. It configures all NLB nodes to respond based on the weight assigned to each node. This spreads the load across multiple cluster nodes to increase scalability. If this option is selected, one of the Affinity options also needs to be selected. The higher the weight setting, the more load the node will handle. F I G U R E 1 0 .1 6

NLB port rules

434

Chapter 10

N

Configuring High Availability in Windows Server 2008

Single Host This option, when configured, makes it so only the NLB node with the highest priority responds. If the highest-priority node fails, then the next highest-priority node begins to respond. Sending requests to a single node increases availability but does not increase scalability. Disable This Port Range This option blocks all packets for this port range. This option is used when the cluster does not run any applications on a specific port range. The Affinity options, available when the Multiple Host option is selected in the filter, control how requests are distributed to the available cluster nodes. The options for Affinity are as follows: None When this option is set, any available node can respond to any client request. This is suitable for applications such as static web pages that don’t require state information to be saved. For example, the client may retrieve the first web page from Node A and the second web page from Node B. Single When this option is set, a single node responds to all requests from a single client IP address. This is required for applications that you must authenticate, require session state, or encryption. This would be important for web applications that have user session variables like shopping carts. Network. When this option is set, a single node responds to all requests from a specific Class C network. This is useful when clients are accessing the NLB cluster from behind a group of proxy servers. This option ensures that a client connection can be maintained to a specific server even when the source IP address varies within the same subnet. When changing port rules for a specific node, make sure the changes are reflected on the other nodes, otherwise the cluster nodes may never complete convergence, which is needed for all the available cluster nodes to work properly.

Managing NLB Clusters The Network Load Balancing Manager is the graphical interface used to configure and manage NLB clusters and nlb.exe is the command-line counterpart. As shown in Figure 10.17, there are five main functions that can be performed on active NLB cluster nodes: Start, Stop, Drainstop, Suspend, and Resume. These actions are used when managing an NLB cluster. Each of the options has a slightly different function and reason to use: Start

This action starts a stopped NLB cluster node so that it can handle NLB traffic.

Stop This action stops the node temporarily from participating in the cluster and handling NLB traffic. Drainstop This action stops the node from taking new sessions and then waits for active sessions to end before completely stopping participation in the cluster.

Summary

F I G U R E 1 0 .17

435

Managing an NLB cluster node

Suspend This action is different from Stop because suspending NLB stops NLB on the node and suspends all NLB cluster-control commands on the node except for the resume and query commands. Resume This action will start NLB on a node that has been suspended. After the NLB cluster is created and configured, the application also needs to be installed and configured on each server. In the case of a website, it would need to be created on each server and then the content either copied or provided over a network connection to be served.

Summary High availability is more than just clustering. It is achieved through improved hardware, software, and processes. This chapter focused on how to configure failover clustering and Network Load Balancing (NLB) to achieve high availability and scalability. High availability should be approached through proper hardware configuration, training, and operational discipline. Failover clustering provides a highly available base for many applications such as databases and mail servers. These clusters require either the Enterprise or Datacenter edition of Windows Server 2008. Network load balanced clusters are used to provide high availability and scalability for network-based applications such as VPNs and web servers. Network load balanced clusters can be configured with any edition of Windows Server 2008.

436

Chapter 10

N

Configuring High Availability in Windows Server 2008

Exam Essentials Know how to modify failover and failback settings. These settings are set on the clustered service or application but can be modified by settings on the resources. Know the hardware requirements for failover clustering and Network Load Balancing. Failover clustering and Network Load Balancing have distinct hardware requirements. Know the differences. Know which applications work with Network Load Balancing and which ones work in a failover cluster. Failover clustering is required for applications and services such as file services and database servers, and NLB is suited for network and web services. Know the differences.

Review Questions

437

Review Questions 1.

Which of the following editions of Windows Server 2008 can be configured in a failover cluster? (Choose all that apply.) A. Windows Server 2008 Web Edition

2.

B.

Windows Server 2008 Standard Edition

C.

Windows Server 2008 Enterprise Edition

D.

Windows Server 2008 Datacenter Edition

Which of the following editions of Windows Server 2008 can be configured in a Network Load Balancing cluster? (Choose all that apply.) A. Windows Server 2008 Web Edition

3.

B.

Windows Server 2008 Standard Edition

C.

Windows Server 2008 Enterprise Edition

D.

Windows Server 2008 Datacenter Edition

What is the maximum number of nodes that can participate in a Windows Server 2008 failover cluster? (Choose all that apply.) A. 2

4.

B.

4

C.

8

D.

16

Which of the following actions should be performed against an NLB cluster node if maintenance needs to be performed while not terminating current connections? A. Evict

5.

B.

Drainstop

C.

Pause

D.

Stop

What is the maximum number of nodes that can participate in a Windows Server 2008 NLB cluster? (Choose all that apply.) A. 4 B.

8

C.

16

D.

32

Chapter 10

438

6.

N

Configuring High Availability in Windows Server 2008

Which of the following applications would be better suited on a failover cluster instead of a network load balanced cluster? (Choose all that apply.) A. SQL Server

7.

B.

Website

C.

Exchange Mailbox Server

D.

VPN Services

Which of the following applications would be better suited on a Network Load Balancing cluster instead of a failover cluster? (Choose all that apply.) A. SQL Server

8.

B.

Website

C.

Exchange Client Access Server

D.

Terminal Services

To configure an NLB cluster with unicast, what is the minimum number of network adapters required in each node? A. 1

9.

B.

2

C.

3

D.

6

Which of the following will help improve the mean time between failure of a server? (Choose all that apply.) A. Use RAID-5 set for data storage. B.

Perform data backup.

C.

Install multiple power supplies.

D.

Use RAID-0 set for data storage.

10. In a three-node cluster set to a Node Majority quorum model, how many cluster nodes can be offline before quorum is lost? A. 0 B.

1

C.

2

D.

3

11. In a four-node cluster set to a Node and File Share Majority quorum model, how many votes can be lost before quorum is lost? A. 1 B.

2

C.

3

D.

4

Review Questions

439

12. In a six-node cluster set to a No Majority: Disk Only quorum model, how many nodes can be lost before quorum is lost? A. 3 B.

5

C.

2

D.

1

13. After installing the operating system and configuring the hardware, what is the first step that should be taken to create a failover cluster. A. Install the Failover Cluster feature. B.

Run the Validate a Configuration Wizard.

C.

Install a clustered application.

D.

Install the Remote Server Administration Tools.

14. When creating a cluster, after successfully completing the Validate a Configuration Wizard, what next step should be taken? A. Run the Create a Cluster Wizard. B.

Run the Configure a Service or Application Wizard.

C.

Install the application that will be clustered.

D.

Reboot each node individually.

15. During a series of troubleshooting events, an administrator evicted one of the cluster nodes. How can the evicted node be made active again in the cluster? A. The cluster should be deleted and re-created with all required nodes. B.

Reboot all cluster nodes simultaneously to restart the cluster.

C.

Use the Add Node Action to add the evicted node.

D.

Pause the remaining nodes of the cluster and resume one at a time.

16. You have just created an NLB cluster for a web site. What other steps must be completed so that end users can access the load-balanced web site? (Choose all that apply.) A. Create a website on each node. B.

Copy or share web content for each node.

C.

Create a DNS entry for each node.

D.

Create a DNS entry for the NLB cluster IP address.

17. Users that are connecting to an NLB cluster have been complaining that after using the site for a few minutes they are prompted to log in using their username. What should you do to fix the problem and retain scalability? A. Create a port rule to allow only ports 80 and 443. B.

Set the cluster affinity to None.

C.

Set the filtering mode to Single Host.

D.

Set the cluster affinity to Single.

Chapter 10

440

N

Configuring High Availability in Windows Server 2008

18. You have a two-node cluster and have a specific resource that fails often but is not crucial to the functionality. What would you do to keep the resource from causing the entire application from failing to the other node while still providing redundancy for the application when needed? A. Remove one node of the possible owners from the cluster nodes. B.

Select the option to run the resource in a separate resource monitor.

C.

Unselect the option to allow the resource to fail over the service or application.

D.

Select the option to allow the resource to fail over the service or application.

19. You have a custom application with custom resources. Several times when the application has started the resources failed initially and then started later after the disk resource came online. What can be done to make the custom resource start after the disk resource comes online? A. Increase the pending time-out of the custom resource. B.

Make the custom resource dependant on the disk resource.

C.

Make the disk resource dependant on the custom resource.

D.

Decrease the pending time-out of the disk resource.

20. If you have a running cluster and need to run the Validate a Configuration Wizard again, which of the following tests may require cluster resources to be taken offline? A. Network tests B.

Storage tests

C.

System Configuration tests

D.

Inventory tests

Answers to Review Questions

441

Answers to Review Questions 1.

C, D. Only the Enterprise and Datacenter editions of Windows Server 2008 can participate in a failover cluster.

2.

A, B, C, D.

3.

C, D. A Windows Server 2008 cluster consisting of servers running the x64 version can contain up to 16 nodes, whereas a cluster consisting of servers running the x86 version can contain up to 8 nodes.

4.

B. Drainstop is the function that allows the current session to end before stopping the cluster on the node. Evict is used to completely remove a node from failover cluster. Pause is used to keep resources from failing over to a failover cluster node. Stop will immediately end the cluster service on the NLB cluster node, not allowing the current sessions to complete.

5.

B, D. A Windows Server 2008 cluster consisting of servers running the x64 version can contain up to 32 nodes, whereas a cluster consisting of servers running the x86 versions can contain up to 8 nodes.

6.

A, C. SQL servers and Exchange servers are only supported on failover clusters. Websites and VPN services are network-based services, so they are better suited for NLB clusters.

7.

B, C, D. Websites, Exchange Server 2007 Client Access Server, and Terminal Services are all designed to work with NLB clusters. Database servers like SQL do not work on NLB clusters.

8.

B. To use unicast communication between NLB cluster nodes, each node must have a minimum of two network adapters.

9.

A, C. Using a RAID-5 set for data storage will survive a disk failure and extend the overall MTBF for the server. Also, adding a second power supply can improve MTBF. Performing backup tasks is important but does not improve MTBF. RAID-0 does not provide any protection from failures.

All editions of Windows Server 2008 can be configured in an NLB cluster.

10. B. In a three-node cluster, only one node can be offline before quorum is lost because a majority of the votes must be available to achieve quorum. 11. B. Up to two votes can be lost before quorum is no longer able to be achieved. These votes can come from the file share witness or a cluster node. 12. B. In a No Majority: Disk Only quorum model cluster, quorum is solely based on access to the quorum disk. Therefore, only one cluster node must be online and have access to the quorum disk to obtain quorum. 13. A.

To create a failover cluster, the first step is to install the Failover Cluster feature.

14. A. After validating the configuration for a cluster, you should create a cluster. After the cluster is created, the applications can be added. A reboot does not need to be done after completing the validation.

442

Chapter 10

N

Configuring High Availability in Windows Server 2008

15. C. To add an evicted node back into the cluster, use the Add Node action in the Failover Cluster Management tool. 16. A, B, C. To allow end users to access the website, the first step would be to create a DNS entry for the cluster IP address. Then each node would need a website and content created. 17. D. Setting the cluster affinity to Single will send all traffic from a specific IP address to a single cluster node. Doing this will keep a client on a specific node where the client should not have to authenticate again. Setting the filtering mode to Single would remove the authentication problem but would not distribute the load to other servers unless the initial server were down. This is not a scalable solution. Creating a port rule for 80 and 443 will not change anything since these ports are already working, judging by the fact that users can access the site. Setting cluster affinity to None is probably what the cluster is set since there is no preference for keeping a client connected to the same node, which may cause additional login prompts. 18. C. To keep the failed resource from causing the entire application to fail over, this option must be unchecked. Removing the possible owners from the clustered application would keep the application from failover even when needed. Running the resource in a separate resource monitor does not change how it affects the failover of the application. 19. B. To start the custom resource after the disk resource, it should be made dependant on the disk resource. Changing the pending time-out will not have any affect if the resource fails because it only affects resources that take longer to respond. 20. B. The storage tests require the clustered disk resource to be offline. If you need to run the storage tests, the Validate a Configuration Wizard will prompt to make sure you want to take the resources offline.

Chapter

11

Monitoring Windows Server 2008 for High Availability MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ÛÛ Configure high availability. May include but is not limited to: failover clustering, Network Load Balancing, hardware redundancy

Two of the most potent indicators of availability across your network are the performance of the operating system and its reliability. Performance is most commonly represented by the speed at which certain application and system tasks can be completed and hence also the number of tasks that can be completed in a given period of time. A system’s performance can be significantly determined by its hardware configuration, such as the clock speed of the processor, the access speed of the physical hard disk, and the amount of available memory. Therefore, access to such information is crucial for IT professionals to gauge the availability of the system and to decide on the necessary maintenance tasks, configuration changes, and hardware upgrades, if necessary. Reliability, on the other hand, is represented by the ability of the system to perform desirably on a consistent basis. Reliability is hindered when applications, services, or drivers fail to run smoothly and, worst of all, when the operating system itself fails. The Windows Reliability and Performance Monitor, event logs, and Task Scheduler are the vital features of Windows Server 2008 that enable IT professionals to monitor and maintain the performance and availability of the systems.

Monitoring Servers Using Performance Data To monitor the availability of a system across the network, it’s crucial to have access to data relating to the performance and configuration of the system as well as application errors and hardware failures. By using the Windows Reliability and Performance Monitor, IT professionals can get an overview of the major components of the system that affect system availability. These include the utilization of the CPU, the physical hard disk, and network and system memory along with records of key events such as failures and changes to the system configuration. More importantly, the Windows Reliability and Performance Monitor helps you detect and dissect the cause of performance errors in addition to obtaining performance data. It is also a good tool for tasks such as creating performance baselines and troubleshooting.

Monitoring Servers Using Performance Data

445

The Windows Reliability and Performance Monitor is a Microsoft Management Console (MMC) snap-in that includes the following components (please refer to Figure 11.1): NÛ

Resource Overview

NÛ

Performance Monitor

NÛ

Reliability Monitor

NÛ

Data collector sets

NÛ

Reports

F I G U R E 11 .1

Windows Reliability and Performance Monitor main view

The following features are new to the Windows Reliability and Performance Monitor in Windows Server 2008: NÛ

Data collector sets

NÛ

Resource Overview

NÛ

Reliability Monitor

NÛ

User-friendly diagnosis reports

NÛ

Unified property configuration for all data collection, including scheduling

NÛ

Wizards and templates for creating logs

446

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Working with Data Collector Sets A data collector set (DCS) is a collection of counters to diagnose and monitor anything related to the operating system and applications. DCS is a new feature and is included with Windows Server 2008 and Windows Vista. In the past, gathering different types of data statistics required extra time because counters needed to be re-created. With DCS, however, counters can be created once and scheduled for running through the use of Task Scheduler. A major advantage of DCSs is that they allows for greater control over performance monitoring and data gathering. There are three types of data collector sets: User-defined Created and configured by the user. System XML data collector set templates that are included with Windows Server 2008 and are saved in Windows\PLA\System. Event trace sessions

Configured for Event Tracing for Windows (ETW).

Before creating a data collector set, make sure one of the following requirements is met: NÛ

NÛ

The logged-on user is part of the Local Administrators group. The logged-on user is part of the Performance Log Users group. However, please ensure that the user has been assigned the “Log on as a batch job” user right. (see Exercise 11.1).

Exercise 11.1 will help you assign the “Log on as a batch job” user right to the Performance Log Users group. Providing the “Log on as a batch job” user right allows users to manage performance logs, counters and alerts. E X E R C I S E 11 .1

Assigning the “Log On as a Batch Job” User Right Normal users would not be able to create or manage data collector set by default, until “Log On as a Batch Job” user right has been assigned. To assign the log on as batch job user right complete the following procedures:

1.

Click Start, select Run, type secpol.msc in the Run command dialog, and press Enter. This will open the Local Security Policy snap-in.

2.

In the left pane, expand Local Policies, and click User Rights Assignment.

3.

In the console pane, right-click Log On as a Batch Job, then click Properties.

Monitoring Servers Using Performance Data

447

E X E R C I S E 11 .1 ( c o n t i n u e d )

4.

In the Log On as a Batch Job Properties window, click Add User or Group.

5.

In the Select Users or Groups dialog box, click Object Types.

6.

In the Object Types dialog box, check Groups and click OK.

7.

Return to the Log On as a Batch Job Properties window and click OK.

Exercise 11.2 will walk you through creating a new data collector set. Creating new data collector sets allows system administrators to monitor system performance and simplify troubleshooting of server systems. E X E R C I S E 11 . 2

Creating a Data Collector Set As the first step of collecting performance data automatically through Performance Monitor, Data Collector Set needs to be created. To create a Data Collector Set complete the following:

1.

Open the Reliability and Performance Monitor by clicking Start  Control Panel  Administrative Tools  Reliability and Performance Monitor, or click Start, then select Run, type perfmon.msc in the Run command dialog, and press Enter.

2.

In the left pane, expand Data Collector Sets, and select User Defined.

Chapter 11

448

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 . 2 ( c o n t i n u e d )

3.

Right-click on the area in the right pane and select New  Data Collector Set. This launches the Create New Data Collector Set Wizard.

4.

Enter a name for the new data collector set and choose from creating from a template and creating manually.

The simplest way to create a new data collector set is by using one of the preconfigured templates listed in the Create New Data Collector Set Wizard. The templates are developed based on the most common monitoring scenarios and are included in Windows Server 2008 to inject speed and convenience in performance and availability monitoring. Three preconfigured templates for creating data collector sets are built into Windows Server 2008. The preconfigured templates create the following sets: Basic

In this DCS, user-defined data collectors will be added on by the user.

System Diagnostics This DCS includes pre-defined data collectors that help the user maximize system performance and streamline system operation. It generates a report of the status of local hardware resources, system response times, and processes on the local computer as well as system information and configuration data. System Performance Predefined data collectors are included here, which help the user identify possible causes of performance issues. It generates a report of the status of local hardware resources, system response times, and processes on the local computer.

Monitoring Servers Using Performance Data

449

In Exercise 11.3, you’ll create a new data collector set from a template by continuing the steps followed in Exercise 11.2. E X E R C I S E 11 . 3

Creating a New Data Collector Set from a Template Continuing the steps followed in Exercise 11.2, Data Collector Set will be created base on a template. To create a new Data Collector Set from a template complete the following steps:

1.

In the Create New Data Collector Set Wizard , after entering a name for the data collector set, select Create from a Template and click Next.

2.

Choose a template and click Finish to save the data in the default root directory, which is %systemdrive%\perflogs\; otherwise, click Next to browse and select the preferred directory or enter the directory name. Please note that if you enter the directory name manually, you must not type a backslash at the end of the directory name.

3.

Click Next if the user intends to run the data collector set as a specific user, which can be done by clicking the Change button and entering the username and password of the specific user if it’s different than the default user listed.

4.

Click Finish to complete the wizard. The user can select Open Properties for This Data Collector Set to view the properties of the data collector set or select Start This Data Collector Set Now to start the data collection immediately. The user can also select Save and Close to save the data collector set without starting collection.

450

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Members of the Performance Log Users group must configure the newly created data collector sets to run under their own credentials.

Exercise 11.4 shows you how to create a new data collector set manually. E X E R C I S E 11 . 4

Manually Creating a New Data Collector Set Data Collector Set could be created from scratch, without using a template. To manually create a new Data Collector Set use the following steps:

1.

In the Create New Data Collector Set Wizard, after entering a name for the data collector set, select Create Manually and click Next.

2.

To create data logs, select Create Data Logs and then select one or more of the types of logs to be created (Performance Counter, Event Trace Data, and System Configuration Information). Alternatively, select Performance Counter Alert if the above data logs doesn’t want to be created. Click Next. The continuing steps in Exercise 11.4 will varies according to what type of logs are selected to be created in this step.

3.

To create Performance Counter data logs, select the performance counters, if any, that will be collected and click Next.

4.

To create Event Trace Data logs, select the event trace providers, if any, to be enabled and click Next.

5.

To create System Configuration Information data logs, select the Registry keys, if any, to be recorded and click Next.

Monitoring Servers Using Performance Data

451

E X E R C I S E 11 . 4 ( c o n t i n u e d )

6.

Browse and select the preferred root directory in which the data will be saved if the user is not in favor of using the default root directory of %systemdrive%\ perflogs\. Click Next.

7.

Choose the specific user who will run the data collector set, which can be done by clicking the Change button and entering the username and password of the specific user if it’s different than the default user listed. Select one out of the options (Open Properties for This Data Collector Set, Start This Data Collector Set Now, or “Save and Close) and click Finish.

Once the data collector sets are created and selected by the user to help keep track of system performance, the data can be stored as logs for future review. The logs can be further managed and organized into schedules by configuring the properties of the data collector sets and by utilizing the built-in Data Manager in the Windows Reliability and Performance Monitor. A log file is generated automatically by a data collector set. Data management procedures can then be used to configure the storage options for each data collector set. Through data management, the user is able to include information about the log in the filename, choose to overwrite or append data, and limit the file size of individual logs. A Data Manager is included in each data collector set and controls its data management tasks, which consist of conditions/actions, data retention policy, data transfer, and report generation. Once the Data Manager is enabled, a Server Performance Advisor (SPA) overview report is generated to summarize data results upon the completion of data collection. Before creating logs from a data collector set, make sure the following requirements are met: NÛ

NÛ

NÛ

The logged-on user is part of the Local Administrators group. If the logged-on user is not part of the Local Administrators group, the user must be part of the Performance Log Users group. However, please ensure that the user has been assigned the “Log on as a batch job” user right. At least one data collector set has been created. In Exercise 11.5, you’ll schedule the Start condition for a data collector set.

