Windows Server 2008
UNLEASHED
800 East 96th Street, Indianapolis, Indiana 46240 USA
Rand Morimoto, Ph.D., MCSE, CISSP Michael Noel, MCSE+I, CISSP, MCSA, MVP Omar Droubi, MCSE
Ross Mistry, MCTS, MCDBA, MCSE Chris Amaris, MCSE, CISSP
All rights reserved. No part of this book shall be reproduced, stored in a
retrieval system, or transmitted by any means, electronic, mechanical,
photocopying, recording, or otherwise, without written permission from the publisher.
No patent liability is assumed with respect to the use of the information
contained herein. Although every precaution has been taken in the preparation
of this book, the publisher and author assume no responsibility for errors or
omissions. Nor is any liability assumed for damages resulting from the use of
the information contained herein.
ISBN-13: 978-0-672-32930-2
ISBN-10: 0-672-32930-1
Library of Congress Cataloging-in-Publication Data is on file
Printed in the United States of America
First Printing: February 2008
Trademarks
All terms mentioned in this book that are known to be trademarks or service
marks have been appropriately capitalized. Sams Publishing cannot attest to
the accuracy of this information. Use of a term in this book should not be
regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate
as possible, but no warranty or fitness is implied. The information provided is
on an “as is” basis. The authors and the publisher shall have neither liability
nor responsibility to any person or entity with respect to any loss or damages
arising from the information contained in this book.
Bulk Sales
Sams Publishing offers excellent discounts on this book when ordered in
quantity for bulk purchases or special sales. For more information, please contact
U.S. Corporate and Government Sales
Publishing Coordinator: Cindy Teeters
Book Designer: Gary Adair
Senior Compositor: Jake McFarland
Contributing Writers:
Kimberly Amaris, PMP
Scott G. Chimner, CISSP, MCSE, MCSA
Stefan Garaygay, MCSE
Jeff Guillet, MCSE: Messaging, MCSA, MCP+I, CISSP
Robert Jue, MCSE, MCDBA
Tyson Kopczynski, CISSP, GSEC, GCIH, MCSE Security
Alec Minty, MCSE
Shirmattie Seenarine
Colin Spence, MCP
James V. Walker, MCP, MCSE
Chris Wallace, MCSA, MCSE
Contents at a Glance
Part I Windows Server 2008 Overview
1 Windows Server 2008 Technology Primer .3
2 Planning, Prototyping, Migrating, and Deploying Windows Server 2008 Best Practices .39
3 Installing Windows Server 2008 and Server Core .73
Part II Windows Server 2008 Active Directory
4 Active Directory Domain Services Primer .105
5 Designing a Windows Server 2008 Active Directory .139
6 Designing Organizational Unit and Group Structure .165
7 Active Directory Infrastructure .185
8 Creating Federated Forests and Lightweight Directories .217
9 Integrating Active Directory in a UNIX Environment .235
Part III Networking Services
10 Domain Name System and IPv6 .251
11 DHCP/WINS/Domain Controllers .297
12 Internet Information Services .331
Part IV Security
13 Server-Level Security .375
14 Transport-Level Security .399
15 Security Policies, Network Policy Server, and Network Access Protection .415
Part V Migrating to Windows Server 2008
16 Migrating from Windows 2000/2003 to Windows Server 2008 .439
17 Compatibility Testing for Windows Server 2008 .473
Part VI Windows Server 2008 Administration and Management
18 Windows Server 2008 Administration .499
19 Windows Server 2008 Group Policies and Policy Management .533
20 Windows Server 2008 Management and Maintenance Practices .581
23 Integrating System Center Operations Manager 2007 with Windows Server 2008 .715
Part VII Remote and Mobile Technologies
24 Server-to-Client Remote and Mobile Access .737
25 Terminal Services .783
Part VIII Desktop Administration
26 Windows Server 2008 Administration Tools for Desktops .839
27 Group Policy Management for Network Clients .865
Part IX Fault Tolerance Technologies
28 File System Management and Fault Tolerance .935
29 System-Level Fault Tolerance (Clustering/Network Load Balancing) .993
30 Backing Up the Windows Server 2008 Environment .1043
31 Recovering from a Disaster .1077
Part X Optimizing, Tuning, Debugging, and Problem Solving
32 Optimizing Windows Server 2008 for Branch Office Communications .1111
33 Logging and Debugging .1145
34 Capacity Analysis and Performance Optimization .1189
Part XI Integrated Windows Application Services
35 Windows SharePoint Services 3.0 .1233
36 Windows Media Services .1281
37 Deploying and Using Windows Virtualization .1313
Index .1339
Table of Contents
Part I Windows Server 2008 Overview
1 Windows Server 2008 Technology Primer 3
Windows Server 2008 Defined .3
Windows 2008 Under the Hood .4
