Startseite Microsoft Windows Server 2008 Administration

Microsoft Windows Server 2008 Administration

Steve Seguis

Categories: Computers\\Programming

Verlag: McGraw-Hill Osborne Media

Sprache: english

Seiten: 514

ISBN 10: 0071595139

File: PDF, 15.45 MB

Download (pdf, 15.45 MB)

Lese Bücher online

You can write a book review and share your experiences. Other readers will always be interested in your opinion of the books you've read. Whether you've loved the book or not, if you give your honest and detailed thoughts then people will find new books that are right for them.

Rent and Save a ton on Microsoft Office Sharepoint Server 2007

McGraw-Hill Osborne Media

Gilster, Ron

Jahr: 2007

Sprache: english

File: PDF, 25.87 MB

Just Enough English Grammar Illustrated

McGraw-Hill Osborne Media

Gabrielle Stobbe

Sprache: english

File: PDF, 3.98 MB

Praise for Microsoft Windows Server 2008 Administration
Steve Seguis’ Microsoft Windows Server 2008 Administration is a wonderful read by
a brilliant and skillful writer. The book is written in concise and easy-to-understand
terms that will benefit both new and experienced administrators.
The book includes hands-on exercises, chapter summaries, and plenty of images. The hands-on exercises allow you to put into practice what you have just
learned or read. The exercises are written in a step-by-step manner so that you can
perform the tasks at hand without the need to reread the accompanying text. The
chapter summaries are brief chapter overviews and are a handy way to refresh
your memory about the contents of the chapter. The images that accompany the
book are great for seeing where you need to be when reading the content.
I recommend this book in part because of the new improvements and
enhancements that Microsoft has added to their flagship Server Operating System.
I also recommend this book because it will make a great addition to your technical
library.
—Don Hite, Microsoft MVP, Systems Management Server,
IBM Global Services

If you’re a professional Windows Server administrator, this book is a musthave. The hands-on exercises alone set this book apart from any other Windows
Server management guide I’ve read in a long time. You can tell that Steve has spent
a great deal of time with Windows Server 2008. I highly recommend it.
—Stuart B. Renes, Microsoft MVP, Windows Server System

Whether you are new to Windows Server 2008 or not, this book will give you
the background to understand the new technologies and get you up to speed
quickly. Although I primarily work with small to medium businesses, this book
will serve me equally well in these smaller environments as well as the larger
enterprise environments. An excellent reference for anyone!
—Kevin Royalty, MCSE 2000/2003, Microsoft MVP, Small Business Server
Managing Partner, Total Care Computer Consulting

This page intentionally left blank

Microsoft Windows
Server 2008
Administration
®

ABOUT THE AUTHOR
Steve Seguis is a Windows Systems Engineer in the financial industry who has been
managing Microsoft Windows environments for more than 10 years. He was a Microsoft
Most Valuable Professional (MVP) for Windows Server Admin Frameworks from 2004
to 2007, and is a contributing writer and technical editor for Scripting Pro VIP (formerly
Windows Scripting Solutions) magazine. His specialty is in systems management and
automation.

About the Technical Editor
Richard Lewis is a Windows Systems Engineer who has been involved in Windows
systems design and automation for more than 11 years and is currently a consultant
to the aerospace industry at Lewis Technology (www.lewistech.com). He has been a
Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT)
since 1996 and is a contributing author and technical editor for Windows ITPro magazine
and Scripting Pro VIP. Richard has penned more than 200 articles on Windows training,
administration, scripting, and system automation.

Microsoft Windows
Server 2008
Administration
®

STEVE SEGUIS

New York Chicago San Francisco
Lisbon London Madrid Mexico City Milan
New Delhi San Juan Seoul Singapore Sydney Toronto

Copyright © 2008 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as permitted
under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or
stored in a database or retrieval system, without the prior written permission of the publisher.
0-07-159513-9
The material in this eBook also appears in the print version of this title: 0-07-149326-3.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name,
we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where
such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. For more information, please contact George Hoare, Special Sales, at george_hoare@mcgraw-hill.com or (212) 904-4069.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use
of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute,
disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own
noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to
comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE
ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY
INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY
DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the
functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor
its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages
resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances
shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from
the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall
apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
DOI: 10.1036/0071493263

Professional

Want to learn more?
We hope you enjoy this
McGraw-Hill eBook! If
you’d like more information about this book,
its author, or related books and websites,
please click here.

For my wife Annalene who never fails to support and believe in me!

This page intentionally left blank

AT A GLANCE
▼
▼
▼
▼
▼
▼
▼

▼ 11
▼ 12
▼ 13

Getting Started with Windows Server 2008 . . .
Server Core
.........................
Server Manager
......................
Active Directory Domain Services . . . . . . .
Windows Deployment Services
..........
Internet Information Services 7.0
.........
Resource Management and Performance
Monitoring
........................
Network Policy and Access Services
......
Terminal Services
.....................
Windows DNS, BitLocker Drive Encryption,
and Itanium Support
................
Routing and Remote Access . . . . . . . . . . . . .
Enterprise Public Key Infrastructure
......
Windows PowerShell
..................

▼

Index

1
2
3
4
5
6
7

▼ 8
▼ 9
▼ 10

1
25
51
95
145
177
213
253
285
331
353
401
433

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

This page intentionally left blank

For more information about this title, click here

CONTENTS
Acknowledgments
....................................
Introduction
.........................................

▼ 1 Getting Started with Windows Server 2008

......
System Requirements . . . . . . . . . . . . . . . . . .
Installation and Configuration . . . . . . . . . . .
Post-Installation Configuration and Initial
Configuration Tasks . . . . . . . . . . . . . .
Boot Configuration Data . . . . . . . . . . . . . . . .
BCD Store . . . . . . . . . . . . . . . . . . . . . . .
BCD Object . . . . . . . . . . . . . . . . . . . . . .
BCD Elements . . . . . . . . . . . . . . . . . . . .
BCD Modification Methods . . . . . . . . .
Chapter Summary . . . . . . . . . . . . . . . . . . . . .

▼ 2 Server Core

..................
Roles Supported by Server Core .
The Ups and Downs of Server Core
Installing Server Core . . . . . . . . .
Requirements . . . . . . . . . . .
Post-Installation Tasks . . . .

...
...
.
...
...
...

.
.
.
.
.
.

................
................
................

xvii
xix
1
2
3

.
.
.
.
.
.
.

8
10
10
13
16
16
23

.
.
.
.
.
.

25
26
27
27
27
30

xii

Microsoft Windows Server 2008 Administration

Installing and Configuring Server Roles
Installing Optional Features . . . . . . . . . .
Server Core Management . . . . . . . . . . . .
Chapter Summary. . . . . . . . . . . . . . . . . . . . . .

.
.
.
.

38
46
46
49

▼ 3 Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

51
52
56
58
58
59
59
60
60
61
62
62
67
90
94

What Is Server Manager? . . .
Server Manager Elements . . .
Server Manager Console . . . .
Server Summary . . . . . .
Roles Summary . . . . . .
Features Summary . . . .
Resources and Support.
Server Manager Snap-Ins . . .
Roles Snap-In . . . . . . . .
Features Snap-In. . . . . .
Diagnostics Snap-In . . .
Configuration Snap-In .
Storage Snap-In . . . . . .
Chapter Summary. . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.

...
....
....
....

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

▼ 4 Active Directory Domain Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Birth and Evolution of Active Directory . . . . . . . . . .
Active Directory Primer . . . . . . . . . . . . . . . . . . . . . . . . . .
What Is Active Directory? . . . . . . . . . . . . . . . . . . . .
How Is Active Directory Organized? . . . . . . . . . . . .
Active Directory and DNS . . . . . . . . . . . . . . . . . .
Domain and Forest Functional Levels . . . . . . . . .
Windows Server 2008 Active Directory Domain Services
Active Directory Requirements
..............
The New Active Directory Domain Services
Installation Wizard . . . . . . . . . . . . . . . . . . . . . .
Installation Options for Active Directory
Domain Services
.......................
Verifying Active Directory Installation
........
Removing Active Directory Domain Services
...
Unattended Installation . . . . . . . . . . . . . . . . . . . .
Restartable Active Directory Domain Services
..
Auditing Active Directory Domain Services
....
Read-Only Domain Controller
..............
Backup and Recovery
.....................
Migration Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter Summary
............................

.
.
.
.
.
.
.
.

95
96
97
98
99
105
105
106
106

........

107

.
.
.
.
.
.
.
.
.
.

107
126
126
130
132
133
135
137
141
142

.
.
.
.
.
.

.
.
.
.
.
.
.
...

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

Contents

▼ 5 Windows Deployment Services

.....................
Benefits of Using Windows Deployment Services
...
Scenarios for Windows Deployment Services
......
Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
WDS Installation
............................
WDS Properties
.............................
Creating an Operating System Image for WDS
.....
Loading Your Install Image to Your Clients Using WDS
Unattended Install Using WDS
.................
Windows System Image Manager . . . . . . . . . . .
Chapter Summary
...........................

▼ 6 Internet Information Services 7.0

...............
IIS 7.0 Features
.........................
Unattended Installation
..................
IIS Management Console
.................
Remote IIS Administration . . . . . . . . . . . . . . . .
Administration Using APPCMD.EXE
.......
Delegated Administration
................
Server and Application Health and Performance
Runtime Status & Control API
........
Automatic Failed Request Tracing . . . . . .
Xcopy Deployment
.....................
Chapter Summary
......................

▼ 7 Resource Management and Performance Monitoring
Data Is Good!
....................
Windows System Resource Manager . .
WSRM Architecture . . . . . . . . . . .
Managed vs. Unmanaged Processes
WSRM Service . . . . . . . . . . . . . . .
The WSRM Management Interface
Process Matching Criteria
......
Resource Allocation Policies
....
Calendar
...................
Accounting
.................
Conditions . . . . . . . . . . . . . . . . . .
Resource Monitor
............
Reliability and Performance Monitor . .
Data Collector Sets . . . . . . . . . . . .
Reliability Monitor
...........
Reports
....................
Chapter Summary
................

