[Figure residue: Group Policy editor tree, Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, with Inbound Rules and Outbound Rules nodes; the rules view reads "There are no items to show in this view."]

Practice

1. If necessary, log on to the domain controller with the Kim_Akers account.
2. If the Initial Configuration Tasks window opens when you log on, click Add Roles. Otherwise, open Server Manager from Administrative Tools, right-click Roles in the left pane, and click Add Roles.
3. If the Before You Begin page appears, click Next.
4. Select the DHCP Server check box, as shown in Figure 1-16, and click Next.

FIGURE 1-16 Selecting to install the DHCP server role. ...

More Info Using Get-EventLog

For more information about Get-EventLog, see http://www.microsoft.com/technet and http://technet.microsoft.com/en-us/library/bb978657.aspx. You can also query the event log in Windows Server 2008 by using the wevtutil command-line tool. For example, the following command displays configuration information about the system log in XML format:

Locating Events

You can use filters and custom views to find the events in which you are interested from among the very large number of events in the event logs. You can also use Microsoft PowerShell scripts and command-line utilities to specify and list events. This is especially useful in the Server Core installation, where GUI tools are not available. You can use PowerShell scripts that contain the Get-EventLog cmdlet. This enables you to manage event logs and select events contained within those event...
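As an added example of the Get-EventLog approach described above (this script is not from the book), the following PowerShell function filters Security log entries down to failed logons and summarizes them per source address and account, which is the kind of question a filter or custom view is built to answer. It assumes PowerShell 2.0 or later, Security event 4625 as the logon-failure event, and the standard 4625 replacement-string layout (index 5 = target user, 6 = target domain, 19 = source IP); the sample entries are constructed so the function runs offline.

```powershell
# Added example, not from the book: summarize failed logons found with Get-EventLog.
# Assumptions: PowerShell 2.0+, Security event 4625 = logon failure, and the usual
# 4625 replacement-string layout (index 5 = user, 6 = domain, 19 = source IP).
# -After and -InstanceId are filtered with Where-Object so the code also works on
# PowerShell versions whose Get-EventLog lacks those parameters.

function Get-FailedLogonSummary {
    param(
        # Event entries to inspect: real Get-EventLog output or constructed objects.
        [Parameter(Mandatory = $true)]
        [object[]] $Entries,
        # Only entries newer than this timestamp are counted.
        [datetime] $After = (Get-Date).AddHours(-24)
    )

    $Entries |
        Where-Object { $_.InstanceId -eq 4625 -and $_.TimeGenerated -gt $After } |
        ForEach-Object {
            $rs = $_.ReplacementStrings
            New-Object PSObject -Property @{
                Account  = '{0}\{1}' -f $rs[6], $rs[5]   # DOMAIN\user that failed to log on
                SourceIp = $rs[19]                         # address the attempt came from
                Time     = $_.TimeGenerated
            }
        } |
        Group-Object -Property SourceIp, Account |
        ForEach-Object {
            New-Object PSObject -Property @{
                SourceIp = $_.Group[0].SourceIp
                Account  = $_.Group[0].Account
                Failures = $_.Count
                LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        } |
        Sort-Object Failures -Descending
}

# Constructed sample entries so the function can be exercised offline. On a live
# server you would pipe Get-EventLog -LogName Security -Newest 5000 in instead.
function New-SampleEntry([int] $Id, [datetime] $Time, [string] $User,
                         [string] $Domain, [string] $Ip) {
    $rs = @('') * 21      # 4625 carries 21 replacement strings (assumed layout)
    $rs[5] = $User; $rs[6] = $Domain; $rs[19] = $Ip
    New-Object PSObject -Property @{
        InstanceId         = $Id
        TimeGenerated      = $Time
        ReplacementStrings = $rs
    }
}

$now = Get-Date
$sample = @(
    (New-SampleEntry 4625 $now.AddMinutes(-5) 'kim_akers'     'CONTOSO' '10.0.0.23'),
    (New-SampleEntry 4625 $now.AddMinutes(-4) 'kim_akers'     'CONTOSO' '10.0.0.23'),
    (New-SampleEntry 4625 $now.AddMinutes(-3) 'administrator' 'CONTOSO' '10.0.0.23'),
    (New-SampleEntry 4624 $now.AddMinutes(-2) 'kim_akers'     'CONTOSO' '10.0.0.23'), # success: ignored
    (New-SampleEntry 4625 $now.AddDays(-3)    'don_hall'      'CONTOSO' '10.0.0.99')  # too old: ignored
)

# Expected: two rows for 10.0.0.23 (kim_akers with 2 failures, administrator with 1).
Get-FailedLogonSummary -Entries $sample |
    Format-Table SourceIp, Account, Failures, LastSeen -AutoSize

# Live use (needs rights to read the Security log):
# Get-FailedLogonSummary -Entries (Get-EventLog -LogName Security -Newest 5000)
```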


Exam Tip

Remember the reasons for which you would choose one type of activation key over another.

Deploying Windows Deployment Services

In this practice, you perform tasks similar to those you would perform when deploying and configuring a Windows Server 2008 WDS server in a production environment. In the first exercise, you install WDS. In the second exercise, you add images and configure a multicast deployment. In this exercise, you install the Windows Deployment Services role on server Glasgow and...

AD DS Object Protection

You can protect every new object you create in AD DS by specifically assigning the Object Protection feature to the object. Objects you create through a batch process or through migration will not be protected unless you assign the feature during the creation process, and if you create an object interactively, you must also explicitly assign protection. You can assign object protection on the Object tab of the AD DS object's Properties dialog box, shown in Figure 8-18. This tab is visible only...

More Info Specifying Application Pool Identity As Anonymous User

For more information about specifying the Application Pool Identity as Anonymous User, see

If you want all the content on the Web server to be available to all users, then you do not need to configure any further authentication. However, you typically want to restrict access to some content on the Web server. For example, an intranet server might include a Web application or virtual directory that is intended for only members of the Sales department. You can use NTFS permissions to implement...

Note DHCP

DHCPv4 is often simply referred to as DHCP, with DHCPv6 distinguished only by its version number. However, it is probably a good idea to get used to talking about DHCPv4.

Configure IPv4 and IPv6 addressing. Configure Dynamic Host Configuration Protocol (DHCP).

Configuring IPv4 and IPv6 Addressing

To complete the lessons in this chapter, you must have done the following: installed a Windows Server 2008 Enterprise server configured as a domain controller in the contoso.internal domain. Active...


Configuring Delegation for a Site or an Application

You can configure default delegation settings and custom delegation settings in IIS7 at site and application levels. When you configure default delegation settings at a parent level, you affect all children of that parent. For example, when you delegate a feature at the Web server level, you affect all sites on the server. Similarly, when you delegate a feature on a site, you affect all applications on that site. IIS Manager users and Windows users can then configure delegated features on the...


Managing Databases

AD RMS uses the following three databases:

The configuration database. This database stores all AD RMS configuration data. AD RMS servers access the configuration database to provide rights-protection services and information to clients.

The logging database. This database stores data about every activity in either a root or a licensing-only cluster. You can use the logging database to audit AD RMS events.

The directory services database. This database stores information about users and all their...

Case Scenario Configuring User Isolation and IP Address Restriction Settings

You are the network administrator at an academic institution. You are configuring an FTP server hosted on a Windows Server 2008 Web server that is a member of your institution's domain. The server is to be used for the submission of student assignments. Only clients from designated academic networks should access the FTP service. Students should not access other students' directories. Student directory location should be assigned through Active Directory. Answer the following questions. 1. Which...

Understanding AD FS

AD FS is an SSO facility that allows users of external Web-based applications to access and authenticate through a browser. It relies on the internal authentication store of the user's own domain to authenticate a client and does not have a store of its own. It also relies upon the original authentication clients perform in their own networks and passes this authentication to Web applications that are AD FS-enabled. To return to the example earlier in this chapter, Don Hall from Contoso, Ltd.,...

More Info More On Certificate Revocation And Online Responders

For a more detailed look at revoking certificates and the Online Responder role service, consult Chapter 10, "Certificate Revocation," in Windows Server 2008 PKI and Security, by Brian Komar (Microsoft Press, 2008).

1. What is the difference between a CRL and a delta CRL?
2. Which types of addresses can you use to specify CDPs?

1. A CRL contains a list of all revoked certificates. A delta CRL contains a list of certificates revoked since the publication of the last full CRL.
2. CDPs can be...

Note Only Windows Server Updates

Selecting only updates for Windows Server 2008 minimizes the number of updates downloaded from the Microsoft Update servers.

[Figure residue: WSUS configuration wizard page "Select the Microsoft products to be updated" (wizard steps: Choose Upstream Server, Specify Proxy Server, Choose Languages, Choose Classifications, Configure Sync Schedule, Finished, What's Next); the page reads "You can specify the products for which you want updates" and lists products such as Windows Small Business Server 2003.]

Note Windows XP And Windows Server 2003

In Windows XP and Windows Server 2003, the Teredo prefix was originally 3ffe:831f::/32. Computers running Windows XP and Windows Server 2003 use the 2001::/32 Teredo prefix when updated with Microsoft Security Bulletin MS06-064. The next 16 bits store an obscured version of the external User Datagram Protocol (UDP) port that corresponds to all Teredo traffic for the Teredo client interface. When a Teredo client sends its initial packet to a Teredo server, NAT maps the source UDP port of the packet...

Case Scenario Hyper-V at Contoso

You are the systems administrator at Contoso, Ltd., a New Zealand-based hovercraft manufacturer. You are consolidating and virtualizing existing servers under Hyper-V. Contoso has five branch offices located throughout the north and south islands. Each branch office has either two or three physically deployed Windows Server 2003 servers. The branch office servers use little in the way of hardware resources, and you would like to replace these with a single computer running Windows Server 2008,...

EXERCISE Use Network Monitor to Capture Network Data

In this exercise, you install and use Network Monitor.

1. Log on to server Glasgow with the Kim_Akers user account. Locate the folder to which you downloaded the Network Monitor installer file.
2. Double-click the Network Monitor installation file to initiate the setup process. Click Run in the Open File - Security Warning dialog box. Click Next when presented with the Welcome page of the Network Monitor Setup Wizard. Accept the terms of the license agreement, and then click Next.
3. On the Use...

Case Scenario Monitoring AD DS

Trey Research recently upgraded all its domain controllers to Windows Server 2008. You must generate baselines and schedule regular AD DS performance monitoring. You need to create data collector sets that enable you to do this. Answer the following questions. 1. You want to log data from registry keys, performance counters, and trace events related to AD DS performance as well as information about the status of hardware resources, system response times, and processes on your domain controllers....

Note Stop When All Data Collectors Have Finished

If you have configured an overall duration, select the Stop When All Data Collectors Have Finished check box to allow all data collectors to finish recording the most recent values before the Data Collector Set is stopped.

My New Data Collector Set appears in Server Manager. Note that it is currently stopped.

13. Right-click My New Data Collector Set and select Data Manager. Note the defaults on the Data Manager tab. If you are short of hard disk space, you might want to change the Minimum Free...

Note Answers

Answers to these questions and explanations of why each answer choice is right or wrong are located in the "Answers" section at the end of the book.

1. Several executives in your organization are having problems accessing your VPN server when they visit hotels or airport lounges across the country on business. The executives all have Windows XP Professional SP2-based laptop computers. Which of the following steps can you take to resolve this problem? (Choose two. Each correct answer presents...

Note Using An Administrative Group And Delegating Control

In a production environment, you should create and use an administrative group, but the Kim_Akers account is sufficient for the purpose of the exercise. Note that you can use the AD LDS Administrators page to delegate control of an instance. If you want to, you can delegate control of one instance to one group of users and control of a second instance to another group of users.

12. On the Importing LDIF Files page, select the check boxes for the LDIF files listed in Table 5-1, and then click...


Configuring a Super Users group

A Super Users group contains the accounts of users who have full access to all content protected by your AD RMS implementation. These users can recover or modify any data that is managed by your AD RMS infrastructure as well as recover data generated by users who have subsequently left the organization. The Super Users group is typically a Universal Group. To configure a Super Users group, log on to a server that is a member of the root cluster with an account that has AD RMS Enterprise...

Enabling Failed Request Tracing

FIGURE 13-20 Enabling Failed Request Tracing.

You can also view a list of tracing rules for failed requests by entering the following command at an elevated command prompt: %systemroot%\system32\inetsrv\appcmd configure trace site. The variable site is the name of the site for which you want to view a list of failed-request tracing rules. Enable trace logging for failed requests when you want IIS7 to log information about a request that is failing to...

Backing Up Computers Remotely

You can use the Windows Server Backup tool to connect to another computer running Windows Server 2008 and perform backup tasks as though the backup were being performed on the local computer. This enables users who have the Remote Systems Administration Tools (RSAT) installed on their Windows Vista workstations to connect to computers running Windows Server 2008 and perform backup operations as though they were logged on locally. To perform this operation, the user making the connection must be...

Network Monitor

Network Monitor is a tool you can download from the Microsoft Web site that can be used to capture and analyze network traffic. Unlike the MBSA tool, which actively probes other hosts on the network, Network Monitor is a passive tool that listens and records what it hears on the network. After you have installed Network Monitor on a computer running Windows Server 2008, you must add your user account to the Network Configuration Operators local group. On computers running Windows Vista, you...

Chapter Summary

AD FS uses identity federation partnerships and federation trusts to extend AD DS internal IDA services to external networks. It relies on secure communications, and each server in an AD FS partnership trusts the root certificate.

In AD FS, claims-aware applications allow access based on the claims assigned to each partner in the partnership. You create a federation trust between the two partners and assign claims to the account organization.

AD RMS uses DRM to support data protection services....


Configuring Trust Policies

You cannot enable federation support unless you have a working AD FS infrastructure in place as described in Lesson 1. AD RMS supports four trust models:

Windows Live ID trusts. These enable users who have a valid Windows Live ID or a Microsoft Passport to use rights-protected content but not to create it.

Federated trusts. These are established through AD FS to extend the operation of an AD RMS cluster to forests with which you establish a federated trust.

Trusted publishing domains. These enable...

Managing Certificate Services Roles

AD CS is an integral component of an organization's security infrastructure. Many organizations assign the responsibility for different aspects of security infrastructure to different people. Partitioning these responsibilities works as a set of checks and balances, ensuring that no one single person is in control of everything. The label assigned to this division of important responsibility is role separation. AD CS supports role separation, so organizations can partition the responsibility...

More Info Multiple Forest Deployment

For more information on multiple forest deployment, see http://technet.microsoft.com/en-us/library/cc772182.aspx.

AD RMS with AD FS deployment

You can extend an AD RMS root cluster to other forests through AD FS. You must assign an SSL certificate to the Web site hosting the AD RMS root cluster, install the root cluster, set up a federated trust relationship, and install the AD RMS Identity Federation Support role service. Next, create a claims-aware application on the AD FS resource partner...

NAP with 802.1X Enforcement

NAP with 802.1X enforcement relies upon Ethernet switches and WAPs that support 802.1X authentication. WAPs that support 802.1X authentication are also necessary when you use the WPA2-Enterprise authentication method that was discussed in Lesson 1. If a WAP supports WPA2-Enterprise, it also supports the 802.1X NAP enforcement method. Unlike the DHCP enforcement method, in which a compliance check occurs only when the DHCP lease is renewed, the 802.1X enforcement method allows for an immediate...

Configuring Domain-Wide Password Replication Policy

To facilitate the management of PRP, Windows Server 2008 creates two domain local security groups in the Users container of AD DS. The first, named Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user's credentials. If there are users whose credentials you want all domain RODCs to cache, add those users to the Allowed RODC Password Replication Group. The second...

Lesson Monitoring Event Logs

Chapter 8 introduced Event Viewer and event logs; you likely studied the tool for your Windows Server 2003 examinations and use it professionally in your job. The main differences in Windows Server 2008 are that Event Viewer is now available under Diagnostics in Server Manager as well as through the Administrative Tools program group, the messages and event descriptions in Windows Server 2008 are much more informative, and access to an internal database is provided. A number of third-party...

Note Virtual DNS Servers

Like DHCP servers, DNS servers, particularly secondary DNS servers, experience only limited I/O activity and are good candidates for virtualization. For example, Trey Research is a single-site organization but has five buildings within its site, connected by fiber-optic links to a layer-3 switch configured to allocate a VLAN to each building. VLAN1, allocated to the main office, supports the majority of the company's computers. VLAN3 supports most of the remainder. VLAN2, VLAN4, and VLAN5 each...

Lesson Summary

You can configure Windows Server 2008 as a dial-up server or as a RADIUS server that authenticates connection requests from dial-up access points configured as RADIUS clients.

You can configure Windows Server 2008 as a VPN server. Connection requests can be authenticated locally or forwarded to a RADIUS server.

Windows Server 2008 supports three VPN protocols: PPTP, L2TP/IPsec, and SSTP. L2TP/IPsec supports client and server certificates. SSTP can be used only by Windows Vista SP1 and Windows...

Defining Delivery Properties

Network routing issues and server failures on the Internet can cause service outages. SMTP servers automatically store copies of messages they are trying to send. If the destination server is unavailable, the SMTP server retries the operation. You can manage the details of this behavior through the properties of the Delivery tab. The Outbound rules define the intervals at which the server will attempt to retry the transmission of a message if a failure occurs. You can also configure the Delay...

Migrating a UNIX Web Site

Migration is possible from non-Microsoft Web sites, for example, from a UNIX Web site on an Apache server to IIS7. In this case, you can use the IIS Migration Wizard. First, download the IIS Migration Wizard Setup file from the Microsoft Download Center. The iismigrationwizard_setup.exe file is available for download at http://download.microsoft... This file was originally written for Microsoft Windows 2000 Server and IIS5, but it works fine in Windows Server 2008 and IIS7. Choose to save the...

Note Figures Showing Netsh Commands

I have decided not to include figures showing the output of netsh commands in this section. Command prompt captures do not come out very well in a book and are difficult to read. However, the main reason is that I hope you will try out the commands yourself and view the real output.

With netsh, you configure your computer's IP address and other TCP/IP-related settings. For example, the following command configures the interface named Local Area Connection with the static 172.16.1.100 IP...

Lesson Configuring Active Directory Lightweight Directory Services

AD LDS was formerly called Active Directory Application Mode (ADAM), and this name is still used in the Windows Server 2008 folder structure. It supports directory-enabled applications on an application-by-application basis without the need to modify the database schema of the network operating system (NOS) directory running on AD DS. With AD LDS, you can use directory-enabled applications without integrating them in the NOS directory. This lesson discusses the function and functionality of AD...

AD FS Role Services

Federated identity is the process of authenticating a user's credentials across multiple IT systems and organizations. Identity federation enables users in one domain to access data or systems of another domain securely by using SSO. AD FS relies on the following role services to support identity federation:

Federation Service. A server running the Federation Service (a federation server) routes authentication requests to the appropriate source directory to generate security tokens for the user...

Managing and Maintaining Certificate Revocation Lists

Certificate revocation lists are just what they sound like: lists of revoked certificates. You trust a certificate issued by a CA because you trust the policies under which the CA issues certificates. If you did not trust the CA, you would not trust any certificates issued by that CA. A certificate revocation list shows you which certificates issued by the CA are no longer trustworthy. There are many reasons a certificate might be placed on a CRL, such as a signing certificate issued to a...

Configuring FTP and SMTP Services

Windows Server 2008 ships with a version of the File Transfer Protocol (FTP) that can be described as FTP6. It is very similar to the FTP that shipped with Windows Server 2003. A version of FTP, which can be called FTP7, is designed for use with Windows Server 2008 but is provided as a separate download. FTP provides a standard method by which computers can transfer files and other types of data. It is used on both internal networks and on the Internet to upload and download content. Simple Mail...

Using WSRM

Install WSRM by using Add Features in Server Manager. This tool can help you identify the resources an application requires on a regular basis. In this mode, WSRM logs events in the application event log only when the application exceeds its allowed limits. You can also use WSRM in Manage mode, in which the tool uses allocation policies to control how many resources an application can use on a server. If applications exceed their resource allocations, WSRM can stop the application from...

Managing IP Filter Lists and Filter Actions

You can copy the IP filters, IP filter lists, and filter actions you create for an IPsec rule into other IPsec rules. You can also create and configure these features outside of the Security Rule Wizard. To do so, right-click the IP Security Policies node in Local Security Policy or a GPO, and then click Manage IP Filter Lists And Filter Actions, as shown in Figure 2-26.

FIGURE 2-26 Managing IP filter lists and filter actions.

Caution Do Not Use All As A Name

Do not create a connection security rule with the name all. This creates a conflict with the netsh option.

Set

In the netsh advfirewall consec context, the set command is used as the set rule command to modify an existing connection security rule identified by name or found by matching the criteria specified. Criteria that precede the keyword new identify the rule(s) to be modified. Criteria that follow the keyword new indicate properties that are modified or added. For example, the following...
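The following command sequence is an added example (not the book's own) of the set rule syntax just described and of why the name all is reserved: it creates a connection security rule, modifies it with criteria before and after the keyword new, checks the result, and removes it. The rule name "Isolate file servers", the 10.0.1.0/24 subnet, and the Kerberos authentication choice are constructed values; run it from an elevated PowerShell prompt, where netsh is invoked as an external command.

```powershell
# Added example, not from the book: exercising netsh advfirewall consec set rule.
# Rule name, subnet and auth method are constructed values for illustration.

# 1. Add a rule that requires authentication for traffic to the file-server subnet.
netsh advfirewall consec add rule name="Isolate file servers" `
    endpoint1=any endpoint2=10.0.1.0/24 action=requireinrequestout `
    auth1=computerkerb

# 2. Modify it. Everything before the keyword "new" selects which rule to change
#    (here: match by name); everything after "new" is the property being changed.
netsh advfirewall consec set rule name="Isolate file servers" new enable=no

# 3. Verify: the rule is now listed with Enabled: No.
netsh advfirewall consec show rule name="Isolate file servers"

# 4. Why a rule must never be named "all": name=all is netsh's wildcard, so this
#    lists every connection security rule on the computer. A "set rule name=all
#    new enable=no" would therefore disable every rule, not a rule called all.
netsh advfirewall consec show rule name=all

# 5. Clean up.
netsh advfirewall consec delete rule name="Isolate file servers"
```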


Case Scenario Troubleshooting a Performance Problem

You can use data collector sets to record a performance baseline when the server is performing normally. You can then run the same data collector sets manually when a performance problem occurs. If the performance problems occur at about a certain time of day, you can schedule the Performance data sets to record data at that time over an extended period. You can use Performance Monitor to analyze your results, compare them with your baseline, and identify the factors that could be causing...

Understanding the Changes to Windows Server RRAS

As an experienced network administrator, you know that a router is a multihomed device that manages data flow between networks. It directs incoming and outgoing IPv4 or IPv6 packets based on the information it holds about the state of its own network interfaces and a list of possible sources and destinations for network traffic stored in a route table. At the most basic, client computers send all communications not addressed to another station on the same subnet to a single router known as the...

Time Elapsed

To view currently executing requests in a worker process, open IIS Manager and, in the Connections pane, select the server node in the tree. In Features View, double-click Worker Processes and select the worker process from the grid. In the Actions pane, click View Current Requests. You can then view the list of requests in the grid. You can also view a list of currently executing requests by entering the following command from an elevated command prompt: %systemroot%\system32\inetsrv\appcmd list...

Restartable AD DS

Restartable AD DS reduces the time to perform offline operations such as offline compaction and defragmentation. It also improves the availability of other services that do not depend on AD DS by keeping them running when AD DS is stopped. You can use the Microsoft Management Console (MMC) Computer Management snap-in or the net.exe command-line utility to stop and restart AD DS. Other services that run on the server but do not depend on AD DS (for example, DHCP) remain available to service client...

Configuring Messages options

The Messages tab of an SMTP virtual server Properties dialog box accessed through IIS 6.0 Manager, and shown in Figure 14-18, enables you to configure size limitations on messages sent through the server. The first two options specify the maximum size of a message including attachments as well as the maximum amount of data that can be sent through one connection to the server. You can also limit the number of messages sent per connection and the number of recipients to whom they can be sent....

Exporting the SLC

To work with either trusted publishing domains or trusted user domains, you need to export the SLC from your root cluster or from a trusted root cluster. You export certificates and use them to establish trusts. To do this, log on with an account that is a member of the local AD RMS Enterprise Administrators group. In Server Manager, expand Roles, then Active Directory Rights Management Services, right-click RootClusterServerName, and click Properties. On the Server Certificate tab, click Export...

Health and Diagnostics Features

Health and diagnostics features enable you to monitor and diagnose problems on your servers, sites, and applications. The HTTP Logging and Request Monitor role services are installed by default. The other health and diagnostics features are optional. Health and diagnostics features include the following:

HTTP Logging. This enables support for logging Web site activity and permits IIS7 to store HTTP request information in text files on the server's file system, together with a set of default...

Lesson

A. Incorrect: Many airport lounge and hotel firewalls block outbound traffic on all ports except common ones such as 80 and 443. SSTP was developed in part because many people found it impossible to establish VPN connections from airport lounges and their hotel rooms by using PPTP or L2TP/IPsec.

B. Correct: VPNs based on the SSTP protocol are likely to work from behind airport lounge and hotel firewalls because these firewalls are unlikely to block the port used for secure Web traffic, 443, which...

Using Virtual Directories

Often, a Web site needs to include content from folders that are located external to the Web site's primary folder structure. For example, multiple Web sites that share a set of images might need to access files from a single path. Virtual directories are designed to meet this requirement. You can create virtual directories at either the Web site level or within a specific Web application. A virtual directory includes an alias name used in the requesting URL and points to a physical file path....

Case Scenario Contoso Ltd.'s WSUS Deployment

You are configuring and deploying WSUS for Contoso's Copenhagen head office. There are 300 client computers and 30 servers at the head office. All the client computers in the Copenhagen office use Windows Vista, and all the servers have the Windows Server 2008 operating system installed. Approximately 50 client computers and servers are located on an isolated network that is not connected to the Internet. With that in mind, answer the following questions. 1. You want to ensure that when an...

More Info VPN Protocols

To learn more about VPN protocols supported by Windows Server 2008, see the following page on TechNet:

When you configure Windows Server 2008 as a VPN server, clients can make connections by using all three protocols. You can configure separate network policies that apply different connection settings based on which protocol is used. To disable a particular protocol, clear the Remote Access Connections (Inbound Only) and Demand-Dial Routing Connections (Inbound And Outbound) check boxes, as shown...

Simple Network Management Protocol

You can use SNMP to configure remote devices, detect network faults, measure network usage, and record network performance. The Windows Server 2008 SNMP service functions as an SNMP agent. SNMP works by having management applications and agent applications. To access the information the Windows Server 2008 SNMP service provides, you need an SNMP management application such as System Center Essentials 2007 or System Center Operations Manager 2007. Windows Server 2008 does not include an SNMP...

Configuring Site Logging

You configure site logging properties by selecting the relevant Web site in IIS Manager and double-clicking Logging in Features View. Figure 13-5 shows the default logging options. The options available depend on which role services are installed on the Web server. By default, each new site is configured to store text-based log files in the %SystemDrive%\Inetpub\Logs\LogFiles path on the local server. Each Web site is assigned its own folder that contains one or more log files. The default log...

Configuring 802.1x LAN Authentication

802.1x-compatible switches support port-based network access control. This technology limits a host from communicating on the switch port it connects to until it successfully authenticates. This adds an additional layer of security because only authorized people and devices are able to connect to the network. Nefarious third parties will be unable to plug devices in to access the network because when you configure an 802.1x-compatible switch properly, network access is not possible without...

Enabling Analytic and Debug Logs

Typically, you enable Analytic and Debug logs for a specified period to gather troubleshooting data and then disable them again. To do this, you can use either a Windows interface or command-line commands. To enable Analytic and Debug logs by using Event Viewer, right-click the Analytic or Debug log you want to enable, for example, the Debug log of the Encrypting File System (EFS), and then select Properties. Select the Enable Logging check box in the Properties dialog box and click OK to clear...

Case Scenario Configuring DHCP

DHCPv6 is implemented by default in Windows Server 2008, and DHCPv6 scopes can be created on the existing DHCP servers. No additional hardware is required to implement DHCPv6. Most of the features of DHCPv4 are implemented in DHCPv6, and IPv6 configurations can be automatically assigned to client computers. It remains good practice to configure infrastructure servers statically. 2. Problems can occur if a virtual server in a Hyper-V cluster is also a DHCP server. If a virtual network is...

VPN Authentication

Windows Server 2008 supports the following authentication protocols for VPN connections:
MS-CHAPv2 A password-based authentication protocol supported by Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP.
EAP-MS-CHAPv2 A password-based authentication protocol supported only by Windows Vista and Windows Server 2008 VPN clients.
EAP-TLS A certificate-based authentication protocol supported by Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003 VPN clients....

Anonymous Authentication

Many Web sites and Web servers permit users to access at least a default page or some selected content without needing to provide authentication information. When you enable the Web Server role with default options, anonymous authentication is enabled for the Default Web Site and its associated Web content. Anonymous authentication provides access to content that is available to all users who can connect to the Web server. When IIS7 receives a request for content, it automatically uses a...

Installing and Configuring the FTP Publishing Service

If you want to enable users to transfer files to or from a site, you must set up FTP on a Web server. The site can be on an intranet, an extranet, or the Internet, but the principles of providing a place to upload and download files using FTP are the same, although security considerations are different. You need to put files in directories on the FTP server and configure your site so that users can establish an FTP connection and transfer files by using an FTP client or FTP-enabled Web browser....

Account Lockout Policies

Account lockout policies determine how long an account lock remains in place when a user fails to authenticate successfully for the number of times specified in the password policy. You can configure the Account Lockout Duration policy from not locking accounts to locking accounts for between 1 and 99,999 minutes (approximately 70 days). The default setting is that accounts are not locked no matter how many invalid logon attempts occur. The Account Lockout Threshold policy governs the number of...
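The following Python model is an added example, not code from the book: it replays a constructed list of failed-logon timestamps against the lockout settings so you can see when a lock takes effect and when it expires. It includes the Reset Account Lockout Counter After window alongside the threshold and duration, and it is a deliberate simplification of the real Windows state machine.

```python
"""Replay failed logons against Windows account lockout policy settings.

Added example, not from the book. Simplified model of three policies:
  Account Lockout Threshold           failures before a lock (0 = never lock, the default)
  Account Lockout Duration            minutes a lock lasts (0 = until an administrator unlocks)
  Reset Account Lockout Counter After minutes without a failure before the counter resets
Times are plain minute offsets; every timeline below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int        # 0 disables lockout entirely
    duration_min: int     # 0 means locked until unlock() is called by an administrator
    reset_after_min: int  # observation window for the bad-password counter


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[float] = None   # time of the most recent failure
    locked_at: Optional[float] = None  # None while the account is not locked


def is_locked(policy: LockoutPolicy, state: AccountState, now: float) -> bool:
    """True while a lock is in force at time `now`."""
    if state.locked_at is None:
        return False
    if policy.duration_min == 0:
        return True  # only an administrative unlock clears this kind of lock
    return now < state.locked_at + policy.duration_min


def record_failure(policy: LockoutPolicy, state: AccountState, now: float) -> bool:
    """Apply one failed logon at time `now`; return True if the account is locked afterwards."""
    if policy.threshold == 0:
        return False  # lockout disabled: failures never accumulate toward a lock
    if is_locked(policy, state, now):
        return True  # still locked; the attempt changes nothing
    if state.locked_at is not None:
        state.locked_at = None  # a timed lock has expired: start with a clean counter
        state.bad_count = 0
    if state.last_bad is not None and now - state.last_bad >= policy.reset_after_min:
        state.bad_count = 0  # reset window elapsed since the previous failure
    state.bad_count += 1
    state.last_bad = now
    if state.bad_count >= policy.threshold:
        state.locked_at = now
        return True
    return False


def unlock(state: AccountState) -> None:
    """Administrative unlock: clears the lock and the counter."""
    state.locked_at = None
    state.bad_count = 0
    state.last_bad = None


def replay(policy: LockoutPolicy, failure_times: List[float]) -> List[Tuple[float, bool]]:
    """Replay constructed failure timestamps; return (time, locked_after_attempt) per event."""
    state = AccountState()
    return [(t, record_failure(policy, state, t)) for t in failure_times]


if __name__ == "__main__":
    # constructed timeline: five failures in six minutes, then one more after the lock has expired
    for t, locked in replay(LockoutPolicy(5, 30, 30), [0, 1, 2, 4, 6, 40]):
        print(f"t={t:>3} min  locked={locked}")
```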

More Info TS Gateway and

Gateway Server Port Settings

To learn more about integrating TS Gateway and NAP, consult the following TechNet article. In addition to configuring the TS Gateway server, it is necessary to configure the Remote Desktop Connection application on each client to channel traffic through the TS Gateway server. To do this, navigate to the Advanced tab of Remote Desktop Connection and click Settings under Connect From Anywhere. This displays the TS Gateway Server Settings dialog box, shown in Figure 12-24. The settings you can...

Lesson Configuring Windows Server Storage

Data is the most important asset stored within your organization's IT infrastructure. Servers and software can be purchased and replaced if they are lost or destroyed, but data, if not stored correctly and backed up, is, if not always irreplaceable, often far more challenging to replace. SANs simplify the process of storing and accessing data in large network environments. SANs enable data storage to be centralized and simplify the process of provisioning more storage. Rather than haphazardly...

Windows Update Group Policies

A Windows Server 2008 Group Policy object (GPO) contains 15 policies that relate to software updates. These policies are located under the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update node. From the perspective of the WSUS administrator, the most important policies are Configure Automatic Updates, Specify Intranet Microsoft Update Service Location, and Enable Client-Side Targeting. These policies have the following functions: Configure Automatic...

Exercise Install WSRM

In this exercise, you install the WSRM service and view WSRM policies. 1. Log on to Glasgow with the Kim_Akers account. 2. If necessary, start Server Manager. 3. In Server Manager, right-click Features and select Add Features. 4. Select the Windows System Resource Manager check box on the Select Features page of the Add Features Wizard, and then click Next. 5. If Server Manager prompts you to add Windows Internal Database, click Add Required Features. Click Next. Windows Internal Database (WID)...

Managing Failover Clusters

You can manage a failover cluster by using the Failover Cluster Management console. By right-clicking the Services and Applications node, you can start the High Availability Wizard, shown in Figure 16-10, to configure services or applications to run on the cluster. After configuration, this ensures that services and applications fail over to another node when there is a fault. To complete the wizard, specify a name and an IP address for that service and configure storage. FIGURE 16-10 High...

More Info AD RMS Installation

For more information on how to install an AD RMS cluster, see http://technet.microsoft.com/en-us/library/cc771627.aspx. For a step-by-step installation guide, see http technet For more information about installing additional cluster members, see Do not carry out this exercise unless you have finished studying the AD LDS, AD FS, and AD RMS server roles. When you have done so and are ready to move on to the next chapter, ensure that you start with a clean slate by removing the roles you installed...

VPN Protocols

Windows Server 2008 supports three VPN protocols: SSTP, L2TP, and PPTP. These protocols have the following properties. Secure Socket Tunneling Protocol (SSTP) SSTP uses an HTTPS channel for encapsulation and encryption and the Point-to-Point Protocol (PPP) for user authentication. SSTP uses TCP port 443, which is used for SSL traffic, meaning that it will rarely be blocked by firewalls in public access points such as those in hotels or in airport lounges. SSTP can also traverse NAT gateways without a...

Creating Policy Templates

To create a policy template, log on to a server that is a member of the root cluster, using AD RMS Template Administrators credentials. In Server Manager, expand Roles\Active Directory Rights Management Services\RootClusterServerName\Rights Policy Templates and, in the Actions pane, select Create Distributed Rights Policy Template. This starts the Create Policy Template Wizard. On the Add Template Identification Information page, click Add, specify the language, specify the name and description...

AD RMS Installation Prerequisites

You can install AD RMS in a test environment with very little preparation, and you do this in the practice session later in this lesson. In a production environment, however, you need to satisfy the following prerequisites to AD RMS installation. You can install AD RMS on any Windows Server 2008 edition except Windows Server Web and Itanium-based systems. However, Microsoft recommends Windows Server Enterprise or Windows Server Datacenter. You require Message Queuing and IIS (preferably IIS 7)....

Note Configuring Routing From The Command Prompt

You can use the routing context of the netsh command to control announcements and route advertisements from the command prompt. For example, the netsh routing ip rip add peerfilter server=10.10.10.161 command configures RIPv2 to accept announcements from the router at 10.10.10.161. The announcefilter option filters specific advertised routes rather than accepting all updates from a particular router. You can use the netsh routing ipv6 add persistentroute command to add a static persistent IPv6...

Case Scenario Configuring a VPN Solution at Fabrikam

You are upgrading your existing VPN solution so that all incoming VPN traffic connects to a computer running Windows Server 2008 located on your organization's perimeter network. VPN clients at Fabrikam, Inc., are a mixture of laptop computers running Windows XP SP3 and Windows Vista SP1. You want to retain the use of a password-based authentication protocol for VPN logons because you do not have the budget to deploy a full certificate services solution. You do not want to use PPTP as a VPN...

Domain Controller States

Microsoft identifies three possible states for a domain controller running Windows Server 2008. AD DS Started AD DS is started, and the computer is operating normally as a domain controller in its domain. AD DS Stopped In this state, AD DS is stopped. The AD DS Stopped state is a feature of restartable AD DS. The AD DS database Ntds.dit on the domain controller is offline. The server is joined to the domain, and all services that do not depend on AD DS are running. If no other domain controller...

Setting a .NET Trust Level

To set a .NET trust level, open IIS Manager and navigate to the application you want to manage. In Features View, double-click .NET Trust Levels and, on the .NET Trust Levels page, select a trust level from the Trust Level drop-down list. Click Apply in the Actions pane. You can also set a .NET trust level from an elevated command prompt. To do so, enter a command with the following syntax: %systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:trust /level:Full|High|Medium|Low...

Activation of Windows Server

Most IT professionals are familiar with two types of activation key, original equipment manufacturer (OEM) keys and retail keys. OEM keys are tied to a computer's BIOS. With OEM keys, the vendor usually activates Windows prior to you deploying the computer in your environment, or activation occurs immediately after you first boot and configure the computer. Retail keys come with editions of Windows Server 2008 that you purchase. Retail keys must be manually configured and, in all but a few...

Hyper-V and Server Core

You can add the Hyper-V Server role to a computer running the Server Core installation option of Windows Server 2008. Computers running Server Core make excellent Hyper-V hosts because the operating system has a smaller hardware footprint than a traditional Windows Server 2008 installation. To install the Hyper-V role on an x64 version of Windows Server 2008 Server Core, use the ocsetup Microsoft-Hyper-V command. You manage Hyper-V on a computer running Windows Server 2008 Server Core by...

Implementing AD RMS

The most straightforward implementation of AD RMS controls the internal use of intellectual property. You create access rights for the documentation you produce, and your colleagues can view, read, and manage only the content with which they are professionally involved. Content cannot be copied except under strict conditions. You can use AD RMS internally to protect confidential company information from being accessed by malicious or careless employees who do not have the right to do so. It can...

Note Firewall Exception

To enable remote connection through File Server Resource Manager, you need to enable the Remote File Server Resource Manager Management exception on the remote computer's firewall. Chapter 4, Network Access Security, discusses Firewall configuration in detail. Many administrators prefer to use command-line tools rather than the MMC snap-in. If your FTP server is running a Server Core installation and you log on interactively, you must use command-line tools. The following utilities are added to...

Recycling Application Pools

Rather than stopping an application pool, you can recycle it using the Recycle command in the Actions pane. This instructs IIS7 to retire any current worker process automatically after it has executed existing requests. Users do not see a service disruption, and the worker process is replaced by a new one as quickly as possible. Typically, you recycle application pools when you encounter memory leaks or when resource usage increases significantly over time and you suspect a defect in the...

Configuring Outbound Rules

Outbound rules apply to traffic leaving the computer for a remote host. The default configuration of WFAS allows all outbound traffic. Blocking all outbound traffic will stop many built-in Windows features and applications from communicating with other hosts on the network. This can have unintended side effects; for example, a computer cannot retrieve updates from a local WSUS server when all outbound communication is blocked unless a rule related to this type of traffic is enabled. If you do...

Failover Cluster Quorum Models

A cluster quorum is the number of nodes in the cluster that must be active for the cluster to remain online. Different cluster quorum models have different benchmarks for when a cluster remains online, although the cluster quorum model you select also depends on the hardware you have available. There are four cluster quorum models, as follows: Node Majority Each node's system disk stores the cluster configuration, and each node gets a vote. The cluster remains operational when half the nodes...
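To make the vote counting concrete, here is an added Python example (not code from the book) that evaluates whether a cluster keeps quorum and how many node failures each model tolerates. It goes beyond the Node Majority text above by also covering the other three models, Node and Disk Majority, Node and File Share Majority, and No Majority: Disk Only, using their standard definitions; the witness is modelled as a single extra vote, and all node counts are constructed.

```python
"""Quorum evaluation for the four Windows Server 2008 failover cluster quorum models.

Added example, not from the book. Node Majority follows the text above; the other
three models use their standard definitions: a witness disk or file share witness
adds one vote, and the disk-only model depends solely on the witness disk.
"""
from typing import Dict

NODE_MAJORITY = "Node Majority"
NODE_AND_DISK_MAJORITY = "Node and Disk Majority"
NODE_AND_FILE_SHARE_MAJORITY = "Node and File Share Majority"
DISK_ONLY = "No Majority: Disk Only"
MODELS = (NODE_MAJORITY, NODE_AND_DISK_MAJORITY, NODE_AND_FILE_SHARE_MAJORITY, DISK_ONLY)


def has_quorum(model: str, nodes_total: int, nodes_up: int, witness_up: bool = False) -> bool:
    """Return True if the cluster stays online with `nodes_up` of `nodes_total` nodes running."""
    if nodes_total < 1 or not 0 <= nodes_up <= nodes_total:
        raise ValueError("inconsistent node counts")
    if model == NODE_MAJORITY:
        # each node votes; more than half of all node votes must be present
        return 2 * nodes_up > nodes_total
    if model in (NODE_AND_DISK_MAJORITY, NODE_AND_FILE_SHARE_MAJORITY):
        # the witness (disk or file share) contributes one extra vote
        votes_present = nodes_up + (1 if witness_up else 0)
        return 2 * votes_present > nodes_total + 1
    if model == DISK_ONLY:
        # nodes carry no vote; the cluster is online while the witness disk is
        # available and at least one node is running to own it
        return witness_up and nodes_up >= 1
    raise ValueError(f"unknown quorum model: {model}")


def node_failures_tolerated(model: str, nodes_total: int, witness_up: bool = False) -> int:
    """Largest number of simultaneously failed nodes the cluster survives under `model`."""
    tolerated = 0
    for failed in range(1, nodes_total + 1):
        if has_quorum(model, nodes_total, nodes_total - failed, witness_up):
            tolerated = failed
        else:
            break
    return tolerated


def summary(nodes_total: int) -> Dict[str, int]:
    """Failures tolerated per model, assuming the witness is available (constructed comparison)."""
    return {m: node_failures_tolerated(m, nodes_total, witness_up=True) for m in MODELS}


if __name__ == "__main__":
    for n in (2, 3, 4, 5):
        print(f"{n} nodes:", summary(n))
```

The comparison shows why Node Majority suits odd node counts and a witness suits even ones: with four nodes, Node Majority survives one failure while Node and Disk Majority survives two.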

Backing up AD DS

Multimaster replication provides both failover support and Active Directory protection. A copy of the AD DS database is stored on all domain controllers within a domain, so if one is lost and you do not have access to backup data, you can perform a recovery by reinstalling the domain controller from scratch and replicating the database from other domain controllers. In addition, methods exist for retrieving deleted or tombstoned items in AD DS. Also, you can configure items so they cannot be...

More Info Windows System Resource Manager

For more information on using Windows System Resource Manager with Terminal Services, consult the following TechNet article: http://technet.microsoft.com/en-us/library/cc731377.aspx.

Managing Terminal Services from the Command Line

Windows Server 2008 includes a large number of command-line utilities with which you can query and manage Terminal Services servers. Some of the more useful commands include Change.exe Changes Terminal Services server settings for logons. Logoff.exe Logs a user session off from a Terminal Services server....

More Info Performance Counters

Find out what each of the listed performance counters does and how it can help you do your job. You can look up each individual counter in TechNet or the Windows Server 2008 Help files, but a good place to start is http://technet.microsoft.com/en-us/library/cc718984.aspx. As a Windows Server 2003 professional, you should know how to add counters to Performance Monitor, but if you have forgotten, click the plus sign on the toolbar at the top of the details pane. In some cases, you might need subcounters or instances under a specific...

Managing Fabrics with Storage Explorer

Fabric is a term for a network topology in which one or more data paths connect storage devices. iSCSI fabrics include multiple iSNS servers. Fibre Channel fabrics include multiple Fibre Channel switches that connect servers and storage devices, using virtual point-to-point connections. The Storage Explorer console, available through the Administrative Tools menu and shown in Figure 16-20, enables you to view and manage both iSCSI and Fibre Channel fabrics. Most of the iSCSI-specific management...

Using the Schema Snap-in to Work with Instances

You can use the Active Directory Schema snap-in to create custom consoles to manage AD LDS instance schemas. If you want to use this snap-in, you must first register it on the server. To register and use the Active Directory Schema snap-in, carry out the following procedure. 1. In an elevated command prompt, enter regsvr32 schmmgmt.dll. 2. Click Start and type mmc in the Search box. Press Enter. 3. In the empty console, click Add/Remove Snap-in from the File menu. 4. Select Active Directory...

Lesson Capturing Performance and Reliability Data

You monitor performance and reliability to improve server performance, identify potential bottlenecks, and upgrade the appropriate resources. You especially want to identify sources of critical performance problems that could make services unacceptably slow or completely unusable. Reliability monitoring helps you correlate events, such as application installations, with failures. For example, if you find that reliability decreases and problems start to occur after the installation of a new...

Installing AD LDS

AD LDS can be installed on both the full Windows Server 2008 installation and Server Core. Also, AD LDS is a good candidate for virtualization through Windows Server 2008 Hyper-V. AD LDS can easily run within a virtual instance of the Windows Server 2008 operating system, and you should consider doing so unless the application that is tied to the AD LDS instance has specific requirements for physical installation. Microsoft recommends that you avoid installing AD LDS on domain controllers...

Resource Monitor

Resource Monitor combines the CPU, disk, memory, and network usage graphs into a single view, as shown in Figure 8-24. It provides expandable components for each resource so you can identify which process might be the culprit if problems are encountered. Task Manager and Resource Monitor are used for on-the-spot verifications of resource usage that can identify immediate problems. They are less suitable for periodic monitoring of resources that can identify potential bottlenecks and problems...

Note You Can Deploy Only A Single AD RMS Root Cluster In A Forest

Because AD RMS creates an SCP during installation and only one SCP can exist per forest, you can deploy only a single AD RMS root cluster in an AD DS forest. 19. On the Web Server IIS page, read the information and click Next. 20. On the Select Role Services page, do not change the role services settings. Click Next. 21. On the Confirm Installation Selections page, review your choices and click Install. 22. When the installation is complete, click Finish to close the installation wizard. 23....

Note Do Not Be Too Hasty In Raising Domain And Forest Functional Levels

It is easy to raise a functional level. It is difficult to reduce one; this requires a reinstall or a restore from backups of the lower functional level. If, for example, you raised the domain functional level to Windows Server 2008 and then found you needed to add a Windows Server 2003 domain controller to your domain, you have a serious problem. Similarly, if you raised your organization's forest functional level to Windows Server 2008 and your organization acquired another that had a domain...