Windows Server 2008 as an Application Server .6
When Is the Right Time to Migrate? .8
Adding a Windows Server 2008 System to a Windows 2000/2003 Environment .8
Migrating from Windows 2000/2003 Active Directory to Windows Server 2008 Active Directory .9
Versions of Windows Server 2008 .9
Windows Server 2008, Standard Edition .10
Windows Server 2008, Enterprise Edition .10
Windows Server 2008, Datacenter Edition .11
Windows Web Server 2008 .11
Windows Server 2008 Server Core .12
What’s New and What’s the Same About Windows Server 2008? .13
Visual Changes in Windows Server 2008 .13
Continuation of the Forest and Domain Model .13
Changes That Simplify Tasks .14
Increased Support for Standards .16
Changes in Active Directory .16
Renaming Active Directory to Active Directory Domain Services .17
Renaming Active Directory in Application Mode to Active Directory Lightweight Directory Service .17
Expansion of the Active Directory Federation Services .17
Introducing the Read-Only Domain Controller .18
Windows Server 2008 Benefits for Administration .18
Improvements in the Group Policy Management .19
Introducing Performance and Reliability Monitoring Tools .20
Leveraging File Server Resource Manager .21
Introduction of Windows Deployment Services .21
Improvements in Security in Windows Server 2008 .22
Enhancing the Windows Server 2008 Security Subsystem .22
Transport Security Using IPSec and Certificate Services .23
Security Policies, Policy Management, and Supporting Tools for Policy Enforcement .23
Improvements in Windows Server 2008 for Better Branch Office Support .23
Read-Only Domain Controllers for the Branch Office .24
BitLocker for Server Security .24
Distributed File System Replication .25
Improvements in Distributed Administration .26
Improvements for Thin Client Terminal Services .26
Improvements in RDP v6.x for Better Client Capabilities .26
Terminal Services Web Access .27
Terminal Services Gateway .28
Terminal Services Remote Programs .28
Improvements in Clustering and Storage Area Network Support .29
No Single Point of Failure in Clustering .29
Stretched Clusters .30
Improved Support for Storage Area Networks .30
Improvements in Server Roles in Windows Server 2008 .30
Introducing Internet Information Services 7.0 .30
Windows SharePoint Services .31
Windows Rights Management Services .31
Windows Server Virtualization .32
Identifying Which Windows Server 2008 Service to Install or Migrate to First .33
Windows Server 2008 Core to an Active Directory Environment .33
Windows Server 2008 Running Built-in Application Server Functions .34
Windows Server 2008 Running Add-in Applications Server Functions .36
2 Planning, Prototyping, Migrating, and Deploying Windows Server 2008 Best Practices 39
Determining the Scope of Your Project .40
Identifying the Business Goals and Objectives to Implement Windows Server 2008 .40
High-Level Business Goals .41
Business Unit or Departmental Goals .42
Identifying the Technical Goals and Objectives to Implement Windows Server 2008 .43
Defining the Scope of the Work .44
Determining the Time Frame for Implementation or Migration .46
Defining the Participants of the Design and Deployment Teams .48
The Discovery Phase: Understanding the Existing Environment .49
Understanding the Geographical Depth and Breadth .51
Managing Information Overload .52
The Design Phase: Documenting the Vision and the Plan .52
Collaboration Sessions: Making the Design Decisions .53
Organizing Information for a Structured Design Document .54
Windows Server 2008 Design Decisions .55
Agreeing on the Design .56
The Migration Planning Phase: Documenting the Process for Migration .57
Time for the Project Plan .57
Speed Versus Risk .58
Creating the Migration Document .59
The Prototype Phase: Creating and Testing the Plan .62
How Do You Build the Lab? .63
Results of the Lab Testing Environment .63
The Pilot Phase: Validating the Plan to a Limited Number of Users .64
The First Server in the Pilot .65
Rolling Out the Pilot Phase .66
Fixing Problems in the Pilot Phase .67
Documenting the Results of the Pilot .67
The Migration/Implementation Phase: Conducting the Migration or Installation .67
Verifying End-User Satisfaction .67
Supporting the New Windows Server 2008 Environment .68
3 Installing Windows Server 2008 and Server Core 73
Preplanning and Preparing a Server Installation .73
Verifying Minimum Hardware Requirements .74
Choosing the Appropriate Windows Edition .75
Choosing a New Installation or an Upgrade .75
Determining the Type of Server to Install .77
Gathering the Information Necessary to Proceed .77
Backing Up Files .79
Installing a Clean Version of Windows Server 2008 Operating System .79