E X E R C I S E 11 . 5

Scheduling the Start Condition for a Data Collector Set Data Collector Set needs to be started to collect performance data. To schedule the start condition for a data collector set, please complete the following:

1.

In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand User Defined.

2.

Right-click the data collector set to be scheduled, and click Properties.

452

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 . 5 ( c o n t i n u e d )

3.

In the Properties window, select the Schedule tab.

4.

Click Add to configure a starting date and the day or time for data collection. When a new data collector set is being configured, the starting date must be after the current date and time.

5.

If the user wishes to stop the data collection after a certain date, select an expiration date. On a side note, data collection does not stop on the expiration date itself, though new data will not be collected after that date. To further configure how data collection is stopped, select the Stop Condition tab.

6.

Click OK when you’re finished.

In Exercise 11.6, you’ll schedule the Stop condition for a data collector set.

Monitoring Servers Using Performance Data

453

E X E R C I S E 11 . 6

Scheduling the Stop Condition for a Data Collector Set Data Collector Set needs to be stopped after an interval of time. System performance will be affected if Data Collector Set runs continuously, especially on busy hours. To schedule the stop condition for a data collector set, use the following steps:

1.

In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand User Defined.

2.

Right-click the data collector set to be scheduled, and click Properties.

3.

In the Properties window, select the Stop Condition tab.

4.

To stop data collection after a specific time period, select Overall Duration and choose the quantity (Time) and unit (Seconds/Minutes/Hours). However, if data collection is to be done indefinitely, the Overall Duration check box needs to be unchecked.

5.

To divide the collected data into separate logs, select “When a limit is reached, restart the data collector set” to specify the desired limits in duration and/or maximum size.

A. Select Duration to specify a time period for data collection to write into a single log. B.

Select Maximum Size, in megabytes (MB), to restart the data collector set or to stop data collection when the limit is reached.

Please note that Overall Duration, if selected, will override limits. If both types of limits are selected, data collection will be stopped or restarted once the first limit is reached.

6.

If an overall duration is configured, the user can select “Stop when all data collectors have finished” to enable all data collectors to finish logging the most recent values before the data collector set is stopped.

7.

Click OK.

The use of limits to automatically organize logs into segments is recommended because large log files slow down the report generation process.

Managing Logs for a Data Collector Set As time passes, logs will grow quickly. It is wise to plan and configure the logs before a data collector set is used. In Exercise 11.7, you’ll configure data management for a data collector set.

Chapter 11

454

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 . 7

Configuring Data Management for a Data Collector Set Every data collector set could have their own data management settings. Data management settings allow each data collector set to have its own policies. To configure data management for a data collector set, complete these steps:

1.

In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand User Defined.

2.

Right-click the data collector set to be configured, and click Data Manager.

3.

On the Data Manager tab, you can make changes according to the user’s data retention policy. Refer to Table 10.1 for details of each option.

A. When Minimum Free Disk or Maximum Folders is selected, previous data will be deleted according to the selected resource policy (Delete Largest or Delete Oldest) setting as part of the data collector set’s Data Manager tab when the limit is reached.

B.

When “Apply policy before the data collector set starts” is selected, previous data will be deleted according to the selected resource policy before the data collector set generates its next log file.

C.

When Maximum Root Path Size is selected, previous data will be deleted according to the selected resource policy when the root log folder size limit is reached.

Please note that Resource Policy is used to define how long a data can be stored before it is deleted, to save storage space. Resource Policy actions are carried out on a folder basis rather than a file basis.

Monitoring Servers Using Performance Data

455

E X E R C I S E 11 . 7 ( c o n t i n u e d )

4.

On the Actions tab, you can choose to perform folder actions when specified data manager conditions are met. New actions can be configured by clicking Add, while existing actions can be changed or removed by clicking Edit or Remove. Folder actions enable the user to configure the way in which data is archived before it is permanently deleted according to the resource policy. Refer to Table 10.2 for details of each option.

5.

When all the desired changes are made, click OK.

If the user prefers to manage data with folder actions, the user may choose to disable the Data Manager limits.

Table 11.1 lists and describes the data management options available in the Data Manager tab. Data size limitation can be configured on individual data collector sets through this tab. TA B L E 11 .1

Data Management Options Available in the Data Manager Tab

Option

Description

Minimum Free Disk

The amount of disk space that is mandatory on the drive where log data is stored. If this option is selected, previous data will be deleted according to the selected resource policy when the limit is reached.

Maximum Folders

The number of subfolders that can be included in the data collector set data directory. If this option is selected, previous data will be deleted according to the selected resource policy when the limit is reached.

Resource Policy

Specifies whether to delete the largest or oldest folder within the data collector set’s root folder when limits are reached.

Maximum Root Path Size

The maximum size of the data directory for the data collector set, including all subfolders. If this option is selected, the minimum free disk and maximum folders limits will be overridden and previous data will be deleted according to the selected resource policy when the root log folder size limit is reached.

Table 11.2 lists and describes the data management options available in the Actions tab. Conditions and actions of a data collector set can be configured through this tab.

456

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

TA B L E 11 . 2

Data Management Options Available in the Actions Tab

Option

Description

Age

A condition based on the age of the data file, in units of either days or weeks. If the value is 0, the criterion will not be used.

Size

A condition based on the size of the folder where the log data is stored in megabytes (MB). If the value is 0, the criterion will not be used.

Cab

A cabinet (.cab) file. These archive files can be created from raw log data and extracted to be used when necessary. Choose to create or delete cabinet files based on the age or size criteria.

Data

Raw log data collected by the data collector set. The data can be deleted after a cabinet file is created. A backup of the original data will be retained.

Report

The report file generated by Windows Reliability and Performance Monitor from raw log data. Report files can be retained even after the raw log data or cabinet file has been deleted.

Log Data in Performance Monitor The collected logs in Windows Reliability and Performance Monitor can be viewed as reports or as Performance Monitor data. All of the display options included in real-time monitoring with Performance Monitor can be viewed as log data. New in the Performance Monitor in Windows Server 2008 is the availability of several view modes to facilitate convenient viewing of log data. The three view modes can be selected in the shortcut menu of each data collector listed under the data collector set in the Reports node on the left pane: Report view If Data Manager is enabled for the selected data collector set, Report view is available and accessible as the Report option when View is highlighted in the shortcut menu, which is opened by clicking and then right-clicking the data collector set in the Reports node. If Data Manager is disabled, the Report option will be inaccessible. The Data Manager report is a Server Performance Advisor (SPA) report that presents a summary of the logged performance data. The Application Counters section can be expanded to show a summarized view of the Mean, Minimum, and Maximum data values from the data collector. The report is saved as an XML file in the Data Collector Set folder associated with the selected data collector. See Figure 11.2. Performance Monitor view If the Performance Monitor view is selected, the Performance Monitor log file is displayed in a line graph by default, with all the configured counters. See Figure 11.3. Folder view If the Folder view is selected, the folder containing all the files of the selected data collector set is displayed. See Figure 11.4.

Monitoring Servers Using Performance Data

457

F I G U R E 11 . 2

Report view of a report generated by a data collector set

F I G U R E 11 . 3

Performance Monitor view of a report generated by a data collector set

458

Chapter 11

F I G U R E 11 . 4

N

Monitoring Windows Server 2008 for High Availability

Folder view of a report generated by a data collector set

Before viewing log data in Performance Monitor, make sure the following requirements are met: NÛ

NÛ

NÛ

The logged-on user is part of the Local Administrators group. If the logged-on user is not part of the Local Administrators group, the user must be part of the Performance Log Users group. You must ensure that the user has been assigned the “Log on as a batch job” user right. At least one log file is generated from a data collector set. Exercise 11.8 will show you how to load log data in Performance Monitor.

E X E R C I S E 11 . 8

Loading Log Data in Performance Monitor Once logs have been created by Data Collector Set, it needs to be loaded into Performance Monitor for viewing by the system administrator. To load the log data in Performance Monitor, please execute the following tasks:

1.

In the left pane of Windows Reliability and Performance Monitor, expand Reports and expand User Defined.

2.

Expand the data collector set whose log data you will view.

3.

Select the log file to view.

4.

To change view modes, right-click the log file in the left pane, select View, and select Performance Monitor to display the Performance Monitor view or Folder to display the Folder view.

Monitoring Servers Using Performance Data

E X E R C I S E 11 . 8 ( c o n t i n u e d )

Exercise 11.9 shows you how to navigate the log view in Performance Monitor. E X E R C I S E 11 . 9

Navigating the Log View in Performance Monitor Viewing and using the Log View could be confusing for inexperience users. To navigate the Log View in Performance Monitor, please execute the following steps:

1.

Log data is displayed in a line chart by default. In the chart, the x-axis of the graph represents the total time included in the log.

2.

To view a specific time frame in the display, click and highlight a section in the chart, and then click the Zoom button or press Ctrl+Z.

3.

Other viewing options are available, and actions can be taken to add performance counters in the log view. For descriptions of the viewing options and actions, refer to the following sections.

Diagnosis Report Two system reports are built into Windows Reliability and Performance Monitor in order to assess the health of the system and to diagnose issues pertaining to system performance. The System Diagnostics report can be viewed once the required data has been collected.

459

460

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Before running any data collector set reports, make sure either one of the following requirements are met: NÛ

NÛ

The logged-on user is part of the Local Administrators group. The logged-on user starts Windows Reliability and Performance Monitor with elevated privileges.

The System Diagnostics report utilizes the Windows Kernel Trace Provider, which can only be accessed by the Local Administrators Group members.

Exercise 11.10 shows you how to view the system diagnostics report. E X E R C I S E 11 .1 0

Viewing the System Diagnostics Report The default system reports built into Windows Reliability and Performance Monitor offers a deep level of system diagnostics details. To view the System Diagnostics Report, please execute the following steps:

1.

In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand System.

2.

Right-click System Diagnostics and click Start to begin collecting data.

3.

In the left pane, expand Reports, expand System, expand System Diagnostics, and click on a date to view the report, which will appear on the console pane.

Monitoring Servers Using Performance Data

461

The System Diagnostics report collects data for 60 seconds, and an additional 60 seconds may be required for the report to be generated.

View System Stability with Reliability Monitor The Reliability Monitor (as shown in Figure 11.5) provides an overview of system availability as well as trend analysis with detailed information on events that can affect the overall availability of the system. Data collection for Reliability Monitor begins at the time of system installation. The data is then presented in the form of a chart that can be utilized to identify the applications, drivers, or hardware that are hampering the reliability and availability of the system. Several categories of events will be recorded in Reliability Monitor: NÛ

Software installations and removals

NÛ

Application failures

NÛ

Hardware failures

NÛ

Windows failures

NÛ

Miscellaneous failures

F I G U R E 11 . 5

Reliability Monitor main view

462

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Several vital features are included in Reliability Monitor: automatic data collection and processing, the System Stability Chart, the Stability Index, and the System Stability Report.

Automatic Data Collection and Processing Data collection and processing is carried out by Reliability Monitor through the Reliability Analysis Component (RAC). Data is automatically gathered by the availability analysis metrics calculation executable (racagent.exe), which processes the data based on its analysis, aggregation, and correlation of user disruptions in the operating system, programs, and services into availability metrics. The availability analysis metrics calculation executable runs as a hidden scheduled task named RACAgent to collect specific events from the event log. The RACAgent task runs hourly and processes the acquired data daily. The availability index number that is generated after data processing by the RACAgent task varies on a scale from 0 to 10, with 0 representing the least reliable and 10 representing the most reliable. The availability index, as well as the results of the event tracing, is then displayed in the System Stability Chart in the Windows Reliability and Performance Monitor.

System Stability Chart The System Stability Chart is presented in the Reliability Monitor window together with a calendar control that can be used to select the time range to view. The System Stability Chart can be used to assess the consistency of system availability within a certain time period, as represented by the consistency of the availability index. System availability and availability events of up to one year will be displayed in the System Stability Chart.

Stability Index As mentioned previously, reliability/availability of the system is translated into the form of ratings and is represented by the Stability Index. The index, which ranges from 0 to 10, is generated according to the data that is gathered and processed by Reliability Monitor. Reliability Monitor traces every instance of user disruptions and remembers the number of occurrences each day over a 28-day rolling window period, with the latest day of the rolling window being the current day. Before data collection of 28 days is completed, the Stability Index is displayed as a dotted line in the System Stability Chart as it has yet to establish a valid baseline for calculation. A real number with two decimal places is used as the Stability Index.

System Stability Report The System Stability Report found below the System Stability Chart in the Reliability Monitor window contains the details of the events of the selected date or date range. The report details the application, driver, or other system component that is affecting the system availability index. The report can be used to identify changes in system state that may contribute to system unavailability.

Monitoring Servers Using Performance Data

463

The data files that are created and accessed by the Reliability Monitor are stored in the following folders: \ProgramData\Microsoft\RAC\PublishedData \ProgramData\Microsoft\RAC\StateData

When the files in the two folders are deleted, Reliability Monitor will be reset to its default state with no availability information displayed. The files will be re-created with current availability information once the RACAgent schedules its next task run. The data presented in the default and time-specific views of Reliability Monitor are taken from HTML pages that are created by Reliability Monitor before it displays a particular view. The HTML files, named Rmo(4-digit฀random฀number).tmp.htm, are created in the \Users\\AppData\Local\Temp folder. The files can be used for trend analysis.

The HTML files will be automatically deleted once Reliability Monitor is closed. Also, trend analysis is a method to determine and compare the system availability and availability over a time period. It can also be used to determine the Service Level Agreement (SLA) of the systems.

Availability Before viewing system availability with Reliability Monitor, make sure the following requirements are met: NÛ

NÛ

The computer has been running for a minimum of 24 hours since the installation of the operating system. The RACAgent scheduled task is running. The task runs by default unless it is manually stopped or disabled. In Exercise 11.11, you’ll view system availability with Reliability Monitor.

E X E R C I S E 11 .11

Viewing System Availability in Performance Monitor It is possible to do a quick system availability overview through Performance Monitor. To view System Availability in Performance Monitor, please execute the following steps:

1.

In the left pane of Windows Reliability and Performance Monitor, expand Monitoring Tools and click Reliability Monitor.

2.

View the System Stability Chart on the top half of the console pane, or expand the sections of the System Stability Report below the chart. Refer to the following sections for descriptions of the viewing options and actions.

Chapter 11

464

N

Monitoring Windows Server 2008 for High Availability

The following points will help you make sense of the System Stability Chart: NÛ

NÛ

The date range is represented by the x-axis, while the Stability Index number is represented by the y-axis. If more than 30 days of data have been recorded, the scroll bar at the bottom of the chart can be used to navigate to the desired date or period if it’s not visible by default. NÛ

Within the System Stability Chart, as seen below, records of events that disrupt the availability of the system, as well as installations and removals of software, are presented in five rows of information.

The following points will help you understand the System Stability Report: NÛ

NÛ

When all dates are selected, the reports are sorted first by date in descending order and then by the application or driver name in ascending alphabetical order. When a single date is selected, the reports are sorted by the application or driver name in ascending alphabetical order. The reports are based on specific event data that is organized into the following categories: System Clock Changes, Software (Un)Installs, Application Failures, Hardware Failures, Window Failures, and Miscellaneous Failures.

System Clock Changes Significant changes to the system clock are recorded in this category. Information on clock changes is available only if at least one major clock change has been made on the system. Table 11.3 details the information available in the System Clock Changes report.

Monitoring Servers Using Performance Data

TA B L E 11 . 3

465

Information in the System Clock Changes Report

Data Type

Description

Old Time

Specifies the previous date and time before the clock change.

New Time

Specifies the selected date and time during the clock change.

Date

Specifies the date in which the clock change is made.

The System Clock Changes category appears in the System Stability Report only when a date in which a significant clock change has occurred is selected. Any date that records a significant clock change will be indicated by an information icon on the System Stability graph.

Software (Un)Installs Installations and removals as well as configuration changes and updates of applications, drivers, system components, and Windows Updates are recorded in this category. Table 11.4 details the information available in the Software (Un)Installs report. TA B L E 11 . 4

Information in the Software (Un)Installs Report

Data Type

Description

Software

Specifies name of the operating system, the affected application, the affected driver, or the affected Windows Update.

Version

Specifies the operating system, application, or driver version. This field is not applicable to Windows Updates.

Activity

Indicates whether the event is an installation or removal (uninstall).

Activity Status

Indicates whether the event is a success or a failure.

Date

Specifies the date of the installation or removal.

Application Failures Application hangs and crashes, including the termination of a nonresponding application, are recorded in this category. Table 11.5 lists the information listed in the Application Failures report.

466

Chapter 11

TA B L E 11 . 5

N

Monitoring Windows Server 2008 for High Availability

Information in the Application Failures Report

Data Type

Description

Application

Specifies the name of the executable file of the failed application.

Version

Specifies the version number of the failed application.

Failure Type

Indicates whether the application stopped responding or stopped working.

Date

Specifies the date on which application failure occurred.

Hardware Failures Disk and memory failures are recorded in this category. The information available in the Hardware Failures report is listed in Table 11.6. TA B L E 11 . 6 Data Type

Information in the Hardware Failures Report Description

Component Type Indicates whether the failure occurred in the hard drive or the memory. Device

Specifies the failed device.

Failure Type

Indicates whether the failure is caused by a bad disk or by faulty memory.

Date

Specifies the date on which the hardware failure occurred.

Windows Failures Operating system boot failures, crashes, and sleep failures are recorded in this category. Information listed in the Windows Failures report appears in Table 11.7. TA B L E 11 . 7

Information in the Windows Failures Report

Data Type

Description

Failure Type

Indicates whether the event is a boot failure or an operating system crash.

Version

Specifies the version number of the operating system and service pack.

Monitoring Servers Using Event Logs

TA B L E 11 . 7

467

Information in the Windows Failures Report (continued)

Data Type

Description

Details

Indicates whether the event is an operating system failure, a boot failure, or a sleep failure. An operating system failure is indicated by the stop code, a boot failure is indicated by the reason code, and a sleep failure is indicated by the component veto or failure to enter hibernation.

Date

Specifies the date on which the Windows failure occurred.

Miscellaneous Failures Unexpected system shutdowns as well as other system failures that do not fall under previous categories are recorded in this category. Table 11.8 lists the information available in the Miscellaneous Failures report. TA B L E 11 . 8 :

Information in the Miscellaneous Failures Report

Data Type

Description

Failure Type

Indicates an event of disruptive shutdown.

Version

Specifies the version number of the operating system and service pack.

Failure Detail

Indicates an event in which the computer is not shut down normally.

Date

Specifies the date on which the miscellaneous failure occurred.

Monitoring Servers Using Event Logs Like performance and reliability monitoring, the Windows Eventing features that are available in Windows Server 2008 are used by IT professionals to gather essential information on the state of the hardware, the software, and the system as a whole. While the Performance and Reliability Monitor provides IT professionals with statistics and real-time information on system availability, the Event Viewer provides users with in-depth information and detailed logs of events affecting system health. Event Viewer is used to browse and manage event logs, which contain information on hardware and software problems as well as security events of the system. Event Viewer is thus a valuable tool for troubleshooting issues pertaining to system availability and performance. To see what the Event Viewer looks like, see Figure 11.6.

468

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

In Windows Server 2008, the Event Viewer enables access to component-specific logs that mostly contain operational, analytic, and debug events that are non-administrative. The non-administrative events, which are usually non-actionable and more verbose, are included for the purpose of tracing normal operations and obtaining more details on potential problems. Administrative events are still usually logged in the application or system log. However, cases in which significant volumes of administrative events are associated with certain components or applications will lead to such events being logged in separate component-specific administrative logs. Unlike in previous Windows Server versions, the Event Viewer in Windows Server 2008 is easier to navigate while packing more detailed information and providing easier filtering of events. The updated Windows Eventing 6.0 event log service in Windows Server 2008 is aimed at providing the following services for administrators, developers, and IT professionals: NÛ

Custom views of event logs

NÛ

Forwarding events using industry-standard protocols

NÛ

Local and remote subscription to events

NÛ

Query and selection of events for analysis, diagnostics, and monitoring

F I G U R E 11 . 6

Event Viewer

Monitoring Servers Using Event Logs

469

Using wevtutil.exe to Manage Event Logs Event logs in Windows Server 2008 are divided into two main categories: Windows logs and application and services logs. Apart from the Event Viewer, the wevtutil.exe command-line tool can also be used to manage event logs. If wevtutil.exe is used to manage event logs, the user has to be aware that the messages in wevtutil.exe might refer to event logs as channels. Please refer to the following list here of all available logs which is built in Windows Server 2008. Windows Logs Windows logs are directed to store events from legacy applications and events that apply to the entire system. The Windows Logs category in Event Viewer includes the following logs: Application log The application log comprises events logged by applications or programs. For example, a database program might record a file error in the application log, while program developers would decide which events to log. Security log The security log consists of events such as valid and invalid logon attempts as well as events related to resource use, such as creation, deletion, and opening of files or other objects. For example, the assignment of special privileges to a newly logged-on user is recorded in the security log. Setup log The setup log comprises events related to application setup. System log The system log includes events logged by Windows system components, and the event types are predetermined by Windows. For example, failure of the print spooler to reopen an existing connection is recoded in the system log. Forwarded events log remote computers.