....
....
....
..
....
...
....
....
....
....
....
....
....
....
....
....
....

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
...
...
...

.
.
.
.
.
.
.
.
.
.
.

145
146
147
148
148
151
152
162
164
165
174
177

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

178
181
187
192
194
200
204
204
205
211
212

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

213
214
215
215
216
216
218
219
222
228
231
235
236
239
242
246
248
252

xiii

xiv

Microsoft Windows Server 2008 Administration

▼ 8 Network Policy and Access Services

.........
Network Access Protection
............
NAP Components
...................
IPSec Enforcement . . . . . . . . . . . . . . .
802.1X Enforcement . . . . . . . . . . . . . .
VPN Enforcement
...............
DHCP Enforcement . . . . . . . . . . . . . .
Network Policy Server/Radius
.....
NAP Agent
....................
System Health Agent . . . . . . . . . . . . .
NAP Administration Server
.......
System Health Validator
..........
Health Policy . . . . . . . . . . . . . . . . . . .
Accounts Database
..............
Health Registration Authority . . . . . .
Remediation Server
..............
Dispelling NAP Myths . . . . . . . . . . . . . . . .
Architecture
........................
NAP Client Architecture
..............
Enforcement Clients
.............
System Health Agent . . . . . . . . . . . . .
NAP Server Architecture
..............
Enforcement Servers
.............
Communications Flow . . . . . . . . . . . . . . . .
Requirements . . . . . . . . . . . . . . . . . . .
Preparation
....................
Installing the Network Policy Server .
Configuring the Network Policy Server
Installing and Configuring DHCP . . .
Configuring the Client . . . . . . . . . . . .
Testing the NAP Client
...........
Chapter Summary
...................

▼ 9 Terminal Services

......................
Terminal Services Core Functionality . . . . .
Remote Desktop Connection 6.0
....
Single Sign-On
......................
Installing Terminal Services
............
Terminal Services Licensing . . . . . . . . . . . .
License Types . . . . . . . . . . . . . . . . . . .
Installing and Configuring TS Licensing
Terminal Services Gateway
............
TS Gateway Architecture
.........
TS Gateway and NAP
............

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

253
254
256
256
257
257
258
258
258
258
258
259
259
259
259
259
259
260
261
262
262
262
263
263
265
265
265
266
271
281
283
284

.
.
.
.
.
.
.
.
...
...
...

.
.
.
.
.
.
.
.
.
.
.

286
287
287
291
294
294
295
302
302
317

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.

285

Contents

Terminal Services Remote Programs
Requirements . . . . . . . . . . . . .
Installing Applications
.....
Terminal Server Web Access . . . . . .
Program Placement and Performance
Chapter Summary
.............

...
....
....
....
..
....

.
.
.
.
.
.

..
Domain Name System
............................
Background Zone Loading
....................
IPv6 Support
...............................
GlobalNames Zone
..........................
Read-Only DNS Zone
........................
Windows Link-Local Multicast Name Resolution . . .
Windows BitLocker Drive Encryption
................
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
BitLocker Architecture . . . . . . . . . . . . . . . . . . . . . . . .
Initializing BitLocker . . . . . . . . . . . . . . . . . . . . . . . . .
BitLocker Recovery
..........................
Turning Off or Uninstalling BitLocker Drive Encryption
Windows Server 2008 Itanium Support
...............
Chapter Summary
...............................

.
.
.
.
.
.
.
.
.
.
.
.

▼ 10 Windows DNS, BitLocker Drive Encryption, and Itanium Support

▼ 11 Routing and Remote Access

..................
Routing Services . . . . . . . . . . . . . . . . . . . . . . . . .
Routing Basics
......................
Dynamic Routing
...................
Routing Configuration with RRAS
......
Configuring Network Interfaces for Routing
Routing Protocols
...................
Remote Access
..........................
Dial-Up Networking
.................
Virtual Private Networks . . . . . . . . . . . . . .
DHCP Integration with RRAS . . . . . . . . . .
Configuring RRAS Server Properties
....
Chapter Summary
.......................

▼ 12 Enterprise Public Key Infrastructure
PKI Uses . . . . . . . . . . .
Digital Signatures . . . .
Digital Certificates
...
Certification Authorities
Types of CAs
.......
Enterprise CAs
.
Stand-alone CAs

....
....
....
...
....
....
....

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.

317
318
318
323
329
330

...
...
...
...
...
...
...
...
...
...
...
...
...
.....
.....

331
332
333
334
334
334
335
336
336
337
344
350
351
351
352

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

353
354
354
356
358
359
361
381
381
383
389
389
398

.
.
.
.
.
.
.
.

401
402
403
404
404
405
405
405

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

xvi

Microsoft Windows Server 2008 Administration

Cryptographic Service Providers
........
Certificate Templates
.................
Recovery Keys
......................
Certification Authority Management Console
Issuing Certificates . . . . . . . . . . . . . . . . . . .
Certificate Revocation
................
Chapter Summary
...................

....
....
....
..
....
....
....

.
.
.
.
.
.
.

406
406
409
413
425
426
431

.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

433
434
436
439
441
442
443
446
448
451
452
454
458

................................................

459

▼ 13 Windows PowerShell

...................
PowerShell at a Glance . . . . . . . . . . . . . . . .
Getting Your Feet Wet
................
Cmdlets
...........................
Windows PowerShell and .NET . . . . . . . . .
Windows PowerShell, Scripting, and Security
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . .
Conditional Statements
...............
Going Loopy
.......................
PowerShell in Action
.................
Working with the Registry . . . . . . . . .
Working with Dates and Times
.....
Chapter Summary
...................

▼

Index

.
.
.
.
.
.
.
.
.
.
.
.
.

ACKNOWLEDGMENTS
T

his book wouldn’t exist without the concerted efforts of many individuals working together from different disciplines, who made sure
that the final product is something of which we can all be proud.
First off, I want to thank my literary agent, David Fugate, who initially approached me to ask if I would be interested in putting together a proposal
for this book project. He opened up the door for me to write my first book.
Jane Brownlow was the sponsoring editor for this book and came up with
the initial concept, got the publisher’s approval, and got the ball rolling. Jane took
maternity leave shortly after I started writing this book, so Megg Morin (acquisitions editor) and Carly Stapleton (acquisitions coordinator) kept this project going,
making sure we stayed focused on meeting our objectives and promptly answering
any questions I had. After Jane returned from maternity leave (Congratulations,
Jane!), they all worked together to help me finish up the book. Lisa Theobald was
the copy editor for this book and together with Janet Walden, the editorial supervisor,
put a lot of work into making my writing much clearer and making me look better
in the process. I want to thank them all very much for their professionalism and
dedication to this project.

xvii

xviii

Microsoft Windows Server 2008 Administration

Richard Lewis was the book’s technical editor, and he painstakingly went through
several iterations of each chapter as I worked through writing various lab exercises to
ensure technical accuracy of both the general content and the hands-on exercises. He also
provided lots of good feedback that I believe helped improve the book tremendously.
Thanks for paying attention to the details. The effort you put into this project, especially
toward the end to ensure that we hit our deadlines, is very much appreciated.
Finally, many people didn’t directly participate in the writing of this book but were
directly impacted during the time of its writing, and those people are my family. As is the
case with most technical writers, I have a regular full-time day job in addition to writing
this book. I want to thank my family for being patient and understanding while I spent
countless hours night after night, weekend after weekend, month after month, locked
away in my lab painstakingly researching and writing instead of spending quality time
with them. More specifically, I would like to thank my wife, Annalene, for understanding why I was too busy for the past few months to spend quality time with her and take
her to the movies, and for understanding why we had to reschedule every vacation we
had planned for so long just to get this book done. She’s always believed in me and has
stood by every decision I’ve made in my career. Thanks for being my best friend! I also
want to thank my parents, Romeo and Lourdes Seguis, for being great role models, raising me with a good head on my shoulders, and giving me opportunities that helped
shape my career and my life. I love you all very much!

INTRODUCTION
I

have read hundreds of books throughout my career, as I’m sure many of
you have, and I’ve found three general categories of technical books: On
one end of the spectrum are books geared toward beginners that help
readers get a basic understanding of each topic but are only skin deep. On
the other extreme are highly technical reference books that try to cover every imaginable aspect of the subject (but typically fail to do so). Those types
of books go into great detail about every subject, but—let’s face it—there’s
no such thing as a book that covers absolutely everything. Those books in
the middle of the spectrum cover the basics regarding things you should
know, but go into greater detail about things you really need to know. This
book was purposely written to be more of a book in the middle, and I’ll tell
you why.

