In the Import Trusted User Domain dialog provide the location of the Trusted User Domain File given to you by the

To minimize the administrative burden for a small or diverse group of accounts you can use the Windows Live ID service as a source of RACs for users. Before you can do this, you will need to configure your AD RMS cluster to trust the Windows Live ID service. In preparation for this, be sure to enable anonymous access and expose the AD RMS licensing Web service (located at _wmcs/licensing on your Web server) for external users to obtain use licenses. Now, we will extend the Trust Policy to...

Settings in Windows Server

You can configure wired policies from the Computer Configuration | Policies | Windows Settings | Security Settings | Wired Network (IEEE 802.3) Policies node in the Group Policy Management Editor snap-in via the MMC. By default, there are no wired policies in place. To create a new policy, use the following steps: 1. Right-click the Wired Network (IEEE 802.3) Policies in the console tree of the GP Editor snap-in. 2. Click Create A New Windows Vista Wired Policy. 3. The New Windows Vista Wired Policy...

Configuring TS Remote Desktop Web Connection

TS Remote Desktop Web connection is a feature of TS Web Access that allows remote users to connect to a remote desktop, taking full control of the remote system instead of just accessing the remote applications (see Figure 9.16). To configure TS Remote Desktop Web Access: 1. Open the Internet Explorer browser. 2. Type http://server_name/ts (in this example, win-kn3t0cfzmmv.syngress.local/ts). 3. Click on the Remote Desktop link. 4. Under the Connection Options provide the Computer Name or IP...

Server Core

Server Core brings a new way not only to manage roles but also to deploy a Windows Server. With Server Core, we can say goodbye to unnecessary GUIs, applications, services, and many more commonly attacked features. Using Server Core and Active Directory For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn heavy (too much code), loaded too many modules (services, startup applications, and so on), and was...

Active Directory Certificate Services

In PKI, a digital certificate is a tool used for binding a public key with a particular owner. A great comparison is a driver's license. Consider the information listed on a driver's license: Social security number (or another unique number such as a state issued license number); Signature certification by an authority (typically from within the issuing state's government body). The information on a state license photo is significant because it provides crucial information about the owner of that...

Issuance Requirements

These settings can be used to manage the approval requirements in order for a certificate to be issued. These settings allow for a workflow or approval chain to be applied to the certificate type. CA Certificate Manager Approval: Using this setting will require that the CA Manager assigned in the CA approve of the certificate before it is released to the end-user of the certificate. Number of Authorized Signatures: Under these settings, additional approval steps may be required to release the...

Configuring a Fine Grain Password Policy

Two new Active Directory object classes have been added to the Active Directory schema to support fine-grain policies. Policies are configured under a Password Settings Container (PSC). The actual policy objects themselves are called Password Settings objects (PSO). [Figure 3.6: Bringing Up the Connections Settings Dialog] Creating a PSO involves using a lower-level Active Directory editing tool than you might be familiar with. There are two...

Ad Hoc vs Infrastructure Mode

An ad hoc network tends to feature a small group of devices all in very close proximity to each other. Performance suffers as the number of devices grows, and a large ad hoc network quickly becomes difficult to manage. Ad hoc networks cannot bridge to wired LANs or to the Internet without installing a special-purpose gateway. Ad hoc networks make sense when needing to build a small, all-wireless LAN quickly and spend the minimum amount of money on equipment. Ad hoc networks also work well as a...

Adding Virtual Machines

When attempting to add virtual machines on a Windows Server 2008 machine, you must first be sure that Hyper-V is installed and correctly set up on the machine. Remember that Hyper-V requires 64-bit hardware and a 64-bit version of the operating system with hardware assisted virtualization enabled to implement virtualization. Be sure that the hardware options of the machine meet these criteria and that you are running Windows Server 2008 x64 before attempting to use virtualization options. Also...

Installing and Managing Hyper-V on Windows Server Core Installations

The Windows server core installation option of Windows Server 2008 and Windows Server virtualization are two new features of Windows Server 2008 that work together to a mutually beneficial end. The Windows server core installation option is a new shell-less and GUI-free installation option for Windows Server 2008 Standard, Enterprise, and Datacenter Editions. It will lower the level of management and maintenance required by an administrator. The Windows server core installation option provides...

Configuring Windows Firewall

The Windows Firewall is turned on by default on a Windows Server 2008 machine. You can turn it off with the command netsh firewall set opmode mode=disable. However, this should only be done in a test environment, not in a production environment. If you want to enable the Windows Firewall, use the same syntax but substitute mode=disable with mode=enable. If you install a particular role on a Server Core machine, then the required ports to fulfill the role service will be opened. To enable Remote...

