Microsoft Windows Server 2008 Administration
Steve Seguis
Categories: Computers / Programming
Publisher: McGraw-Hill Osborne Media
Language: English
Pages: 514
ISBN 10: 0071595139
Praise for Microsoft Windows Server 2008 Administration

"Steve Seguis' Microsoft Windows Server 2008 Administration is a wonderful read by a brilliant and skillful writer. The book is written in concise and easy-to-understand terms that will benefit both new and experienced administrators. The book includes hands-on exercises, chapter summaries, and plenty of images. The hands-on exercises allow you to put into practice what you have just learned or read. The exercises are written in a step-by-step manner so that you can perform the tasks at hand without the need to reread the accompanying text. The chapter summaries are brief chapter overviews and are a handy way to refresh your memory about the contents of the chapter. The images that accompany the book are great for seeing where you need to be when reading the content. I recommend this book in part because of the new improvements and enhancements that Microsoft has added to their flagship Server Operating System. I also recommend this book because it will make a great addition to your technical library."
—Don Hite, Microsoft MVP, Systems Management Server, IBM Global Services

"If you're a professional Windows Server administrator, this book is a must-have. The hands-on exercises alone set this book apart from any other Windows Server management guide I've read in a long time. You can tell that Steve has spent a great deal of time with Windows Server 2008. I highly recommend it."
—Stuart B. Renes, Microsoft MVP, Windows Server System

"Whether you are new to Windows Server 2008 or not, this book will give you the background to understand the new technologies and get you up to speed quickly. Although I primarily work with small to medium businesses, this book will serve me equally well in these smaller environments as well as the larger enterprise environments. An excellent reference for anyone!"
—Kevin Royalty, MCSE 2000/2003, Microsoft MVP, Small Business Server; Managing Partner, Total Care Computer Consulting

ABOUT THE AUTHOR

Steve Seguis is a Windows Systems Engineer in the financial industry who has been managing Microsoft Windows environments for more than 10 years. He was a Microsoft Most Valuable Professional (MVP) for Windows Server Admin Frameworks from 2004 to 2007, and is a contributing writer and technical editor for Scripting Pro VIP (formerly Windows Scripting Solutions) magazine. His specialty is in systems management and automation.

About the Technical Editor

Richard Lewis is a Windows Systems Engineer who has been involved in Windows systems design and automation for more than 11 years and is currently a consultant to the aerospace industry at Lewis Technology (www.lewistech.com). He has been a Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT) since 1996 and is a contributing author and technical editor for Windows ITPro magazine and Scripting Pro VIP. Richard has penned more than 200 articles on Windows training, administration, scripting, and system automation.

Microsoft Windows Server 2008 Administration
STEVE SEGUIS
McGraw-Hill: New York, Chicago, San Francisco, Lisbon, London, Madrid, Mexico City, Milan, New Delhi, San Juan, Seoul, Singapore, Sydney, Toronto

Copyright © 2008 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

eBook ISBN: 0-07-159513-9. The material in this eBook also appears in the print version of this title: ISBN 0-07-149326-3.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at george_hoare@mcgraw-hill.com or (212) 904-4069.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. ("McGraw-Hill") and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill's prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED "AS IS." McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free.
Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

DOI: 10.1036/0071493263

For my wife Annalene who never fails to support and believe in me!

AT A GLANCE

1  Getting Started with Windows Server 2008 (p. 1)
2  Server Core (p. 25)
3  Server Manager (p. 51)
4  Active Directory Domain Services (p. 95)
5  Windows Deployment Services (p. 145)
6  Internet Information Services 7.0 (p. 177)
7  Resource Management and Performance Monitoring (p. 213)
8  Network Policy and Access Services (p. 253)
9  Terminal Services (p. 285)
10 Windows DNS, BitLocker Drive Encryption, and Itanium Support (p. 331)
11 Routing and Remote Access (p. 353)
12 Enterprise Public Key Infrastructure (p. 401)
13 Windows PowerShell (p. 433)
   Index (p. 459)

CONTENTS

Acknowledgments
Introduction

1 Getting Started with Windows Server 2008
  System Requirements
  Installation and Configuration
  Post-Installation Configuration and Initial Configuration Tasks
  Boot Configuration Data
    BCD Store
    BCD Object
    BCD Elements
    BCD Modification Methods
  Chapter Summary

2 Server Core
  Roles Supported by Server Core
  The Ups and Downs of Server Core
  Installing Server Core
    Requirements
    Post-Installation Tasks
  Installing and Configuring Server Roles
  Installing Optional Features
  Server Core Management
  Chapter Summary

3 Server Manager
  What Is Server Manager?
  Server Manager Elements
  Server Manager Console
    Server Summary
    Roles Summary
    Features Summary
    Resources and Support
  Server Manager Snap-Ins
    Roles Snap-In
    Features Snap-In
    Diagnostics Snap-In
    Configuration Snap-In
    Storage Snap-In
  Chapter Summary

4 Active Directory Domain Services
  The Birth and Evolution of Active Directory
  Active Directory Primer
    What Is Active Directory?
    How Is Active Directory Organized?
    Active Directory and DNS
    Domain and Forest Functional Levels
  Windows Server 2008 Active Directory Domain Services
    Active Directory Requirements
    The New Active Directory Domain Services Installation Wizard
    Installation Options for Active Directory Domain Services
    Verifying Active Directory Installation
    Removing Active Directory Domain Services
    Unattended Installation
    Restartable Active Directory Domain Services
    Auditing Active Directory Domain Services
    Read-Only Domain Controller
    Backup and Recovery
  Migration Strategies
  Chapter Summary

5 Windows Deployment Services
  Benefits of Using Windows Deployment Services
  Scenarios for Windows Deployment Services
  Components
  WDS Installation
  WDS Properties
  Creating an Operating System Image for WDS
  Loading Your Install Image to Your Clients Using WDS
  Unattended Install Using WDS
    Windows System Image Manager
  Chapter Summary

6 Internet Information Services 7.0
  IIS 7.0 Features
  Unattended Installation
  IIS Management Console
  Remote IIS Administration
  Administration Using APPCMD.EXE
  Delegated Administration
  Server and Application Health and Performance
    Runtime Status & Control API
    Automatic Failed Request Tracing
  Xcopy Deployment
  Chapter Summary

7 Resource Management and Performance Monitoring
  Data Is Good!
  Windows System Resource Manager
    WSRM Architecture
    Managed vs. Unmanaged Processes
    WSRM Service
    The WSRM Management Interface
    Process Matching Criteria
    Resource Allocation Policies
    Calendar
    Accounting
    Conditions
    Resource Monitor
  Reliability and Performance Monitor
    Data Collector Sets
    Reliability Monitor
    Reports
  Chapter Summary

8 Network Policy and Access Services
  Network Access Protection
  NAP Components
    IPSec Enforcement
    802.1X Enforcement
    VPN Enforcement
    DHCP Enforcement
    Network Policy Server/Radius
    NAP Agent
    System Health Agent
    NAP Administration Server
    System Health Validator
    Health Policy
    Accounts Database
    Health Registration Authority
    Remediation Server
  Dispelling NAP Myths
  Architecture
  NAP Client Architecture
    Enforcement Clients
    System Health Agent
  NAP Server Architecture
    Enforcement Servers
  Communications Flow
    Requirements
    Preparation
    Installing the Network Policy Server
    Configuring the Network Policy Server
    Installing and Configuring DHCP
    Configuring the Client
    Testing the NAP Client
  Chapter Summary

9 Terminal Services
  Terminal Services Core Functionality
    Remote Desktop Connection 6.0
  Single Sign-On
  Installing Terminal Services
  Terminal Services Licensing
    License Types
    Installing and Configuring TS Licensing
  Terminal Services Gateway
    TS Gateway Architecture
    TS Gateway and NAP
  Terminal Services Remote Programs
    Requirements
    Installing Applications
  Terminal Server Web Access
  Program Placement and Performance
  Chapter Summary

10 Windows DNS, BitLocker Drive Encryption, and Itanium Support
  Domain Name System
    Background Zone Loading
    IPv6 Support
    GlobalNames Zone
    Read-Only DNS Zone
    Windows Link-Local Multicast Name Resolution
  Windows BitLocker Drive Encryption
    Requirements
    BitLocker Architecture
    Initializing BitLocker
    BitLocker Recovery
    Turning Off or Uninstalling BitLocker Drive Encryption
  Windows Server 2008 Itanium Support
  Chapter Summary

11 Routing and Remote Access
  Routing Services
    Routing Basics
    Dynamic Routing
    Routing Configuration with RRAS
    Configuring Network Interfaces for Routing
    Routing Protocols
  Remote Access
    Dial-Up Networking
    Virtual Private Networks
    DHCP Integration with RRAS
    Configuring RRAS Server Properties
  Chapter Summary

12 Enterprise Public Key Infrastructure
  PKI Uses
  Digital Signatures
  Digital Certificates
  Certification Authorities
    Types of CAs
    Enterprise CAs
    Stand-alone CAs
  Cryptographic Service Providers
  Certificate Templates
  Recovery Keys
  Certification Authority Management Console
  Issuing Certificates
  Certificate Revocation
  Chapter Summary

13 Windows PowerShell
  PowerShell at a Glance
  Getting Your Feet Wet
  Cmdlets
  Windows PowerShell and .NET
  Windows PowerShell, Scripting, and Security
  Variables
  Conditional Statements
  Going Loopy
  PowerShell in Action
    Working with the Registry
    Working with Dates and Times
  Chapter Summary

Index

ACKNOWLEDGMENTS

This book wouldn't exist without the concerted efforts of many individuals working together from different disciplines, who made sure that the final product is something of which we can all be proud.

First off, I want to thank my literary agent, David Fugate, who initially approached me to ask if I would be interested in putting together a proposal for this book project. He opened up the door for me to write my first book. Jane Brownlow was the sponsoring editor for this book and came up with the initial concept, got the publisher's approval, and got the ball rolling. Jane took maternity leave shortly after I started writing this book, so Megg Morin (acquisitions editor) and Carly Stapleton (acquisitions coordinator) kept this project going, making sure we stayed focused on meeting our objectives and promptly answering any questions I had. After Jane returned from maternity leave (Congratulations, Jane!), they all worked together to help me finish up the book. Lisa Theobald was the copy editor for this book and together with Janet Walden, the editorial supervisor, put a lot of work into making my writing much clearer and making me look better in the process. I want to thank them all very much for their professionalism and dedication to this project.

Richard Lewis was the book's technical editor, and he painstakingly went through several iterations of each chapter as I worked through writing various lab exercises to ensure technical accuracy of both the general content and the hands-on exercises.
He also provided lots of good feedback that I believe helped improve the book tremendously. Thanks for paying attention to the details. The effort you put into this project, especially toward the end to ensure that we hit our deadlines, is very much appreciated.

Finally, many people didn't directly participate in the writing of this book but were directly impacted during the time of its writing, and those people are my family. As is the case with most technical writers, I have a regular full-time day job in addition to writing this book. I want to thank my family for being patient and understanding while I spent countless hours night after night, weekend after weekend, month after month, locked away in my lab painstakingly researching and writing instead of spending quality time with them. More specifically, I would like to thank my wife, Annalene, for understanding why I was too busy for the past few months to spend quality time with her and take her to the movies, and for understanding why we had to reschedule every vacation we had planned for so long just to get this book done. She's always believed in me and has stood by every decision I've made in my career. Thanks for being my best friend! I also want to thank my parents, Romeo and Lourdes Seguis, for being great role models, raising me with a good head on my shoulders, and giving me opportunities that helped shape my career and my life. I love you all very much!

INTRODUCTION

I have read hundreds of books throughout my career, as I'm sure many of you have, and I've found three general categories of technical books: On one end of the spectrum are books geared toward beginners that help readers get a basic understanding of each topic but are only skin deep. On the other extreme are highly technical reference books that try to cover every imaginable aspect of the subject (but typically fail to do so). Those types of books go into great detail about every subject, but—let's face it—there's no such thing as a book that covers absolutely everything. Those books in the middle of the spectrum cover the basics regarding things you should know, but go into greater detail about things you really need to know.

This book was purposely written to be more of a book in the middle, and I'll tell you why. While I consider myself to be highly technical, I don't like more complicated explanations than are necessary. This has been my approach while writing this book. My goal was to write a book that satisfies your need for technical details without making your head spin in the process. This book is clearly targeted to professionals, so I have made the assumptions that you already have a healthy understanding of servers and how they work and have managed a Microsoft Windows Server–based operating system in the past (even better if you are currently doing so).

In each chapter, I start off with a few basics on each topic, and in some cases a quick review of the subject matter, before diving into specifics of how things work in Windows Server 2008. I hope this greatly enhances the reader experience, since it makes sure that every reader is on the same page (no pun intended) before going into product-specific information. You will also notice that I use plenty of hands-on exercises throughout each chapter. I think that understanding theory and general concepts is a good thing, but most people learn best while actually completing tasks. I hope that you will find the inclusion of many hands-on exercises to be of use to you. One of the major goals of these exercises is to force you to use Windows Server 2008 and its many features. Although each exercise offers step-by-step instructions on how to accomplish a specific task, there is always more than one way to perform a task, so feel free to experiment and try to find other ways to work.
One thing you will appreciate with Windows Server 2008 is the flexibility it offers you as an administrator to interact with various elements of the operating system. Take advantage of this and don’t assume that the way I wrote it is necessarily the best way, since I sometimes had to choose steps that were easier to follow rather than faster to do. I also don’t hold back on screenshots. These are not page fillers but serve a specific purpose of showing what you can expect the screens to look like as you work through the exercises. I can’t tell you how many times I’ve read a book and scratched my head while reading some of the step-by-step guides because either the description wasn’t clear or a miscommunication was written about what I should be looking at versus what I actually saw. By providing the screenshots, I hope to clear up a lot of the confusion associated with many of those purely text-based exercises. This book was initially written when Microsoft Windows Server 2008 (then called Windows Server codename “Longhorn”) was still in Beta 2. As you can very well understand, Beta 2, which wasn’t made available to the general public, was still quite rough around the edges, and many features and graphical elements didn’t function the way one might expect. I finished writing the first draft of the book just as Release Candidate 1 was released to the general public. After Windows Server 2008 Release Candidate 1 was made available, we went back and updated every chapter and making changes where appropriate; we recaptured all of the screenshots since Microsoft had thankfully done a wonderful job polishing up the user interface and in many cases fixed major bugs that caused me many sleepless nights. 
We did our very best to make sure that you got the most accurate information you can get up until product launch, so as you read this book, please keep in mind that the screenshots and exercises were taken from Windows Server 2008 Release Candidate 1. While Microsoft generally doesn’t make any major functionality changes other than bug fixes prior to launch, the screenshots and some of the wording on the screen can potentially be different from that of the final product.

This book, Microsoft Windows Server 2008 Administration, is a book written by a Windows administrator for Windows administrators. I know how frustrating it is to read a book and not be able to answer the question of “How do I do that?”. From the ground up, I focused on one thing and one thing alone, and that is to provide you with the information you need to not only answer the question “What can I do in Windows Server 2008?”, but also “How do I do that in Windows Server 2008?”. It’s a direct hands-on approach loaded with step-by-step guides and real examples. Unfortunately, there’s no way to do that and cover every possible feature inside this new operating system. However, this book will equip you to make good decisions about how you can use Windows Server 2008 in your environment and take advantage of its many new features.

Chapter 1: Getting Started with Windows Server 2008

When Microsoft started development of Windows Server 2008, the company took the time to collect user feedback and incorporate this information into the product’s features. It is the first operating system built by Microsoft under its new strict security development guidelines. The security “theme” permeates every aspect of this operating system and can’t be missed.
Although future system updates are inevitable with any OS release, this new architecture allows you to minimize the attack surface immediately, thereby mitigating the risks. Microsoft has also vastly improved the user experience by simplifying the installation process and providing a new integrated Server Manager tool for more effective server management. Before you can take advantage of any of these features though, your first step is to install Windows Server 2008. Let’s cut to the chase and see what it takes to get Windows Server 2008 installed.

SYSTEM REQUIREMENTS

To ensure proper installation of Windows Server 2008, you will need to make sure the server hardware meets these minimum and recommended hardware levels:

Processor
    Minimum: 1GHz
    Recommended: 2GHz
    Optimal: 3GHz or faster
    (An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-based systems.)
Memory
    Minimum: 512MB RAM
    Recommended: 1GB RAM
    Optimal: 2GB RAM (Full installation) or 1GB RAM (Server Core installation) or more
    Maximum (32-bit): 4GB (Standard) or 64GB (Enterprise and Datacenter)
    Maximum (64-bit): 32GB (Standard) or 2TB (Enterprise, Datacenter, and Itanium-based systems)
Disk Space
    Minimum: 8GB
    Recommended: 40GB (Full installation) or 10GB (Server Core installation)
    Optimal: 80GB (Full installation) or 40GB (Server Core installation) or more
Drive
    DVD-ROM drive
Display
    SVGA (800 × 600) or higher resolution
Other
    Keyboard and Microsoft mouse or compatible pointing device

INSTALLATION AND CONFIGURATION

Windows Server 2008 offers two general types of installations: a typical Full server installation and Server Core. Server Core is a stripped down version of Windows Server 2008 that doesn’t include a GUI or any other unneeded services. Instead, the server installs only key features that are related to the role that it supports—for example, Active Directory or Domain Name System (DNS). Chapter 2 provides more details about Server Core.
The following paragraphs discuss a typical Windows Server 2008 installation. One of server engineers’ biggest gripes about the manual Windows Server installation process in the past was that they had to babysit the server as it went through the installation, because they had to key in bits of information at different times throughout the process—license information, components to install, and network configuration, for example. Of course, the easy solution to all this is to perform an unattended installation, but for the one-offs that require manual installation, the process was far from being “set and forget.”

In Windows Server 2008, this problem has been addressed by reducing the number of interactive steps required to get your server up and running. All the necessary questions for the installation are asked up front, before you begin the actual installation process of copying the files and performing the initial server configuration. By doing this, the installation process no longer has to stop for additional information before it can proceed. Once the server software installation is complete, installation of components and the configuration of the server can proceed under the new integrated management tool called Server Manager.

Hands-On Exercise: Interactive Installation of Windows Server 2008

1. Start the computer and boot up using the Windows Server 2008 installation media. Select the installation language, time and currency format, and keyboard layout, and then click Next (Figure 1-1).

2. Click Install Now to begin the installation process. As you can see in Figure 1-2, you can access system recovery tools by clicking the Repair Your Computer option at the bottom of the screen.

3. Enter the product key. If you don’t want to activate Windows as soon as your computer goes online (for example, if you are simply testing the installation or evaluating Windows Server 2008), you can uncheck the Automatically Activate Windows When I’m Online checkbox (Figure 1-3). Click Next.

4. Now select whether to install Windows Server 2008 Enterprise (Full Installation) or Windows Server 2008 Enterprise (Core Installation). For now, select Windows Server 2008 Enterprise (Full Installation) (as shown in Figure 1-4), and then click Next.

Figure 1-1. Installation language, time and currency, and keyboard layout screen
Figure 1-2. Installation screen
Figure 1-3. Product key screen
Figure 1-4. Operating system selection screen

5. If you accept the terms of the license agreement, check the I Accept the License Terms checkbox (required to use Windows), and then click Next (Figure 1-5).

6. Select the type of installation you want to perform. In this case, you are performing a clean install, so you should select Custom (Advanced). You’ll notice that you can’t select Upgrade unless you initiated the setup from an existing Windows Server installation (Figure 1-6).

7. If your hard drive is automatically detected, you can create and format a partition as necessary for the installation. If your drive isn’t detected, most likely the device driver for your controller isn’t built into Windows, in which case you can click Load Driver (at the bottom-left of the screen) to load it. Click Next after you have created the partition to which you are going to install (Figure 1-7).

8. Now that Windows Server 2008 has all the basic information it needs to proceed with the installation, it begins the installation process and displays the status of the install, as shown in Figure 1-8. This is where setup significantly differs from previous Windows Server builds, as you will not be prompted for any further details until the installation is complete and Windows fully starts up.
This is a great enhancement, since you can walk away from the server while the installation proceeds without having to worry about additional dialog boxes asking for further information to complete the install.

Figure 1-5. License agreement acceptance screen
Figure 1-6. Installation type selection screen
Figure 1-7. Installation partition selection screen
Figure 1-8. Installation progress screen

9. When setup has completed installing Windows and has rebooted as many times as necessary to install and configure everything, you will automatically be logged in to Windows Server 2008 under the Administrator account, where the Initial Configuration Tasks screen is loaded.

IMPORTANT By default, the Administrator Password field is blank and should be changed immediately. Until you set a password, Windows Server 2008 will autologon with the Administrator account and a blank password. On the first password change, remember that the old password field is left blank because the password is indeed blank.

Post-Installation Configuration and Initial Configuration Tasks

After the installation has completed, you are prompted for the initial configuration tasks (Table 1-1). Many of these options would have typically been part of the initial installation options in previous Windows Server versions—such as setting the administrative password, configuring network options, and specifying computer name and domain membership information.

Table 1-1. Initial Configuration Task Options

    Set the Administrator Password: Lets you set the password for the Administrator account and rename the account.
    Set Time Zone: Sets the time zone for the server.
    Configure Networking: Opens the Network Connections Control Panel applet so you can configure your various network interfaces.
    Provide Computer Name and Domain: Lets you change the computer name as well as join a domain.
    Enable Automatic Updating and Feedback: Lets you specify how you want to configure Windows Update, Windows Error Reporting, and the Customer Experience Improvement Program (CEIP). You should compare the Windows Error Reporting information as well as the CEIP settings against your organization’s policies, since both features send usage information back to Microsoft.
    Download and Install Updates: Lets you download and install updates. You should do this unless you have an alternative patch-management tool, since you want your system to be up to date with all critical security patches before opening it up to your network. You should manually set the configuration of the updates based on your own policies to prevent updates from automatically restarting your server. You should also keep checking for updates after each reboot until all the updates have been installed.
    Add Roles: Lets you add roles to this server—that is, Dynamic Host Configuration Protocol (DHCP), DNS, Internet Information Services (IIS), and so on.
    Add Features: This new interface replaces the Add/Remove Windows Components from the Add/Remove Programs Control Panel applet in previous versions of Windows and provides a much easier means of adding additional Windows components.
    Enable Remote Desktop: Lets you configure remote desktop.
    Configure Windows Firewall: Turns on or turns off the Windows Firewall.

TIP If you change the administrative password by pressing ctrl-alt-del and then selecting Change a Password, you’ll see a Create a Password Reset Disk selection on the Change the Password screen, below the Confirm Password line. This is the entry point to the Welcome to the Forgotten Password Wizard. This same wizard is also available in Control Panel by clicking User Accounts | Prepare for a Forgotten Password.
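Several of the tasks in Table 1-1 (the Administrator password, automatic updating, error reporting and CEIP, Remote Desktop, and the firewall) are backed by registry values you can read back after the wizard closes. The following PowerShell script is an added example of mine, not code from the book: it reports settings that contradict the advice in the table and in the IMPORTANT note above. The registry paths are the standard Windows locations for these settings; the function names and the choice of which settings count as findings are my own. Run it in an elevated PowerShell window (on Windows Server 2008, Windows PowerShell is a feature you add first).

```powershell
# Added example (not from the book): read back the settings behind the
# Initial Configuration Tasks and report anything that contradicts the
# advice in Table 1-1. Function names and finding thresholds are mine.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-InitialConfiguration {
    $findings = @()

    # Until the Administrator password is set, setup logs on automatically.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ((Get-RegValue $winlogon 'AutoAdminLogon') -eq '1') {
        $findings += 'AutoAdminLogon is enabled: the console logs on without prompting for a password'
    }
    if (Get-RegValue $winlogon 'DefaultPassword') {
        $findings += 'DefaultPassword is stored under Winlogon: a clear-text logon password is on disk'
    }

    # Windows Update: the policy value wins over the local one when present.
    $auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $auLocal  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $auOptions = Get-RegValue $auPolicy 'AUOptions'
    if ($auOptions -eq $null) { $auOptions = Get-RegValue $auLocal 'AUOptions' }
    if ($auOptions -eq 1) {
        $findings += 'Automatic updating is disabled (AUOptions=1)'
    }
    if ($auOptions -eq 4 -and (Get-RegValue $auPolicy 'NoAutoRebootWithLoggedOnUsers') -ne 1) {
        $findings += 'Updates install on a schedule (AUOptions=4) and may restart the server on their own'
    }

    # Error reporting and CEIP both send data to Microsoft; compare with your policy.
    if ((Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting' 'Disabled') -ne 1) {
        $findings += 'Windows Error Reporting is enabled'
    }
    foreach ($ceipKey in 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows',
                         'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows') {
        if ((Get-RegValue $ceipKey 'CEIPEnable') -eq 1) {
            $findings += "Customer Experience Improvement Program is enabled ($ceipKey)"
        }
    }

    # Remote Desktop: if it is turned on, Network Level Authentication should be required.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
        if ((Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -ne 1) {
            $findings += 'Remote Desktop is enabled without Network Level Authentication'
        }
    }

    # Windows Firewall: every profile should be on.
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        if ((Get-RegValue "$fw\$fwProfile" 'EnableFirewall') -eq 0) {
            $findings += "Windows Firewall is off for the $fwProfile profile"
        }
    }
    return $findings
}

$result = @(Test-InitialConfiguration)
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

The script only reads; it prints one line per problem so you can fix each item through the Initial Configuration Tasks interface or Server Manager. Run it again after every reboot during the update cycle described in the table, since a policy refresh or an update can change these values.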
After launching the wizard, you will be prompted to insert a formatted floppy disk, which is used to create a password recovery disk. After this disk is created, it can be used to recover from a forgotten password even if the password has been changed. Consequently, this floppy disk should be physically secured, as it could be used for unauthorized server access.

Once you close out of the Initial Configuration Tasks interface, the Server Manager tool automatically launches. This is an integrated interface you can use to configure various items on your computer. You’ll read details about managing your server using Server Manager in Chapter 3.

BOOT CONFIGURATION DATA

All Windows Server builds since Windows NT have been using NT Loader (NTLDR) and boot.ini to control the boot process as well as manage multi-boot environments. With Windows Server 2008 (as well as Windows Vista), the entire boot process has been re-engineered, resulting in the creation of the Boot Configuration Data (BCD). The BCD replaces NTLDR completely in its functionality, and, rather than store the boot configuration in a text file such as boot.ini, everything is now stored in a binary format that can be manipulated only using one of the following editing methods: BCDEdit.exe or coding using Windows Management Interface (WMI).

The BCD is physically stored in one of two locations. For BIOS-based operating systems, the BCD is stored in the \Boot\BCD directory of the active partition. For Extensible Firmware Interface (EFI)–based operating systems, the BCD is stored on the EFI system partition (NVRAM). For those of you who may not be familiar with EFI, you’ll see it implemented in 64-bit systems. Currently, these are the only two systems supported by BCD; however, in technical terms, it would be possible for Microsoft to extend the BCD to other boot systems in the future.
The internal structure of the BCD is that of a registry hive, which makes sense due to the hierarchical nature of the data being stored there; however, you should never attempt to manipulate the BCD using tools designed for the registry. The BCD architecture is a hierarchy, which is exactly why it made sense to reuse the registry hive format for this data store. It is composed of three distinct components: stores, objects, and elements, as described in Table 1-2. The component hierarchy is shown in Figure 1-9.

BCD Store

The BCD store is the physical binary file that is stored either on the active partition or on the EFI system partition (ESP). It stores all the information that describes the bootup environment for each Windows instance on the system or other boot loaders such as NTLDR.

Table 1-2. BCD Components

    BCD Store: Top-level component in the hierarchy. Think of this as the root of all components in the hierarchy; it serves as the starting namespace for the items it contains. You can also think of the store as the actual physical BCD file.
    BCD Object: In the abstract, this serves as a container for all BCD elements. In practical terms, information pertaining to the boot environment for each instance of the Windows boot loader is typically stored here. For example, in a multi-boot scenario, each Windows Server 2008 instance installed on the system would be represented by a distinct BCD object.
    BCD Element: Think of these as properties and parameters to the BCD object. Each element represents one property or parameter—for example, the name of the operating system or a debugger setting.

Each system can have more than one BCD store; however, only one store can be the active system store. A simple example of an additional BCD store would be a backup of the active system store.
For BIOS-based systems, this file is stored under the active partition’s \BOOT folder, whereas for EFI-based systems, it is stored under \Windows\Boot\EFI.

Figure 1-9. BCD component hierarchy (one BCD store containing several BCD objects, each of which contains its BCD elements)

Since the system store knows all about the installed operating systems on the computer, if it detects a multi-boot environment, it is also responsible for displaying the Windows Boot Manager OS selection menu, as shown in Figure 1-10. Each system store contains, minimally, two BCD objects as well as additional options (Table 1-3). Although it all sounds complicated, it really isn’t. You can take apart a simple boot.ini file, such as the one whose entries are mapped in Table 1-4, and translate it quickly to a BCD format.

Figure 1-10. Windows Boot Manager showing multi-boot screen and Windows Memory Diagnostic option

Table 1-3. BCD Objects

    Windows Boot Manager: Think of this as the [boot loader] section of the original boot.ini file. It contains things like the default boot OS as well as the timeout before the default OS is launched. The BCD can store multiple Windows Boot Managers, but only one can hold the global unique identifier (GUID) that designates the active boot manager. This GUID is aliased as {bootmgr} and is used in BCDEdit.exe to make changes to the store.
    Windows Boot Loader: The store must contain at least one Windows Boot Loader object. The Windows Boot Loader contains information regarding the boot environment for each instance of Windows Server 2008 installed on the system. Each boot loader contains a number of BCD elements that describe additional boot parameters such as no-execute, page-protection policies and debugger options. Two special aliases relate to the Windows Boot Loader. The first is called {current} and points to the currently active boot loader. The other is called {default} and points to the default boot loader if nothing is explicitly selected by the user.
    Windows NTLDR: This special object points to the old NTLDR if you have an older Windows installation on the system. This special GUID is referenced by the alias {ntldr}.
    Optional boot applications: These special applications perform other boot-related tasks. For example, Windows Server 2008 includes a Windows Memory Diagnostic tool, an optional boot application used to perform various memory checks on the system.

BCD Object

Each BCD object is identified uniquely using a 128-bit GUID that contains a 32-bit description about the type of object it represents. The three object categories are application objects, inheritable objects, and device objects. The application objects type is the most common type and is the object type for the Windows Boot Manager, Windows boot loader objects including NTLDR, Windows resume loader, and Windows memory tester. Windows resume loader is invoked when you turn on the computer from hibernate mode.

Table 1-4. Boot.ini to BCD Mapping

    Boot.ini                               BCD
    Boot Loader section                    Windows Boot Manager
    timeout                                Timeout element
    default                                Default Boot Loader element
    Operating Systems section              Windows Boot Loader objects
    multi(0)disk(0)rdisk(0)partition(1)    Boot Device element
    \WINDOWS                               Boot environment Application File Path element
    /noexecute=optin                       No-Execute Page Protection element

Each application object contains an image type and an application type. The image type tells the system whether it should be loaded as a firmware, boot, NTLDR-based, or real-mode application. The application type is a bit more detailed on what the application does. The most common application types are listed next and in Table 1-5.
Table 1-5. Most Commonly Used Application Objects’ Aliases and GUIDs

    Description                  Alias         GUID
    Windows Boot Manager         {bootmgr}     9dea862c-5cdd-4e70-acc1-f32b344d4795
    Firmware Boot Manager        {fwbootmgr}   a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba
    Windows memory tester        {memdiag}     b2721d73-1db4-4c62-bf78-c548a880142d
    Windows resume application   None          147aa509-0358-4473-b83b-d950dda00615
    Legacy Windows Loader        {ntldr}       466f5a88-0af2-4f76-9038-095b170dc21c
    Current boot entry           {current}     fa926493-6f1c-4193-a414-58f0b2456d1e
    Default boot entry           {default}     None

▼ Firmware Boot Manager (for EFI-based systems)
■ Windows Boot Manager
■ Windows boot loader
■ Windows resume application
■ Windows memory tester
■ NT Loader
▲ Boot sector (can be used to load non-Windows-based systems)

BCD inheritable objects are a way to generalize certain settings and flags so that they can be reused in more than one BCD object. Rather than having separate instances of an object, it is globally defined and then referenced by other BCD objects as needed. Some examples of these inheritable objects are listed in Table 1-6.

Table 1-6. Examples of Inheritable Objects

    Alias                    GUID                                   Description
    {badmemory}              5189b25c-5558-4bf2-bca4-289b11bd29e2   Global RAM defect list
    {bootloadersettings}     6efb52bf-1766-41db-a6b3-0ee5eff72bd7   Settings that should be inherited by all Windows boot loaders
    {dbgsettings}            4636856e-540f-4170-a130-a84776f4c654   Debugger settings that can be inherited by any boot application
    {emssettings}            0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9   Emergency Management Services settings that can be inherited by any boot application
    {globalsettings}         7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e   Settings that should be inherited by all boot applications
    {resumeloadersettings}   1afa9c49-16ab-4a5c-901b-212802da9460   Settings that should be inherited by all resume applications

As you can tell from the sample list, the objects are typically general global settings that propagate to multiple objects. In addition to this, each inheritable object is classified under two classes: library class and application class. Library class inheritable objects can be inherited by any BCD object, whereas application class inheritable objects can be inherited only by specified BCD applications.

BCD device objects contain BCD elements for complex devices, unlike simple devices such as partitions, which can be defined as simple BCD elements. BCD device objects are most commonly used for describing booting RAM disks created from Windows Image (WIM) files, as this type of device can contain the location of the WIM file in addition to any relevant port information if loaded from the network.

BCD Elements

Unlike the older boot.ini system, BCD elements have distinct data types associated with the data values. For example, an element can contain a String, Object, Integer, or Boolean data type. In addition to this, BCD elements are limited by their class type. Library elements can be applied to all boot environment applications; application elements can be applied only to specific application class types; and device elements can be applied only to device objects.

BCD Modification Methods

As fun as it was describing the BCD architecture and explaining the technical nuances of each component, I’ll bet you have this burning question in your mind. How do I actually manipulate the BCD? You can manipulate the BCD in four ways, as shown in Table 1-7.

Table 1-7. Four Ways to Manipulate the BCD

    System Control Panel applet: Very limited ability: lets you set the default OS, the time to display the list of OSs, and the time to display the recovery options when needed.
    MSConfig.exe: This GUI allows control of startup options. Select the Boot tab from the five-tab interface. The General, Services, and Startup tabs control additional startup options. Most common boot settings can be set, enabled, or disabled using this tool, including debug settings and safe mode options.
    BCDEdit.exe: This command-line tool is one of the most powerful tools for BCD manipulation. It’s recommended for systems administrators when modifying the BCD due to its flexibility and ease of use. It exposes most of the boot settings and supports scripting.
    WMI: If you are into scripting and need more than even BCDEdit.exe provides, you can manipulate BCD straight through WMI. This offers the greatest flexibility since you can use any scripting/programming language that can use WMI to make the changes. This is significantly more involved than BCDEdit.exe (but it’s not brain surgery), so unless you have a strict requirement to code directly, you should stick with BCDEdit.exe whenever possible.

Using BCDEdit

Since this tool is critical to the manipulation of BCD data, you should take the time to understand it. As with all command-line tools, the best way to learn about available command switches and general functionality is by running it with the /? switch to display the help screen for the command and, in this case, the primary switches the tool supports. If you want to get into more specifics about a particular command-line switch, you can type in BCDEdit.exe /? <command> where command is any of the available switches. For example, if you want to learn more about the export switch, you can type this:

    BCDEdit.exe /? /export

The most basic command you’ll need to know lets you retrieve your current configuration:

    BCDEdit.exe /enum

This command shows your global Windows Boot Manager settings along with settings associated with each of your Windows OS Loaders. You can see the output of this command on a dual-boot Windows Server 2003 and Windows Server 2008 computer in Figure 1-11. You can clearly see the display order for the menu items, the default boot loader, and the timeout. For each of the boot loaders, you can see their unique identifier, device path, and any options (BCD elements) that have been specified. You can specify additional parameters with the /enum switch to control what is displayed, such as displaying only the Windows Boot Manager section or getting information about a particular boot loader. One of the most useful additional switches to /enum is the /v switch. This switch shows all entry identifiers in full GUID form rather than their user-friendly aliases. The identifiers are in GUID format—for example, {0f732d04-e6b2-11da-b631-b722247cd703}. The aliases are those values in the output that are enclosed in curly braces that are not GUIDs—that is, {ntldr}, {current}, {bootmgr}, and so on. As an additional shortcut, if you simply run BCDEdit.exe without any switches, it defaults to running the following:

    BCDEdit.exe /enum ACTIVE

Figure 1-11. Output of BCDEdit /enum command

The most common changes most administrators will make to the BCD will be around the Windows Boot Manager, since that controls the boot sequence, default Windows loader, display order, and timeout before the default selection is made. The help messages give you all the information you’ll ever need, but it’s much easier to understand this command by looking at some simple examples.

Modifying the Boot Sequence

You can do four things with the /bootsequence switch:

▼ List the identifiers for each loader in the order in which you want the boot sequence to appear.
■ Add a loader to the top of the list, or if it’s already on the list, move it to the top.
■ Add a loader to the bottom of the list, or if it’s already on the list, move it to the bottom.
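The /enum output shown in Figure 1-11 is plain text, and BCDEdit has no structured output mode, so checking a fleet of servers for the settings just described means parsing that text. The PowerShell below is an added example of mine, not code from the book: it turns /enum output into one object per BCD entry (keeping list-valued elements such as displayorder intact) and flags the two things you most want to notice on a production server, a boot-manager timeout longer than the 3 to 5 seconds suggested later in this chapter and a Windows Boot Loader entry with the kernel debugger enabled. The embedded sample output is constructed to resemble the dual-boot system in Figure 1-11, and the names ConvertFrom-BcdEnum and Test-BcdConfiguration are my own.

```powershell
# Added example (not from the book): parse "bcdedit /enum" text into objects and
# audit the boot manager settings this section describes. The sample output is
# constructed to resemble the dual-boot system in Figure 1-11; the function
# names are mine.

$sampleEnum = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
default                 {current}
displayorder            {ntldr}
                        {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Legacy OS Loader
------------------------
identifier              {ntldr}
device                  partition=C:
path                    \ntldr
description             Windows Server 2003

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Server 2008
osdevice                partition=C:
systemroot              \Windows
nx                      OptIn
debug                   Yes
'@ -split "`r?`n"

function ConvertFrom-BcdEnum {
    # Returns one hashtable per BCD object. Every element value is stored as an
    # array because list-valued elements (displayorder, bootsequence) continue
    # on indented lines below the first value.
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    $lastKey = $null
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        # An object starts with a title line followed by a line of dashes.
        if ($line -match '^\S' -and ($i + 1) -lt $Lines.Count -and $Lines[$i + 1] -match '^-{3,}\s*$') {
            $current = @{ Type = $line.Trim() }
            $entries += $current
            $lastKey = $null
            $i++                       # skip the dashed underline
            continue
        }
        if ($current -eq $null) { continue }
        if ($line -match '^(\S+)\s{2,}(\S.*)$') {
            $lastKey = $matches[1]
            $current[$lastKey] = @($matches[2].Trim())
        } elseif ($lastKey -and $line -match '^\s+(\S.*)$') {
            $current[$lastKey] += $matches[1].Trim()    # continuation value
        }
    }
    return $entries
}

function Test-BcdConfiguration {
    param([string[]]$Lines, [int]$MaxTimeoutSeconds = 5)
    $findings = @()
    $entries = @(ConvertFrom-BcdEnum -Lines $Lines)
    foreach ($mgr in ($entries | Where-Object { $_.Type -eq 'Windows Boot Manager' })) {
        $timeout = [int]($mgr.timeout[0])
        if ($timeout -gt $MaxTimeoutSeconds) {
            $findings += "Boot manager timeout is $timeout s (3 to 5 s is typical); default loader is $($mgr.default[0])"
        }
    }
    foreach ($ldr in ($entries | Where-Object { $_.Type -eq 'Windows Boot Loader' })) {
        if ($ldr.ContainsKey('debug') -and $ldr.debug[0] -eq 'Yes') {
            $findings += "Loader $($ldr.identifier[0]) ($($ldr.description[0])) boots with the kernel debugger enabled"
        }
    }
    return $findings
}

# Offline run against the constructed sample; on a real server pass (bcdedit /enum all).
Test-BcdConfiguration -Lines $sampleEnum
```

On the constructed sample this reports two findings: the 30 second timeout and the debug-enabled Windows Server 2008 loader. Against a live system, run it elevated and pass `(bcdedit /enum all)` as the lines; the parser does not care whether identifiers appear as aliases or, with /v, as full GUIDs, since it only splits on the column gap.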
▲ Remove a loader from the list completely.

The following example shows how you would define the boot sequence explicitly with the NT Loader booting first, followed by the OS Loader with the identifier {0f732d04-e6b2-11da-b631-b722247cd703} (which in this case is an instance of Windows Server 2008):

    Bcdedit /bootsequence {ntldr} {0f732d04-e6b2-11da-b631-b722247cd703}

The example shown here demonstrates how to add or move the OS loader with the identifier {0f732d04-e6b2-11da-b631-b722247cd703} to the top of the boot sequence:

    Bcdedit /bootsequence {0f732d04-e6b2-11da-b631-b722247cd703} /addfirst

The following example shows how to add or move the OS loader with the identifier {0f732d04-e6b2-11da-b631-b722247cd703} to the bottom of the boot sequence:

    Bcdedit /bootsequence {0f732d04-e6b2-11da-b631-b722247cd703} /addlast

Finally, if you want to remove an OS loader from the boot sequence completely—for example, if you want to remove NT Loader from the sequence if you no longer use the older Windows version—you could run this command:

    Bcdedit /bootsequence {ntldr} /remove

Setting the Default Boot Entry

To specify which of the boot menu items will be the default boot selection, you use the /default switch. For example, to set NT Loader as the default boot loader selection, you would run this:

    Bcdedit /default {ntldr}

Simply replace {ntldr} with the identifier for whatever OS Loader you want to use as the default.

Setting the Menu Display Order

When more than one boot loader is available, a menu is automatically displayed allowing you to select one. To set the order in which those entries are displayed, you use the /displayorder switch. As you can with the /bootsequence switch, you can explicitly define the menu order, add or move an item to the top, add or move an item to the bottom, or remove an item from the menu completely. In fact, the syntax for the /displayorder switch is the same as that for /bootsequence—except, of course, you would replace /bootsequence with /displayorder. For example, to set up the menu order so that the OS loader entry with the identifier {0f732d04-e6b2-11da-b631-b722247cd703} is followed by the NT Loader, you would run this:

    Bcdedit /displayorder {0f732d04-e6b2-11da-b631-b722247cd703} {ntldr}

Similarly, to add or move the NT Loader to the top of the menu, you would run this:

    Bcdedit /displayorder {ntldr} /addfirst

As you can see, the syntax follows the /bootsequence commands exactly, so the /addlast and /remove switches would work the same way.

Setting the Boot Manager Timeout

By default, the timeout for the boot manager is 30 seconds. This is probably more time than you will ever need before a selection is made. In practice, this value is typically set from 3 to 5 seconds. You can even set this timeout to 0 so that the menu won’t be displayed. To set the timeout period to 5 seconds, run the following command:

    Bcdedit /timeout 5

Simply replace 5 with whatever timeout period you want in terms of seconds, and it will set it accordingly.

Setting the Tools Display Order

If you go through the help menu for BCDEdit as well as the boot manager configuration, you will see an entry for toolsdisplayorder. If you recall the discussion about BCD objects, you will remember that not all objects have to be boot loaders. In fact, the object can be any application designed to run during the boot process. Out of the box, Windows Server 2008 comes with the Windows Memory Diagnostic tool, which can be selected from the boot menu. For a typical Windows installation, you would have only one item in the tools display menu, and that is for the memory diagnostic tool designated by the alias {memdiag}.
If Microsoft or a third-party company builds additional tools that can be added to this menu, you can then use BCDEdit to set the order by which these tools are presented in that menu. For example, if a BCD object functioned as a tool with the identifier {073332d04-e6b2-11da-b631-cdd1327cd703} and you wanted that tool to appear before {memdiag}, you would run the following command:

    Bcdedit /toolsdisplayorder {073332d04-e6b2-11da-b631-cdd1327cd703} {memdiag}

I hope you’re starting to see a pattern here. I bet you’ve already guessed what’s coming next. Yes, the same additional switches that were available in the /bootsequence switch are all available here as well, specifically /addfirst, /addlast, and /remove. The syntax is the same; just replace /bootsequence in those commands with /toolsdisplayorder.

Backing Up and Restoring the BCD

The next critical task an administrator will need to ensure is the ability to back up and restore the BCD. In pre–Windows Server 2008 days, you could simply back up the boot.ini file since it was a simple text file. The BCD, on the other hand, is a binary file, and the active BCD file is locked and marked as in-use, so it can’t be copied outright. The correct way to back up and restore a BCD is through the /export and /import switches of BCDEdit. This is all very painless, since the /export switch requires only the destination file name to export the data to, while the /import switch requires only the source file name to import the data from.

Here is an example of backing up the BCD. It will actually create two files after it runs—one is the backup data file and the other is the backup log file:

    Bcdedit /export "C:\backup\BCD-backup"

The following is an example for importing the data that was just backed up. Please be aware that this deletes all the entries in the BCD system store and replaces them with whatever data is in the import file.
Bcdedit /import "C:\backup\BCD-backup"

CAUTION If you import the wrong data, your system may fail to boot at the next reboot when the boot manager reads it, so double-check that you are importing the correct file before you issue the command. Keep the export you took before the change so that a bad import can be reversed.

Manipulating BCD Entries

So far, you've read about the most common BCD commands. Sometimes you will need to manipulate BCD entries themselves: create and delete an entry, copy entries within the store, and set entry options. Let's say you wanted to create a Windows Loader entry manually in the current BCD. This would be necessary if you wanted a separate set of boot options for the same installation, for example a normal boot option and one with debugging enabled. Let's see this in practice, since it demonstrates many of the commands for manipulating BCD entries.

Let's assume your current Windows Server 2008 installation is loaded by the Windows Boot Loader entry with the identifier {0f732d04-e6b2-11da-b631-b722247cd703}. The first step is to make a copy of this entry:

Bcdedit /copy {0f732d04-e6b2-11da-b631-b722247cd703} /d "Windows Server 2008 (with debug)"

This creates a new entry in the BCD system store with the description "Windows Server 2008 (with debug)." By default, the new entry is added to the bottom of every list, including the boot sequence and the boot menu order. The output of the previous command is the identifier of the newly created entry, which on my test system was {8496b610-6ec8-11db-9581-0003ffaf0a2b}. If you accidentally closed the window or did not write down the identifier, run BCDEdit.exe /v; it outputs all the entries on your system with their full identifiers rather than well-known aliases. Look for the entry with the description you specified, and the identifier will be right there.
You can now set the debug options you want on this new entry:

Bcdedit /set {8496b610-6ec8-11db-9581-0003ffaf0a2b} debugtype USB
Bcdedit /set {8496b610-6ec8-11db-9581-0003ffaf0a2b} targetname DBG1

The combined effect of the two commands is to modify the entry created by your copy command, identifier {8496b610-6ec8-11db-9581-0003ffaf0a2b}, so that debugtype is USB and the USB target name is DBG1. This is an example, of course, and you would adjust the entry options to whatever values you really need. Note that these two settings describe only the debug transport; kernel debugging is not actually active on the entry until you also run Bcdedit /set {8496b610-6ec8-11db-9581-0003ffaf0a2b} debug on (or, equivalently, Bcdedit /debug {8496b610-6ec8-11db-9581-0003ffaf0a2b} on). A debugger attached over that transport has full read and write access to kernel memory, so keep such an entry out of the default boot path and delete it when you no longer need it.

If you want to delete the entry options you just created, run these commands:

Bcdedit /deletevalue {8496b610-6ec8-11db-9581-0003ffaf0a2b} debugtype
Bcdedit /deletevalue {8496b610-6ec8-11db-9581-0003ffaf0a2b} targetname

It is important to specify the identifier in this command; otherwise, the option is deleted from whatever BCD entry the alias {current} points to. If you want to delete the copy of the BCD entry you created, simply run this:

Bcdedit /delete {8496b610-6ec8-11db-9581-0003ffaf0a2b}

Three important switches are associated with the bcdedit /delete command. First, if you're trying to delete an entry with a well-known identifier, for example {current}, you also need to specify the /f switch to force the deletion. The other two switches that accompany /delete are /cleanup and /nocleanup. If you specify neither, the default is /cleanup, which not only deletes the entry from the BCD but also deletes any references to it, such as entries in the boot sequence and boot menu order. If you insist that those references stay (not generally recommended), specify /nocleanup, which deletes only the entry for the identifier you specified and nothing else.
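The export, copy, set and verify steps above, put together as one batch file for the Server Core console. This is an added example and not code from the book: it backs the store up first, clones the entry that booted the current session, captures the new identifier from BCDEdit's own output instead of asking you to transcribe it, and then shows the resulting entry so it can be reviewed before a reboot. Assumed details are the C:\backup directory, the description text, and the fact that bcdedit /copy prints "The entry was successfully copied to {GUID}." in an English locale.

```batch
@echo off
REM Added example (not from the book): safely add a debug-enabled clone of
REM the current Windows Boot Loader entry.
REM Assumptions: elevated command prompt; English-language bcdedit output;
REM C:\backup is a location you are happy to keep the export in.
setlocal

set "BACKUPDIR=C:\backup"
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

REM 1. Always export before touching the store. "bcdedit /import" of this
REM    file puts the store back exactly as it was.
bcdedit /export "%BACKUPDIR%\BCD-before-debug" >nul
if errorlevel 1 (
    echo Export failed; not modifying the BCD.
    exit /b 1
)

REM 2. Copy the entry that booted this session. The only braces on the
REM    output line surround the new GUID, so splitting on { and } yields it
REM    as the second token.
set "NEWID="
for /f "tokens=2 delims={}" %%G in ('bcdedit /copy {current} /d "Windows Server 2008 - debug"') do set "NEWID={%%G}"
if "%NEWID%"=="{}" set "NEWID="
if not defined NEWID (
    echo Could not determine the identifier of the copied entry.
    exit /b 1
)
echo New entry: %NEWID%

REM 3. Configure debugging on the copy only. debugtype/targetname select the
REM    transport; "debug on" is what actually enables the kernel debugger.
REM    The entry that boots by default stays untouched.
bcdedit /set %NEWID% debugtype USB >nul
bcdedit /set %NEWID% targetname DBG1 >nul
bcdedit /set %NEWID% debug on >nul

REM 4. Put the copy at the end of the menu; the existing default is kept.
bcdedit /displayorder %NEWID% /addlast >nul

REM 5. Show exactly what was written so it can be checked before rebooting.
bcdedit /enum %NEWID% /v

echo To remove the entry again: bcdedit /delete %NEWID%
echo To roll the whole store back: bcdedit /import "%BACKUPDIR%\BCD-before-debug"
endlocal
```

The for /f loop is the part worth remembering: it turns BCDEdit's one-line status message into a variable, which is what makes the rest of the script (and any later cleanup) repeatable without a human copying a GUID.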
A few more BCDEdit switches haven't been covered here, but they aren't frequently used and are all listed in the BCDEdit help message. Microsoft did an exceptional job with the help message for this command, providing detailed descriptions of each switch along with easy-to-understand examples.

TIP If you want to learn more about BCDEdit, read through the entire help message for this command.

Manipulating the BCD Using WMI

As a heavy proponent of automation and scripting, I was glad to see that Microsoft built in WMI support for managing the BCD. The BCD WMI provider is implemented as a COM object and exposes a number of scriptable classes that can be used to manipulate the BCD from any programming or scripting language that can access COM (which is almost anything mainstream: C++, VBScript, Visual Basic, JScript, and so on). This is not a scripting book, and more than a simple discussion would be needed to cover WMI fully, but if you already know how to script with WMI, you can visit the BCD documentation on MSDN (http://msdn2.microsoft.com/en-US/library/aa362692.aspx) to view all the available classes and methods for working with the BCD. If you're unfamiliar with VBScript or WMI, visit Microsoft's Scripting Center (www.microsoft.com/technet/scriptcenter/default.mspx) or pick up a good book on the subject. If you're serious about administering Windows Server 2008, this is a skill you will definitely want to have under your belt.

CHAPTER SUMMARY

This chapter went through a straightforward installation of Windows Server 2008 and covered in detail the new Windows Boot Manager and its configuration store, the Boot Configuration Data (BCD).
Now that you understand how to install and configure Windows Server 2008, you will need to understand how to take advantage of the new features in this operating system, including the new management tools available, as well as how to incorporate these into your existing environment. We will tackle all this in upcoming chapters. If you've worked with previous versions of Windows Server, you will undoubtedly have noticed a more streamlined installation process. However, don't be fooled by the marketing hype, because you will still need to perform some significant configuration tasks after installation has completed. The two initial configuration tasks that you should never defer are setting the Administrator password and installing all the latest patches. During the installation process covered in this chapter, you read about the option to install Windows Server 2008 as a Server Core installation. This is a very different type of installation that should be used whenever appropriate, since it minimizes the potential attack surface. In the next chapter, you will read in detail how to install and configure a Server Core installation.

Chapter 2: Server Core

With previous versions of Microsoft Windows Server, critical system updates for Windows services often had to be installed on a server even if those services weren't being used. For example, in 2005, Microsoft released a system update to address a Universal Plug and Play (UPnP) denial-of-service vulnerability across Windows operating systems.
Although an available workaround meant that you didn't necessarily have to install the patch, a server performing only a single role, such as a Domain Name System (DNS) server, shouldn't have been running UPnP in the first place. Had the service not been installed, the patch would have been unnecessary; every unneeded service that is installed exposes the operating system to vulnerabilities it need not carry. In Windows Server 2008, Microsoft addresses this issue by introducing an installation option called Server Core. This installation option installs only the most basic Windows Server components needed for the role the server will perform. There is one caveat, however: currently, Microsoft supports the Server Core installation for only a handful of predefined roles, such as domain controller (DC), DNS Server, Dynamic Host Configuration Protocol (DHCP) Server, and file server. This basic installation of Windows Server 2008 doesn't even install Windows Explorer, so you have no desktop with which to interact. Instead, the system must be managed completely through the command line or via Terminal Services. Microsoft realized that if a server is performing a very distinct infrastructure role, excess services need not be installed on it, not even a full graphical user interface (GUI). This minimizes the server's attack surface and should help reduce downtime by reducing the number of system updates that need to be installed on the server.

ROLES SUPPORTED BY SERVER CORE

Microsoft intended the Server Core installation method to be used for infrastructure-related services. Because of this, Microsoft supports only the following seven roles in Server Core installations:

▼ Active Directory Domain Services (AD DS)
■ Active Directory Lightweight Directory Services (AD LDS)
■ File Server
■ DHCP Server
■ DNS Server
■ Print Server
▲ Streaming Media Services

These roles are not mutually exclusive.
A Server Core instance can have one or more roles installed and configured without encountering any serious issues.

THE UPS AND DOWNS OF SERVER CORE

Using a Server Core installation offers many useful benefits. It reduces the potential vulnerability footprint by not installing unneeded services and binaries. As a result, it also reduces the amount of servicing that needs to be done to the operating system, and therefore the management overhead required to maintain these servers. The downside is that a Server Core installation doesn't provide much of a user interface to work with, other than the command prompt. The only ways to manage a Server Core installation are command-line tools and scripts, Microsoft Management Console (MMC) snap-ins or other tools that support remote administration, and Terminal Services (although your Terminal Services session will have only a command prompt anyway). This is quite cumbersome, especially for those who have been spoiled over the years by point-and-click administration techniques. Luckily, if you do it right, you will need to run only a minimal number of commands to set up remote management through some kind of management console.

INSTALLING SERVER CORE

As you might expect, installation of Server Core is not much different from installation of the regular Windows Server 2008. In fact, both installations share the same steps, except that at the end of the Server Core installation process, rather than an Initial Configuration Tasks screen, you are presented with a command prompt. You will make all your configuration changes using this command prompt. If you close the command prompt, you will have to press ctrl-alt-del, click Start Task Manager, click File, then click Run and enter cmd.exe to open a new command prompt.

Requirements

Windows Server 2008 Server Core shares the same minimum requirements as the regular Windows Server 2008 installation, with a few caveats.
In addition to having the Windows Server 2008 installation media and a valid product key, you will also need to perform a clean installation. You cannot upgrade from previous versions of Windows to a Server Core installation, you cannot upgrade from a regular Windows Server 2008 installation to Server Core, and you cannot move from Server Core to a regular Windows Server 2008 installation. Server Core must be installed from scratch. You should also have Internet access so that the server can be activated after the installation completes. Also, since fewer binaries are installed as part of Server Core, the hard disk space requirements are much lower than for the regular Windows Server 2008 installation. You will need only 1GB of disk space for the actual Server Core installation and 2GB of disk space for regular server operations.

Hands-On Exercise: Interactive Installation of Server Core

1. Start the computer and boot from the Windows Server 2008 installation media. Select the installation language, time and currency format, and keyboard layout. Then click Next.
2. Click Install Now to begin the installation process.
3. Enter your product key, and then click Next. If you don't want to activate Windows as soon as your computer goes online (for example, if you are simply testing the installation or evaluating Windows Server 2008), you can uncheck the Automatically Activate Windows When I'm Online checkbox.
4. Now select whether to install Windows Server 2008 Enterprise (Full Installation) or Windows Server 2008 Enterprise (Server Core Installation). Select Windows Server 2008 Enterprise (Server Core Installation), as shown in Figure 2-1, and then click Next.

Figure 2-1. Operating system installation selection screen

5. If you accept the license agreement, check the I Accept the License Terms (required to use Windows) checkbox, and then click Next.
6.
Select the type of installation you would like to perform. In this case, you'll perform a clean install, so select Custom (Advanced).
7. If your hard drive is automatically detected, you can create and format partitions as necessary for the installation. If your drive isn't detected, most likely the device driver for your controller isn't built into Windows, in which case you can click Load Driver to load it. Click Next after you have created the partition to which you are going to install.
8. Now that Windows Server 2008 has all the basic information it needs to proceed with the installation, it goes through the installation process and displays the status of the install.
9. Once the installation completes, you will be prompted to press ctrl-alt-del to log in.
10. Click the Other User button as shown in Figure 2-2 to initiate login. Enter Administrator as the username, leave the password blank, and then click the arrow button to log in (or simply press enter).

Figure 2-2. User login selection screen

11. When logging in for the first time, you will be prompted to change your password. Leave the current password field blank and enter your new password in the New Password and Confirm Password fields. Click OK when your password change has been confirmed.
12. Once you're logged in, you will see a command prompt and nothing else (Figure 2-3). At this point, you can manage this server only from this command prompt; remote administration is disabled by default. Your next step will be to perform the initial configuration tasks from the command prompt, as discussed in detail in the next section.

Figure 2-3. After logging into Server Core, you'll see only a single command prompt.

Post-Installation Tasks

Installing Server Core for Windows Server 2008 is the easy part.
Without a real user interface to assist you in configuring the server, you will need to get used to working with the command prompt if you don't already. Your first order of business after installing Server Core is to run through the initial configuration tasks, this time without the help of a handy screen to walk you through them:

1. Set the Administrator password.
2. Configure your network interfaces.
3. Activate the server.
4. Rename the server and join it to a domain (if applicable).
5. Configure Automatic Updates.
6. Enable remote administration (unless you like sitting in front of the server every time you need to work on it).
7. Configure the Windows Firewall.

Setting the Administrator Password

You were already prompted to change the password the first time you logged on; however, you can change the Administrator password locally in two ways. The easiest way is to press ctrl-alt-del and then select Change a Password. You can accomplish the same thing straight from the command prompt:

Net user Administrator P@ssword

Simply replace P@ssword with whatever password you want to use. The main difference between the two methods is that the graphical method requires you to enter the old password and then the new password twice, whereas in the command-line method the password is changed immediately. Because no confirmation prompt appears after you change a password from the command line, proceed carefully and record your new password to reduce the possibility of a typographical error. If you would rather not type the password where it can be seen on screen, run Net user Administrator * instead; net user then prompts for the password twice without echoing it.

Configuring Your Network Interfaces

By default, your new Server Core installation uses DHCP to acquire an IP address. If you will be using a static IP address for the server, you will need to assign it using the Netsh command. This takes more than one command, since a number of steps are involved. Your first step is to list all your network adapters.
This is important, because most servers come with more than one network interface, plus the loopback interface. When you configure the IP address, you will need to specify which interface you are modifying. To list all your network adapters, enter the following:

Netsh interface ipv4 show interfaces

Although IPv6 is not currently widely deployed, except probably in test labs, Windows Server 2008 natively supports it. The equivalent command for IPv6 is as simple as replacing ipv4 in this command with ipv6. The output of the command on my Server Core installation is shown in Figure 2-4.

Figure 2-4. List of network interfaces using Netsh

The first column of the command's output is a parameter called Idx. This is the unique number the system assigns to identify each network interface. Note the Idx number of the interface you want to modify. On my test server, I have only one network interface, excluding the loopback interface, so that's what I will be modifying in this example. I will give my network interface the static IP address 192.168.100.75 with a subnet mask of 255.255.255.0 and a default gateway of 192.168.100.1. If I look at the Idx number for my Local Area Connection in Figure 2-4, I can see that the value is 2. Putting all this information together, I can now run the following command to set these values (the name parameter accepts either the interface index or the interface name, such as "Local Area Connection"):

Netsh interface ipv4 set address name=2 source=static address=192.168.100.75 mask=255.255.255.0 gateway=192.168.100.1

Since DNS is so critical to Windows Server 2008, especially in an Active Directory domain, I also need to configure the DNS servers for this server. In this case, I want this interface to use the DNS server with the IP address 192.168.100.40.
To set this value, I run the following command:

Netsh interface ipv4 add dnsserver name=2 address=192.168.100.40

If more than one interface needs to be configured, simply repeat this process for every interface. If you are trying to set up network interface card (NIC) teaming or failover, consult your vendor's documentation to determine how to accomplish this in Server Core, since most vendors supply graphical interfaces to configure these advanced options, and those will not run on a Server Core installation.

Activating Your Server

If you're setting up a server that will run Windows Server 2008 beyond the initial activation grace period, you will want to activate it, or it will stop functioning normally once that period has elapsed. No graphical method is available to activate a Server Core installation; instead, you rely on the Windows Software Licensing Management Tool, otherwise known as slmgr.vbs, which sits in the %WINDIR%\system32 directory. To activate your server, simply run this command:

Slmgr.vbs -ato

It can't get any easier than that. In fact, slmgr.vbs is so powerful that you can use it to activate a new Windows Server 2008 installation remotely from an existing Windows Server 2008 server. Let's say, for example, that you wanted to activate a new Windows Server 2008 installation called Utopia that had a local administrator password of password123. This could be accomplished remotely by running the following command from an existing Windows Server 2008 installation:

Slmgr.vbs Utopia Administrator password123 -ato

Be aware that this puts the Administrator password on the command line of the machine you run it from, where it is visible to anyone watching the console and to anyone who can list running processes, so use it only from a console you control.

Netsh Up Close and Personal

Netsh is the ultimate command-line shell for managing all aspects of the network components of Windows Server 2008. This command was available in previous Windows versions but is now an even more critical tool for Windows Server 2008. It can be used to query and manage everything from a network interface, Windows Firewall, and DHCP Server parameters (including defining scopes and exclusions) to routing and remote access policies. The ability to do all these things from the command line makes this tool highly useful to Windows administrators who want to script network service-related tasks. However, many administrators neglect to learn netsh well, since everything they can do in netsh can be done more easily from a Windows GUI. Server Core makes it necessary for Windows administrators to learn this tool rather than treat it as an afterthought. Although many of the core network services that a Server Core instance can provide can be managed remotely using an MMC snap-in, many key tasks cannot be accomplished without netsh, especially configuring network interfaces, such as setting a static IP address or listing the DNS servers to use.

Rename the Server and Add It to Your Domain

Since the Windows Server 2008 installation process doesn't ask for the computer name before proceeding with the install, the server is given a computer-generated name. This unintuitive random name is practically useless in most environments, so you'll need to rename the server to something more meaningful before joining it to the domain. Microsoft's documentation tells you to use the netdom command to rename a computer. The problem with this command, however, is that you can't rename a computer with it until the computer has joined the domain. To rename the computer before it joins the domain without running a third-party tool, you use Windows Management Instrumentation (WMI). Rather than writing a script and executing it, the easier way is simply to run the WMI Command-line tool (WMIC). This command-line tool is specifically designed to run WMI commands and is ideal for straightforward operations like this.
For example, to rename your server to WINSRV1, you would run this command:

wmic computersystem where name="%computername%" rename name="WINSRV1"

This command should result in a ReturnValue of 0, indicating a successful rename, as shown in Figure 2-5. Before going on, reboot the server so that the new computer name takes effect.

Figure 2-5. Renaming a Server Core installation

After you rename the computer, you can join it to the domain using the netdom join command. You will need three pieces of information to complete this command: the name of the domain, the username of an account that has rights to join computers to the domain, and of course the password for that account. For example, if you wanted to add this server to the TESTLAB domain using an account called SysAdmin with the password P@ssword, you would run the following:

Netdom join %computername% /domain:TESTLAB /userd:SysAdmin /passwordd:P@ssword

If you don't want to type the password explicitly like this, because people around you can see the console, replace /passwordd:P@ssword with /passwordd:* and netdom will prompt you for the password instead. You will need to restart the computer after it has been joined to the domain.

NOTE Don't be concerned if this command takes a while to complete. Depending on your network environment, it could take a minute or two before the command completes successfully.

Configure Automatic Updates

You would think that Microsoft would have at least provided an easy way to initiate and configure Automatic Updates, but without Windows Explorer or even Internet Explorer, getting updates installed can be quite tricky. You'll have to rely on a Windows script file called scregedit.wsf, which is located in the %WINDIR%\System32 directory. Unfortunately, with Server Core it's all or nothing when it comes to Automatic Updates: you either enable or disable it completely.
Since there's no GUI, you have no way of controlling which updates to install. The workaround is to configure Automatic Updates through Group Policy in conjunction with a patch-management solution such as Windows Server Update Services, so that you control exactly which patches your server receives. To enable Automatic Updates manually, run this command:

Cscript Scregedit.wsf /AU 4

To turn off Automatic Updates (the default), run this command:

Cscript Scregedit.wsf /AU 1

NOTE A graphical warning message is displayed whenever you run Scregedit.wsf commands through the default script host. To avoid this, when you open a command prompt to run these commands, change the current directory to %WINDIR%\System32 and run the script using CScript, for example cscript.exe scregedit.wsf /AU 4.

Enable Remote Administration

Technically, you can already manage your Server Core installation remotely using the Computer Management MMC snap-in; however, Terminal Services in Remote Administration mode is disabled by default, and you will need to turn it on if you want that capability. To do so, go back to the scregedit.wsf script and run the following:

Cscript Scregedit.wsf /AR 0

Yes, that is a zero. The logic is reversed: 0 means you want to enable Terminal Services in Remote Administration mode and 1 means you want to disable it. If you want to manage your Windows Server 2008 instance from a previous Windows version, you will need to allow these "legacy" connections explicitly, since by default Terminal Services in Windows Server 2008 requires a higher level of security, authentication through the Credential Security Support Provider (CredSSP), before a session is established.
To allow Terminal Services connections from a previous Windows version, run this command:

Cscript Scregedit.wsf /CS 0

If you set CS to 1 (the default), Terminal Services requires CredSSP-based Network Level Authentication, which at the time of writing is supported only by the clients shipped with Windows Server 2008 and Windows Vista. Leave it at 1 unless you genuinely must admit older clients: with CredSSP the user is authenticated before a session and logon screen are created for them, so an unauthenticated attacker never reaches that code.

TIP Since the Windows Firewall is enabled on all interfaces in all profiles by default, simply enabling Terminal Services in Remote Administration mode won't let you control the server remotely using the Remote Desktop Protocol (RDP). The right way is to explicitly open the Terminal Services port on the server. This can be achieved by adding a firewall rule that allows inbound TCP connections to port 3389 through netsh:

Netsh advfirewall firewall add rule name="TS Admin" protocol=TCP dir=in localport=3389 action=allow

Equivalently, you can enable the predefined Remote Desktop rule group:

Netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

Configure the Windows Firewall

The Windows Firewall is a host-based, bidirectional network traffic filter. Unlike the initial incarnation of the Windows Firewall, which debuted in Windows XP SP2 and filtered only inbound traffic, the new Windows Firewall can control both inbound and outbound traffic. The current Windows Firewall is also network-aware, in that you can define policies depending on whether the server is on a network where it can authenticate to the domain, on a public network directly attached to the Internet, or on an explicitly defined private network. For example, you can allow file and print sharing on a domain network and block it on a public network.

Configuring the firewall involves either working with the Netsh command at the command prompt or using the Windows Firewall with Advanced Security MMC snap-in from a remote Windows Server 2008 server. Unless you're absolutely hardcore and love playing with the command line, I strongly recommend using the Windows Firewall with Advanced Security MMC snap-in.
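The post-installation tasks walked through above (Administrator password, static addressing and DNS, activation, rename and domain join, Automatic Updates, remote administration, and the RDP firewall rule), collected into a single batch file for the Server Core console. This is an added example, not a script from the book. It assumes the lab values used in the text: interface index 2, 192.168.100.75/24 via 192.168.100.1, DNS at 192.168.100.40, the new name WINSRV1, the TESTLAB domain and a join account named SysAdmin; the C:\join-domain.cmd follow-up file is my own device for running the join after the rename's reboot. Wherever the book's one-liners put a password on the command line, the script uses the prompting forms instead.

```batch
@echo off
REM Added example (not from the book): Server Core post-installation sequence.
REM Assumptions: run from the server console as Administrator; the values
REM below are lab values and must be edited for your network. Check the
REM interface index first with "netsh interface ipv4 show interfaces".
setlocal
set "IFIDX=2"
set "IPADDR=192.168.100.75"
set "MASK=255.255.255.0"
set "GW=192.168.100.1"
set "DNS1=192.168.100.40"
set "NEWNAME=WINSRV1"
set "DOMAIN=TESTLAB"
set "JOINUSER=SysAdmin"

REM 1. Administrator password. "*" makes net user prompt twice without echo,
REM    instead of taking the password on a command line that onlookers (and
REM    anything that records the console) can read.
net user Administrator *
if errorlevel 1 exit /b 1

REM 2. Static address, gateway and DNS on the chosen interface, then show it.
netsh interface ipv4 set address name=%IFIDX% source=static address=%IPADDR% mask=%MASK% gateway=%GW%
if errorlevel 1 exit /b 1
netsh interface ipv4 add dnsserver name=%IFIDX% address=%DNS1%
netsh interface ipv4 show config name=%IFIDX%

REM 3. Activation (uses the product key entered during setup; needs Internet access).
cscript //nologo %WINDIR%\system32\slmgr.vbs -ato

REM 4. Rename via WMI. The name takes effect at the reboot below, and netdom
REM    cannot join until then, so the join is written out as a follow-up
REM    script. /passwordd:* makes netdom prompt for the join password.
wmic computersystem where name="%COMPUTERNAME%" rename name="%NEWNAME%"
> "%SYSTEMDRIVE%\join-domain.cmd" echo netdom join %%COMPUTERNAME%% /domain:%DOMAIN% /userd:%JOINUSER% /passwordd:*
echo After the reboot, run %SYSTEMDRIVE%\join-domain.cmd and then reboot once more.

REM 5. Automatic Updates on (4 = enable) and Remote Desktop for administration
REM    (0 = enable, reversed logic). /CS 1 keeps CredSSP/NLA required; only
REM    set it to 0 if pre-Vista clients really must connect.
cscript //nologo %WINDIR%\system32\scregedit.wsf /AU 4
cscript //nologo %WINDIR%\system32\scregedit.wsf /AR 0
cscript //nologo %WINDIR%\system32\scregedit.wsf /CS 1

REM 6. The firewall blocks 3389 inbound even with /AR 0, so open it, and allow
REM    the Windows Firewall with Advanced Security snap-in to manage this host.
netsh advfirewall firewall add rule name="TS Admin" dir=in protocol=TCP localport=3389 action=allow
netsh advfirewall set currentprofile settings remotemanagement enable

echo Rebooting in 60 seconds to apply the new computer name.
shutdown /r /t 60
endlocal
```

Two things the script does differently from the interactive walkthrough are deliberate: no credential ever appears in a command line or in the file it writes, and every setting that the book's reversed-logic switches control is spelled out in a comment next to the value, so the file can be reviewed before it is run.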
However, before you can remotely manage the Server Core installation's firewall using the MMC snap-in, you will have to enable remote management. To enable remote management of the firewall, enter the following:

Netsh advfirewall set currentprofile settings remotemanagement enable

Once remote management is enabled, you can go to another Windows Server 2008 installation, add the Windows Firewall with Advanced Security MMC snap-in, and point it at the server you want to manage. If only one Windows Server 2008 instance is on your network, you will need to configure the firewall using Netsh. To view the profile-specific properties of all profiles, run this command:

Netsh advfirewall show allprofiles

In the output, you'll see the general properties of your domain, private, and public profiles, such as the state (whether the profile is enabled or disabled), the general policy (for example, whether outbound connections are allowed and inbound connections blocked), and the name of the log file. If you want to enable a specific profile, for example the domain profile, run this command:

Netsh advfirewall set domainprofile state on

Let's say you want a rule to allow inbound TCP connections to port 80. This can be accomplished by running the following command:

Netsh advfirewall firewall add rule name="Port80 Allow" dir=in protocol=TCP localport=80 action=allow

The Windows Firewall also lets you create a blanket rule that allows or blocks any traffic to or from an application, based on its executable.
For example, if you had an application called myapp.exe in the C:\myapp directory that listened on several ports on the server, you could allow any inbound connection to that application by running this:

Netsh advfirewall firewall add rule name="Allow Myapp" dir=in program="C:\myapp\myapp.exe" action=allow

You can view all your currently defined inbound rules by running this command:

Netsh advfirewall firewall show rule name=all dir=in verbose

The verbose parameter is optional, but if you omit it, you won't see the path to the executable for any application-based rules you've defined.

This barely scratches the surface of the netsh commands you can use to configure the Windows Firewall. To find out more, view the netsh advfirewall help by running this command:

Netsh advfirewall help

As you can tell, this method of manipulating the Windows Firewall can be quite tedious. It is most useful when you are writing a script to define the firewall rules. In most cases, though, it's best to use the Windows Firewall with Advanced Security MMC snap-in, which offers a more intuitive and easier way to define rules and configure profiles.

Installing and Configuring Server Roles

Up to this point, you have accomplished a base installation of Server Core. Just like the regular Windows Server 2008 installation, Server Core has no roles installed by default. If you want your Server Core installation to perform any of the seven supported roles, you will need to install each of them individually from the command line. Since only seven roles are supported by Server Core, you need to know only a handful of commands.

Installing and Configuring the DNS Server Role

DNS is a key infrastructure component because it's so critical to Active Directory.
This role is an ideal candidate for Server Core, since once you set it up, you probably won't touch it much other than to perform regular maintenance. To install the DNS Server role, run this command:

Start /w ocsetup DNS-Server-Core-Role

It will take a few minutes to install and won't display a progress dialog, so be patient. Remember that this installs only the DNS Server role; nothing is configured yet. You can configure the DNS server using the DNS MMC snap-in from a different computer or by running dnscmd at the command prompt. To view the general parameters of your newly installed DNS server, run this command:

Dnscmd /info

The most logical first step after installing a DNS server is to configure the DNS zones. For example, to add a zone called testlab.local as a primary zone, run this command:

Dnscmd /zoneadd "testlab.local" /Primary /file "testlab.local.dns"

Now if you want to add an A record for a host called testpc with the IP address 192.168.100.71 to the testlab.local zone, enter this:

Dnscmd /recordadd testlab.local testpc A 192.168.100.71

The /recordadd switch can be used to add any record type to the DNS server. Simply replace the A before the IP address with whatever record type you want, for example CNAME or MX, followed by the parameters required by that record type. Run this command to see a list of available record types and their parameters:

Dnscmd /recordadd /?

If you want to view all the records of a particular zone, use the /zoneprint switch. For example, to list all the entries of your testlab.local zone, run this:

Dnscmd /zoneprint testlab.local

If you want to delete a record, run dnscmd with the /recorddelete switch.
To delete the A record entry for the testpc record created earlier, you'd run this command:

Dnscmd /recorddelete testlab.local testpc A 192.168.100.71 /f

The /f switch at the end indicates that you want to force the deletion of this record; otherwise, dnscmd will politely ask for confirmation before deleting the record. There's more to DNS than what you've learned so far, especially the new features of DNS in Windows Server 2008, which are covered in Chapter 10.

Dnscmd is a powerful and useful command for configuring DNS on Windows Server 2008. On Server Core it's the only way to make changes to your DNS Server locally, since the MMC snap-in isn't available there, but it can also be executed remotely from a different server by passing the server name as its first argument. Again, I would recommend using the DNS MMC snap-in whenever possible rather than dnscmd, since the snap-in is far more intuitive. If you later decide that this Server Core instance will no longer provide DNS services, you can uninstall the role by running the following:

Start /w ocsetup DNS-Server-Core-Role /uninstall

Installing and Configuring the DHCP Server Role

Whether you are configuring a small environment or an enterprise-size network, you will most likely want to use DHCP to manage the IP addresses in your environment. Before you can do that with Windows Server Core, you will need to install this role using the following command:

Start /w ocsetup DHCPServerCore

Once installed, you can configure your DHCP scopes using either netsh or the DHCP MMC snap-in from a remote server. Also, if this DHCP Server is acting within an Active Directory domain, it must be authorized in Active Directory before it will issue IP addresses. You can authorize a DHCP Server in the domain using the DHCP MMC snap-in, but it can also be done using netsh.
For example, if your Server Core instance is called WINDHCP1 and has the IP address 172.16.0.5, and you want to authorize it in your domain, log onto WINDHCP1 with domain credentials that have rights to authorize DHCP servers (by default, membership in Enterprise Admins), and then run the following command:

Netsh dhcp add server WINDHCP1 172.16.0.5

Likewise, if you want to unauthorize the server, you can run this:

Netsh dhcp delete server WINDHCP1 172.16.0.5

If you later decide that this Server Core instance will no longer provide DHCP services, the role can be uninstalled like so:

Start /w ocsetup DHCPServerCore /uninstall

Installing and Configuring the File Server Role

By default, the basic File Server role is installed on Windows Server 2008, including Server Core. If you want to use some of the more advanced File Server roles, such as the following, they will need to be installed:

▼ File Replication
■ Distributed File System (DFS)
■ Distributed File System Replication
▲ Network File System (NFS)

It should come as no surprise that to install these additional roles you will use the ocsetup command as you did for the DNS and DHCP installations. Table 2-1 shows the command to install each File Server role. Currently no command-line tools are provided to manage these additional File Server roles, so you will need to manage them remotely via the appropriate MMC snap-ins. To uninstall any of them, you can run the same command used to install them and add a /uninstall switch at the end.

Role                                  Installation Command
File Replication                      start /w ocsetup FRS-Infrastructure
Distributed File System               start /w ocsetup DFSN-Server
Distributed File System Replication   start /w ocsetup DFSR-Infrastructure-ServerEdition
Network File System                   start /w ocsetup ServerForNFS-Base
                                      start /w ocsetup ClientForNFS-Base

Table 2-1.
Commands to Install File Server Roles

Installing and Configuring the Print Server Role

One of the most prevalent uses for Windows servers is to act as print servers. This is generally regarded as a core infrastructure role, so it makes perfect sense for it to belong in Server Core. In most environments, a print server acts as a print server and nothing else, which fits nicely into the Server Core model of running minimal additional services for key infrastructure roles. To install the Print Server role, simply run this command:

Start /w ocsetup Printing-ServerCore-Role

If you want to install the Line Printer Daemon (LPD) s