While I consider myself to be highly technical, I don’t like more complicated
explanations than are necessary. This has been my approach while writing this
book. My goal was to write a book that satisfies your need for technical details
without making your head spin in the process. This book is clearly targeted to
professionals, so I have made the assumptions that you already have a healthy
understanding of servers and how they work and have managed a Microsoft
Windows Server–based operating system in the past (even better if you are
currently doing so).

xix

Microsoft Windows Server 2008 Administration

In each chapter, I start off with a few basics on each topic, and in some cases a quick
review of the subject matter, before diving into specifics of how things work in Windows
Server 2008. I hope this greatly enhances the reader experience, since it makes sure that
every reader is on the same page (no pun intended) before going into product-specific
information.
You will also notice that I use plenty of hands-on exercises throughout each chapter.
I think that understanding theory and general concepts is a good thing, but most people
learn best while actually completing tasks. I hope that you will find the inclusion of
many hands-on exercises to be of use to you. One of the major goals of these exercises is
to force you to use Windows Server 2008 and its many features. Although each exercise
offers step-by-step instructions on how to accomplish a specific task, there is always
more than one way to perform a task, so feel free to experiment and try to find other
ways to work. One thing you will appreciate with Windows Server 2008 is the flexibility
it offers you as an administrator to interact with various elements of the operating system. Take advantage of this and don’t assume that the way I wrote it is necessarily the
best way, since I sometimes had to choose steps that were easier to follow rather than
faster to do.
I also don’t hold back on screenshots. These are not page fillers but serve a specific
purpose of showing what you can expect the screens to look like as you work through the
exercises. I can’t tell you how many times I’ve read a book and scratched my head while
reading some of the step-by-step guides because either the description wasn’t clear or a
miscommunication was written about what I should be looking at versus what I actually
saw. By providing the screenshots, I hope to clear up a lot of the confusion associated
with many of those purely text-based exercises.
This book was initially written when Microsoft Windows Server 2008 (then called
Windows Server codename “Longhorn”) was still in Beta 2. As you can very well
understand, Beta 2, which wasn’t made available to the general public, was still quite
rough around the edges, and many features and graphical elements didn’t function
the way one might expect. I finished writing the first draft of the book just as Release
Candidate 1 was released to the general public. After Windows Server 2008 Release
Candidate 1 was made available, we went back and updated every chapter and making
changes where appropriate; we recaptured all of the screenshots since Microsoft had
thankfully done a wonderful job polishing up the user interface and in many cases
fixed major bugs that caused me many sleepless nights. We did our very best to make
sure that you got the most accurate information you can get up until product launch
so as you read this book, please keep in mind that the screenshots and exercises were
taken from Windows Server 2008 Release Candidate 1, and while Microsoft generally
doesn’t make any major functionality changes other than bug fixes prior to launch,
the screenshots and some of the wording on the screen can potentially be different
from that of the final product.
This book, Microsoft Windows Server 2008 Administration, is a book written by a
Windows administrator for Windows administrators. I know how frustrating it is to
read a book and not be able to answer the question of “How do I do that?”. From the
ground up, I focused on one thing and one thing alone, and that is to provide you

Introduction

with the information you need to not only answer the question “What can do I in
Windows Server 2008?”, but also “How do I do that in Windows Server 2008?”. It’s a
direct hands-on approach loaded with step-by-step guides and real examples. Unfortunately, there’s no way to do that and cover every possible feature inside this new
operating system. However, this book will equip you to make good decisions about
how you can use Windows Server 2008 in your environment and take advantage of its
many new features.

xxi

This page intentionally left blank

1
Getting Started with
Windows Server 2008

Microsoft Windows Server 2008 Administration

hen Microsoft started development of Windows Server 2008, the company
took the time to collect user feedback and incorporate this information into
the product’s features. It is the first operating system built by Microsoft under
its new strict security development guidelines. The security “theme” permeates every
aspect of this operating system and can’t be missed. Although future system updates are
inevitable with any OS release, this new architecture allows you to minimize the attack
surface immediately, thereby mitigating the risks. Microsoft has also vastly improved the
user experience by simplifying the installation process and providing a new integrated
Server Manager tool for more effective server management. Before you can take advantage
of any of these features though, your first step is to install Windows Server 2008. Let’s cut
to the chase and see what it takes to get Windows Server 2008 installed.

SYSTEM REQUIREMENTS
To ensure proper installation of Windows Server 2008, you will need to make sure the
server hardware meets these minimum and recommended hardware levels:

Processor

Minimum: 1GHz
Recommended: 2GHz
Optimal: 3GHz or faster
*Intel Itanium 2 processor required for Windows Server 2008
for Itanium-based systems

Memory

Minimum: 512MB RAM
Recommended: 1GB RAM
Optimal: 2GB RAM (Full installation) or 1GB RAM
(Server Core installation) or more
Maximum (32-bit): 4GB (Standard) or 64GB
(Enterprise and Datacenter)
Maximum (64-bit): 32GB (Standard) or 2TB
(Enterprise, Datacenter, and Itanium-based systems)

Disk Space

Minimum: 8GB
Recommended: 40GB (Full installation) or 10GB
(Server Core installation)
Optimal: 80GB (Full installation) or 40GB
(Server Core installation) or more

Drive

DVD-ROM drive

Display

SVGA (800 × 600) or higher resolution
Keyboard
Microsoft mouse or compatible pointing device

Chapter 1:

Getting Started with Windows Server 2008

INSTALLATION AND CONFIGURATION
Windows Server 2008 offers two general types of installations: a typical Full server installation and Server Core. Server Core is a stripped down version of Windows Server
2008 that doesn’t include a GUI or any other unneeded services. Instead, the server installs only key features that are related to the role that it supports—for example, Active
Directory or Domain Name System (DNS). Chapter 2 provides more details about Server
Core. The following paragraphs discuss a typical Windows Server 2008 installation.
One of server engineers’ biggest gripes about the manual Windows Server installation process in the past was that they had to babysit the server as it went through the
installation, because they had to key in bits of information at different times throughout
the process—license information, components to install, and network configuration, for
example. Of course, the easy solution to all this is to perform an unattended installation,
but for the one-offs that require manual installation, the process was far from being
“set and forget.”
In Windows Server 2008, this problem has been addressed by reducing the number
of interactive steps required to get your server up and running. All the necessary questions for the installation are asked up front, before you begin the actual installation process of copying the files and performing the initial server configuration. By doing this,
the installation process no longer has to stop for additional information before it can
proceed. Once the server software installation is complete, installation of components
and the configuration of the server can proceed under the new integrated management
tool called Server Manager.

Hands-On Exercise: Interactive Installation
of Windows Server 2008
1. Start the computer and bootup using the Windows Server 2008 installation
media. Select the installation language, time and currency format, and
keyboard layout, and then click Next (Figure 1-1).
2. Click Install Now to begin the installation process. As you can see in Figure 1-2,
you can access system recovery tools by clicking the Repair Your Computer
option at the bottom of the screen.
3. Enter the product key. If you don’t want to activate Windows as soon as you’re
computer goes online (for example, if you are simply testing the installation or
evaluating Windows Server 2008), you can uncheck the Automatically Activate
Windows When I’m Online checkbox (Figure 1-3). Click Next.
4. Now select whether to install Windows Server 2008 Enterprise (Full Installation)
or Windows Server 2008 Enterprise (Core Installation). For now, select
Windows Server 2008 Enterprise (Full Installation) (as shown in Figure 1-4),
and then click Next.

Microsoft Windows Server 2008 Administration

Figure 1-1. Installation language, time and currency, and keyboard layout screen

Figure 1-2. Installation screen

Chapter 1:

Figure 1-3. Product key screen

Figure 1-4. Operating system selection screen

Getting Started with Windows Server 2008

Microsoft Windows Server 2008 Administration

5. If you accept the terms of the license agreement, check the I Accept the License
Terms checkbox (required to use Windows), and then click Next (Figure 1-5).
6. Select the type of installation you want to perform. In this case, you are
performing a clean install, so you should select Custom (Advanced). You’ll
notice that you can’t select Upgrade unless you initiated the setup from an
existing Windows Server installation (Figure 1-6).
7. If your hard drive is automatically detected, you can create and format a
partition as necessary for the installation. If your drive isn’t detected, most
likely the device driver for your controller isn’t built into Windows, in which
case you can click Load Driver (at the bottom-left of the screen) to load it.
Click Next after you have created the partition to which you are going to install
(Figure 1-7).
8. Now that Windows Server 2008 has all the basic information it needs to
proceed with the installation, it begins the installation process and displays the
status of the install, as shown in Figure 1-8. This is where setup significantly
differs from previous Windows Server builds, as you will not be prompted for
any further details until the installation is complete and Windows fully starts
up. This is a great enhancement, since you can walk away from the server
while the installation proceeds without having to worry about additional
dialog boxes asking for further information to complete the install.

Figure 1-5. License agreement acceptance screen

Chapter 1:

Figure 1-6. Installation type selection screen

Figure 1-7. Installation partition selection screen

Getting Started with Windows Server 2008

Microsoft Windows Server 2008 Administration

Figure 1-8. Installation progress screen

9. When setup has completed installing Windows and has rebooted as many times
as necessary to install and configure everything, you will automatically be logged
in to Windows Server 2008 under the Administrator account, where the Initial
Configuration Tasks screen is loaded.
IMPORTANT By default, the Administrator Password field is blank and should be changed
immediately. Until you set a password, Windows Server 2008 will autologon with the Administrator
account and a blank password. On the first password change, remember that the old password field
is left blank because the password is indeed blank.

Post-Installation Configuration and Initial Configuration Tasks
After the installation has completed, you are prompted for the initial configuration
tasks (Table 1-1). Many of these options would have typically been part of the initial
installation options in previous Windows Server versions—such as setting the administrative password, configuring network options, and specifying computer name and domain
membership information.

Chapter 1:

Getting Started with Windows Server 2008

Task

Description

Set the Administrator
Password

Lets you set the password for the Administrator
account and rename the account.

Set Time Zone

Sets the time zone for the server.

Configure Networking

Opens the Network Connections Control Panel
applet so you can configure your various network
interfaces.

Provide Computer Name
and Domain

Lets you change the computer name as well as join
a domain.

Enable Automatic
Updating and Feedback

Lets you specify how you want to configure
Windows Update, Windows Error Reporting, and
the Customer Experience Improvement Program
(CEIP). You should compare the Windows Error
Reporting information as well as the CEIP settings
against your organization’s policies, since both
features send usage information back to Microsoft.

Download and Install
Updates

Lets you download and install updates. You
should do this unless you have an alternative
patch-management tool, since you want your
system to be up to date with all critical security
patches before opening it up to your network. You
should manually set the configuration of the updates
based on your own policies to prevent updates from
automatically restarting your server. You should also
keep checking for updates after each reboot until all
the updates have been installed.