The forwarded events log is made up of events collected from

Application and services logs Application and services logs contain events from a single application or component rather than events that affect the entire system. The Application and Services Logs category in Event Viewer includes the following types of logs: Admin Admin logs comprise events that indicate the problems and well-defined solutions that an administrator can act on. The events are either well documented or come with direct instructions of what must be done to rectify the problem. Error and warning events, for example, are always logged in an admin log, and information events that indicate a service’s return to a healthy state can also be recorded in an admin log. Analytic Analytics logs are made up of events that are used in problem diagnosis or performance analysis. Analytic logs provide information on program operation and indicate problems that cannot be handled by user intervention. They are also known as trace logs and are mainly disabled by default. Debug Debug logs include events that are used by developers for troubleshooting purposes. Debug logs are hidden and disabled by default.

Chapter 11

470

N

Monitoring Windows Server 2008 for High Availability

Operational Operational logs are typically made out of private logs in which components can log events that are helpful for troubleshooting or launching automated actions. Operational logs are normally used to analyze or diagnose a problem or occurrence. Most information events are recorded in operational logs, which are enabled by default. Within every log category in Event Viewer are subcategories of event attributes that enable administrators and tools to filter the events and automate tasks. The event attributes are as follows: Level The Level column indicates whether the event was critical, an error, a warning, or a routine action presented as information. Keyword Keyword refers to the set of categories or tags that can be used to filter or search on events. Keywords are assigned to security logs which, unlike other logs, are not categorized by levels. Date and Time The Date and Time column indicates the date and time in which the event occurred. Source Event ID

Source refers to the name of the component that published the event. Event ID refers to the numeric ID unique to a specific event or source.

Configuring Computers to Forward and Collect Events Before events can be collected and organized in the computer, subscriptions to events have to be made, and before subscriptions can be made, the collecting computer as well as each computer from which events will be collected has to be configured. To learn how to configure computers to forward and collect events, see Exercise 11.12. E X E R C I S E 11 .1 2

Configuring Computers to Forward and Collect Events Before forwarding and collecting of events work, both forwarding and collecting computers need to be configured. To configure computers to forward and collect events, please execute the following steps:

1.

Log on to the collecting computer and all source computers. It is recommended that a domain account with administrative privileges is used to perform the tasks.

2.

On each source computer, click Start, select Run, and type cmd in the Run command dialog. Then press Enter to open the command prompt.

3.

In the command prompt, type winrm฀quickconfig and press Enter. Please note that if the user intends to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, this command must also be run on the collecting computer.

Monitoring Servers Using Event Logs

471

E X E R C I S E 11 .1 2 ( c o n t i n u e d )

4.

On the collecting computer, open the command prompt, type in wecutil฀qc, and press Enter.

5.

On each source computer, add the account of the collecting computer to the Administrators group.

6.

The computers are now configured to forward and collect events.

Running winrm฀quickconfig will set the startup type for both services Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) to Automatic. Both of these services are needed for forwarding/ collecting of events to work.

472

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

In addition to the steps in Exercise 11.12, there are a number of considerations that the user has to take note of. When working in a workgroup environment, there are several additional steps and considerations: NÛ

NÛ

NÛ

NÛ

A Windows Firewall exception for Remote Event Log Management has to be added on each source computer. An account with administrator privileges must be added to the Event Log Readers group on each source computer. The account must be specified in the Configure Advanced Subscription Settings dialog when a subscription is created on the collecting computer. On the collecting computer, type winrm฀set฀winrm/config/client฀@ {TrustedHosts=“”} in the command prompt to allow all source computers to use NTLM authentication when communicating with WinRM on the collecting computer. The names of all the participating source computers in the workgroup, separated by commas, are entered in place of . Alternately, wildcards can be used to match the names of all the source computers. This command is run only once. For more information on this command, type winrm฀help฀config in the command prompt. Only Normal mode (Pull) subscriptions can be used.

To specify a user account by using the Specific User option in Advanced Subscription Settings when adding a subscription, you must ensure that the user account is part of the local Administrators group on each of the source computers in step 4. Alternately, the Windows Event Log command-line utility can be used to grant account access to individual logs. For more information on the command-line utility, type wevtutil฀sl฀-? in the command prompt. If a subscription is configured to utilize the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings, corresponding Windows Firewall exceptions for port 443 must be set. For a subscription that uses Normal delivery optimization (PULL mode), the exception must be set only on the source computers. For a subscription that uses Minimize Bandwidth or Minimize Latency delivery optimization (PUSH mode), the exception must be set on source computers and the collecting computer.

Reading Events through Custom Views Event Viewer in Windows Server 2008 has increased the amount of events to log. This poses a challenge when searching through the many events that are logged. Because Event Viewer is now XML based, searching through the Event Viewer could become easy by creating custom views. Custom views allow filtering of events, thus users will see only the events they are interested in. Windows Server 2008 by default has an Administrative Events custom view. If server roles are installed, each one will have its own custom view automatically created by Windows Server 2008. See Figure 11.7.

Monitoring Servers Using Event Logs

F I G U R E 11 . 7

473

Administrative Events custom view

There are two ways to filter events: filter the current log or create a custom view. Exercise 11.13 explains the steps required to filter events within a specific log in Event Viewer. E X E R C I S E 11 .1 3

Filtering Only Informational Events in the Current Log Finding useful information from a comprehensive log will take a lot of time, and it would be more productive to only show the needed logs. To show only the informational events, please execute the following steps:

1.

Open up the event log that needs to be filtered.

2.

With the event log displayed on the screen, under the Actions pane, select Filter Current Log.

3.

The Filter Current Log window appears. Filter Current Log supports filtering based on time, event level, event logs, event sources, event IDs, task category, keywords, user, and computers.

474

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 .1 3 ( c o n t i n u e d )

4.

When you click OK, Event Viewer will show only the informational events.

Events can also be filtered through XML’s XPath. XPath is a language for finding information in an XML document. XPath is used to navigate through elements and attributes in an XML document. For more information about XPath, see http://msdn.microsoft.com/en-us/library/ms256115.aspx and www.w3.org/TR/xpath.

The second method for displaying events is through custom views. Custom views can be very useful for administrators because they speed up the troubleshooting process. However, it is best to have fewer than 30 custom views or productivity could be decreased. The Create Custom View window allows the same filtering of data. To create custom view, complete Exercise 11.14. E X E R C I S E 11 .1 4

Creating a Custom View If flexibility in filtering logs is needed, it can be accomplished through the use of custom view. To create a custom view, please execute the following steps:

1.

In Event Viewer, in the navigation pane, right-click on Custom Views, and select Create Custom View.

Monitoring Using Task Scheduler

475

E X E R C I S E 11 .1 4 ( c o n t i n u e d )

2.

The Create Custom View window appears. As with the Filter Current Log feature, Create Custom View also supports event filtering based on time, event level, event logs, event sources, event IDs, task category, keywords, user, and computers.

3.

Specify a name and a description (optional) of the custom view and click OK.

4.

A new custom view is now created and is shown in the navigation pane.

Monitoring Using Task Scheduler Task Scheduler enables the user to perform automated tasks on the system. In this scenario, Task Scheduler is used by IT professionals to monitor server performance by configuring system assessment tasks that will run automatically. Task Scheduler maintains a collection of all scheduled tasks in the Task Scheduler Library presented in an organized view. The user can use Task Scheduler to run, disable, modify, and delete tasks. Any program can be scheduled to run at any time or when a specific event occurs. The selected time and event criteria are monitored by the Task Scheduler, which will execute the task when the criteria are met. See Figure 11.8.

476

Chapter 11

F I G U R E 11 . 8

N

Monitoring Windows Server 2008 for High Availability

Task Scheduler

Task Scheduler in Windows Server 2008 is loaded with improvements in the following key areas: User interface A new Task Scheduler user interface based on the Microsoft Management Console (MMC) is presented in Windows Server 2008. The interface is enhanced with a number of new conditions and filters that are helpful for administrators in defining and managing scheduled tasks. Administrative Task status monitoring has been improved with detailed failure reporting and comprehensive task history. Status feedback has also been significantly improved. An email that includes the complete runtime history of an event can be sent to the administrator in the event of a failure. The complete history of executed scheduled tasks, as well as the list of currently running tasks, can be easily accessed and reviewed by the administrator at any time. Tasks can also be run and stopped on demand. The Task Scheduler API is now fully available to scripting languages, which is extremely helpful for administrators in scripting complex tasks. Platform and manageability Hosting and activation of troubleshooters and other corrective actions are now enabled with the use of Task Scheduler. Periodic data collection has been implemented in order to improve event detection. Quotas may now be assigned in task process prioritization. Computer resources are more efficiently utilized because tasks are activated based on a true idle state, which is defined by CPU, memory, and I/O usage; user presence; and non-presentation mode.

Monitoring Using Task Scheduler

477

Scheduling The time-based task launch has been improved with enhanced scheduling options as well as higher granularity. In a noticeable improvement, the user is now allowed to chain a series of actions together as opposed to creating multiple scheduled tasks one by one. Tasks can be scheduled on demand for execution when a specific event is logged to an event log. Scheduled tasks can be configured to run when the computer is idle or to wake a computer from sleep or hibernation. Previously scheduled tasks can also be executed when a powered-down computer is turned back on. Scalability has also been improved as limitations on the number of registered tasks have been removed and multiple instances of a task have been allowed to run in parallel or in sequence. Security New security features are represented by the ability to securely store passwords needed for running tasks with the use of Credentials Manager and the ability to run Service for User (S4U) for scenarios such that passwords do not need to be stored at all. To further strengthen security, scheduled tasks are now executed in separate sessions instead of the same session as the current user or system services. Therefore, system tasks are executed in the system session (session 0), while user tasks are executed in the user’s session. Separate per-user credentials are required for Winstations and desktops.

Scheduling a Task A task can be scheduled either by creating a basic task with the Create Basic Task Wizard or by creating a task manually by supplying task information in the Create Task dialog box. A task can also be scheduled by using a command line. If the Create Basic Task Wizard is used, most of the task properties will be set according to default values and the trigger for the task will be chosen from the most commonly used triggers. To use a wizard to schedule a basic task, complete Exercise 11.15. E X E R C I S E 11 .1 5

Scheduling a Basic Task by Using a Wizard Scheduling a task is just a step by step wizard in Windows Server 2008. To schedule a basic task using a wizard, please execute the following steps:

1.

Start Task Scheduler by clicking Start  Control Panel  Administrative Tools and then double-clicking Task Scheduler.

2.

In the left pane, select the task folder in which the new task is to be created.

3.

In the Actions pane on the right, click Create Basic Task.

4.

Type a name for the task and a description, if required, and then click Next.

478

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 .1 5 ( c o n t i n u e d )

5.

Select a trigger to determine when the task will start, and then click Next. Refer to Table 11.9 for more information on trigger options.

6.

If prompted, fill in the details for the selected trigger. If not, skip to the next step.

7.

Select an action to be performed by the task. The options are Start a Program, Send an E-Mail, and Display a Message. Then click Next.

8.

Fill in the details for the selected action, and then click Next.

9.

Confirm the details of the task in the summary, and then click Finish.

A new task folder can be created if existing folders are not going to be used. To create a new task folder, click Action on the main menu; then click New Folder and enter a name before clicking OK.

To see a listing of triggers for a task, see Table 11.9.

Monitoring Using Task Scheduler

TA B L E 11 . 9

479

Triggers for a Task

Trigger Name

Description

On a schedule

Runs the task according to a specified schedule. Options are available to schedule the tasks to run one time or on a daily, weekly, or monthly schedule. The time that is set by the user is relative to the time zone that is set on the computer that runs the task. If a set of tasks is to be scheduled to run simultaneously in multiple time zones, the Universal check box has to be selected because the time needs to be made relative to Coordinated Universal Time (UTC). The UTC abbreviation corresponds to the French version of the term.

At log on

Runs the task when a user logs on to the computer. Options are available to specify whether the task will be triggered when any user logs on or when a specific user or user group member logs on to the computer.

At startup

Runs the task when the computer starts up.

On idle

Runs the task after the computer enters an idle state. The idle settings can be configured on the Conditions tab in the Create Task or Task Properties dialog box.

On an event

Runs the task when specific event entries are added to an event log. Basic and custom options are available to configure the trigger settings. If basic settings are chosen, the task will be triggered by a single event from a specific event log. If custom settings are chosen, the task will be triggered by events matched by a specified custom event viewer query or XML event query.

At task creation/modification

Runs the task as soon as it is created or modified.

On connection to user session

Runs the task when a user session is connected from a local computer or from a remote desktop connection. Options are available to specify whether the task will be triggered when any user connects to a user session or when a specific user or member of a specific user group connects.

On disconnect from user session

Runs the task when a user session is disconnected from a local computer or from a remote desktop connection. Options are available to specify whether the task will be triggered when any user disconnects to a user session or when a specific user or member of a specific user group disconnects.

480

Chapter 11

TA B L E 11 . 9

N

Monitoring Windows Server 2008 for High Availability

Triggers for a Task

(continued)

Trigger Name

Description

On workstation lock

Runs the task when the computer is locked. Options are available to specify whether the task will be triggered when any user or when a specific user or member of a specific user group locks the computer.

On workstation unlock

Runs the task when the computer is unlocked. Options are available to specify whether the task will be triggered when any user or when a specific user or member of a specific user group unlocks the computer.

Exercise 11.16 shows you how to schedule a task manually by using the Windows interface. E X E R C I S E 11 .1 6

Scheduling a Task Manually by Using the Windows Interface Advance users who wants a fast and straightforward way to schedule a task, can schedule a task without wizards. To schedule a task manually using Windows interface, please execute the following steps:

1.

Start Task Scheduler.

2.

In the left pane, select the task folder in which the new task is to be created.

3.

In the Actions pane on the right, click Create Task. The Create Task dialog box opens.

4.

On the General tab, type a name and, optionally, a description for the task, and specify the desired Security options.

Monitoring Using Task Scheduler

481

E X E R C I S E 11 .1 6 ( c o n t i n u e d )

5.

On the Triggers tab, click the New button to add a trigger for the task.

6.

On the Actions tab, click the New button to add an action for the task.

7.

(Optional) On the Conditions tab, specify conditions for the task.

8.

(Optional) On the Settings tab, change the settings for the task.

9.

Click OK.

To schedule a task by using a command line, complete the steps in Exercise 11.17. E X E R C I S E 11 .17

Scheduling a Task Manually by Using the Command Line Scheduling of a task can be scripted using command line. To schedule a task manually using the command line, please execute the following steps:

1.

Click Start, select Run, and type cmd in the Run command dialog and then press Enter to open command prompt.

2.

Type the following command: schtasks฀/Create฀[/S฀฀[/U฀฀[/P฀[]]]]฀[/RU฀ ฀[/RP฀]]฀/SC฀฀[/MO฀]฀[/D฀]฀฀ [/M฀]฀[/I฀]฀/TN฀฀/TR฀฀[/ST฀]฀฀ [/RI฀]฀[฀{/ET฀฀|฀/DU฀}฀[/K]฀[/XML฀]฀ [/V1]]฀[/SD฀]฀[/ED฀]฀[/IT]฀[/Z]฀[/F]

3.

To view the help topics for this command, type the following command: schtasks฀/Create฀/?

Refer to the section “Using the Command-Line Tool Schtasks.exe” for information on the Schtasks.exe command line tool.

Managing a Task Task management and monitoring is made simple in the Task Scheduler with options to display all running tasks, export tasks, import tasks, and view task history. When you open

482

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Task Scheduler in Windows Server 2008, you’ll see detailed task information next to all the tasks. Status and last run results will also be shown so administrators would be able to identify problems immediately. Exercise 11.18 shows you how to display and/or end running tasks. E X E R C I S E 11 .1 8

Displaying All Running Tasks Monitoring running tasks can be done through task manager. To display all running tasks, please execute the following steps:

1.

Start Task Scheduler.

2.

In the Actions pane on the right, click Display All Running Tasks. The All Running Tasks window opens.

3.

To manually refresh the display, click the Refresh button.

4.

To stop one or more tasks on demand, select the running task(s) and click the End Task button.

Tasks can be saved and exported to an XML file and then imported when necessary, on either the same computer or on a different computer. The portability of tasks is enhanced by this feature. Exercise 11.19 shows you how to export tasks.

Monitoring Using Task Scheduler

483

E X E R C I S E 11 .1 9

Exporting Tasks Migration or backing up of tasks could be done by exporting the tasks from task manager. To export tasks, please execute the following steps:

1.

Start Task Scheduler.

2.

In the console pane on the center, right-click the task to be exported and select Export.

3.

Browse for a location in which to save the file, type a name for the file, and then click Save.

Tasks that have been exported can be easily imported to the same computer as well as to another computer (see Exercise 11.20). E X E R C I S E 11 . 2 0

Importing Tasks If tasks need to be imported into a newly built or existing server, it could be done through task manager. To import tasks, please execute the following steps:

1.

Start Task Scheduler.

484

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 . 2 0 ( c o n t i n u e d )

2.

Under the Task Scheduler Library in the left pane, right-click the desired task folder and select Import Task.

3.

Browse for the location in which the XML file is stored, select the file, and click Open.

On the History tab of a task in Task Scheduler, all known events for that task are displayed, allowing you to quickly view the previous status and running time. Only events related to the currently selected task will be displayed. There is no longer an need to review the Task Scheduler event log for individual events from specific tasks. In Exercise 11.21, you’ll view the history of a task. E X E R C I S E 11 . 2 1

Viewing the History of a Task Monitoring of the past history of a task is important when it comes to server auditing. To view the history of a task, please execute the following steps:

1.

Start Task Scheduler.

2.

In the left pane, select the task folder that contains the task you want to view.

3.

In the console pane in the center, select the task.

Monitoring Using Task Scheduler

485

E X E R C I S E 11 . 2 1 ( c o n t i n u e d )

4.

Click the History tab to view the history of the task. In the history list, select an event to view the event description.

Managing or Creating a Task on a Remote Computer You can use the Task Scheduler interface to connect to a remote computer and create and manage tasks. The name or IP address of the remote computer must be specified. The user credential that is used to connect to a remote computer must be part of the Administrators group on the remote computer. If the computer you will be connected to is running Windows Server 2008 or Windows Vista, the Remote Scheduled Tasks Management firewall exception must be enabled on the remote computer. If the computer you will be connected to is running Windows Server 2003 or Windows XP, the File and Printer Sharing firewall exception must be enabled on the remote computer. Exercise 11.22 shows you how to manage and create a task on a remote computer. E X E R C I S E 11 . 2 2

Managing or Creating a Task on a Remote Computer Using Task Scheduler Task Scheduler could be managed remotely, without logging onto the console or doing it on-site. To manage or create a task on a remote computer using Task Scheduler, please execute the following steps:

1.

Start Task Scheduler.

486

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 . 2 2 ( c o n t i n u e d )

2.

In the left pane, select Task Scheduler.

3.

In the Actions pane on the right, click Connect to Another Computer. The Select Computer dialog box opens.

4.

In the Select Computer dialog box, select Another Computer.

5.

Enter the name or IP address of the remote computer in the text box or click Browse to search for a remote computer.

6.

(Optional) You can use credentials other than those for the current user to connect to the remote computer. Select the Connect as Another User check box and click Set User. Enter the username and password.

7.

When the remote computer is specified, click OK.

8.

Once the remote computer is connected, you can manage and create tasks by using the same procedures that are performed on a local computer.

Exercise 11.23 shows you how to manage or create a task on a remote computer by the using command line. E X E R C I S E 11 . 2 3

Managing or Creating Task on a Remote Computer Using Command Line An alternative method of managing or creating task on a remote computer is to use command line. To manage or create a task on a remote computer using command line, please execute the following steps:

1.

Click Start, select Run, and type cmd in the Run command dialog and then press Enter to open command prompt.

Monitoring Using Task Scheduler

487

E X E R C I S E 11 . 2 3 ( c o n t i n u e d )

2.

Use the Schtasks.exe tool to manage or create a task. Specify the name or IP address of the remote computer in the /S฀system argument, the username that is used to connect to the remote computer in the /U฀username argument, and the password for the user in the /P฀password argument. Refer to the following section for information on the Schtasks.exe command-line tool.

3.

To view the help topics for this command, type the following: schtasks฀/Create฀/? Schtasks฀/Run฀/? Schtasks฀/End฀/? Schtasks฀/Delete฀/? Schtasks฀/Change฀/?

Using the Command-Line Tool Schtasks.exe Schtasks.exe is the command-line tool used to perform Task Scheduler actions in the command prompt. The Schtasks.exe command-line tool enables administrators to create,

delete, change, run, end, and query scheduled tasks on a local or remote computer. The following command syntax is used by the Schtasks.exe command interface: schtasks฀/฀[arguments]

The command parameters used by the Schtasks.exe command interface are as follows: /Create฀ ฀ Create฀a฀new฀scheduled฀task. /Delete฀ ฀ Delete฀the฀scheduled฀task(s). /Change฀ ฀ Change฀the฀properties฀of฀scheduled฀task. /Run฀ ฀ Run฀the฀scheduled฀task฀immediately.฀ /End฀ ฀ Stop฀the฀running฀scheduled฀task.฀ /Query฀ ฀ Display฀all฀scheduled฀tasks.