Changing Background Settings and More

Imagine you are a system administrator working in a server park with approximately 200 Core Servers. Ten of them are very important because these are installed with IIS and take care of the company's core business. You surely don't want to mess up these servers. So you are looking for a way to distinguish these servers from the others. Well, let's use the old-fashioned way. We can change the background color to (for instance) red. Type regedit in the console, browse to the key...

Changing the Regional Settings

You can change the regional settings by specifying the settings in an answer file during an unattended setup, or you can set it manually. If you run the command control intl.cpl, you will notice that Server Core is not completely GUI-less (see Figure 7.12). After typing the previous command, the Control Panel applet regional and language options will appear. Because of some dependencies on a few low-level GUI DLLs, it is not yet possible to use a complete command-line version of this applet. Of...

Configuring TS Remote App

Configuring TS RemoteApp includes installing applications in a terminal-server aware mode on the Terminal Server, enabling remote control configuration, configuring application parameters, adding users, and publishing it on TS Web for Web access. To install an application in the Terminal Server mode: 1. Click Start | Control Panel and double-click on Install Application on Terminal Server (see Figure 9.1). It is recommended to install any new applications only after installing terminal services on...

Administrating Server Core

After installing and configuring the Server Core machine, it's time to administer it. This can be done remotely with WINRM/WINRS or you can use the MMCs that become available after you install the Remote Server Administration Tools or RSAT. It's up to the administrator which tools he or she prefers. To be honest, if I have to choose between the command dnscmd.exe or the DNS MMC snap-in, I prefer the snap-in. It's quicker and there's less room for error. The following sections detail the...

Which Roles Can Be Installed

Administrators think of servers in terms of roles. That's our fileserver, that's the DNS server, and so on. A server always fulfills a particular role. For this reason, Microsoft has changed its approach for installing software. A server role provides the key functionality of a particular server. Add/Remove Programs doesn't exist anymore and has been replaced by Server Manager. If you want to add a role or feature, the Server Manager is the place to do it. But Server Manager doesn't work in...

Server Manager

Server Manager is likely to be a familiar tool to engineers who have worked with earlier versions of Windows. It is a single-screen solution that helps manage a Windows server, but is much more advanced than the previous version. Although we will be discussing Server Manager (Figure 1.1) as an Active Directory Management tool, it's actually much more than just that. [Figure 1.1: Server Manager] Perform the following tasks to initially configure...

Get-BitLockerRecoveryInfo.vbs

BitLocker recovery information is stored in Active Directory attributes flagged as confidential. The confidential flag is a feature introduced in Windows Server 2003 Service Pack 1 and provides advanced access control for sensitive data. With this feature, only domain administrators and authorized users have read access to those attributes. Therefore Active Directory backup for BitLocker recovery information should be implemented only if your domain controllers are running Windows Server 2003...

Full IIS Installation

If you want to install all available options from Internet Information Services, copy the following command and paste it into the command prompt in Server Core: start /w pkgmgr Features IIS-Sta IIS-WindowsAuthentication IIS-DigestAuthentication IIS-ClientCertificateMap If you want to install a feature, type oclist to find the required feature name. If you execute this command, you will see a list with all the roles and features that can be installed on Server Core, and whether they are...

Installing Server Core Roles

We can't use Server Manager because it has .NET Framework dependencies, and we can't use the command servermanagercmd.exe either for the same reason. If we want to install roles or features on Server Core, we need the command ocsetup.exe. ocsetup is often used to perform scripted installations of Windows components, and substitutes the Sysocmgr.exe tool that we know from previous Windows versions. ocsetup has one disadvantage when compared with Server Manager. Server Manager carefully checks...

Setting the Pagefile

After adding memory to your Server Core machine, it's likely you will want to change the pagefile. Even though you don't have a GUI, it's still possible to change the pagefile. By default, the pagefile is configured by the Windows System. If you want to see the current settings, type wmic.exe pagefile list /format:list. If you want a manually configured pagefile, you must first disable the system-managed pagefile with the command wmic.exe computersystem where name="%computername%" set Automatic...

Remote Server Administration Tools RSAT

Server Manager is the single all-in-one tool that you generally use to administer a Server 2008 machine. You can only open the tool if you connect via RDP or sit behind the console. Server Manager is not available on a Server Core installation because it needs .NET Framework 2.0 and MMC 3.0, and these two components are not installed on Server Core. Because the option connect to a different computer is not available within Server Manager, it isn't possible to connect with this tool to a Server...