Add Roles

Lets you add roles to this server—that is, Dynamic
Host Configuration Protocol (DHCP), DNS, Internet
Information Services (IIS), and so on.

Add Features

This new interface replaces the Add/Remove
Windows Components from the Add/Remove
Programs Control Panel applet in previous versions
of Windows and provides a much easier means of
adding additional Windows components.

Enable Remote Desktop

Lets you configure remote desktop.

Configure Windows
Firewall

Turns on or turns off the Windows Firewall.

Table 1-1. Initial Configuration Task Options

Microsoft Windows Server 2008 Administration

TIP If you change the administrative password by pressing ctrl-alt-del and then select Change
a Password on the Change the Password screen below the Confirm Password line, you’ll see a Create
a Password Reset Disk selection, which is the entry point to the Welcome to the Forgotten Password
Wizard. This same wizard is also available in Control Panel by clicking User Accounts | Prepare for
a Forgotten Password. After launching the wizard, you will be prompted to insert a formatted floppy
disk, which is used to create a password recovery disk. After this disk is created, it can be used to
recover from a forgotten password even if the password has been changed. Consequently, this floppy
disk should be physically secured, as it could be used for unauthorized server access.
Once you close out of the Initial Configuration Tasks interface, the Server Manager tool automatically launches. This is an integrated interface you can use to configure
various items on your computer. You’ll read details about managing your server using
Server Manager in Chapter 3.

BOOT CONFIGURATION DATA
All Windows Server builds since Windows NT have been using NT Loader (NTLDR)
and boot.ini to control the boot process as well as manage multi-boot environments.
With Windows Server 2008 (as well as Windows Vista), the entire boot process has been
re-engineered, resulting in the creation of the Boot Configuration Data (BCD). The BCD
replaces NTLDR completely in its functionality, and, rather than store the boot configuration in a text file such as boot.ini, everything is now stored in a binary format that can
be manipulated only using one of the following editing methods: BCDEdit.exe or coding
using Windows Management Interface (WMI).
The BCD is physically stored in one of two locations. For BIOS-based operating systems, the BCD is stored in the \Boot\BCD directory of the active partition. For Extensible
Firmware Interface (EFI)–based operating systems, the BCD is stored on the EFI system
partition (NVRAM). For those of you who may not be familiar with EFI, you’ll see it implemented in 64-bit systems. Currently, these are the only two systems supported by BCD;
however, in technical terms, it would be possible for Microsoft to extend the BCD to other
boot systems in the future. The internal structure of the BCD is that of a registry hive,
which makes sense due to the hierarchal nature of the data being stored there; however,
you should never attempt to manipulate the BCD using tools designed for the registry.
The BCD architecture is a hierarchy, which is exactly why it made sense to reuse
the registry hive format for this data store. It is composed of three distinct components:
stores, objects, and elements, as described in Table 1-2. The component hierarchy is
shown in Figure 1-9.

BCD Store
The BCD store is the physical binary file that is stored either on the active partition or on
the EFI system partition (ESP). It stores all the information that describes the bootup environment for each Windows instance on the system or other boot loaders such as NTLDR.

Chapter 1:

Getting Started with Windows Server 2008

Component

Description

BCD Store

Top-level component in the hierarchy. Think of this as the root
of all components in the hierarchy; it serves as the starting
namespace for the items it contains. You can also think of the
store as the actual physical BCD file.

BCD Object

In the abstract, this serves as a container for all BCD elements.
In practical terms, information pertaining to the boot
environment for each instance of the Windows boot loader is
typically stored here. For example, in a multi-boot scenario,
each Windows Server 2008 instance installed on the system
would be represented by a distinct BCD object.

BCD Element

Think of these as properties and parameters to the BCD object.
Each element represents one property or parameter—for
example, the name of the operating system or a debugger setting.

Table 1-2. BCD Components

Each system can have more than one BCD store; however, only one store can be the active
system store. A simple example of an additional BCD store would be a backup of the active system store. For BIOS-based systems, this file is stored under the active partition’s
\BOOT folder, whereas for EFI-based systems, it is stored under \Windows\Boot\EFI.

BCD Store

BCD Object

BCD Element

Figure 1-9. BCD component hierarchy

Microsoft Windows Server 2008 Administration

Since the system store knows all about the installed operating systems on the computer, if it detects a multi-boot environment, it is also responsible for displaying the
Windows Boot Manager OS selection menu, as shown in Figure 1-10. Each system store
contains, minimally, two BCD objects as well as additional options (Table 1-3).
Although it all sounds complicated, it really isn’t. You can take apart a simple boot
.ini file, such as the one shown here, and translate it quickly to a BCD format (Table 1-4).

Figure 1-10. Windows Boot Manager showing multi-boot screen and Windows Memory Diagnostic
option

Chapter 1:

Getting Started with Windows Server 2008

BCD Object

Description

Windows Boot
Manager

Think of this as the [boot loader] section of the original boot
.ini file. It contains things like the default boot OS as well as
the timeout before the default OS is launched. The BCD can
store multiple Windows Boot Managers, but only one can hold
the global unique identifier (GUID) that designates the active
boot manager. This GUID is aliased as {bootmgr} and is
used in BCDEdit.exe to make changes to the store.

Windows Boot
Loader

The store must contain at least one Windows Boot Loader
objects. The Windows Boot Loader contains information
regarding the boot environment for each instance of Windows
Server 2008 installed on the system. Each boot loader contains
a number of BCD elements that describe additional boot
parameters such as no-execute, page-protection policies and
debugger options. Two special aliases relate to the Windows
Boot Loader. The first is called {current} and points to the
currently active boot loader. The other is called {default}
and points to the default boot loader if nothing is explicitly
selected by the user.

Windows
NTLDR

This special object points to the old NTLDR if you have an
older Windows installation on the system. This special GUID
is referenced by the alias {ntldr}.

Optional boot
applications

These special applications perform other boot-related tasks.
For example, Windows Server 2008 includes a Windows
Memory Diagnostic tool, an optional boot application used to
perform various memory checks on the system.

Table 1-3. BCD Objects

BCD Object
Each BCD object is identified uniquely using a 128-bit GUID that contains a 32-bit description about the type of object it represents. The three object categories are application
objects, inheritable objects, and device objects. The application objects type is the most
common type and is the object type for the Windows Boot Manager, Windows boot loader objects including NTLDR, Windows resume loader, and Windows memory tester.
Windows resume loader is invoked when you turn on the computer from hibernate mode.

Microsoft Windows Server 2008 Administration

Boot.ini

BCD

Boot Loader section

Windows Boot Manager

timeout

Timeout element

default

Default Boot Loader element

Operating Systems section

Windows Boot Loader objects

multi(0)disk(0)rdisk
(0)partition(1)

Boot Device element

\WINDOWS

Boot environment Application File Path element

/noexecute=optin

No-Execute Page Protection element

Table 1-4. Boot.ini to BCD Mapping

Each application object contains an image type and an application type. The image
type tells the system whether it should be loaded as a firmware, boot, NTLDR-based,
or real-mode application. The application type is a bit more detailed on what the
application does. The most common application types are listed on the next page and in
Table 1-5.

Description

Alias

GUID

Windows Boot
Manager

{bootmgr}

9dea862c-5cdd-4e70-acc1-f32b344d4795

Firmware Boot
Manager

{fwbootmgr}

a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba

Windows memory
tester

{memdiag}

b2721d73-1db4-4c62-bf78c548a880142d

Windows resume
application

None

147aa509-0358-4473-b83bd950dda00615

Legacy Windows
Loader

{ntldr}

466f5a88-0af2-4f76-9038-095b170dc21c

Current boot entry

{current}

fa926493-6f1c-4193-a414-58f0b2456d1e

Default boot entry

{default}

None

Table 1-5. Most Commonly Used Application Objects’ Aliases and GUIDs

Chapter 1:

Getting Started with Windows Server 2008

▼

Firmware Boot Manager (for EFI-based systems)

■

Windows Boot Manager

■

Windows boot loader

■

Windows resume application

■

Windows memory tester

■

NT Loader

▲

Boot sector (can be used to load non-Windows-based systems)

BCD inheritable objects are a way to generalize certain settings and flags so that they
can be reused in more than one BCD object. Rather than having separate instances of an
object, it is globally defined and then referenced by other BCD objects as needed. Some
examples of these inheritable objects are listed in Table 1-6.

Alias

GUID

Description

{badmemory}

5189b25c-55584bf2-bca4289b11bd29e2

Global RAM defect list

{bootloadersettings}

6efb52bf-176641db-a6b30ee5eff72bd7

Settings that should be
inherited by all Windows
boot loaders

{dbgsettings}

4636856e-540f4170-a130a84776f4c654

Debugger settings that can
be inherited by any boot
application

{emssettings}

0ce4991b-e6b34b16-b23c5e0d9250e5d9

Emergency Management
Services settings that can
be inherited by any boot
application

{globalsettings}

7ea2e1ac-2e614728-aaa3896d9d0a9f0e

Settings that should be
inherited by all boot
applications

{resumeloadersettings}

1afa9c49-16ab4a5c-901b212802da9460

Settings that should be
inherited by all resume
applications

Table 1-6. Examples of Inheritable Objects

Microsoft Windows Server 2008 Administration

As you can tell from the sample list, the objects are typically general global settings
that propagate to multiple objects. In addition to this, each inheritable object is classified
under two classes: library class and application class. Library class inheritable objects
can be inherited by any BCD object, whereas application class inheritable objects can be
inherited only by specified BCD applications.
BCD device objects contain BCD elements for complex devices, unlike simple devices
such as partitions, which can be defined as simple BCD elements. BCD device objects are
most commonly used for describing booting RAM disks created from Windows Image
(WIM) files, as this type of device type can contain the location of the WIM file in addition to any relevant port information if loaded from the network.