You can use Schtasks.exe on various tasks: NÛ

NÛ

Click Start, select Run, and type cmd in the Run command dialog and then press Enter to open a command prompt. To delete tasks, type this: schtasks฀/Delete฀[/S฀฀[/U฀฀[/P฀[]]]]฀ ฀฀฀/TN฀฀[F]

488

NÛ

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

To change tasks, type the following; schtasks฀/Change฀[/S฀฀[/U฀฀[/P฀[]]]]฀ ฀฀฀/TN฀฀{[/RU฀][/RP฀][/TR฀]฀ [/ST฀][/RI฀]฀ ฀฀[฀{/ET฀฀|/DU฀}฀[/K]]฀[/SD฀]฀[/ED฀] [/ENABLE\/DISABLE]฀ ฀฀[/IT]฀[/Z]}

NÛ

To run tasks, type this: schtasks฀/Run฀[/S฀฀[/U฀฀[/P฀[]]]]฀/TN฀฀

NÛ

To end tasks: schtasks฀/End฀[/S฀฀[/U฀฀[/P฀[]]]]฀/TN฀฀

NÛ

To query tasks: schtasks฀/Query฀[/S฀฀[/U฀฀[/P฀[]]]]฀ ฀฀[/FO฀[/NH]฀[/V]฀[/?]

Running a Task in Response to a Given Event The ability to run a task in response to a given event is the result of the integration of Task Scheduler with the Event Viewer. Tasks are configured to run in such a way in order to diagnose and troubleshoot a given event immediately. Exercise 11.24 shows you how to run a task in response to an event. E X E R C I S E 11 . 2 4

Running a Task in Response to an Event Sometimes it is useful to run a script if an error occurs, maybe to notify the system administrator or generate error reports. To run a task as a response to an event, please execute the following steps:

1.

Start Task Scheduler.

2.

In the left pane, select the task folder in which the new task will be created.

3.

In the Actions pane on the right, click Create Task. The Create Task dialog box opens.

4.

On the General tab, type a name and, optionally, a description for the task, and specify the desired security options.

5.

On the Triggers tab, click the New button.

6.

In the New Trigger dialog box, select On an Event in the Begin the Task drop-down list.

Monitoring Using Task Scheduler

E X E R C I S E 11 . 2 4 ( c o n t i n u e d )

7.

To run the task in response to a basic system-created event log, select the Basic bullet box.

8.

In the Log drop-down list, select the event log in which the event is found.

9.

In the Source drop-down list, select the component that published the event to narrow down the criteria. In this example, Source is set to EventCollector.

10. In the Event ID box, enter the unique ID of the specific event to further narrow down the criteria. A list of Event IDs can be found from www.eventid.net.

11. To run the task in response to a new custom event log, select the Custom bullet box and click the New Event Filter button to create a new custom view. Refer to section ”Reading Events Through Custom View” for the step-by-step procedure.

12. On the Actions tab, click the New button to add an action for the task. 13. (Optional) On the Conditions tab, specify conditions for the task. 14. (Optional) On the Settings tab, change the settings for the task. 15. Click OK.

489

490

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Monitoring System Activity In Windows Server 2008, the Performance Monitor and the Reliability Monitor, which are essential to performance and availability monitoring tasks, are major components of the Windows Performance Diagnostic Console, a Microsoft Management Console (MMC) snap-in. The Windows Performance Diagnostic Console allows the user to perform a number of crucial system activity monitoring tasks: NÛ

Customization of data collection

NÛ

Customized viewing of past performance data

NÛ

Definition of thresholds for alerts and automatic actions

NÛ

Real-time system monitoring

NÛ

Report generation

System activity monitoring can now be more efficiently and speedily done with the introduction of a new Resource View screen and an improved graphical interface in Performance Monitor. The user can choose to monitor system activities in general by using Resource View or to monitor specific system activities by using the Performance Monitor.

Monitoring General System Activity Using Resource Monitor The Resource Monitor is the default page of the Windows Performance Diagnostic Console, which provides a real-time graphical overview of CPU, disk, network, and memory utilization. Details of the specific processes that are utilizing specific resources can be accessed by expanding the four sections. Figure 11.9 shows the Resource View. F I G U R E 11 . 9

Resource View in action

Monitoring System Activity

491

To monitor general system activity using Resource Monitor (Exercise 11.25), you must first ensure that the logged on user is a member of the local Administrators group. E X E R C I S E 11 . 2 5

Monitoring General System Activity Using Resource Monitor Resource Monitor provides a quick overview of the health of the system. To monitor general system activity using Resource Monitor, please execute the following steps:

1.

Click Start  Control Panel  Administrative Tools  Reliability and Performance Monitor. Or you can click Start  Run, type perfmon.msc in the Run dialog box and press Enter.

2.

Obtain a summary of real-time information of CPU, disk, network, and memory utilization on the local computer by viewing the graphs in the Resource Overview pane.

3.

Click a graph to expand its corresponding details.

4.

Obtain process-level details on each resource by expanding the labeled sections below the graphs.

5.

Refer to Tables 11.10 through 11.15 for information on navigating Resource View.

To open Resource View in its own window when it is started, type perfmon฀ /res at a command prompt.

Resource View provides a very brief and general outline of how the system is doing. Through Resource View, it is possible to determine if there are potential bottlenecks being created on any of the four core system components. Table 11.10 shows the four system components. TA B L E 11 .1 0

Resource View Details

Label

Description

CPU

Total percentage of CPU capacity currently in use is displayed in green. Maximum frequency of CPU is displayed in blue.

Disk

Total current I/O is displayed in green. Percentage of highest active time is displayed in blue.

492

Chapter 11

TA B L E 11 .1 0

N

Monitoring Windows Server 2008 for High Availability

Resource View Details

(continued)

Label

Description

Network

Current total network traffic is displayed in green. Percentage of network capacity currently in use is displayed in blue.

Memory

Current hard faults per second is displayed in green. Percentage of physical memory currently in use is displayed in blue.

CPU Resource View works similar to Task Manager’s Process tab. The only difference is that by default, threads and CPU average are not shown in Task Manager’s Process tab, but it is shown under CPU Resource View. If any process is holding a high amount (80 percent and above) of CPU resources for a period of 30 seconds or more, you will need to start monitoring the process. Table 11.11 shows the individual details as part of CPU Resource View. TA B L E 11 .11

CPU Resource View Details

Label

Description

Image

The application that is utilizing CPU resources

PID

The process ID of the application instance

Description

Description of the application

Threads

The number of currently active threads from the application instance

CPU

Currently active CPU cycles from the application instance

Average CPU

The average CPU load resulting from the application instance

Disk Resource View shows the disk performance of all physical disks that are installed on the system. It shows the image (process) and the corresponding file’s read and write performance. To find a bottleneck created by disks, depending on the disk configuration (RAID/Disk controller/iSCSI), or to monitor Read, Write, IO Priority and Response Time. Table 11.12 shows the individual details as part of Disk Resource View.

Monitoring System Activity

TA B L E 11 .1 2

493

Disk Resource View Details

Label

Description

Image

The application that is utilizing disk resources

PID

The process ID of the application instance

File

The file that is being read and/or written by the application instance

Read

The current speed (bytes/min.) at which data is being read by the application instance

Write

The current speed (bytes/min.) at which data is being written by the application instance

IO Priority

The priority of the I/O task for the application

Response Time

The response time of the disk activity in milliseconds

Network Resource View shows the network traffic transfers based on process (or image) and the network address the process is sending to or receiving from. Network Resource View provides a graph showing only basic network traffic information. It is only useful for checking how much data is being transferred. If network troubleshooting is needed, it is always wiser to stick to creating data collector sets. Table 11.13 shows the individual details as part of Network Resource View. TA B L E 11 .1 3

Network Resource View Details

Label

Description

Image

The application that is utilizing network resources

PID

The process ID of the application instance

Address

The network address from which information is exchanged with the local computer

Send

The amount of data (in bytes/min.) that is currently being sent by the application instance from the local computer to the address

Receive

The amount of data (in bytes/min.) that is currently being received by the application instance from the address

Total

The total bandwidth (in bytes/min.) that is currently being sent and received by the application instance

494

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Memory Resource View shows a basic memory usage based on process (or image). To determine whether memory is the bottleneck of system performance, Memory Resource View can provide some helpful guidance. However, this view will not show you whether read or write access is the bottleneck. It will only show whether the system has enough memory. Table 11.14 shows the individual details as part of Memory Resource View. TA B L E 11 .1 4

Memory Resource View Details

Label

Description

Image

The application that is utilizing memory resources

PID

The process ID of the application instance

Hard Faults/min.

The number of current hard faults per minute resulting from the application instance

Working Set (KB)

The number of kilobytes for the application instance that are currently residing in memory

Shareable (KB)

The number of kilobytes of the application instance working set that may be available to be utilized by other applications

Private (KB)

The number of kilobytes of the application instance working set that are dedicated to the process

Resource View is limited in this version, but you can sort columns and highlight processes (or images) for easier reading. Table 11.15 shows the actions which is supported by Resource View. TA B L E 11 .1 5

Resource View Navigation Tasks

Action

Procedure

Highlight an application instance

To keep highlighting when the application instance position changes in the display, click anywhere in the application instance row.

Sort columns by value

To sort in ascending order, click the column header label once. To sort in descending order, click the column header label twice.

Monitoring System Activity

495

Monitoring Specific System Activity Using Performance Monitor Performance Monitor provides a graphical summary of system performance based on a number of built-in Windows performance counters, which can be viewed in real time or examined as historical data. By adding specific counters to Performance Monitor, you can monitor the activities and performances in specific areas of the system. In Windows Server 2008, Performance Monitor has been upgraded to enable better views, easier navigation, and more precise control. Improvements have been made in the following areas: NÛ

Drag and drop functionality

NÛ

New time range controls

NÛ

Scale to fit option

NÛ

Time-based algorithms

NÛ

Tool tips

NÛ

Zoom functionality

In the Performance Monitor log view, you can add preferred performance counters into the graph or report to observe specific data. In Exercise 11.26, you’ll add counters to the current Performance Monitor view. E X E R C I S E 11 . 2 6

Adding Counters to the Current Performance Monitor View It is possible to add additional counters into performance monitor view. To add counters to performance monitor view, please execute the following steps:

1.

In the left pane of Windows Reliability and Performance Monitor, expand Reports and expand User Defined.

2.

Expand the data collector set for which you want to view log data.

3.

Right-click the data collector of the data collector set and select the Performance Monitor view.

4.

Click the Add (+) button in the menu bar above the graph in the Performance Monitor view, or right-click anywhere in the graph and select Add Counters. This launches the Add Counters dialog box.

496

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 . 2 6 ( c o n t i n u e d )

5.

In the Available Counters section, select the counters you want to display in Performance Monitor. Refer to Table 11.16 for details on the common tasks in the Add Counters dialog box.

6.

When you have selected the counters, click OK.

Monitoring System Activity

497

Some navigation tasks, such as displaying a description of a counter, cannot be done when Performance Monitor is displayed as a report view. They can only be done in the process of creating new data collector sets manually.

TA B L E 11 .1 6

Navigation Tasks in the Add Counters Dialog Box

Task

Procedure

Choose the source computer from counters

Select a computer from the Select Counters from Computer drop-down list or click Browse to select other computers. Counters can be added from the local computer or from another computer on the network the user has access to.

Display a description of the selected counter group

Select Show Description in the lower-left corner of the dialog box. The description will be updated when other counter groups are selected.

Add a group of counters

Select by highlighting all counters under the counter group name and click Add.

Add individual counters

Select by highlighting an individual counter under a counter group and click Add.

Add certain instances of a counter

Select the required counter group or individual counter, then select the process from the list in the Instances of Selected Object box. The same counter can be created by multiple processes, though if you choose an instance, only the counters produced by the selected processes will be collected.

Search for instances of a counter

Select the required counter group or individual counter, then type the process name in the drop-down list below the Instances of Selected Object box and click Search. A valid process name will be available in the drop-down list to repeat the search with other counters. The search function will not be available if there are no multiple instances of a counter group or counter.

With so many counters available, it could be confusing to decide which counter to configure to monitor the system performance. Table 11.17 lists recommended system counter thresholds for the commonly used counters.

498

Chapter 11

TA B L E 11 .17

N

Monitoring Windows Server 2008 for High Availability

Recommended System Counter Thresholds

Resource

Object

Counter

Threshold

Disk

LogicalDisk

%Free Space

15%

Disk

LogicalDisk

%Disk Time

80%

Memory

Memory

Available Bytes

16MB

Processor

Processor

% Processor Time

85%

Processor

Processor

Interrupts/sec

1500 per second

Table 11.17 lists only the most important and commonly used system counters. The recommended thresholds are only a guideline and might not work in every environment. Windows Server 2008 also comes with three preconfigured data collector sets (LAN, System Diagnostics, and System Performance) with the necessary counters already added. The following list includes explanations of the recommended thresholds listed in Table 11.17: LogicalDisk - %Free Space Depending on the server’s usage and configuration, some might disagree with the 15% threshold. But a threshold of 15% works on most machines. LogicalDisk - %Disk Time Disk time is also known as the disk usage time. When a disk time is at 80% at a constant rate, the disk will experience hardware failure very easily due to crashing or overheating. Memory - Available Bytes The server will start paging to hard disk as soon as the amount of available memory is reduced to less than 4MB. The server performance degrades due to excessive paging activities. Thus, it is wiser to have the threshold set higher, to 16MB, so system administrators can take action before it goes to 4MB or less. Processor - % Processor Time Sometimes a sudden spike of CPU processor time is caused if SQL Server or Exchange Server is hosted on the server. But if the processor time doesn’t go down, it could cause the server to be unavailable. Use Task Manager to identify which process is using the CPU processor time constantly. Processor - Interrupts/sec This counter can be used to signal hardware problems. If the counter increases dramatically without a corresponding increase in server activity, a piece of hardware is responsible for the flood in interrupts. A hardware failure involving the network card, hard disk controller, or another device needs to be investigated. In the default line graph display in Reliability and Performance Monitor shown in Figure 11.10, two minutes of data is represented in a rolling format from left to right, labeled along the x-axis. With this view, changes in each counter’s activity compared with previous behavior over a short time period can be observed. The performance data can also be represented by other types of graphs as well as by a report.

Monitoring System Activity

F I G U R E 11 .1 0

499

The default line graph view of Performance Monitor

In Exercise 11.27, you’ll change the graph type for the log data in Performance Monitor. E X E R C I S E 11 . 2 7

Changing the Graph Type for the Log Data in Performance Monitor Changing the graph type allows the system administrator to view the report in another perspective. To change the graph type for the log data, please execute the following steps:

1.

In the left pane of Windows Reliability and Performance Monitor, expand Reports and expand User Defined.

2.

Expand the data collector set whose log data you want to view.

3.

Right-click the data collector of the data collector set and select the Performance Monitor view.

4.

In the menu bar above the graph, click the Change Graph Type button to switch types or open the drop-down list and select from Histogram Bar, Report, Area, or Stacked Area.

500

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Configuring and Monitoring Using Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) is, as its name suggests, a simple protocol that is commonly utilized in network management and monitoring. SNMP is the choice of IT professionals for network wide system monitoring tasks because it is easy to set up and easy to use. SNMP is designed to integrate the management of TCP/IP-based networks in order to manage devices from a preferred central location. SNMP is used to facilitate data transfer from agent to host. The data is then centralized in logs for effective viewing and subsequent analysis.

Install SNMP Services Windows Server 2008, just like its predecessors, does not have SNMP Services installed by default. To use SNMP Services, you will need to install the SNMP Services feature (Exercise 11.28). E X E R C I S E 11 . 2 8

Installing SNMP Services SNMP Services is not installed by default in Windows Server. To install SNMP Services feature, please execute the following steps:

1.

Click Start  Server Manager.

2.

In the left pane, select Features.

3.

In the right pane, click Add Features. This launches the Add Features Wizard.

4.

Under the Features list, select SNMP Services and click Next.

Configuring and Monitoring Using Simple Network Management Protocol (SNMP)

501

E X E R C I S E 11 . 2 8 ( c o n t i n u e d )

5.

A confirmation window appears with the features to be added. Click Install to start installing.

6.

Once SNMP Services is installed, the results appear. Click Close to complete the installation.

To install the SNMP service in Windows Server 2008 Server Core, type the following in the command prompt: start฀/w฀ocsetup฀SNMP-SC

Configuring Agent Properties Once SNMP Services is installed, the next step is to configure the agent. Agents are servers or devices that will be reporting to the host, telling the host whether the agents are alive or dead. Agent properties also contain information such as the person responsible for managing the agent and the services the agent will interact with on the computer. Exercise 11.29 shows you how to configure agent properties.

502

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 . 2 9

Configuring Agent Properties To monitor the system using SNMP, the agent properties need to be configured. Agent, To configure the agent properties, please execute the following steps:

1.

Click Start  Server Manager.

2.

In the left pane, expand Configuration and select Services.

3.

In the details pane, select SNMP Service.

4.

Right-click SNMP Service and click Properties.

5.

On the Agent tab, type the name of the user or administrator in the Contact box.

6.

Type the physical location of the computer or the contact in the Location box.

7.

Under Service, select the services that the agent is hosting, and click OK.

Changes to Contact or Location of the SNMP Agent take effect within a few minutes.

Configuring and Monitoring Using Simple Network Management Protocol (SNMP)

503

Configuring Traps Another option you need to configure as part of SNMP Services is Traps. The Traps tab under the Agent properties dialog box is used to configure computers to which SNMP Services sends traps. As part of the Traps properties, there will be two options that need to be configured: Community and Trap Destinations. A community is like a group, and each Community hosts one or more Trap Destinations. Trap Destinations can be Hostname, IP, or IPX Address. Exercise 11.30 shows you how to configure traps. E X E R C I S E 11 . 3 0

Configuring Traps Traps, just like agent, needs to be configured for SNMP services to work. To configure traps, please execute the following steps:

1.

Click Start Server Manager.

2.

In the left pane, expand Configuration and select Services.

3.

In the details pane, select SNMP Service.

4.

Right-click SNMP Service and click Properties.

5.

On the Traps tab, in the Community Name text box, type a name for the community to which the computer will send trap messages (the name is case-sensitive).

504

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

E X E R C I S E 11 . 3 0 ( c o n t i n u e d )

6.

Under Trap Destinations, click Add.

7.

In the SNMP Service Configuration dialog box, enter the name, the IP address, or the IPX address of the host, and click Add.

8.

Repeat steps 5 through 7 until all the required communities and trap destinations are added.

Changes to SNMP settings take effect immediately.

Configuring SNMP Security Properties Information generated by traps are just like any other data. When transferred across the network, the data could be sniffed by malicious users. Malicious users could also send unauthorized traps to legitimate communities. To prevent these issues from occurring, it is always wise to configure SNMP security (Exercise 11.31). E X E R C I S E 11 . 3 1

Configuring SNMP Security Properties Although configuring SNMP security properties is optional to get SNMP services working, it is still recommended to configure for security reasons. To configure SNMP security properties, please execute the following steps:

1.

Click Start  Server Manager.

2.

In the left pane, expand Configuration and select Services.

3.

In the details pane, select SNMP Service.

4.

Right-click SNMP Service and click Properties.

5.

On the Security tab, select Send Authentication Trap to send a trap message whenever authentication fails.

Configuring and Monitoring Using Simple Network Management Protocol (SNMP)

E X E R C I S E 11 . 3 1 ( c o n t i n u e d )

6.

Under Accepted Community Names, click Add.

7.

In the SNMP Service Configuration dialog box, select a permission level from the Community Rights drop-down list for the host to process SNMP requests from the specified community.

8.

In the Community Name text box, type a case-sensitive community name, then click Add.

9.

Specify which host(s) from which SNMP packets are accepted. NÛ

Accept SNMP Packets from Any Host: Select to accept SNMP requests from any host on the network.

NÛ

Accept SNMP Packets from These Hosts: Select to accept SNMP requests from a limited number of preferred hosts. Click Add to enter the name, the IP address, or the IPX address of the host, and then click Add again.

10. Changes can be made to an entry by selecting the entry and clicking Edit. An entry can be deleted by selecting the entry and clicking Remove.

505

506

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Starting or Stopping the SNMP Service Starting or stopping the SNMP Service is just like starting or stopping other services. It can be done through Services.msc or through Server Manager (Windows Server 2008 only). Exercise 11.32 shows you how to start or stop the SNMP Service using Server Manager. E X E R C I S E 11 . 3 2

Starting or Stopping SNMP Service SNMP Service could be started or stopped for troubleshooting purposes. To start or stop SNMP Service, please execute the following steps:

1.

Click Start  Server Manager.

2.

On the left pane, expand Configuration and select Services.

3.

On the details pane, select SNMP Service.

4.

Right-click SNMP Service and click Start, Stop, or Restart.

Summary

507

Configuring Event to Trap Translator It is possible to trap events, convert the events into traps, and send that trap across the management systems specified in the Traps properties. To accomplish this, the events will need to be converted into traps, which is done through the trap translator. To configure event to trap translator, see Exercise 11.33. E X E R C I S E 11 . 3 3

Configuring Event to Trap Translator Trapping an event is important for SNMP host to receive server’s trapped events. To configure event to trap translator, please execute the following steps:

1.

Click Start, select Run, and type cmd in the Run command dialog and then press Enter to open command prompt.

2.

Type evntcmd฀/? for options and the syntax for the evntcmd command to configure the event to trap translator.

Summary Monitoring a system proactively is a task that system administrators should do on a daily basis because it provides guidance on how applications and hardware should be configured. This does not mean that system administrators will need to monitor systems on their network manually. The proper way is to let the systems monitor themselves and report to the system administrators if any warnings or errors occur.

508

Chapter 11

N

Monitoring Windows Server 2008 for High Availability

Various monitoring tools are built into Windows Server, and it’s up to system administrators to use them wisely: NÛ

NÛ

NÛ

NÛ

Monitoring system performance through counters has improved in Windows Server 2008. Data collector sets make gathering and troubleshooting server performance data a very simple procedure. System Stability Index provides a quick summary of how a system is working and whether it has experienced any availability issues in the past. Event Viewer is now much more robust and developers can write to Event Viewer through the APIs. It is now XML based, which means easier searching and manipulation of the event logs. It is also possible to push and pull event logs to and from other computers with just a few simple clicks. Task Scheduler has been enhanced in Windows Server 2008. Events can now trigger and run a task , and Task Scheduler comes with a step-by-step wizard to create new tasks. The status of all tasks is also shown in Task Scheduler, increasing the productivity of the system administrators. SNMP Service is considered an old technology by some, but it is still one of the more useful methods to monitor systems and devices.

With a good grip on how to set up and configure the tools we covered tools in this chapter, system administrators can allocate their resources for more important tasks.

Review Questions

509

Review Questions 1.

You want to provide a help desk user with the rights to create logs for data collector sets. What do you need to do? (Choose all that apply.) A. Add the help desk user to Power Users group.

2.

B.

Assign the help desk user with “Log on as a batch job” user right.

C.

Add the help desk user to the Administrators group.

D.

Add the help desk user to the Domain Users group.

You want to use Reliability Monitor to monitor the health of the system. However, no data is shown in Reliability Monitor. What should you do? A. Wait for 12 hours after Windows is installed.

3.

B.

Wait for 18 hours after Windows is installed.

C.

Wait for 24 hours after Windows is installed.

D.

Wait for 36 hours after Windows is installed.

You have SNMP configured. You want to ensure that only trusted traps are collected. What should you do? A. Under the Agent tab of SNMP Service properties, deselect Internet.

4.

B.

Under the Agent tab of SNMP Service properties, deselect Datalink and Subnetwork.

C.

Under Security tab of SNMP Service properties, select Send Authentication Trap.

D.

Under Security tab of SNMP Service properties, select Accept SNMP Packets from These Hosts.

You want to change the default Disk Defragmenter schedule. Where do you change it? A. Event Viewer

5.

B.

Task Scheduler

C.

Performance Monitor

D.

Reliability Monitor

You are creating a task to run a program in Task Scheduler. After creating the task, you found out that the program doesn’t run when the task is started. What is your next course of action? A. Select Run with Highest Privileges. B.

Select Run Whether User Is Logged On or Not.

C.

Use another user or group to run the task.

D.

Select Run Task as Soon as Possible after a Scheduled Start Is Missed.

Chapter 11

510

6.

N

Monitoring Windows Server 2008 for High Availability

What is the best way to share the same scheduled tasks? A. Use the command line tool Schtasks.exe to export and import the tasks to other machines.

7.

B.

Use the Task Scheduler GUI to export and import the tasks to other machines.

C.

Use Visual Studio to create a program to import the tasks.

D.

Use Group Policy to push tasks to the users.

A user reports that her computer is always sluggish between 2:00 to 3:00 p.m. daily. What is the best way to troubleshoot the problem? A. Create a data collector set, add all counters into it, and configure it to run from 2:00 to 3:00 p.m. daily.

8.

B.

Request a support personal to be on-site standby from 2:00 to 3:00 p.m.

C.

Create an event-triggered task to collect data when warnings are logged.

D.

Create a data collector set, add the memory counters into it, and set it to run from 2:00 to 3:00 p.m. daily.

A user reports that her computer is sluggish from time to time, inconsistently. What is the best way to troubleshoot the problem? A. Create a data collector set, add only system performance counters into it, and set it to run 24/7.

9.

B.

Request a support personal to be on-site standby daily.

C.

Create an event-triggered task to collect data when warnings are logged.

D.

Create a data collector set, add the memory counters into it, and set it to run 24/7.

The company has a customized performance monitoring software using Windows Management Interface (WMI) to create and modify data collector sets. However, desktop users are unable to run the application when they log on as standard user. What do you do to enable them to use the performance monitoring software? (Choose all that apply.) A. Add the desktop support technician user account to the Performance Log Users user group. B.

Add the desktop support technician user account to the Performance Monitor Users user group.

C.

Open the Local Security Policy (secpol.msc) snap-in and add the desktop support technician user account under “Log on as a batch job.”

D.

Open the Local Security Policy (secpol.msc) snap-in and add the desktop support technician user account under “Log on as a service.”

10. Your company hosts many applications for customers. However, customers are complaining that their hosted applications are running too slow. What is the first step to troubleshoot? A. Run perfmon.msc and check Hard faults/min under Memory. B.

Run perfmon.msc and check Threads under CPU.

C.

Run perfmon.msc and check I/O priority under CPU.

D.

Run perfmon.msc and check Private (KB) under Memory.

Review Questions

511

11. Your company has a Windows Server 2008 file server. Clients are experiencing slower than usual connection speed when they access their files shares on the file server. What can you do to troubleshoot this issue? A. Run Performance Monitor and enable the Packets Received Discarded counter under Network Interface. B.

Run Performance Monitor and enable the Segments Received/sec counter under TCPv4.

C.

Run Performance Monitor and enable the Connections Passive counter under TCPv4.

D.

Run Performance Monitor and enable the Output Queue Length counter under Network Interface.

12. After upgrading from Windows XP to Windows Vista, users are reporting that it’s taking longer than expected to open files and applications. You need to identify the cause of the issue by running Reliability Monitor. What can you do to troubleshoot this issue? (Choose all that apply.) A. Ensure that Windows Vista was installed more than 24 hours ago. B.

Ensure that every publisher is recognized for establishing a baseline to display on the System Stability chart.

C.

Disable Reliability Analysis Component (RAC) if it is running.

D.

Ensure that Reliability Monitor has 28 days of data to display the availability index as a valid baseline for the measurement.

E.

Ensure that only users with administrator rights can access the data that Reliability Monitor uses.

13. You want to enable remote monitoring of performance and availability of the branch offices’ servers running Windows Server 2008. What do you need to do? (Choose all that apply.) A. Enable the Routing and Remote Access Services policy at the main office computer. B.

Enable the Remote Registry Services policy at the branch office computers.

C.

Ensure that the main office computer has RACAgent enabled in Scheduled Task.

D.

Acquire the Local Administrators group permission to view Reliability Monitor on branch office computers.

E.

Ensure that the Diagnostics Service Host Service policy is enabled on branch office computers.

14. How do you create a performance logging file (.blg) in an SQL format? A. Open the data collector set report in Reliability and Performance Monitor. Then highlight date and time of issue and select Save Data As with the option Save as Type set to SQL. B.

Open the data collector set report, point to Properties, and click the Source tab. Under Database radio box, select SQL Server and Log Set.

C.

Run Relog฀perfmon.blg฀–f฀sql฀–b฀M/d/yyyy฀h:mm:ss[AM|PM].

D.

Run Relog฀perfmon.blg฀–f฀sql฀–b฀M/d/yyyy฀h:mm:ss[AM|PM]>฀–q.

Chapter 11

512

N

Monitoring Windows Server 2008 for High Availability

15. Your branch office is experiencing slow connection speed. All computers are configured as part of the same workgroup. You need to configure event forwarding to use the minimal bandwidth. What do you configure? A. Use the Custom setting for event delivery optimization by typing wecutil฀ss฀฀ SUBSCRIPTIONID฀/cm:custom฀฀/hi:100 at the command prompt. B.

Select the Normal setting for event delivery optimization on the subscription properties of the collecting computer.

C.

Select the Minimize Latency setting for event delivery optimization on the subscription properties of the collecting computer.

D.

Use the Minimize Bandwidth setting for event delivery optimization on the subscription properties of the collecting computer.

16. Your office has a slow connection speed to the remote office. The remote file server collects event forwarding logs from your office. The subscription log became corrupted and you re-create it. Users are now complaining that they are not able to access the remote file server. How do you restore the network connectivity? (Choose the best answer.) A. Restart the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services. B.

On the subscription properties of the server, click Minimize Bandwidth.

C.

On the subscription properties of the server, click Minimize Latency.

D.

Restart the server.

17. You set up event forwarding on a source machine and a collecting machine. The collecting computer has a standard user set to run the subscription. The collecting computer displays the subscription status Trying. You need to ensure that the event forwarding works. What should you do? A. Run the command wecutil.exe฀gr฀. B.

Ensure that the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services are running on the collecting computer.

C.

Add Log On As A Batch Job user right to the standard user account from Account Policy to which the event logs are received.

D.

Add Event Log Readers to the standard user account to which the event logs are sent.

18. Your company has multiple branch offices, and all computers are connected in the same domain in Active Directory. Event logs are sent from the branch offices to the main office. You want to prevent hackers from sniffing the logs. What should you do? A. Configure the Kerberos encryption for the user account in the event that you send by using Active Directory. B.

Install a web server certificate and set up the Secure Sockets Layer (SSL) encryption.

C.

Configure the Encrypted File System (EFS) encryption by selecting the Encrypt Contents to Secure Data option on the properties of the event log file.

D.

Set up the Pretty Good Privacy (PGP) encryption through PGP NetShare.

Review Questions

513

19. You have a main office and a branch office. The computers are connected via a workgroup environment. You want to log all critical events from the branch office to a server at the main office. What should you do first? A. Enable event forwarding by migrating to the domain environment. B.

Create a virtual private network (VPN) between the collecting computer at the main office and the server at the branch office.

C.

Start the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services on the source and collecting computers.

D.

Add the Event Log Readers group to the standard user account where the event logs are forwarded.

20. Your company has multiple branch offices. You monitor the main office server by using a system utility. The system utility uses an executable file to inject a DLL file into the explorer.exe process. You discover that the system utility terminates explorer.exe when you use the Run command to run explorer.exe. You need to stop the system utility without logging off users. What should you do? A. End the looping task by using the Schtasks command. B.

Delete the executable file by using the Tasklist command.

C.

Delete the looping task by using the Schtasks command.

D.

Log off the user account by using the Shutdown command.

Chapter 11

514

N

Monitoring Windows Server 2008 for High Availability

Answers to Review Questions 1.

B, C. You will need to assign the “Log on as a batch job” user right or add the help desk user to the Administrators group in order for a user to collect logs from data collector sets.

2.

C. Windows will only generate system availability indexes 24 hours after it is installed.

3.

D. You can configure which SNMP packets to collect by using the option Accept SNMP Packets from These Hosts.

4.

B. Task Scheduler is now used to run Microsoft Windows services and schedules. Configuration can be modified by using Task Scheduler.

5.

A. If the program that is set to run needs elevated privileges, it will not run without the Run with Highest Privilege option.

6.

B. The best way is to export and reimport using the GUI. The Schtasks.exe commandline tool doesn’t support export/import of tasks, and there’s no way to push tasks through Group Policy.

7.

A. Using a data collector set to collect data and statistics about the computer is the best way to gather information for troubleshooting. Collecting just memory data is not enough to troubleshoot.

8.

A. Using a data collector set to collect data and statistics about the computer is the best way to gather information for troubleshooting.

9.

A, C. The standard user will need to be added into Performance Log Users to create and modify collector sets through the use of WMI. And the user will need to have the permission “Log on as a batch job” to have the proper rights to work on the custom application.

10. A. A high number of hard faults may explain the slow response time of an application if it must continually read data back from the disk rather than from physical memory. 11. D. Output Queue Length is the length of the output packet queue (in packets). If this is longer than two, there are delays. And the bottleneck should be found and eliminated, if possible. 12. A, D, E. To use the System Availability Chart, Windows installation must run 24 hours before data is collected. Stability Index will show dotted lines on the graph before 28 days to show that a valid baseline has not been established. 13. B, C. The RACAgent task needs to be running. Since Reliability Monitor data files are stored in the Registry, remote Registry access is needed. 14. C.

You use the relog command to re-create the performance logging file in an SQL format.

15. B.

Only the Normal setting work in a Workgroup environment.

Answers to Review Questions

515

16. B. The Minimize Bandwidth setting uses the push delivery mode and sets a batch time-out of 6 hours and uses an interval of 6 hours. 17. A. The wecutil command-line tool provides the status of the subscription. Wecutil.exe฀ gr฀ provides the user with the subscription information. This will help you understand why the subscription status appears as Trying. 18. B. To set up encryption with event forwarding, the only available option is to use SSL, which requires installing the certificate on both computers before SSL can start working. 19. C.

You need to start the WinRM and Wecsvc services because both do not run by default.

20. A.

By stopping the task that runs the looping executable, you will stop the loop.

Appendix

A

About the Companion CD IN THIS APPENDIX: ÛÛ What you’ll find on the CD ÛÛ System requirements ÛÛ Using the CD ÛÛ Troubleshooting

What You’ll Find on the CD The following sections are arranged by category and provide a summary of the software and other goodies you’ll find on the CD. If you need help with installing the items provided on the CD, refer to the installation instructions in the section “Using the CD”later in this appendix. Some programs on the CD might fall into one of these categories: Shareware programs are fully functional, free, trial versions of copyrighted programs. If you like particular programs, register with their authors for a nominal fee and receive licenses, enhanced versions, and technical support. Freeware programs are free, copyrighted games, applications, and utilities. You can copy them to as many computers as you like—for free—but they offer no technical support. GNU software is governed by its own license, which is included inside the folder of the GNU software. There are no restrictions on distribution of GNU software. See the GNU license at the root of the CD for more details. Trial, demo, or evaluation versions of software are usually limited either by time or functionality (such as not letting you save a project after you create it).

Sybex Test Engine For Windows The CD contains the Sybex Test Engine, which includes all of the assessment test and chapter review questions in electronic format as well as two bonus exams located only on the CD.

PDF of the Book For Windows We have included an electronic version of the text in PDF format. You can view the electronic version of the book with Adobe Reader.

Using the CD

519

Adobe Reader For Windows We’ve also included a copy of Adobe Reader so you can view PDF files of the book’s content. For more information on Adobe Reader or to check for a newer version, visit Adobe’s website at http://www.adobe.com/products/reader/.

Electronic Flashcards For PC, Pocket PC, and Palm These handy electronic flashcards are just what their name implies. One side contains a question or fill in the blank, and the other side shows the answer.

System Requirements Make sure your computer meets the minimum system requirements shown in the following list. If your computer doesn’t match up to most of these requirements, you may have problems using the software and files on the companion CD. For the latest and greatest information, please refer to the ReadMe file located at the root of the CD-ROM. NÛ

A PC running Microsoft Windows 98, Windows 2000, Windows NT4 (with SP4 or later), Windows Me, Windows XP, or Windows Vista.

NÛ

An Internet connection

NÛ

A CD-ROM drive

Using the CD To install the items from the CD to your hard drive, follow these steps. 1.

Insert the CD into your computer’s CD-ROM drive. The license agreement appears.

Windows users: The interface won’t launch if you have autorun disabled. In that case, click Start  Run (for Windows Vista, Start  All Programs  Accessories  Run). In the dialog box that appears, type D:\Start.exe. (Replace D with the proper letter if your CD drive uses a different letter. If you don’t know the letter, see how your CD drive is listed under My Computer.) Click OK.

520

2.

Appendix A

N

About the Companion CD

Read through the license agreement, and then click the Accept button if you want to use the CD.

The CD interface appears. The interface allows you to access the content with just one or two clicks.

Troubleshooting Wiley has attempted to provide programs that work on most computers with the minimum system requirements. Alas, your computer may differ, and some programs may not work properly for some reason. The two likeliest problems are that you don’t have enough memory (RAM) for the programs you want to use and you have other programs running that are affecting installation or running of a program. If you get an error message such as “Not enough memory” or “Setup cannot continue,” try one or more of the following suggestions and then try using the software again: Turn off any antivirus software running on your computer. Installation programs sometimes mimic virus activity and may make your computer incorrectly believe that it’s being infected by a virus. Close all running programs. The more programs you have running, the less memory is available to other programs. Installation programs typically update files and programs, so if you keep other programs running, installation may not work properly. Have your local computer store add more RAM to your computer. This is, admittedly, a drastic and somewhat expensive step. However, adding more memory can really help the speed of your computer and allow more programs to run at the same time.

Customer Care If you have trouble with the book’s companion CD-ROM, please call the Wiley Product Technical Support phone number at (800) 762-2974. Outside the United States, call +1(317) 572-3994. You can also contact Wiley Product Technical Support at http://sybex. custhelp.com. John Wiley & Sons will provide technical support only for installation and other general quality control items. For technical support on the applications themselves, consult the program’s vendor or author. To place additional orders or to request information about other Wiley products, please call (877) 762-2974.

Glossary

522

Glossary

A Active Directory Federated Services (AD FS) A Windows Server 2008 role that provides Web SSO technologies to authenticate a user to multiple web applications over the life of a single online session.

A Windows Server 2008 role that provides the ability to protect and control use of digital content.

Active Directory Rights Management Service (AD RMS)

Functionality provided by IIS 7.0 that allows administrators to manage a web server or website remotely.

Administrative Delegation

A Windows Server 2008 Media Services feature that reduces the time it takes between the time a media stream is accessed and the time that the media can be displayed in the viewer.

Advanced Fast Start

AppCmd.exe A command-line utility that is used to manage Internet Information Services (IIS) 7.0. ASP.NET

Microsoft’s server-based framework for running .NET code on web servers.

B A simple partitioning type used to create partitions, extended partitions, and logical drives.

Basic Disk

Best Practices Analyzer tool

A utility designed to discover and recommend changes to a

SharePoint server.

D Digital Rights Management (DRM)

A system that can provide copyright protection of

data that is distributed. Provides a way to separate and group nodes in an iSNS database into more easily managed groups; similar to how zoning works with Fibre Channel

discovery domain

Display Data Prioritization A Terminal Services feature that helps network utilization, prioritizing keyboard, display, and mouse data over other traffic. dynamic disk An advanced partitioning type used to create simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. Dynamic disks allow for advanced features.

Glossary

523

E A way of creating information so that it cannot be read if it is intercepted by an untrusted party.

encryption extranet

A network that is accessible to computers outside of the company.

F The process of moving active clustered resources from one cluster node to another cluster node.

failover

failover cluster fax routing

A cluster type that provides redundancy for applications and services.

A method used to determine who should be the recipient for an incoming fax.

Functionality provided by IIS 7.0 that allows specific options to be controlled by other administrators or by down-level configuration settings.

feature delegation

Fibre Channel A standard for sending SCSI commands at multi-gigabit speeds over either twisted pair or fiber-optic cable.

G GUID Partition Table (GPT) A method of creating a disk partition. A GPT disk can support volumes up to 18 exabytes and 128 partitions. As a result, GPT is recommended for disks larger than 2TB or disks used on Itanium-based computers.

H host bus adapter (HBA)

A network adapter that contains an iSCSI hardware initiator.

host headers A method for publishing multiple websites on a single IP address using the URL passed from the browser. Hyper-V integration components Software installed on a guest machine that optimizes the operating system functions to work with Hyper-V. hypervisor A virtualization interface that allows multiple operating systems to run on a single physical machine. In Windows Server 2008, the hypervisor is one of the main components of Hyper-V.

524

Glossary

I Internet SCSI (iSCSI) A protocol that allows an initiator to send SCSI (Small Computer System Interface) commands to storage devices over TCP/IP. This is used in storage area networks (SANs) as an alterative to Fibre Channel. Internet Storage Name Server (iSNS) A protocol used for automated discovery, management, and configuration of both iSCSI and Fibre Channel devices. This service allows devices to register themselves on the server.

An iSCSI client that sends and receives the iSCSI commands over the network. An initiator can be either software based (using installed software on a computer) or hardware based and be installed in dedicated hardware similar to a network adapter.

iSCSI initiator

A method of identifying targets and initiators on an iSCSI SAN, similar to a fully qualified domain name.

iSCSI Qualified Name (iqn) iSCSI target

Storage resource located on the iSCSI SAN.

L load balance Any method for evenly distributing processing or service requests across devices in a network. logical unit number (LUN)

An address that is assigned to a storage unit that is presented

to a host.

M A method of creating a disk partition. An MBR disk has a partition table that indicates where the partitions are located on the disk drive. With this particular partition style, only volumes up to two terabytes and four primary partitions or three primary partitions and one extended partition that can be divided into unlimited logical drives.

Master Boot Record (MBR)

mean time between failures [MTBF]

A calculation of the average time a component or

system will fail. mirrored volume

A fault-tolerant storage unit that duplicates data onto two physical disks.

modules Discrete components that provide specific functionality in Internet Information Services (IIS) 7.0.

A directory that allows a volume to be configured for access from within a directory on another existing disk.

mount point

Glossary

525

A method of delivering content in which a single data stream is transmitted from a media server to multiple clients.

multicast

Multipath I/O (MPIO) A method for using multiple physical paths to storage such as in a storage area network (SAN) and providing fault tolerance and increased performance.

N Network Attached Storage (NAS) A type of storage that uses network file sharing protocols like Common Internet File System (CIFS) or Network File System (NFS) to provide access to storage.

A shared nothing cluster type that provides redundancy and scalability for network-based services.

Network Load Balancing (NLB) node

A server that participates in a cluster and can host clustered resources.

P port rule In a network load-balanced cluster, a port rule defines how specific TCP or UDP ports that will be handled.

Q quota template

A predefined set of quotas to apply to a Windows SharePoint Services

website.

R A fault-tolerant storage unit that stripes data and parity for the data across three or more disks.

RAID-5 volume

A disaster recovery term that defines the amount of data that can be lost when a disaster occurs. recovery point objective (RPO)

A disaster recovery term that defines the amount of time before a recovery must be complete.

recovery time objective (RTO) relay

Sending email to a server so that it will forward it to another server for delivery.

Remote Desktop Connection (RDC)

Services computer.

Client software used to connect to a Terminal

526

Glossary

Remote Desktop Protocol (RDP) resource

The TCP/IP protocol used to provide Terminal Services.