BCD Elements
Unlike the older boot.ini system, BCD elements have distinct data types associated with
the data values. For example, an element can contain a String, Object, Integer, or Boolean
data type. In addition to this, BCD elements are limited by their class type. Library elements can be applied to all boot environment applications; application elements can be
applied only to specific application class types; and device elements can be applied only
to device objects.

BCD Modification Methods
As fun as it was describing the BCD architecture and explaining the technical nuances of
each component, I’ll bet you have this burning question in your mind. How do I actually
manipulate the BCD? You can manipulate the BCD in four ways, as shown in Table 1-7.

Using BCDEdit
Since this tool is critical to the manipulation of BCD data, you should take the time to understand it. As with all command-line tools, the best way to learn about available command switches and general functionality is by running it with the /? switch to display
the help screen for the command and, in this case, the primary switches the tool supports. If you want to get into more specifics about a particular command-line switch, you
can type in BCDEdit.exe /? <command> where command is any of the available switches.
For example, if you want to learn more about the export switch, you can type this:
BCDEdit.exe /? /export

The most basic command you’ll need to know lets you retrieve your current configuration:
BCDEdit.exe /enum

This command shows your global Windows Boot Manager settings along with settings associated with each of your Windows OS Loaders. You can see the output of this
command on a dual-boot Windows Server 2003 and Windows Server 2008 computer in
Figure 1-11. You can clearly see the display order for the menu items, the default boot

Chapter 1:

Method

Getting Started with Windows Server 2008

Description

System Control Very limited ability: lets you set the default OS, the time to
Panel applet
display the list of OSs, and the time to display the recover
options when needed.
MSConfig.exe

This GUI allows control of startup options. Select the Boot
tab from the five-tab interface. The General, Services, and
Startup tabs control additional startup options. Most common
boot settings can be set, enabled, or disabled using this tool,
including debug settings and safe mode options.

BCDEdit.exe

This command-line tool is one of the most powerful tools
for BCD manipulation. It’s recommended for systems
administrators when modifying the BCD due to its flexibility
and ease of use. It exposes most of the boot settings and
supports scripting.

WMI

If you are into scripting and need more than even BCDEdit.exe
provides, you can manipulate BCD straight through WMI. This
offers the greatest flexibility since you can use any scripting/
programming language that can use WMI to make the changes.
This is significantly more involved than BCDEdit.exe (but it’s not
brain surgery), so unless you have a strict requirement to code
directly, you should stick with BCDEdit.exe whenever possible.

Table 1-7. Four Ways to Manipulate the BCD

loader, and the timeout. For each of the boot loaders, you can see their unique identifier,
device path, and any options (BCD elements) that have been specified.
You can specify additional parameters with the /enum switch to control what is
displayed, such as displaying only the Windows Boot Manager section or getting information about a particular boot loader. One of the most useful additional switches
to /enum is the /v switch. This switch shows all entry identifiers in full GUID form
rather than their user-friendly aliases. The identifiers are in GUID format—for example,
{0f732d04-e6b2-11da-b631-b722247cd703}. The aliases are those values in
the output that are enclosed in curly braces that are not GUIDs—that is, {ntldr},
{current}, {bootmgr}, and so on. As an additional shortcut, if you simply run
BCDEdit.exe without any switches, it defaults to running the following:
BCDEdit.exe /enum ACTIVE

Microsoft Windows Server 2008 Administration

Figure 1-11. Output of BCDEdit /enum command

The most common changes most administrators will make to the BCD will be around
the Windows Boot Manager, since that controls the boot sequence, default Windows
loader, display order, and timeout before the default selection is made. The help messages give you all the information you’ll ever need, but it’s much easier to understand
this command by looking at some simple examples.
Modifying the Boot Sequence You can do four things with the /bootsequence switch:
▼

List the identifiers for each loader in the order in which you want the boot
sequence to appear.

■

Add a loader to the top of the list, or if it’s already on the list, move it to the top.

■

Add a loader to the bottom of the list, or if it’s already on the list, move it to the
bottom.

▲

Remove a loader from the list completely.

Chapter 1:

Getting Started with Windows Server 2008

The following example shows how you would define the boot sequence explicitly with the NT Loader booting first, followed by the OS Loader with the identifier
{0f732d04-e6b2-11da-b631-b722247cd703} (which in this case is an instance of
Windows Server 2008):
Bcdedit /bootsequence {ntldr} {0f732d04-e6b2-11da-b631-b722247cd703}

The example shown here demonstrates how to add or move the OS loader with the identifier {0f732d04-e6b2-11da-b631-b722247cd703} to the top of the boot sequence:
Bcdedit /bootsequence {0f732d04-e6b2-11da-b631-b722247cd703} /addfirst

The following example shows how to add or move the OS loader with the identifier
{0f732d04-e6b2-11da-b631-b722247cd703} to the bottom of the boot sequence:
Bcdedit /bootsequence {0f732d04-e6b2-11da-b631-b722247cd703} /addlast

Finally, if you want to remove an OS loader from the boot sequence completely—for
example, if you want to remove NT Loader from the sequence if you no longer use the
older Windows version— you could run this command:
Bcdedit /bootsequence {ntldr} /remove

Setting the Default Boot Entry To specify which of the boot menu items will be the default
boot selection, you use the /default switch. For example, to set NT Loader as the
default boot loader selection, you would run this:
Bcdedit /default {ntldr}

Simply replace {ntldr} with the identifier for whatever OS Loader you want to use
as the default.
Setting the Menu Display Order When more than one boot loader is available, a menu is
automatically displayed allowing you to select one. To set the order in which those entries
are displayed, you use the /displayorder switch. As you can with the /bootsequence
switch, you can explicitly define the menu order, add or move an item to the top, add or
move an item to the bottom, or remove an item from the menu completely. In fact, the
syntax for the /displayorder switch is the same as that for /bootsequence—except,
of course, you would replace /bootsequence with /displayorder.
For example, to set up the menu order so that the OS loader entry with the identifier
{0f732d04-e6b2-11da-b631-b722247cd703} is followed by the NT Loader, you
would run this:
Bcdedit /displayorder {0f732d04-e6b2-11da-b631-b722247cd703} {ntldr}

Similarly, to add or move the NT Loader to the top of the menu, you would run this:
Bcdedit /displayorder {ntldr} /addfirst

Microsoft Windows Server 2008 Administration

As you can see, the syntax follows the /bootsequence commands exactly, so the
/addlast and /remove switches would work the same way.
Setting the Boot Manager Timeout By default, the timeout for the boot manager is 30 seconds.
This is probably more time than you will ever need before a selection is made. In practice,
this value is typically set from 3 to 5 seconds. You can even set this timeout to 0 so
that the menu won’t be displayed. To set the timeout period to 5 seconds, run the
following command:
Bcdedit /timeout 5

Simply replace 5 with whatever timeout period you want in terms of seconds, and it
will set it accordingly.
Setting the Tools Display Order If you go through the help menu for BCDEdit as well as
the boot manager configuration, you will see an entry for toolsdisplayorder. If you
recall the discussion about BCD objects, you will remember that not all objects have to
be boot loaders. In fact, the object can be any application designed to run during the
boot process. Out of the box, Windows Server 2008 comes with the Windows Memory
Diagnostic tool, which can be selected from the boot menu. For a typical Windows
installation, you would have only one item in the tools display menu, and that is for
the memory diagnostic tool designated by the alias {memdiag}. If Microsoft or a thirdparty company builds additional tools that can be added to this menu, you can then use
BCDEdit to set the order by which these tools are presented in that menu.
For example, if a BCD object functioned as a tool with the identifier {073332d04e6b2-11da-b631-cdd1327cd703} and you wanted that tool to appear before {memdiag}, you would run the following command:
Bcdedit /toolsdisplayorder {073332d04-e6b2-11da-b631-cdd1327cd703}
{memdiag}

I hope you’re starting to see a pattern here. I bet you’ve already guessed what’s coming next. Yes, the same additional switches that were available in the /bootsequence
switch are all available here as well, specifically /addfirst, /addlast, and /remove.
The syntax is the same, just replace /bootsequence in those commands with /tool
-sdisplayorder.
Backing Up and Restoring the BCD The next critical task an administrator will need to
ensure is the ability to back up and restore the BCD. In pre–Windows Server 2008 days,
you could simply back up the boot.ini file since it was a simple text file. The BCD, on the
other hand, is a binary file, and the active BCD file is locked and marked as in-use, so it
can’t be copied outright. The correct way to back up and restore a BCD is through the
/export and /import switches of BCDEdit. This is all very painless, since the /export
switch requires only the destination file name to export the data to, while the /import
switch requires only the source file name to import the data from.

Chapter 1:

Getting Started with Windows Server 2008

Here is an example of backing up the BCD. It will actually create two files after it
runs—one is the backup data file and the other is the backup log file:
Bcdedit /export "C:\backup\BCD-backup"

The following is an example for importing the data that was just backed up. Please
be aware that this deletes all the entries in the BCD system store and replaces them with
whatever data is in the import file.
Bcdedit /import "C:\backup\BCD-backup"

CAUTION If you don’t import the right data, your system may become nonbootable after your next
reboot when it reads this data, so double-check to make sure you are importing the correct file before
you issue the command.
Manipulating BCD Entries So far, you’ve read about the most common BCD commands.
Sometimes you will need to manipulate BCD entries themselves. This includes the need
to create and delete an entry, copy entries within the store, and set entry options. Let’s
say you wanted to create a Windows Loader entry manually in the current BCD. This
would be necessary if you wanted to have a separate set of boot options for the same
install—you could have a normal boot option and one with debugging enabled. Let’s
see this in practice since it demonstrates many of the commands for manipulating BCD
entries.
Let’s assume your current Windows Server 2008 installation is loaded by the Windows
Boot Loader, with the identifier {0f732d04-e6b2-11da-b631-b722247cd703}. The
first step would be to make a copy of this entry:
Bcdedit /copy {0f732d04-e6b2-11da-b631-b722247cd703} /d "Windows Server
2008 (with debug)"

This creates a new entry in the BCD system store with the description “Windows
Server 2008 (with debug).” By default, this entry is added to the bottom of every list
including boot sequence and boot menu order. The output of the previous command is
the identifier for the newly created boot entry, which on my test system resulted in the
identifier {8496b610-6ec8-11db-9581-0003ffaf0a2b}. If you accidentally closed
the window or did not write down the resulting identifier, all you need to do is run
BCDEdit.exe /v and it will output all the entries on your system. Look for the one
with the description you specified, and the ID will be right there.
You can now manipulate this new entry with the debug information you want using
the following command:
Bcdedit /set {8496b610-6ec8-11db-9581-0003ffaf0a2b} debugtype USB
Bcdedit /set {8496b610-6ec8-11db-9581-0003ffaf0a2b} targetname DBG1

The combined effect of the two previous commands is to modify the newly created entry
from your copy command, identifier {8496b610-6ec8-11db-9581-0003ffaf0a2b},

Microsoft Windows Server 2008 Administration

with debugtype set to USB and the USB targetname set to DBG1. This is an example,
of course, and you would adjust the entry options based on whatever values you really
needed.
If you want to delete the entry options you just created, you would run this command:
Bcdedit /deletevalue {8496b610-6ec8-11db-9581-0003ffaf0a2b} debugtype
Bcdedit /deletevalue {8496b610-6ec8-11db-9581-0003ffaf0a2b} targetname

It’s important that you specify the identifier in this command; otherwise, it will delete
the BCD option in whatever BCD entry the alias {current} points to. If you wanted to
delete the copy of the BCD entry you created, you would simply run this:
Bcdedit /delete {8496b610-6ec8-11db-9581-0003ffaf0a2b}

Three important switches are associated with the bcdedit /delete command.
First, if you’re trying to delete an entry with a well-known identifier—for example,
{current}—you also need to specify the /f switch to force the deletion. The other two
switches that accompany the /delete switch are /cleanup and /nocleanup. If you
don’t specify either, the default is /cleanup, which not only deletes the entry from the
BCD, but also deletes any references to it, such as entries in the boot sequence and boot
menu order. If you insist that you want these entries to stay (not generally recommended), you can specify the /nocleanup switch that deletes only the entry for the identifier
you specified and nothing else.
A few more switches for BCDEdit haven’t been covered here, but they aren’t frequently used and are all listed in the BCDEdit help message. Microsoft did an exceptional job with the help message for this command by providing detailed descriptions of
each command along with some easy to understand examples.
TIP If you want to learn more about BCDEdit, read through the entire help message for this
command.
Manipulating the BCD Using WMI As a heavy proponent of automation and scripting, I
was glad to see that Microsoft had built-in support for WMI to help manage the BCD.
The BCD WMI provider is written as a COM object and exposes a number of scriptable
classes that can be used to manipulate the BCD using any programming or scripting
language that can access COM (which is almost anything mainstream—C++, VBScript,
Visual Basic, JScript, and so on). This is not a scripting book, and more than just a simple
discussion is necessary to elaborate fully on using WMI, but if you already know how
to script with WMI, you can visit the BCD documentation on MSDN (http://msdn2
.microsoft.com/en-US/library/aa362692.aspx) to view all the available classes and
methods for working with the BCD. If you’re unfamiliar with VBScript or using WMI,
visit Microsoft’s Scripting Center (www.microsoft.com/technet/scriptcenter/default.
mspx) or pick up a good book on the subject. If you’re serious about administering
Windows Server 2008, this is a skill you will definitely want to have under your belt.

Chapter 1:

Getting Started with Windows Server 2008

CHAPTER SUMMARY
This chapter went through a straightforward installation of Windows Server 2008 and
covered in great detail the new Windows Boot Manager called the Boot Configuration
Data or BCD. Now that you understand how to install and configure Windows Server
2008, you will need to understand how to take advantage of the new features in this
operating system, including the new management tools available, as well as how to
incorporate these into your existing environment. We will tackle all this in upcoming
chapters.
If you’ve worked with previous versions of Windows Server, you will have undoubtedly noticed a more streamlined installation process. However, don’t be fooled by the
marketing hype, because you will still need to perform some significant configuration
tasks after installation has completed. The two initial configuration tasks that you should
never defer until later are setting the Administrator password and installing all the latest
patches. During the installation process covered in this chapter, you read about the option to install Windows Server 2008 as a Server Core installation. This is a very different
type of installation that should be used whenever appropriate, since it minimizes the
potential attack surface. In the next chapter, you will read in great detail how to install
and configure a Server Core installation.

This page intentionally left blank

2
Server Core

Microsoft Windows Server 2008 Administration

ith previous versions of Microsoft Windows Server, critical Windows system
updates for services were often required to be installed on the server even if
they weren’t being used. For example, in 2005, Microsoft released a system
update to address the Universal Plug and Play (UPnP) denial-of-service vulnerability
across Windows operating systems. Although an available workaround meant that you
didn’t necessarily have to install the patch, if your Windows server was performing
the function of only a single role—that is, as a Domain Name System (DNS) Server,
for example—it shouldn’t be using UPnP in the first place, so the patch would’ve
been unnecessary if the service wasn't installed in the first place, thereby exposing the
operating system to unneeded vulnerabilities.
In Windows Server 2008, Microsoft addresses this issue by introducing an installation option called Server Core. This installation option installs the most basic Windows
Server component for the role the Windows Server will perform. There is one caveat,
however, in that currently, Microsoft supports the Server Core installation for only a
handful of predefined roles, such as domain controller (DC), DNS Server, Dynamic Host
Configuration Protocol (DHCP) Server, and file server. This basic installation of Windows
Server 2008 doesn’t even install Windows Explorer, so you have no desktop with which
to interact. Instead, the system must be managed completely through the command line
or via Terminal Services. Microsoft realized that if a server is performing a very distinct
infrastructure role, excess services need not be installed on it—not even a full graphical
user interface (GUI). This minimizes the server’s attack surface and will hopefully help
reduce downtime by reducing the need to install system updates on the server.

ROLES SUPPORTED BY SERVER CORE
Microsoft intended the Server Core installation method to be used for infrastructurerelated services. Because of all this, Microsoft supports only the following seven roles in
the Server Core installations:
▼

Active Directory Domain Services (AD DS)

■

Active Directory Lightweight Directory Services (AD LDS)

■

File Server

■

DHCP Server

■

DNS Server

■

Print Server

▲

Streaming Media Services

These roles are not mutually exclusive. A Server Core instance can have one or more
roles installed and configured without encountering any serious issues.

Chapter 2:

Server Core

THE UPS AND DOWNS OF SERVER CORE
Using a Server Core installation offers many useful benefits. It reduces the potential
vulnerability footprint by not installing any unneeded services and binaries. As a result,
it also reduces the amount of servicing that needs to be done to the operating system
and therefore reduces the amount of management overhead required to maintain these
servers. The downside is that a Server Core installation doesn’t provide much of a user
interface to work with, other than the command prompt. The only way to manage a
Server Core installation is through command-line tools and scripts, Microsoft Management Console (MMC) snap-ins, or other tools that support remote administration and
Terminal Services (although your Terminal Services session will have only a command
prompt anyway). This is quite cumbersome, especially for those who have been spoiled
over the years by point-and-click administration techniques. Luckily, if you do it right,
you will need to run only a minimal number of commands to set up remote management
through some kind of management console.

INSTALLING SERVER CORE
As you might expect, installation of Server Core is not much different from installation
of the regular Windows Server 2008. In fact, both installations share the same steps, except that at the end of the Server Core installation process, rather than facing an Initial
Configuration Tasks screen, you are presented with a command prompt. You will make
all your configuration changes using this command prompt. If you close the command
prompt, you will have to press ctrl-alt-del, click Start Task Manager, click File, then
click Run and enter cmd.exe to open a new command prompt.

Requirements
Windows Server 2008 Server Core shares the same minimum requirements with the
regular Windows Server 2008 installation—with a few caveats. In addition to having
the Windows Server 2008 installation media and a valid product key, you will also need
to perform a clean installation. You cannot upgrade from previous versions of Windows
to a Server Core installation, you cannot upgrade from a regular Windows Server 2008
installation to Server Core, and you cannot move from Server Core to a regular Windows
Server 2008 installation. Server Core must be installed from scratch. You should also have
Internet access so that the server can be activated after the installation completes. Also,
since fewer binaries are installed as part of Server Core, the hard disk space requirements
are much lower for Server Core than they are for the regular Windows Server 2008 installation. You will need only 1GB of disk space for the actual Server Core installation and
2GB of disk space for regular server operations.

Microsoft Windows Server 2008 Administration

Hands-On Exercise: Interactive Installation of Server Core
1. Start the computer and boot up using the Windows Server 2008 installation
media. Select the installation language, time and currency format, and
keyboard layout. Then click Next.
2. Click Install Now to begin the installation process.
3. Enter your product key, and then click Next. If you don’t want to activate
Windows as soon as your computer goes online (for example, if you are simply
testing the installation or evaluating Windows Server 2008), you can uncheck
the Automatically Activate Windows When I’m Online checkbox.
4. Now select whether to install Windows Server 2008 Enterprise (Full Installation)
or Windows Server 2008 Enterprise (Server Core Installation). Select Windows
Server 2008 Enterprise (Server Core Installation), as shown in Figure 2-1, and
then click Next.