A building block of a clustered application.

S Service Level Agreement (SLA) An agreement with a provider—whether it be an internal department or external service provider—that defines services and availability levels of a defined set of services.

A protocol for sending (or relaying) email to a server. A TCP/IP-based protocol for sending (or relaying) e-mail to a server.

Simple Mail Transfer Protocol (SMTP)

A storage unit that uses space from a single disk, either in contiguous or noncontiguous space.

simple volume smart host

A server that is configured on an SMTP virtual server to accept all email.

spanned volume

A storage unit that is created from multiple disks (up to a maximum

of 32 disks). Storage Explorer A management utility used by administrators to view and manage Fibre Channel and iSCSI fabrics available in the environment. The Storage Explorer interface provides a tree-structured view of the components by using APIs to collect data about the storage devices. Storage Manger for SANs (SMfS) Utility that is used to create and manage logical unit numbers (LUNs) on both Fibre Channel and iSCSI storage arrays that support Virtual Disk Service (VDS). streaming media

Digital media that can be accessed while continuously being delivered

across a network. striped volume A storage unit that is created from two or more disks. Data is allocated alternately and evenly across each of the volumes.

T A component of Windows Server that allows users to access applications and data remotely.

Terminal Services

Terminal Services client access licenses (TS CALs)

device or user to connect to a terminal server.

Licenses that are required for each

Glossary

527

TS Easy Print A Terminal Server feature that allows proxying of print jobs from the terminal server to local client drivers, removing the need to install drivers on the terminal server. TS Gateway A Windows Server 2008 role service that encapsulates Remote Desktop Protocol (RDP) traffic over HTTPS.

A Windows Server 2008 role service that manages the Terminal Services client access licenses.

TS license server

TS RemoteApp A mode of Terminal Services in Windows Server 2008 where a session can connect to a specific application, making the remote applications appear to run locally to the client.

A Windows Server 2008 role service that supports session load balancing between terminal servers and reconnection to an existing session.

TS Session Broker

A role service for Terminal Services that makes TS RemoteApp programs and remote desktop connections available from a Web browser.

TS Web Access

U A method of delivering content across a network that is used by media servers for providing content to connected clients. Each client receives a discrete stream, and no other client has access to that stream.

unicast

Uniform Resource Locator (URL)

A standard way to identify a resource on the Internet.

V Virtual Disk Service (VDS) A set of application programming interfaces (APIs) created by Microsoft to simplify management and configuration of storage devices.

A method for abstracting physical resources from the way they interact with other resources. Virtualization also makes a single physical resource to function as multiple resources, for example a single physical process can be shared among a number of virtualized computers.

virtualization

VMBus The virtual machine bus used to handle high-speed requests from hypervisor-aware guest operating systems to the physical device in the parent partition. volume set

A collection of drives that can be combined to form a single volume.

528

Glossary

W A software application, executed by a web server that responds to dynamic web page requests over HTTP.

web application

A module that can be added to a Windows SharePoint Services website to increase functionality.

web parts

A system that consists of an agent installed on web servers and an authentication directory to provide a way for users to not be required to log in with multiple sets of credentials.

Web Single Sign On (Web SSO)

A method of identifying components on a Fibre Channel SAN, similar to how a MAC address works on an Ethernet network.

World Wide Name (WWN)

Index Note to the Reader: Page numbers in bold indicate the principle discussion of a topic or the definition of a term. Page numbers in italic indicate illustrations.

A access control applications, 209–210 SMTP server access settings, 169–171 WSS end users, 292–294 access logs, 193–195 formats, 195 overview of, 193–194 per-site and per-server, 194 rollover criteria, 194 ACLs (Access control Lists) creating, 248–249 enabling ACL authorization, 247 activation. See WPA (Windows Product Activation) Active Directory Certificate Services (AD CS), 202 Active Directory Federation Services (ADFS) configuring Web SSO, 300–304 Web SSO, 296 Active Directory Rights Management Service. See AD RMS (Active Directory Rights Management Service) AD (Active Directory), WDS server as member of AD domain, 366 AD Client Certificate Authentication client certificate mapping, 211 types of website authentication, 207 AD CS (Active Directory Certificate Services), 202 AD RMS (Active Directory Rights Management Service) business rules, 252–253 license required by, 253

overview of, 251–252 policy templates, 256–259 user exclusions, 253–254 Add Counters dialog box, 497 Add Features Wizard, 17–18 Add Node Wizard, 423 Add Roles Wizard, 319 ADFS (Active Directory Federation Services) configuring Web SSO, 300–304 Web SSO, 296 Admin logs, 469 admin switch, mstc.exe, 123–124 Administrative Events custom view, 472–473 administrative notices, WSS e-mail settings, 273 administrators event logs and, 472 WDS and, 366 advanced delivery options, SMTP messages, 174–175 advanced streaming options, streaming media, 240 agent properties, SNMP, 501–502 alerts, WSS outgoing e-mail settings, 273 alternate access mapping, WSS, 287–289 American National Standards Institute (ANSI), 195 Analytics logs, 469 Anonymous authentication creating Anonymous account, 245–246 types of website authentication, 207 ANSI (American National Standards Institute), 195 antivirus settings, WSS, 281–282

530

AppCmd.exe – business rules

AppCmd.exe configuring IIS settings, 186 listing and restoring backups, 196–197 listing configured websites, 186–187 objects available for administration by, 187–188 application and services logs, Event Viewer, 469 application logs, 469 application pools, 161–163 application settings, failover clustering, 426–428 application virtualization, 315 applicationHost.config, 160 applications access control, 209–210 DRM exclusions, 255–256 monitoring failures, 465–466 architecture, Hyper-V, 316–317 archiving, fax services and, 230 ASP trace content options, 190 trace provider options, 192 ASP.NET configuration settings, 149 trace content options, 190 trace provider options, 192 WSS supported authentication, 296 ASP.NET Impersonation, 208 authentication media services, 245–246 non-windows, 165 SMTP, 169–170, 174 Terminal Services, 54–55, 129–130 Web SSO (Web Single Sign On), 301–304 website, 207–209 authentication, WSS Digest authentication, 297–300 overview of, 295–296 supported methods, 296

authorization application access and, 209–210 FTP, 165–166 media services, 246–249 TS CAPs (Terminal Services Connection Authorization Policies), 77–80 TS RAPs (Terminal Services Resource Authorization Policies), 80–82 automatic reconnection, Terminal Services, 125 availability, 463–464. See also high availability

B backups, 195–197 history settings, 195–196 listing and restoring with AppCmd.exe, 196–197 manual, 196 overview of, 195 virtual machine snapshots. See snapshots, of virtual machines bandwidth Display Data Prioritization and, 46–47 website settings, 158 Basic authentication SMTP, 174 types of website authentication, 208 basic disks actions performed on, 5 converting to dynamic, 6–8 Basic Input/Output System (BIOS), 342 Best Practices Analyzer tool, 282 BIOS (Basic Input/Output System), 342 block-level access, iSCSI, 19 Boot image, WDS image types, 366 broadcast publishing creating Broadcast Publishing Point, 235–237 for streaming media, 233–234 business rules, DRM, 252–253

caching – console switch

C caching, fast, 240–241 CAs (Certificate Authorities) obtaining/installing certificates for TS Gateways, 74–75 SSL and, 201–202 CEIP (Customer Experience Improvement Program), 278 Central Administration site, WSS configuring diagnostic logging, 280–281 configuring incoming e-mail settings, 272–273 configuring outgoing e-mail settings, 275–276 configuring WSS, 269–270 workflow options, 277 Certificate Authorities (CAs) obtaining/installing certificates for TS Gateways, 74–75 SSL and, 201–202 certificates, SSL client certificate mapping, 211 exporting/importing, 206–207 requesting/renewing, 202–205 CHAP (Challenge Handshake Authentication Protocol), 19 ClearType, 46 client access licenses. See TS CALs (client access licenses) clients configuring client for TS Gateway, 82–83 enabling font smoothing on, 45–46 mapping client certificates, 211 media services connection settings, 244–245 WDS client components, 365 Client-Server Runtime Subsystem (csrss.exe), 124 cloning hard disks, 332–334

531

clustering failover. See failover clustering NLB. See NLB (Network Load Balancing) pros/cons, 411 types of, 410 clusters, failover clustered application settings, 426–428 creating, 421–423 print services, 424–426 quorums, 414–416 roles, 424 validating configuration, 416–417 working with cluster nodes, 423–424 clusters, NLB creating, 89–90, 435–437 managing, 438–439 modifying properties, 437–438 color depth, Terminal Services settings, 127 COM ports, virtual machine configuration, 343 comma-delimited files (CSV), 120 communication services digital rights. See DRM (Digital Rights Management) exam essentials, 260 fax services. See fax services media servers. See media services overview of, 219–220 Q&As, 261–265 summary, 260 computer accounts connection authorization, 78–79 resource authorization, 81 condition options, trace logs, 191 configuration backup settings, 195–197 Configuration Wizard, 306–311 connections authorization policies, 77–80 timeout settings for websites, 158 console switch, mstc.exe, 124

532

content – dialing rules

content adding to WSS sites, 295 publishing options for streaming media, 232–235 trace logs, 190 copyrights, 250 counters, Performance Monitor adding, 495–497 recommended system counter thresholds, 498 CPUs Hyper-V hardware requirements, 319 Performance Monitor counters for, 498 resource allocation for Terminal Services, 138 SMP (Symmetric Multiprocessors), 315 virtual machine configuration, 342 Create Capture Image Wizard, 377 Create Task dialog, 480–481 credentials, WDS, 366 csrss.exe (Client-Server Runtime Subsystem), 124 CSV (comma-delimited files), 120 Customer Experience Improvement Program (CEIP), 278

D data collection, Reliability Monitor, 462 Data Collector Sets. See DCS (Data Collector Sets) data management settings, DCS (Data Collector Sets), 454–456 Data Manager, Windows Reliability and Performance Monitor, 451, 454–456 DCS (Data Collector Sets) creating automatically, 447–449 creating from a template, 449 creating manually, 450–451 data management, 454–456 log management, 453

“Log On as a Batch Job” user right, 446–447 overview of, 446 start condition, 451–452 stop condition, 453 DDNS (dynamic DNS), 386 Debug logs, 469 delegation of administration, 197–201 Feature delegation, 199–201 overview of, 197–198 remote administration permissions, 198–199 delivery options, SMTP messages, 172–173 dependency viewer, 429 overview of, 428 running, 429 deploying images, WDS, 365–367 deploying Server Core, 380–381 deploying servers. See WDS (Windows Deployment Services) deploying TS RemoteApps, 67 Deployment Server, WDS, 369 Deployment Services. See WDS (Windows Deployment Services) Desktop Composition making available on Vista client, 50–51 overview of, 50 Desktop Experience Desktop Composition, 50–51 overview of, 48–49 Themes, 49–50 desktop virtualization, 315 device redirection, 51–53 overview of, 51 Plug and Play and, 51–53 POS (Point of Service) and, 53 DHCP (Dynamic Host Configuration Protocol), 366, 372 diagnostic logging, WSS, 278–281 dialing rules, fax services, 225–226

differencing virtual hard disks – dynamic disks

differencing virtual hard disks creating, 331–332 description and use of, 330 Digest authentication configuring, 297–300 overview of, 297 types of website authentication, 208 digital certificates. See also certificates, SSL mapping certificate to TS Gateway server, 75–76 obtaining/installing certificate for TS Gateway, 74–75 Digital Rights Management. See DRM (Digital Rights Management) digital signatures, 134–135 Directory Management Service, WSS e-mail, 271 disaster recovery (DR), 408 disconnect options, Terminal Service, 127 Discovery Domains, 25–26 discovery scopes, TS Licensing servers, 101–102 disk drives converting basic disks to dynamic, 6–8 initializing, 3 Performance Monitor counters, 498 virtual hard disks. See virtual hard disks virtual machine configuration, 342 Disk Management converting basic disks to dynamic, 6–8 creating mount points, 16 creating volume sets, 9–11 initializing disks and, 3 disk storage. See storage management DiskPart utility, 29 DiskRAID, 29 Display Data Prioritization, 46–47 displays, resolution options, 43–44 DNS (Domain Name System) KMS hosts and, 386–392 reverse lookup, 175

TS Session Broker Load Balancing and, 88–89 WDS reliance on, 366 domain controllers, deploying with IFM, 394 Domain Name System. See DNS (Domain Name System) Domain scope, TS Licensing discovery, 101–102 domains configuring for routing SMTP mail, 177 FTP server and domain restrictions, 166–167 DR (disaster recovery), 408 drive letters assigning, 10 mount points for overcoming limitations of, 15 Drive Specific Module (DSM) installing third-party DSM software, 18–19 load balancing and, 17 DRM (Digital Rights Management), 249–259 application exclusions, 255–256 business rules, 252–253 controversy regarding, 250 document protection, 252 encryption, 251 licensed-based delivery, 253 overview of, 249–251 policy templates, 256–259 user exclusions, 253–254 DSM (Drive Specific Module) installing third-party DSM software, 18–19 load balancing and, 17 DVD drives, virtual machine configuration, 342 dynamic disks actions performed on, 6 converting basic disks to, 6–8

533

534

dynamic DNS (DDNS) – Fast Start

dynamic DNS (DDNS), 386 Dynamic Host Configuration Protocol (DHCP), 366, 372 Dynamic Least Queue, 17 dynamically expanding hard disks, 329

E Easy Print, Terminal Services, 53 e-mail, SMTP. See SMTP (Simple Mail Transfer Protcol) e-mail, WSS benefits of, 274 incoming, 270–273 outgoing, 273–275 outgoing e-mail settings for specific web application, 275–276 encryption DRM (Digital Rights Management), 251 TLS (Transport Layer Security), 169–170 end user access, WSS, 292–294 Equal_Per_Session, CPU allocation, 138 Equal_Per_User, CPU allocation, 138 error reporting, WSS diagnostic logging, 278 event logs configuring computers to forward and collect events, 470–472 custom views, 474–475 filters, 473–474 monitoring servers with Event Viewer, 467–468 TS Gateway for specifying, 135–137 wevtutil.exe for managing, 469–470 WSS diagnostic logging, 278–279 event throttling, WSS diagnostic logging settings, 278 Event to Trap Translator, SNMP, 507

Event Viewer application and services logs, 469 custom views for reading events, 472–475 log subcategories, 470 monitoring servers, 467–468 Task Scheduler integrated with, 488–489 Windows logs, 469 exclusion policies application exclusions, 255–256 user exclusions, 253–254 explorer.exe (Windows shell), 124 external virtual network, 326 extranet users, FTP server configured for, 165–166

F failback, 17 failover clustering, 411–433 cluster quorums, 414–416 cluster roles, services, and applications, 424 clustered application settings, 426–428 clustering print services, 424–426 creating clusters, 421–423 dependency viewer and, 429 installing Failover Cluster feature, 417 overview of, 411–412 requirements for, 413–414 resource properties, 430–432 Validate a Configuration Wizard, 417–421 validating cluster configuration, 416–417 working with cluster nodes, 423–424 failovers, 17 Fast Cache, 240–241 Fast Reconnect, 243 Fast Recovery, 243 Fast Start, 241–242

fast streaming – hardware

fast streaming, 240 fault tolerance, NLB and, 433 Fax Service Manager, 221 fax services, 220–229 dialing rules, 225–226 installing Windows Fax and Scan role, 221–222 overview of, 220–221 properties, 223–225 receive configuration, 222–223 routing options, 227–230 FEC (forward error correction), 243–244 Fibre Channel storage devices, 27 Storage Explorer and, 32 File services, clustering and, 411 File Transfer Protocol. See FTP (File Transfer Protocol) filters event log, 473–474 NLB (Network Load Balancing), 437–438 fixed size virtual hard disks creating and migrating physical disk to it, 332–334 description and use of, 329 Folder view, Performance Monitor, 456, 458 font smoothing, 45–46 Forest scope, TS Licensing discovery, 101–102 Forms authentication ASP.NET, 296 types of website authentication, 208 forward error correction (FEC), 243–244 forwarded event logs, 469 FQDNs (Fully Qualified Domain Names), 175 FTP (File Transfer Protocol), 164–167 configuration settings, 149 extranet users, 165–166 IPv4 and domain restrictions, 166–167

535

overview of, 164–165 permissions, 165 FTPS (Secure FTP), 165 Fully Qualified Domain Names (FQDNs), 175

G global deployment settings, TS RemoteApp digital signatures, 134–135 overview of, 130 RDC (Remote Desktop Connection), 133–134 Terminal server settings, 130–132 TS Gateway, 132–133 GPOs (Group Policy Objects). See Group Policy GPT (GUID Partition Table), 3 graphs, Performance Monitor, 499 Group Policy configuring server discovery mode, 117 configuring TS licensing mode, 116 Terminal Services settings, 125–130 Group Policy Objects (GPOs). See Group Policy groups connection authorization policies, 78–79 FTP authorization rules, 165–166 GUID Partition Table (GPT), 3

H hard disks Performance Monitor counters, 498 virtual. See virtual hard disks virtual machine configuration, 342 hardware adding devices to virtual machines, 342 monitoring failures, 466

536

hardware architecture – hypervisor layer

hardware architecture, Hyper-V, 316 hardware requirements failover clustering, 413 Hyper-V, 318–319 NLB (Network Load Balancing) and, 434 HBA (host bus adapter) Fibre Channel, 27 iSCSI and, 19–20 high availability, 407–446 achieving, 409–411 components of, 408–409 exam essentials, 440 with failover clustering. See failover clustering with Network Load Balancing. See NLB (Network Load Balancing) overview of, 407–408 performance and reliability and, 444 Q&As, 441–446 Quick Migration and, 354 summary, 439 home directory, Terminal Services, 127 hop count, advanced delivery options, 174 host bus adapter (HBA) Fibre Channel, 27 iSCSI and, 19–20 host headers, website, 154–155 HTTP (Hypertext Transfer Protocol), 152 HTTP Redirection module, 156–158 HTTPS (Secure HTTP), 152, 154 Hyper-V adding physical (pass-through) disk to virtual machine, 335–336 applying snapshots, 354 architecture, 316–317 changing configuration of existing virtual machine, 342–345 configuring, 325–326 creating differencing virtual hard disks, 331–332

creating fixed size hard disk and migrating physical disk to it, 332–334 creating snapshots, 351–354 creating virtual machines, 338–342 deleting virtual machines, 343 exam essentials, 355–356 exporting/importing virtual machines, 347–350 hardware requirements, 318–319 Hyper-V Manager, 324–325 installing Integration Components, 345–347 installing on Server Core, 322–323 installing on Windows Server 2008, 320–322 integration with Server Manager, 323 key features, 315–316 managing virtual hard disks, 336–337 managing virtual networks, 326–328 OSs supported, 316 overview of, 314 Q&As, 357–362 Quick Migration, 354–355 software requirements, 319 summary, 355 types of virtual hard disks, 329–330 Virtual Machine Connection, 343–345 virtual machines and, 337 virtualization defined, 314–315 Hyper-V Manager configuring Hyper V, 325–326 creating snapshots, 351–354 creating virtual machines, 338–342 installing Integration Components, 346–347 managing virtual hard disks, 336–337 overview of, 324–325 Revert option, 353 Virtual Machine Connection, 344 hypervisor layer, Hyper-V architecture, 317

IDE controllers – keyboard

I IDE controllers, virtual machine configuration, 342 IFM (Install from Media), 394–396 creating, 395–396 overview of, 394 IGMP (Internet Group Management Protocol), 435 IIS (Internet Information Services). See also Web services infrastructure AppCmd.exe for configuring, 186 configuration settings, 149 configuring WSS e-mail, 270 FTP server features, 165–166 installing, 150–152 integration with .NET Framework, 148 Shared Configuration, 164 SMTP servers and, 167 web applications, 148–149 IIS Management Service, 197–198 IIS modules, installing, 156–158 images, WDS. See system images, WDS incoming e-mail settings, WSS, 270–273 incoming fax, routing, 227–228 inheritance, delegation of administration and, 200 in-place upgrade, WSS 2.0 to 3.0, 285 Install from Media. See IFM (Install from Media) Install image, WDS, 366 Integrated Windows Authentication, 169, 174 Integration Components Hyper-V, 345–347 virtual machine configuration, 343 intelligent streaming, 240 internal virtual network creating, 328 overview of, 326 Internet Group Management Protocol (IGMP), 435

537

Internet Information Services. See IIS (Internet Information Services) Internet Information Services (IIS) Manager application pool configuration, 161–163 certificate request by, 202–205 creating website using host headers, 155 creating websites, 153–154 .NET trust level configuration, 160 Internet Small Computer System Interface. See iSCSI (Internet Small Computer System Interface) Internet Storage Naming Service. See iSNS (Internet Storage Naming Service) IP address redirection, 129 IP addresses, allowing/denying, 247–248 IP Security (IPSec), 19 IPSec (IP Security), 19 IPv4, FTP server and, 166–167 IPv6, NLB support for, 433 iSCSI (Internet Small Computer System Interface) configuring storage connections, 20–23 initiating sessions, 19–20 Storage Explorer and, 32 iSCSI Initiator, 20–23 iscsicli command, 23 iSNS (Internet Storage Naming Service), 23–27 installing, 24–27 overview of, 23

K keep-alive connection interval, Terminal Services, 125 Key Management Services. See KMS (Key Management Services) keyboard, Hyper-V settings, 326

538

KMS (Key Management Services) – media services

KMS (Key Management Services) configuring, 385–386 creating KMS SVR record, 392–393 DNS permissions, 387–389 installing KMS host, 384–385 prerequisites for, 382–383 product activation and, 382 publishing in multiple domains, 389–392

L LCD monitors, font smoothing and, 45–46 LDAP (Lightweight Directory Access Protocol), 175–177 licensed-based delivery, DRM, 253 licensing, Terminal Services. See TS Licensing Licensing Diagnosis tool, Terminal Services, 121–123 licensing mode, Terminal Services, 114–116 Lightweight Directory Access Protocol (LDAP), 175–177 Linux servers Hyper-V Integration Component and, 346 Hyper-V support for, 316 load balancing. See also NLB (Network Load Balancing); TS Session Broker configuring DNS for TS Session Load Balancing, 88–89 Group Policy settings for Terminal Services, 129 policies, 17 Local Security Authority Subsystem (lsass.exe), 124 Local Session Manager (lsm.exe), 124 “Log On as a Batch Job” user right, 446–447

logical unit numbers (LUN) Fibre Channel, 27 SMfS for managing, 29 Logon User Interface Host (logonui.exe), 125 logs access logs, 193–195 diagnostic logging in WSS, 278–281 managing DCS logs, 453–456 Performance Monitor, 456–459 reviewing log files during WSS upgrade, 284 trace logs. See trace logs TS Gateway for specifying event logs, 135–137 lsass.exe (Local Security Authority Subsystem), 124 lsm.exe (Local Session Manager), 124 LUN (logical unit numbers) Fibre Channel, 27 SMfS for managing, 29

M MAC (media access control) addresses, 433, 435 management tools, WDS, 365 mandatory profiles, Terminal Service, 128 Master Boot Record (MBR), 3 MBR (Master Boot Record), 3 mean time between failure (MTBF), SLAs and, 409 mean time to recover (MTTR), SLAs and, 409 media access control (MAC) addresses, 433, 435 media services, 229–249 advanced streaming options, 240 authentication settings, 245–246 authorization settings, 246–249 client connection settings, 244–245

memory – network connections

content publishing options, 232–235 creating broadcast publishing point, 235–237 Fast Caching, 240–241 Fast Recovery and Fast Reconnect, 243 Fast Start, 241–242 features, 230–231 FEC (forward error correction), 243–244 installation requirements, 232 multicast streams, 237–239 streaming options, 232 Windows media services, 229–230 memory, virtual machine configuration, 342 memory counters, Performance Monitor, 498 message size, SMTP servers, 171–172 message transport agents (MTA), 168 Microsoft.NET Framework. See .NET Framework migration content to WSS sites, 295 Hyper-V Quick Migration feature, 316, 354–355 mirrored volumes creating RAID sets, 13–15 overview of, 9 monitor spanning, RDC, 44 monitoring performance access logs, 193–195 data collector sets. See DCS (Data Collector Sets) logging events. See event logs Q&As, 509–515 scheduling tasks. See Task Scheduler SNMP (Simple Management Protocol). See SNMP (Simple Management Protocol) summary, 507–508 trace logs, 188–193

Windows Reliability and Performance Monitor. See Windows Reliability and Performance Monitor mount points creating, 16 overview of, 15 MP3s, file sharing controversy, 250 MPIO (Multipath I/O) installing, 17–18 load balancing and, 17 MSI (Windows Installer files), 63–65 mstc.exe, 123–124 MTA (message transport agents), 168 MTBF (mean time between failure), SLAs and, 409 MTTR (mean time to recover), SLAs and, 409 multicast addresses, WDS servers, 372 multicast streams configuring, 237–239 overview of, 234–235 Multipath I/O (MPIO) installing, 17–18 load balancing and, 17

N NAS (Network Attached Storage), 28 .NET Device Redirection, 53 .NET Framework application pools and, 161 components, 160 configuration settings, 149 IIS integration with, 148 trust levels, 160–161 network adapters failover clustering and, 414 virtual machine configuration, 342 Network Attached Storage (NAS), 28 network connections, for failover clusters, 413

539

540

Network Load Balancing – ports

Network Load Balancing. See NLB (Network Load Balancing) Network Load Balancing Manager, 435 network settings, WDS servers, 372, 374 NLB (Network Load Balancing) creating clusters, 89–90, 435–437 how it works, 433–434 Hyper-V support for, 315 installing, 89–90 managing clusters, 438–439 modifying cluster properties, 437–438 overview of, 433 requirements for, 434–435 web farms and, 164 nlb.exe, 438–439 No Majority:Disk Only, cluster quorums, 414, 416 Node and Disk Majority, cluster quorums, 414–415 Node and File Share Majority, cluster quorums, 414, 416 Node Majority, cluster quorums, 414–415 Not Delegated permission, delegation of administration, 200 notifications, WSS outgoing e-mail settings, 273 ntdsutil utility, 394 NTFS filesystem, WDS and, 366

O on-demand publishing, streaming media, 233–234 operating systems (OSs) font smoothing support, 45 Hyper-V supported, 316 operational logs, 470 OSs (operating systems) font smoothing support, 45 Hyper-V supported, 316 outbound connections, SMTP server, 174 outbound security, SMTP server, 173–174 outgoing e-mail settings, WSS, 273–275

P pass-through (physical) virtual hard disks adding to virtual machine, 332–334 description and use of, 330 pass-through hard disk. See physical (passthrough) virtual hard disks Per Device CALs. See TS Per Device CALs (client access licenses) Per User CALs. See TS Per User CALs (client access licenses) Performance Monitor adding counters, 495–497 creating a Data Collector Set, 447–449 graph options, 499 loading log data, 458–459 logs, 456–458 monitoring specific system activity, 495 navigating log view, 459 recommended system counter thresholds, 498 viewing system availability, 463–464 Performance Monitor view, 456–457 performance optimization, Best Practices Analyzer tool, 282 permissions FTP server, 165 remote administration, 198–199 physical (pass-through) virtual hard disks adding to virtual machine, 332–334 description and use of, 330 PKI (Public Key Infrastructure), 201 Plug and Play devices, 51–53 Point of Service (POS), 53 policies load balancing, 17 resource policies, 430–432 policy templates, DRM, 256–259 port rules, NLB, 434 ports HTTP (80), 152 HTTPS (443), 152 resource authorization policies, 82

POS (Point of Service) – redirection

POS (Point of Service), 53 presentation virtualization, 315 Print services clustering, 424–426 clustering and, 411 TS Easy Print, 53 private keys, SSL certificates, 201–202 private networks, failover clustering, 413 private virtual machine network, 327 processor counters, Performance Monitor, 498 processors. See CPUs properties fax services, 223–225 SMTP virtual server, 168–169 WDS server, 372–374 Public Key Infrastructure (PKI), 201 public keys, SSL certificates, 201–202 public networks, failover clustering, 413 publishing points, steaming media enabling FEC on, 243 types of, 233 PXE, WDS servers, 370–372

Q Quick Migration, Hyper-V, 316, 354–355 quota templates, WSS, 290–291

R RAC (Reliability Analysis Component), 462 RAID (Redundant Array of Independent Disks) comparing RAID levels, 12 creating RAID sets, 13–15 high availability and, 410 types of, 11–12 RAID-0 (disk striping), 11 RAID-1 (disk mirroring), 12 RAID-5 (disk striping with parity), 12

541

RDC (Remote Desktop Connection) ClearType settings, 46 client software, 42 Desktop Composition, 50–51 device redirection, 51–53 Display Data Prioritization, 46–47 display resolution options, 43–44 font smoothing, 45–46 improvements to desktop experience, 48–49 monitor spanning, 44 overview of, 43 SSO (Single Sign-On), 54–55 Themes, 49–50 TS Easy Print, 53 RDC switch, mstc.exe, 123 RDP (Remote Desktop Protocol) custom display resolutions, 44 digital signatures, 134–135 distributing RDP files, 67 exporting TS RemoteApp program, 65 global deployment settings, 133–134 monitor spanning, 44 packaging TS RemoteApp program, 63 RDC (Remote Desktop Connection) and, 42–43 RDP-TCP properties, 54 TS Gateway encapsulating RDP traffic, 72 Read Only permissions, delegation of administration, 200 read-only domain controllers (RODCs), 394 Read/Write permissions, delegation of administration, 199–200 receive configuration, fax services, 222–223 recovery point objective (RPO), 408–409 recovery time objective (RTO), 408–409 redirection configuring, 156 Terminal Services settings, 129 redirection, device. See device redirection

542

Redundant Array of Independent Disks – SCSI controllers

Redundant Array of Independent Disks. See RAID (Redundant Array of Independent Disks) redundant systems, 410. See also high availability relaying, SMTP messages, 171 release key, Hyper-V settings, 326 Reliability Analysis Component (RAC), 462 Reliability Monitor features, 462–463 overview of, 461–462 viewing system stability with, 463–464 remote administration creating/managing tasks, 485–487 of licensing servers, 123–125 permissions, 198–199 Remote Desktop Connection. See RDC (Remote Desktop Connection) Remote Installation Services (RIS), 364 remote sessions, Terminal Services settings, 126 RemoteApp. See TS RemoteApps Report view, Performance Monitor, 456 reports, Windows Reliability and Performance Monitor, 459 resolution options, displays, 43–44 resource allocation, Terminal Services. See WSRM (Windows System Resource Manager) Resource Monitor monitoring general system activity, 491–494 overview of, 490 resources authorization policies, 80–82 failover clustering, 430–432 restores, 196–197. See also backups restores, virtual machines. See snapshots, of virtual machines reverse lookup, DNS, 175 Revert option, Hyper-V Manager, 353 RIS (Remote Installation Services), 364

RODCs (read-only domain controllers), 394 role server installation AD RMS (Active Directory Rights Management Service), 251–252 Authentication, 208–209 Hyper-V, 320–322 IIS 7.0, 150–152 IIS Management Service, 197–198 Terminal Services, 56–60 Tracing, 188 TS Gateway, 72–74 TS Licensing, 102–105 TS Session Broker, 85–86 TS Web Access, 67–71 URL Authorization, 209 Windows Deployment Services, 367–369 Windows Fax and Scan, 221 round robin, 17 routing options, fax services, 227–230 adding routing rules, 228–229 archiving and, 230 incoming faxes, 227–228 RPO (recovery point objective), 408–409 RTO (recovery time objective), 408–409

S SANs (Storage Area Networks) managing, 28 SMfS (Storage Manager for SANs), 29–32 scalability, NLB, 433 scanning, for viruses, 281–282 scheduling tasks. See Task Scheduler Schtasks.exe creating task, 481 managing tasks, 487–488 managing tasks remotely, 487 scripting, Hyper-V, 316 SCSI controllers, virtual machine configuration, 342

Secure FTP (FTPS) – Simple Mail Transfer Protocol

Secure FTP (FTPS), 165 Secure Sockets Layer. See SSL (Secure Sockets Layer) security logs, 469 SMTP, 173–174 SNMP, 504–505 Task Scheduler improvements, 477 Windows Media Server, 245 server components, WDS, 365 Server Core Hyper-V installation on, 322–323 installing, 381 overview of, 380 server deployment. See WDS (Windows Deployment Services) server discovery mode, TS Licensing, 116–117 Server Manager Add Roles Wizard, 319 allowing/denying IP addresses, 247–248 configuring client connection settings, 244–245 configuring fax device properties, 222–225 configuring fax routing, 227–229 configuring multicast streaming, 237–239 configuring SNMP agents, 502 configuring SNMP security, 504–505 configuring SNMP traps, 503–504 creating ACL list, 248–249 creating Anonymous account, 245–246 creating Broadcast Publishing Point, 235–237 enabling ACL authorization, 247 enabling Advanced Fast Start, 242 enabling FEC, 243 Hyper-V integration with, 323 installing Failover Cluster feature, 417 installing Hyper V, 320–322 installing IIS 7.0, 150–152

installing IIS modules, 156–158 installing SNMP Services, 500–501 installing Windows Deployment Services, 367–369 installing Windows Fax and Scan, 221–222 installing WSRM, 138–139 starting/stopping SNMP Service, 506 Server Performance Advisor (SPA), 451 server roles. See role server installation server virtualization, 315 servers enabling SSL on Web servers, 205–206 event logs for monitoring, 467–468 remote administration, 123–125 servers, Terminal Services activating TS Licensing, 107–110 adding to Session Directory Computer Local Group, 86–87 adding to TS Broker Farm, 87–88 discovery scopes for TS Licensing, 101–102 global deployment settings, 130–133 installing TS Licensing, 102–105 mapping certificates to TS Gateway, 75–76 Service Control Manager (services.exe), 124 Service Level Agreements (SLAs), 408–409 Service Location (SVR) record, 392–393 Session Directory Computer Local Group, 86–87 Session Manager (smss.exe), 124 session time limits, Terminal Service, 128–129 setup logs, 469 Shared Configuration, IIS 7.0, 164 SharePoint Services. See WSS (Windows SharePoint Services) Simple Mail Transfer Protocol. See SMTP (Simple Mail Transfer Protcol)

543

544

Simple Management Protocol – storage management

Simple Management Protocol. See SNMP (Simple Management Protocol) simple volumes, 8 Single Sign-On (SSO). See also Web SSO (Web Single Sign On) configuring on client computers, 55 for Terminal Services, 54–55 site content, WSS, 295 sites. See websites SLAs (Service Level Agreements), 408–409 smart hosts, advanced delivery options, 175 SMfS (Storage Manager for SANs), 29–32 installing, 30–31 overview of, 29–30 tasks performed with, 31–32 SMP (Symmetric Multiprocessors), 315 smss.exe (Session Manager), 124 SMTP (Simple Mail Transfer Protocol), 167–177 access settings, 169–171 advanced delivery options, 174–175 configuring WSS e-mail and, 270 delivery options, 172–173 domain configuration, 177 LDAP routing, 175–177 message size and transfer limits, 171–172 outbound connections, 174 outbound security, 173–174 overview of, 166–167 virtual server general properties, 168–169 snapshots, of virtual machines applying, 354 creating, 351–354 exporting/importing virtual machines and, 349 file location, 343 overview of, 316 SNMP (Simple Management Protocol) configuring agent properties, 501–502

configuring Event to Trap Translator, 507 configuring security settings, 504–505 configuring traps, 503–504 installing SNMP Services, 500–501 overview of, 500 starting/stopping SNMP Service, 506 software install/uninstall, monitoring, 465 software requirements, Hyper-V, 319 SPA (Server Performance Advisor), 451 spanned volumes, 8 SQL Server, failover clustering, 411–412 SSL (Secure Sockets Layer) digital signatures and, 134–135 enabling on websites, 205–206 exporting/importing certificates, 206–207 FTPS (Secure FTP) and, 165 overview of, 201–202 requesting/renewing certificates, 202–205 SSO (Single Sign-On) configuring on client computers, 55 for Terminal Services, 54–55 Stability Index, Reliability Monitor, 462 start condition, DCS (Data Collector Sets), 451–452 startup/shutdown, virtual machine configuration, 343 state options, virtual machines, 341–342 stop condition, DCS (Data Collector Sets), 453 Storage Area Networks (SANs) managing, 28 SMfS (Storage Manager for SANs), 29–32 Storage Explorer, 32–33 storage management basic disks, 5 configuring iSCSI storage connections, 20–23 converting basic disks to dynamic, 6–8 creating RAID sets, 13–15

Storage Manager for SANs – Terminal Services

creating volume sets, 9–11 dynamic disks, 6 exam essentials, 34 failover clustering, 413 Fibre Channel, 27 initialization disk drives, 2–5 initiating iSCSI sessions, 19–20 iSNS (Internet Storage Naming Service), 23–27 mount points and, 15–16 MPIO (Multipath I/O), 17–19 NAS (Network Attached Storage), 28 RAID (Redundant Array of Independent Disks), 11–12 review Q&As, 35–39 SANs (Storage Area Networks), 28 SMfS (Storage Manager for SANs), 29–32 Storage Explorer, 32–33 summary, 33 VDS (Virtual Disk Service), 28–29 volumes, 8–9 Storage Manager for SANs. See SMfS (Storage Manager for SANs) streaming media advanced streaming options, 240 content creation, 232–233 content publishing options, 232–235 creating Broadcast Publishing Point, 235–237 multicast streams, 237–239 overview of, 232 striped volumes, 8 SVR (Service Location) record, 392–393 Symmetric Multiprocessors (SMP), 315 system availability, 463–464. See also high availability system clock, monitoring changes to, 464–465 System Diagnostics report, 459–461 overview of, 459–460 viewing, 460–461

545

system images, WDS benefits of, 367 capturing with WDSUTIL, 379 capturing with Wizard, 376–378 creating, 375 deploying, 365–367 system logs, 469 system stability, 461 System Stability Chart, Reliability Monitor, 462 System Stability Report, Reliability Monitor, 462–463 System.applicationHost, IIS settings, 149 System.WebServer, IIS settings, 149

T Task Scheduler creating/managing tasks remotely, 485–487 displaying all running tasks, 482 exporting/importing tasks, 483–484 integration with Event Viewer, 488–489 managing tasks, 481–482 overview of, 475–477 scheduling tasks manually from command line, 481 scheduling tasks manually with Windows interface, 480–481 scheduling tasks with wizard, 477–478 triggers for tasks, 479–480 viewing task history, 484–485 templates, creating DCS from, 449 Terminal Services adding applications to TS Remote App program list, 60–62 adding servers to Session Directory Computer Local Group, 86–87 adding servers to TS Broker Farm, 87–88 ClearType settings, 46

546

Terminal Services client access licenses – triggers

configuring client for TS Gateway, 82–83 configuring DNS for TS Session Broker Load Balancing, 88–89 creating TS CAPs (Terminal Services Connection Authorization Policies), 77–80 creating TS RAPs (Terminal Services Resource Authorization Policies), 80–82 Desktop Composition, 50–51 Desktop Experience, 48–49 device redirection, 51–53 Display Data Prioritization, 46–47 display resolution options, 43–44 distributing TS RemoteApp applications, 67 Easy Print, 53 exam essentials, 92 exporting/importing TS RemoteApp programs and settings, 65–67 font smoothing, 45–46 Group Policy settings for, 125–130 installing Terminal Services role, 56–60 installing TS Gateway role, 72–74 installing TS Session Broker role, 85–86 installing TS Web Access role, 67–71 load balancing, 84 mapping certificate to TS Gateway server, 75–76 monitor spanning, 44 NLB (Network Load Balancing), 89–90 obtaining/installing certificate for TS Gateway, 74–75 overview of, 41–42 packaging TS RemoteApp program, 63–65 Q&As, 93–97 RDC (Remote Desktop Connection), 43

resource allocation. See WSRM (Windows System Resource Manager) SSO (Single Sign-On), 54–55 summary, 90–91 Themes, 49–50 Terminal Services client access licenses. See TS CALs (client access licenses) Terminal Services Configuration tool configuring licensing mode, 114–115 configuring server discovery mode, 116–117 running licensing diagnosis, 122–123 Terminal Services Connection Authorization Policies (TS CAPs), 77–80 Terminal Services Resource Authorization Policies (TS RAPs), 80–82 Terminal Services Role, installing, 56–60 Themes service setting new theme, 49–50 starting, 49 TLS (Transport Layer Security) encrypting SMTP communication, 169–170 SMTP outbound security, 174 trace logs condition options, 191 content options, 190 enabling failed request tracing, 188–190 trace provider options, 192–193 Windows event categories, 279 transfer limits, SMTP messages, 171–172 Transport Layer Security (TLS) encrypting SMTP communication, 169–170 SMTP outbound security, 174 Transportation Server, WDS, 369 traps, SNMP configuring, 503–504 Event to Trap Translator, 507 triggers, for tasks, 479–480

trust levels – TS RemoteApp Manager

trust levels, .NET Framework, 160–161 TS CALs (client access licenses) activating license servers, 107–110 installing, 110–114 revoking CALs, 121 stored in Active Directory Domain Services, 118 tracking issuance of Per User CALs, 117–120 TS CAPs (Terminal Services Connection Authorization Policies), 77–80 TS Easy Print, 53 TS Gateway, 72–83 configuring client for, 82–83 creating TS CAPs (Terminal Services Connection Authorization Policies), 77–80 creating TS RAPs (Terminal Services Resource Authorization Policies), 80–82 global deployment settings, 132–133 Group Policy settings, 129–130 installing TS Gateway role, 72–74 mapping certificates to server, 75–76 monitoring, 135–137 obtaining/installing certificates, 74–75 overview of, 72 viewing user connection information, 137–138 TS Gateway Manager monitoring with, 135–137 viewing user connection information with, 137–138 TS License server discovery mode, 116–117 TS Licensing activating license servers, 107–110 client access licenses, 100–101 configuring licensing mode, 114–116 configuring server discovery mode, 116–117 exam essentials, 140

547

installing, 101 installing CALs, 110–114 installing TS Licensing Manager, 105–106 installing TS Licensing role service, 102–105 Licensing Diagnosis tool, 121–123 overview of, 99–100 Q&As, 141–145 remote administration of servers, 123–125 revoking CALs, 121 server discovery, 101–102 summary, 139–140 tracking TS Per User CALs, 117–120 TS Licensing Manager activating license servers, 107–110 connecting to license servers, 105 installing, 105–106 installing CALs, 111–114 reports on CAL issuance, 119–120 TS licensing mode, 114–116 TS Per Device CALs (client access licenses) revoking, 121 stored in Active Directory Domain Services, 118 types of client access licenses, 100–101 TS Per User CALs (client access licenses) reports on license issuance, 119–120 stored in Active Directory Domain Services, 118 tracking issuance of, 117–118 types of client access licenses, 100–101 TS RAPs (Terminal Services Resource Authorization Policies), 80–82 TS RemoteApp Manager adding applications to TS Remote App program list, 60 configuring digital signatures, 134–135 RDP global deployment settings, 133–134