Figure 2-1. Operating system installation selection screen

Chapter 2:

Server Core

5. If you accept the license agreement, check the I Accept the License Terms
(required to use Windows) checkbox, and then click Next.
6. Select the type of installation you would like to perform. In this case, you’ll
perform a clean install and you can select Custom (Advanced).
7. If your hard drive is automatically detected, you can create and format partitions
as necessary for the installation. If your drive isn’t detected, most likely the device
driver for your controller isn’t built into Windows, in which case you can click
Load Driver to load it. Click Next after you have created the partition to which
you are going to install.
8. Now that Windows Server 2008 has all the basic information it needs to proceed
with the installation, it begins to go through the installation process and displays
the status of the install.
9. Once the installation completes, you will be prompted to press ctrl-alt-del to
log in.
10. Click the Other User button as shown in Figure 2-2 to initiate login. Enter
Administrator as the username, leave the password blank, and then click the
arrow button to log in (or simply press enter).

Figure 2-2. User login selection screen

Microsoft Windows Server 2008 Administration

Figure 2-3. After logging into Server Core, you’ll see only a single command prompt.

11. When logging in for the first time, you will be prompted to change your
password. Leave the current password field blank and enter your new
password in the New Password and Confirm Password fields. Click OK when
your password change has been confirmed.
12. Once you’re logged in, you will see a command prompt and nothing else
(Figure 2-3). At this point, you can manage this server only by using these
command prompts. Remote administration is disabled by default. Your next
step will be to perform initial configuration tasks using the command prompt,
as discussed in detail in the next section.

Post-Installation Tasks
Installing Server Core for Windows Server 2008 is the easy part. Without a real user interface to assist you in configuring the server, you will need to get used to working with
the command prompt if you don’t already work with it. Your first order of business after

Chapter 2:

Server Core

installing Server Core is to run through the initial configuration tasks, except this time
without the help of a handy screen to walk you through it:
1. Set the Administrator password.
2. Configure your network interfaces.
3. Activate the server.
4. Rename the server and join it to a domain (if applicable).
5. Configure Automatic Updates.
6. Enable remote administration (unless you like sitting in front of the server
every time you need to work on it).
7. Configure the Windows Firewall.

Setting the Administrator Password
You were already prompted to change the password the first time you logged on, however, you can change the administrator password locally in two ways. The easiest way is
to press ctrl-alt-del and then select Change a Password. You can accomplish the same
thing straight from the command prompt:
Net user Administrator P@ssword

Simply replace P@ssword with whatever password you want to use. The main difference between these two methods is that the graphical method requires you to enter
the old password and then the new password twice before changing the password; in the
command-line method, the password is changed immediately. Because no confirmation
prompt appears after you change a password from the command line, it is crucial that
you proceed very carefully and record your new password to reduce the possibility of
a typographical error.

Configuring Your Network Interfaces
By default, your new Server Core installation uses DHCP to acquire an IP address. If
you will be using a static IP address for the server, you will need to assign this using
the Netsh command. This requires more than one command sequence since you will
need to take a number of steps. Your first step is to list all your network adapters. This
is important, because most servers come with more than one network interface, plus
the default loopback interface. When you configure the IP address, you will need to
specify which interface you are going to modify. To list all your network adapters, enter
the following:
Netsh interface ipv4 show interfaces

Although IPv6 is not currently widely implemented, except probably in test labs,
Windows Server 2008 natively supports it. An equivalent command for IPv6 is as simple
as replacing ipv4 in this command with ipv6. The output of the command on my Server Core installation is shown in Figure 2-4.

Microsoft Windows Server 2008 Administration

Figure 2-4. List of network interfaces using Netsh

The first column of the command’s output shows a parameter called Idx. This is the
unique number assigned by the system to identify each network interface. Note the Idx
number of the interface you are interested in modifying. On my test server, I have only
one network interface, excluding the loopback interface, so that’s what I will be modifying in this example.
I will set my network interface to have the static IP address 192.168.100.75 with a
subnet mask of 255.255.255.0 and a default gateway of 192.168.100.1. If I look at the Idx
number for my Local Area Connection in Figure 2-4, I can see that the value is 2 for my
network interface. Putting all this information together, I can now run the following
command to set these values:
Netsh interface ipv4 set address name=2 source=static
address=192.168.100.75 mask=255.255.255.0 gateway=192.168.100.1

Since DNS is so critical to Windows Server 2008, especially in an Active Directory
domain, I would also need to configure the DNS Servers for this server. In this case,

Chapter 2:

Server Core

I want to set this interface to use the DNS Server with the IP address 192.168.100.40. To
set this value, I run the following command:
Netsh interface ipv4 add dnsserver name=2 address=192.168.100.40

If more than one interface needs to be configured, I would simply repeat this process
for every interface. If you are trying to set up network interface card (NIC) teaming or
failover, you should consult your vendor’s documentation to determine how to accomplish this task in Server Core, since most vendors supply graphical interfaces to configure these advanced options, and those will not run on a Server Core installation.

Activating Your Server
If you’re setting up a server that will be running Windows Server 2008 for more than
14 days, you will want to activate your server or it will no longer function once the
trial period has elapsed. No graphical method can be used to activate your server in
Windows Server 2008; instead, you will have to rely on the nifty Windows Software
License Management Tool, otherwise known as slmgr.vbs, that sits in the %WINDIR%\
system32 directory. To activate your server, simply run this command:
Slmgr.vbs -ato

It can’t get any easier than that. In fact, the slmgr.vbs script is so powerful you can
actually use it to initiate the activation of a new Windows Server 2008 installation remotely from an existing Windows Server 2008 server. Let’s say, for example, that you
wanted to activate a new Windows Server 2008 installation called Utopia that had a local

Netsh Up Close and Personal
Netsh is the ultimate command-line shell for managing all aspects of the network
components of Windows Server 2008. This command was available in previous
Windows versions but is now an even more critical tool for Windows Server 2008.
It can be used to query and manage everything from a network interface, Windows
Firewall, and DHCP Server parameters including defining scopes and exclusions,
to defining routing and remote access policies. The ability to do all these things
from the command line makes this tool highly useful for Windows administrators
when they want to script various network service-related tasks. However, many
administrators neglect to learn netsh well, since everything they can do in netsh
can be done more easily with any of the Windows GUIs. Server Core makes it necessary for Windows administrators to learn how to use this tool rather than make it
an afterthought. Although many core network services that a Server Core instance
can provide can be managed remotely using an MMC snap-in, many key tasks
cannot be accomplished without netsh, especially with regard to configuring network interfaces, such as setting a static IP address or listing DNS Servers to use.

Microsoft Windows Server 2008 Administration

administrator password of password123. This could be easily accomplished remotely
by running the following command from an existing Windows Server 2008 installation:
Slmgr.vbs Utopia Administrator password123 -ato

Rename the Server and Add It to Your Domain
Since the Windows Server 2008 installation process doesn’t ask for the computer name
before proceeding with the install, the server is given a computer-generated name. This
unintuitive random name is practically useless in most environments, so you’ll need
to rename the server to something more meaningful before joining it to the domain.
Microsoft’s documentation tells you to use the netdom command to rename a computer.
The problem with this command, however, is that you can’t rename a computer until it
has joined the domain. To rename the computer before it joins the domain without having to run a third-party tool, you need to use Windows Management Interface (WMI).
Rather than writing a script and then executing it, the easier way is simply to run WMI
Command-line (WMIC). This command-line tool is specifically designed to run WMI
commands and is ideal for straightforward commands like this. For example, to rename
your server to WINSRV1, you would run this command:
wmic computersystem where name="%computername%" rename name="WINSRV1"

This command should result in a ReturnValue=0 to indicate a successful rename,
as shown in Figure 2-5. Before going on, make sure you reboot the server for the new
computer name to take effect.
After you rename the computer, you can join it to the domain using the netdom
join command. You will need to know three pieces of information to complete this
command: the name of the domain, a username of an account that has rights to join computers to the domain, and of course the password for that user account. For example, if
you wanted to add this server to the TESTLAB domain using an account called SysAdmin with the password P@ssword, you would run the following:
Netdom join %computername% /domain:TESTLAB /userd:SysAdmin /password:P@ssword

If you don’t want to type the password explicitly like this because people around you
can view the console, you can replace /passwordd:P@ssword with /passwordd:" in
which case it will prompt you to type in the password instead. You will need to restart
the computer after it has been joined to the domain.
NOTE Don’t be concerned if this command takes a while to complete. Depending on your network
environment, it could take a minute or two before the command can complete successfully.

Configure Automatic Updates
You would think that Microsoft would have at least provided an easy way to initiate and
configure Automatic Updates, but without Windows Explorer or even Internet Explorer,

Chapter 2:

Server Core

Figure 2-5. Renaming a Server Core installation

getting updates installed can be quite tricky. You’ll have to rely on a Windows script file
called scregedit.wsf, which is located in the %WINDIR%\System32 directory. Unfortunately, with Server Core, it’s all or nothing when it comes to Automatic Updates. You either
enable or disable it completely. Since there’s no GUI, you have no way of controlling which
updates to install. Of course, the workaround to all this is to configure Automatic Updates
using group policy in conjunction with a patch-management solution such as Windows
Server Update Services to control exactly which patches your server will receive.
To enable Automatic Updates manually, you can run this command:
Cscript Scregedit.wsf /AU 4

To turn off Automatic Updates (the default), you would run this command:
Cscript Scregedit.wsf /AU 1

Microsoft Windows Server 2008 Administration

NOTE A graphical warning message is displayed whenever you run Scregedit.wsf commands. To
avoid this, make sure that when you open a command prompt to run these commands, you change
the current directory to %WINDIR%\System32 and run the command using CScript. For example, you
could run cscript.exe scregedit.wsf /AU 4.

Enable Remote Administration
Technically, you can already remotely manage your Server Core installation using the
Computer Management MMC snap-in; however, access via Terminal Services in Remote
Administration mode is disabled by default and you will need to turn it on if you want
that capability. To do so, go back to the scregedit.wsf script and run the following:
Scregedit.wsf /AR 0

Yes, that is a zero. This is actually designed in reverse logic. The 0 means you want to
enable Terminal Services in Remote Administration mode and 1 means you want to disable it. If you want to manage your Windows Server 2008 instance from a previous Windows version, you will need to allow these types of “legacy” connections explicitly, since
by default, a higher level of security is built around the Terminal Services in Windows
Server 2008, called Credential Security Service Provider (CredSSP). To allow terminal
service connections from a previous Windows version, run this command:
Scregedt.wsf /CS 0

If you set CS to 1, this forces Terminal Services to use CredSSP, which is currently
supported only by Windows Server 2008 and Windows Vista.
TIP Since the Windows Firewall is enabled on all interfaces on all profiles by default, simply enabling
Terminal Services in Remote Administration mode won’t allow you to control the server remotely using
Remote Desktop Protocol (RDP). The right way is to explicitly open the Terminal Services port on the
server. This can be achieved by adding a firewall rule to allow inbound TCP connections to port 3389
through netsh:
Netsh advfirewall firewall add rule name="TS Admin" protocol=TCP
dir=in localport=3389 action=allow

Configure the Windows Firewall
The Windows Firewall is a host-based, bidirectional network traffic filter. Unlike the initial incarnation of the Windows Firewall that debuted in Windows XP SP2 and filtered
only inbound traffic, the new Windows Firewall can control both inbound and outbound
traffic. The current Windows Firewall is also network-aware, in that you can define policies depending on whether the server is on the network where it can authenticate to the
domain, on a public network that is directly attached to the Internet, or on a private network explicitly defined. For example, you can configure policies to allow file and print
sharing when in a domain network and then block it if on a public network.

Chapter 2:

Server Core

Configuring the firewall involves either working with the Netsh command at the
command prompt or using the Windows Firewall with Advanced Security MMC snapin from a remote Windows Server 2008 server. Unless you’re absolutely hardcore and
love playing with the command line, I strongly recommend using the Windows Firewall
with Advanced Security MMC snap-in. However, before you can remotely manage the
Server Core installation’s firewall using the MMC snap-in, you will have to enable remote management. To enable remote management of the firewall, enter the following:
Netsh advfirewall set current settings remotemanagement enable

Once remote management is enabled, you can go to another Windows Server 2008
installation and add the Windows Firewall with Advanced Security MMC snap-in and
point it to the server you want to manage. Unfortunately, if only one Windows Server
2008 instance is on your network, you will need to configure the firewall using Netsh.
To view all the profile-specific properties in all profiles, you can run this command:
Netsh advfirewall show allprofiles

In the output, you’ll see the general properties of your domain, public and private
profiles such as its state (whether it’s enabled or disabled), the general firewall policy
such as whether it allows outbound connections but prevents inbound connections, and
the name of the log file. If you want to enable a specific profile—for example, the domain
profile—you can run this command:
Netsh advfirewall set domainprofile state on

Let’s say you want a rule to allow inbound TCP connections to port 80. This can be
accomplished by running the following command:
Netsh advfirewall inbound add name="Port80 Allow" protocol=TCP
localport=80 action=allow

The Windows Firewall allows you to create a blanket rule to allow or disallow any
traffic to and from an application based on a particular executable. For example, if you
had an application called myapp.exe in the C:\myapp directory that performed some
kind of networking function by listening to several ports on the server, you could allow
any connection to this application by running this:
Netsh advfirewall inbound add name="Allow Myapp" program="C:\myapp\
myapp.exe" action=allow

You can view all your currently defined inbound rules by running this command:
Netsh advfirewall inbound show name=all verbose

The verbose parameter is optional, but if you omit it, you won’t see the path to the
executable for any application-based rules you’ve defined.

Microsoft Windows Server 2008 Administration

This barely scratches the surface of all the netsh commands you can use to configure the Windows Firewall. To find out more about netsh firewall commands, view the
netsh advfirewall help file by running this command:
Netsh advfirewall help

As you can tell, this method of manipulating the Windows Firewall can be quite
tedious. It’s most useful when you are creating a script to define the firewall rules. In
most cases, though, it’s best to use the Windows Firewall with Advanced Security MMC
snap-in, as it offers a more intuitive and easier method for defining rules and configuring profiles.

Installing and Configuring Server Roles
Up to this point, you have accomplished a base installation of Server Core. Just like the
regular Windows Server 2008 installation, there are no roles installed by default in Server
Core. If you want your Server Core installation to perform any of the six supported roles,
you will need to install each of them individually from the command line. Since only six
roles are supported by Server Core, you need to know only a handful of commands.

Installing and Configuring the DNS Server Role
DNS is a key infrastructure component because it’s so critical to Active Directory. This
role is an ideal candidate for Server Core, since once you set it up, you probably won’t
touch it much other than to perform regular maintenance. To install the DNS Server role,
you run this command:
Start /w ocsetup DNS-Server-Core-Role

It will take a few minutes to install and it won’t display a progress dialog box, so
be patient. Remember that this installs only the DNS Server role, and nothing is really
configured yet. You can configure the DNS Server using the DNS MMC snap-in from a
different computer or by running dnscmd at the command prompt. To view the general
parameters of your newly installed DNS Server, you can run this command:
Dnscmd /info

The most logical first step after installing a DNS Server would be to configure the
DNS zones. For example, to add a zone called testlab.local as a primary zone, you can
run this command:
Dnscmd /zoneadd "testlab.local" /Primary /file "testlab.local.dns"

Now if you want to add an A record for a host called testpc with the IP address
192.168.100.71 to the testlab.local zone, you’d enter this:
Dnscmd /recordadd testlab.local testpc A 192.168.100.71

Chapter 2:

Server Core

The /recordadd switch can be used to add any record type you want to the DNS
Server. You would simply replace the A before the IP address with whatever record
type you wanted—for example, CNAME or MX followed by the parameters required by
that record type. Run this command to see a list of available record types and their
parameters:
Dnscmd /recordadd /?

If you want to view all the records of a particular zone, use the /zoneprint switch.
For example, to list all the entries of your testlab.local zone, you would run this:
Dnscmd /zoneprint testlab.local

If you want to delete a record, you would run dnscmd with the /recorddelete
switch. To delete the A record entry for the testpc record created earlier, you’d run this
command:
Dnscmd /recordadd testlab.local testpc A 192.168.100.71 /f

The /f switch at the end indicates that you want to force the deletion of this record;
otherwise, dnscmd will politely ask for confirmation before deleting the record.
There’s more to DNS than what you’ve learned so far, especially the new features of
DNS in Windows Server 2008, which are covered in Chapter 10. Dnscmd is a powerful
and useful command for configuring DNS on Windows Server 2008. It’s the only method
to make changes to your DNS Server locally on the server, but it can also be executed remotely from a different server. Again, I would recommend using the DNS MMC snap-in
whenever possible rather than dnscmd, since the snap-in is far more intuitive.
If you later decide that this Server Core instance will no longer provide DNS services,
you can uninstall it by running the following:
Start /w ocsetup DNS-Server-Core-Role /uninstall

Installing and Configuring the DHCP Server Role
Whether you are configuring a small environment or an enterprise-size network, you
will most likely want to use DHCP to manage the IP addresses in your environment.
Before you can do that with Windows Server Core, you will need to install this role using
the following command:
Start /w ocsetup DHCPServerCore

Once installed, you will have the option to configure your DHCP scopes using either
netsh or the DHCP MMC snap-in from a remote server. Also, if this DHCP Server is acting within an Active Directory domain, it must also be authorized in Active Directory before it can issue IP addresses. You can authorize a DHCP Server in the domain using the
DHCP MMC snap-in, but it can also be done using netsh. For example, if your Server

Microsoft Windows Server 2008 Administration

Core instance is called WINDHCP1 and has the IP address 172.16.0.5, and you want to
authorize this on your domain, log onto WINDHCP1 with domain credentials that have
rights to authorize DHCP servers, and then run the following command:
Netsh dhcp add server WINDHCP1 172.16.0.5

Likewise, if you wanted to unauthorized the server, you can run this:
Netsh dhcp delete server WINDHCP1 172.16.0.5

If you later decide that this Server Core instance will no longer provide DHCP services, it can be uninstalled like so:
Start /w ocsetup DHCPServerCore /uninstall

Installing and Configuring the File Server Role
By default, your basic File Server role is installed on Windows Server 2008, including
Server Core. If you want to use some more advanced File Server roles, such as the following, they will need to be installed:
▼

File Replication

■

Distributed File System (DFS)

■

Distributed File System Replication

▲

Network File System (NFS)

It should come as no surprise that to install these additional roles you will use the
ocsetup command as you did for the DNS and DHCP installations. Table 2-1 shows the
command to install each File Server role.
Currently no command-line tools are used to manage these additional File Server
roles, so you will need to resort to managing them remotely via the appropriate MMC
snap-ins. To uninstall any of them, you can run the same command used to install them
and add a /uninstall switch at the end.

Role

Installation Command

File Replication

start /w ocsetup FRS-Infrastructure

Distributed File System

start /w ocsetup DFSN-Server

Distributed File System
Replication

start /w ocsetup DFSR-InfrastructureServerEdition

Network File System

start /w ocsetup ServerForNFS-Base
start /w ocsetup ClientForNFS-Base

Table 2-1. Commands to Install File Server Roles

Chapter 2:

Server Core

Installing and Configuring the Print Server Role
One of the most prevalent uses for Windows servers is to act as print servers. This is
generally regarded as a core infrastructure role that makes perfect sense to belong in
Server Core. In most environments, a print server acts as a print server and nothing else,
and fits nicely into the Server Core model of having minimal additional services for key
infrastructure roles. To install the Print Server role, simply run this command:
Start /w ocsetup Printing-ServerCore-Role

If you want to install the Line Printer Daemon (LPD) s