548

TS RemoteApps – Virtual Disk Service (VDS)

Terminal server global deployment settings, 130–132 TS Gateway global deployment settings, 132–133 TS RemoteApps, 55–72 adding applications to program list, 60–62 applying in large environments, 65 digital signature settings, 134–135 distributing applications, 67 exam essentials, 140 exporting/importing programs and settings, 65–67 global deployment settings, 130–132 installing Terminal Services Role, 56–59 overview of, 55 packaging programs, 63–65 Q&As, 141–145 RDP global deployment settings, 133–134 summary, 139–140 TS Gateway global deployment settings, 132–133 TS Session Broker configuring DNS for load balancing, 88–89 configuring server farms, 84–85 configuring servers to join farm and participate in load balancing, 87–88 Group Policy settings, 129 installing TS Session Broker Role service, 85–86 NLB (Network Load Balancing) and, 89–90 overview of, 84 TS Web Access adding computer account to TS RemoteApp server, 70–71 installing, 67–69

U unicast streaming, 234 Unicode Transformation Format-8 (UTF-8), 195 Uniform Resource Locators. See URLs (Uniform Resource Locators) upgrades, WSS 2.0 to 3.0, 283–285 URL Authorization module, 209 URLs (Uniform Resource Locators) alternate access mapping and, 287–289 host headers relying on, 154 redirection and, 156 user connections, TS Gateway Manager for viewing, 137–138 user credentials, Hyper-V, 326 user exclusions, DRM, 253–254 user interface, Task Scheduler, 476 user profiles, Terminal Service, 128 user rights, “Log On as a Batch Job” user right, 446–447 user-added content, WSS sites, 295 users connection authorization policies, 78 FTP authorization rules, 165–166 resource authorization policies, 81 UTF-8 (Unicode Transformation Format-8), 195

V Validate a Configuration Wizard, 417–421 addressing problems reported by, 421 overview of, 417–419 running, 419–420 VDS (Virtual Disk Service), 28–29 VHD files, 329, 348. See also virtual hard disks virtual directories, 155–156 Virtual Disk Service (VDS), 28–29

virtual hard disks – Web services infrastructure

virtual hard disks adding physical (pass-through) disk to virtual machine, 335–336 configuring, 326 creating differencing disk, 331–332 creating fixed size disk and migrating physical disk to it, 332–334 exporting/importing virtual machines and, 349 managing, 336–337 types of, 329–330 virtual host names, 165 virtual LAN (VLAN), 327 Virtual Machine Connection, 343–345 functions of, 344 overview of, 343–344 window illustration, 345 Virtual Machine Remote Control (VMRC), 343 virtual machines adding physical (pass-through) disk to, 335–336 applying snapshots, 354 changing configuration of existing, 342–345 configuring, 326 creating, 338–342 creating snapshots, 351–354 deleting, 343 exporting/importing, 347–350 installing Integration Components to Windows Server, 346–347 overview of, 337 Virtual Machine Connection, 343–345 Virtual Network Manager, 326 virtual networks, 326–328 creating internal virtual network, 328 overview of, 326 types of, 326–327 virtual server, SMTP, 168–169 virtual switches. See virtual networks virtualization, 314–315. See also Hyper-V virus scans, WSS, 281–282

549

VLAN (virtual LAN), 327 VMC file, 348 VMRC (Virtual Machine Remote Control), 343 volumes creating volume sets, 9–11 types of, 8–9

W WDS (Windows Deployment Services), 363–401 capturing images with WDSUTIL, 379 capturing images with Wizard, 376–378 configuration settings, 369–370 configuring WDS server for first use, 370–372 configuring WDS server properties, 372–374 creating images, 375 deploying images, 365–367 deploying Server Core, 380–381 exam essentials, 397 IFM (Install from Media), 394–396 installing WDS role, 367–369 overview of, 364–365 Q&As, 397–401 summary, 397 WDS image capture utility, 375 WDSUTIL, 379 web applications configuring, 148–149 creating zones for, 289–290 creating/extending with WSS, 284–287 Web farms, configuring, 161–163 Web servers, enabling SSL on, 205–206 Web services infrastructure application pools, 161–163 configuring Web applications, 148–149 creating/configuring websites, 152–153 exam essentials, 178

550

Web services infrastructure – Windows Media Player

FTP service. See FTP (File Transfer Protocol) host headers for creating websites, 154–155 installing IIS 7.0, 150–152 installing IIS modules, 156–158 Internet Services (IIS) Manager for creating websites, 153–154 .NET components, 160 .NET trust levels, 160–161 overview of, 147–148 Q&As, 179–184 redirection, 156 SMTP service. See SMTP (Simple Mail Transfer Protcol) summary, 177–178 virtual directories, 155–156 Web farm configuration, 161–163 website limits, 158–159 Web services infrastructure, advanced access logs, 193–195 AppCmd.exe for configuring IIS settings, 186–188 application access, 209–210 backups and restores, 195 client certificate mapping, 211 configuration backup settings, 195–197 delegation of administration, 197–201 exam essentials, 212 overview of, 185 Q&As, 213–217 SSL. See SSL (Secure Sockets Layer) summary, 211–212 trace logs, 188–193 website authentication, 207–209 Web SSO (Web Single Sign On). See also SSO (Single Sign-On) configured by ADFS, 300–304 federated authorization in WSS, 296 Web.config, IIS settings, 149 websites AppCmd.exe for listing, 186–187 authentication, 207–209

creating/configuring, 152–153 host headers for creating, 154–155 Internet Services (IIS) Manager for creating, 153–154 resource limits, 158–159 SSL enabled on, 205–206 websites, WSS adding content, 295 alternate access mapping, 287–289 configuring, 283 creating site collections, 291–292 creating/extending web applications, 284–287 end user access, 292–294 quota templates, 290–291 upgrading WSS 2.0 and, 283–284 zones for web applications, 289–290 weighted paths, 17 wevtutil.exe, 469–470 WIM files, 375 Windows authentication types of website authentication, 208 WSS and, 296 Windows Deployment Services. See WDS (Windows Deployment Services) Windows Deployment Services Configuration Wizard, 370–372 Windows events, logging, 279 Windows Fax and Scan role, 221–222 Windows Firewall, 472 Windows Installer files (MSI), 63–65 Windows logs, Event Viewer, 469 Windows Management Instrumentation (WMI), 316 Windows Media Encoder, 232–233 Windows Media format, 232 Windows Media Player Advanced Fast Start, 242 creating content, 232–233 Fast Start, 241

Windows Media Services – WSRM (Windows System Resource Manager)

Windows Media Services. See also media services Advanced Fast Start, 242 advanced streaming options, 240 Fast Cache, 240–241 Fast Recovery and Fast Reconnect, 243–244 Fast Start, 241 overview of, 229–230 security, 245 unicast streaming, 234 Windows Media Stream Editor, 232–233 Windows Movie Maker, 232–233 Windows OSs AD RMS support, 251 fax services, 222 Hyper-V availability, 324–325 Hyper-V Integration Component, 345–346 Hyper-V support, 316 KMS support, 384 managing tasks remotely, 485 monitoring failures, 466–467 Windows PE, WDS interface, 366 Windows Performance Diagnostic Console monitoring general system activity, 491–494 overview of, 490 Resource Monitor, 490–491 Windows Process Activation Service (WPAS), 162 Windows Product Activation (WPA) backlash to, 382 configuring, 381–383 Windows Reliability and Performance Monitor application failures, 465–466 components and new features, 445 data collector sets. See DCS (Data Collector Sets) hardware failures, 466 log data, 456–459 miscellaneous failures, 467

overview of, 444 Reliability Monitor features, 462–463 reports, 459 software install/uninstall, 465 system clock changes, 464–465 System Diagnostics report, 459–461 viewing system availability, 463–464 viewing system stability, 461 Windows OS failures, 466–467 Windows Remote Management (WinRM), 471 Windows Servers Hyper-V software requirements, 319 Hyper-V support for, 316 media services and, 229–231 Windows shell (explorer.exe), 124 Windows Startup Application (wininit.exe), 124 Windows System Resource Manager. See WSRM (Windows System Resource Manager) Winlogon (winlogon.exe), 124–125 WinRM (Windows Remote Management), 471 WMI (Windows Management Instrumentation), 316 Word documents, AD RMS protection, 252 workflow options, WSS, 277 Workgroup, TS Licensing discovery scopes, 101–102 World Wide Name (WWN), 27 WPA (Windows Product Activation) backlash to, 382 configuring, 381–383 WPAS (Windows Process Activation Service), 162 WSRM (Windows System Resource Manager) configuring, 139 installing, 138–139 overview of, 138

551

552

WSS (Windows SharePoint Services) – zones

WSS (Windows SharePoint Services), 267–311 alternate access mapping, 287–289 antivirus settings, 281–282 authentication, 295–296 Best Practices Analyzer tool, 282 configuring, 269–270 configuring sites, 283 configuring SSO, 300–304 creating site collections, 291–292 creating/extending web applications, 284–287 diagnostic logging settings, 278–281 Digest authentication, 297–300 end user access, 292–294 exam essentials, 305 incoming e-mail settings, 270–273 outgoing e-mail settings, 273–275

outgoing e-mail settings for specific web application, 275–276 overview of, 267–268 Q&As, 306–311 quota templates, 290–291 site content, 295 summary, 305 upgrading version 2.0, 283–285 workflow options, 277 zones for web applications, 289–290 WWN (World Wide Name), 27 WWW Server, 192

Z zones, web applications authentication and, 297 creating, 289–290

Wiley Publishing, Inc. End-User License Agreement READ THIS. You should carefully read these terms and conditions before opening the software packet(s) included with this book “Book”. This is a license agreement “Agreement” between you and Wiley Publishing, Inc. “WPI”. By opening the accompanying software packet(s), you acknowledge that you have read and accept the following terms and conditions. If you do not agree and do not want to be bound by such terms and conditions, promptly return the Book and the unopened software packet(s) to the place you obtained them for a full refund. 1. License Grant. WPI grants to you (either an individual or entity) a nonexclusive license to use one copy of the enclosed software program(s) (collectively, the “Software,” solely for your own personal or business purposes on a single computer (whether a standard computer or a workstation component of a multi-user network). The Software is in use on a computer when it is loaded into temporary memory (RAM) or installed into permanent memory (hard disk, CD-ROM, or other storage device). WPI reserves all rights not expressly granted herein. 2. Ownership. WPI is the owner of all right, title, and interest, including copyright, in and to the compilation of the Software recorded on the physical packet included with this Book “Software Media”. Copyright to the individual programs recorded on the Software Media is owned by the author or other authorized copyright owner of each program. Ownership of the Software and all proprietary rights relating thereto remain with WPI and its licensers. 3. Restrictions On Use and Transfer. (a) You may only (i) make one copy of the Software for backup or archival purposes, or (ii) transfer the Software to a single hard disk, provided that you keep the original for backup or archival purposes. You may not (i) rent or lease the Software, (ii) copy or reproduce the Software through a LAN or other network system or through any computer subscriber system or bulletin-board system, or (iii) modify, adapt, or create derivative works based on the Software. (b) You may not reverse engineer, decompile, or disassemble the Software. You may transfer the Software and user documentation on a permanent basis, provided that the transferee agrees to accept the terms and conditions of this Agreement and you retain no copies. If the Software is an update or has been updated, any transfer must include the most recent update and all prior versions. 4. Restrictions on Use of Individual Programs. You must follow the individual requirements and restrictions detailed for each individual program in the About the CD-ROM appendix of this Book or on the Software Media. These limitations are also contained in the individual license agreements recorded on the Software Media. These limitations may include a requirement that after using the program for a specified period of time, the user must pay a registration fee or discontinue use. By opening the Software packet(s), you will be agreeing to abide by the licenses and restrictions for these individual programs that are detailed in the About the CD-ROM appendix and/or on the Software Media. None of the material on this Software Media or listed in this Book may ever be redistributed, in original or modified form, for commercial purposes. 5. Limited Warranty. (a) WPI warrants that the Software and Software Media are free from defects in materials and workmanship under normal use for a period of sixty (60) days from the date of purchase of this Book. If WPI receives notification within

the warranty period of defects in materials or workmanship, WPI will replace the defective Software Media. (b) WPI AND THE AUTHOR(S) OF THE BOOK DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SOFTWARE, THE PROGRAMS, THE SOURCE CODE CONTAINED THEREIN, AND/ OR THE TECHNIQUES DESCRIBED IN THIS BOOK. WPI DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE SOFTWARE WILL BE ERROR FREE. (c) This limited warranty gives you specific legal rights, and you may have other rights that vary from jurisdiction to jurisdiction. 6. Remedies. (a) WPI’s entire liability and your exclusive remedy for defects in materials and workmanship shall be limited to replacement of the Software Media, which may be returned to WPI with a copy of your receipt at the following address: Software Media Fulfillment Department, Attn.: MCTS: Windows Server Applications Infrastructure Configuration Study Guide, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, or call 1-800-762-2974. Please allow four to six weeks for delivery. This Limited Warranty is void if failure of the Software Media has resulted from accident, abuse, or misapplication. Any replacement Software Media will be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer. (b) In no event shall WPI or the author be liable for any damages whatsoever (including without limitation damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising from the use of or inability to use the Book or the Software, even if WPI has been advised of the possibility of such damages. (c) Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation or exclusion may not apply to you. 7. U.S. Government Restricted Rights. Use, duplication, or disclosure of the Software for or on behalf of the United States of America, its agencies and/or instrumentalities “U.S. Government” is subject to restrictions as stated in paragraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, or subparagraphs (c) (1) and (2) of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR supplement, as applicable. 8. General. This Agreement constitutes the entire understanding of the parties and revokes and supersedes all prior agreements, oral or written, between them and may not be modified or amended except in a writing signed by both parties hereto that specifically refers to this Agreement. This Agreement shall take precedence over any other documents that may be in conflict herewith. If any one or more provisions contained in this Agreement are held by any court or tribunal to be invalid, illegal, or otherwise unenforceable, each and every other provision shall remain in full force and effect.

T

he Absolute MCTS: Windows Server 2008 Applications Infrastructure Configuration Book/CD Package on the Market! Get ready for your Microsoft Certified Technology Specialist: Windows Server 2008 Applications Platform, Configuration or MCTIP: Enterprise or Server Administrator certifications with the most comprehensive and challenging sample tests anywhere! The Sybex Test Engine features: N All the review questions, as covered in each chapter of the book N Challenging questions representative of those you’ll find on the real exam N Two full-length bonus exams available only on the CD N An Assessment Test to narrow your focus to certain objective groups.

Use the Electronic Flashcards for PCs or Palm devices to jog your memory and prep last-minute for the exam! N Reinforce your understanding of key concepts with these hardcore flashcard-style questions. N Download the Flashcards to your Palm device and go on the road. Now you can study for the MCTS: Windows Server 2008 Applications Platform, Configuring (70-643) exam any time, anywhere. N CD also includes the PrepLogic’s robust Audio+ exam preparation product for Exam 70-643, exclusive for Sybex Study Guides.

Search through the complete book in PDF! N Access the entire MCTS: Microsoft Windows Server 2008 Applications Platform Configuration Study Guide complete with figures and tables, in electronic format. N Search the MCTS: Microsoft Windows Server 2008 Applications Platform Configuration Study Guide chapters to find information on any topic in seconds.

PrepLogic www.preplogic.com

1-800-418-6789

Learn While... Driving to Work. Get certified more quickly than ever with PrepLogic audio training. Quiz Me & Lecture Series audio give you the freedom and flexibility to learn anywhere – driving to work, sipping morning coffee, or even walking your dog. Want to pass your exam in record time? Use audio training from PrepLogic.

PrepLogic Audio Training Now on CD or MP3!

Try PrepLogic for FREE! Now you can enjoy our high-speed audio training for FREE. Visit PrepLogic today for over 80 free Quiz Me & Lecture Series sample lessons for the most challenging, popular and valuable certifications including MCSE, CCNA, A+, PMP, CISSP® and more. Try PrepLogic today for Free!

www.preplogic.com/freeaudio

PrepLogic

Need More Practice? Preparing for your certification exams just got easier thanks to TestSuccess from Sybex. With 24-hour access to this online test prep environment, you can practice how you want, when you want, from wherever you can access the Internet. With your paid subscription you will be able to: • Gain access to 200 questions per exam covering all exam subject areas • Get explanations of questions and answers in Practice Mode • Select your own questions • Take your own customized practice exams • Create a “quick” exam, pulling questions randomly from the entire test bank • View detailed strength and weakness reports separated by subject area • Compare your performance and scores to other users to see how you rank

Available exams: • CCNA: Cisco Certified Network Associate (640-802)

• MCTS: Microsoft Windows Vista Configuration (70-620)

• CompTIA A+ Essentials

• CISSP: Certified Information System Security Professional

• CompTIA A+ IT Technician • Comp TIA Linux+ • CompTIA Network+ • CompTIA Security+

• PHR/SPHR: Professional/Senior Professional in Human Resources • PMP: Project Management Professional

Go to www.sybextestsuccess.com today for more information and to subscribe!

MCTS: Windows Server 2008 Applications Infrastructure Configuration Study Guide Exam 70-643: TS: Windows Server 2008 Applications Infrastructure, Configuring Objectives OBJECTIVE

CHAPTER

Deploying Servers Deploy images by using Windows Deployment Services. May include but is not limited to: Install from media (IFM), configure Windows Deployment Services, capture Windows Deployment Services images, deploy Windows Deployment Services images, server core Configuring Windows Deployment Services, capture Windows Deployment Services images, deploy Windows Deployment Services images, server core

9

Configure Microsoft Windows activation. May include but is not limited to: install a KMS server; create a DNS SRV record; replicate volume license data

9

Configure Windows Server Hyper-V and virtual machines. May include but is not limited to: virtual networking; virtualization hardware requirements; Virtual Hard Disks; migrate from physical to virtual; VM additions; backup; optimization; server core

8

Configure high availability. May include but is not limited to: failover clustering; Network Load Balancing; hardware redundancy

10, 11

Configure storage. May include but is not limited to: RAID types; Virtual Disk Specification (VDS) API; Network Attached Storage; iSCSI and fibre channel Storage Area Networks; mount points

1

Configuring Terminal Services Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp). May include but is not limited to: Configuring Terminal Services Web Access; configuring Terminal Services Remote Desktop Web Connection

2

Configure Terminal Services Gateway. May include but is not limited to: certificate configuration; Terminal Services Gateway Manager (TS Gateway Manager); specifying resources that users can access through TS Gateway by using Terminal Services resource authorization policy (TS RAP) and Terminal Services connection authorization policy (TS CAP); Terminal Services group policy

2

Configure Terminal Services load balancing. May include but is not limited to: Terminal Services Session Broker redirection modes; DNS registration; setting through group policy

2

OBJECTIVE

CHAPTER

Configure and monitor Terminal Services resources. May include but is not limited to: allocate resources by using Windows Server Resource Manager; configure application logging

3

Configure Terminal Services licensing. May include but is not limited to: deploy licensing server; connectivity between terminal servers and Terminal Services licensing server; recovering Terminal Services licensing server; managing Terminal Services client access licenses (TS CALs)

3

Configure Terminal Services client connections. May include but is not limited to: connecting local devices and resources to a session; Terminal Services profiles; Terminal Services home folders; Remote Desktop Connection (RDC); single sign-on; Remote Desktop Snap-In; MSTSC.exe

2, 3

Configure Terminal Services server options. May include but is not limited to: logoff; disconnect; reset; remote control; monitor; Remote Desktop Protocol (RDP) permissions; connection limits; session time limits; managing by using GPOs; viewing processes; session permissions; display data prioritization

3

Configuring a Web Services Infrastructure Configure Web applications. May include but is not limited to: directorydependent; publishing; URL-specified configuration; Microsoft .NET components, for example, .NET and aspx; configure application pools

4

Manage Web sites. May include but is not limited to: migrate sites and Web applications; publish IIS Web sites; configure virtual directories

4

Configure a File Transfer Protocol (FTP) server. May include but is not limited to: configure for extranet users; configure permissions

4

Configure Simple Mail Transfer Protocol (SMTP). May include but is not limited to: setting up smart hosts; configuring size limitations; setting up security and authentication to the delivering server; creating proper service accounts; authentication; SMTP relay

4

Manage Internet Information Services (IIS). May include but is not limited to: Web site content backup and restore; IIS configuration backup; monitor IIS; configure logging; delegation of administrative rights

5

Configure SSL security. May include but is not limited to: configure certificates; requesting SSL certificate; renewing SSL certificate; exporting and importing certificates

5

Configure Web site authentication and permissions. May include but is not limited to: configure site permissions and authentication; configure application permissions; client certificate mappings

5

Exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit Microsoft’s website ( www.microsoft.com/ learning) for the most current listing of exam objectives.

OBJECTIVE

CHAPTER

Configuring Network Application Services Configure Windows Media server. May include but is not limited to: on-demand replication; configure time-sensitive content; caching and proxy

6

Configure Digital Rights Management (DRM). May include but is not limited to: encryption; sharing business rules; configuring license delivery; configuring policy templates

6

Configure Microsoft Windows SharePoint Services server options. May include but is not limited to: site permissions; backup; antivirus; configuring Windows SharePoint Services service accounts

7

Configure Windows SharePoint Services e-mail integration. May include but is not limited to: configuring a document library to receive e-mail; configuring incoming vs. outgoing e-mail

7