1 Customizing the Language, Time, Currency, and Keyboard Preferences .80
2 The Install Now Page .80
3 Entering the Product Key .80
4 Selecting the Type of Operating System to Install .81
5 Accepting the Terms of the Windows Server 2008 License .82
6 Selecting the Type of Windows Server 2008 Installation .82
7 Selecting the Location for the Installation .82
8 Finalizing the Installation and Customizing the Configuration .83
Upgrading to Windows Server 2008 .88
Backing Up the Server .88
Verifying System Compatibility .89
Ensuring the Drivers Are Digitally Signed .89
Performing Additional Tasks .89
Performing the Upgrade .90
Understanding Server Core Installation .93
Performing a Server Core Installation .93
Managing and Configuring a Server Core Installation .95
Launching the Command Prompt in a Server Core Installation .95
Changing the Server Core Administrator’s Password .95
Changing the Server Core Machine Name .96
Assigning a Static IPV4 IP Address and DNS Settings .96
Adding the Server Core System to a Domain .97
Server Core Roles and Feature Installations .97
Installing the Active Directory Domain Services Role .99
Performing an Unattended Windows Server 2008 Installation .100
Part II Windows Server 2008 Active Directory
4 Active Directory Domain Services Primer 105
Examining the Evolution of Directory Services .106
Reviewing the Original Microsoft Directory Systems .106
Numbering the Key Features of Active Directory Domain Services .107
Understanding the Development of AD DS .107
Detailing Microsoft’s Adoption of Internet Standards .108
Examining AD DS’s Structure .108
Understanding the AD DS Domain .108
Describing AD DS Domain Trees .109
Describing Forests in AD DS .110
Numbering the AD DS Authentication Modes .110
Outlining Functional Levels in Windows Server 2008 AD DS .110
Outlining AD DS’s Components .111
Understanding AD DS’s X.500 Roots .111
Conceptualizing the AD DS Schema .112
Defining the Lightweight Directory Access Protocol (LDAP) .113
Detailing Multimaster Replication with AD DS Domain Controllers .114
Conceptualizing the Global Catalog and Global Catalog Servers .114
Numbering the Operations Master (OM) Roles .114
Understanding Domain Trusts .116
Conceptualizing Transitive Trusts .116
Understanding Explicit Trusts .116
Defining Organizational Units .118
Determining Domain Usage Versus OU Usage .118
Outlining the Role of Groups in an AD DS Environment .119
Choosing Between OUs and Groups .121
Explaining AD DS Replication .121
Sites, Site Links, and Site Link Bridgeheads .121
Understanding Originating Writes .123
Outlining the Role of DNS in AD DS .123
Examining DNS Namespace Concepts .123
Comprehending Dynamic DNS .124
Comparing Standard DNS Zones and AD-Integrated DNS Zones .125
Understanding How AD DS DNS Works with Foreign DNS .125
Outlining AD DS Security .125
Understanding Kerberos Authentication .125
Taking Additional Security Precautions .126
Outlining AD DS Changes in Windows Server 2008 .126
Restarting AD DS on a Domain Controller .126
Implementing Multiple Password Policies per Domain .127
Auditing Changes Made to AD Objects .132
Reviewing Additional Active Directory Services .133
Examining Additional Windows Server 2008 AD DS Improvements .134
Reviewing Legacy Windows Server 2003 Active Directory Improvements .134
5 Designing a Windows Server 2008 Active Directory 139
Understanding AD DS Domain Design .139
Examining Domain Trusts .140
Choosing a Domain Namespace .141
Choosing an External (Published) Namespace .141
Choosing an Internal Namespace .142
Examining Domain Design Features .142
Choosing a Domain Structure .143
Understanding the Single Domain Model .144
Choosing the Single Domain Model .145
Exploring a Single Domain Real-World Design Example .146
Understanding the Multiple Domain Model .147
Choosing When to Add Additional Domains .148
Exploring a Multiple Domain Real-World Design Example .149
Understanding the Multiple Trees in a Single Forest Model .150
Choosing When to Deploy a Multiple Tree Domain Model .150
Examining a Multiple Tree Domain Real-World Design Example .151
Understanding the Federated Forests Design Model .151
Determining When to Choose Federated Forests .153
Exploring a Federated Forests Real-World Design Example .153
Understanding the Empty-Root Domain Model .154
Determining When to Choose the Empty-Root Model .156
Examining a Real-World Empty-Root Domain Design Example .157
Understanding the Placeholder Domain Model .158
Examining a Placeholder Domain Real-World Design Example .158
Understanding the Special-Purpose Domain Design Model .159
Examining a Special-Purpose Domain Real-World Design Example .160
Renaming an AD DS Domain .160
Domain Rename Limitations .161
Outlining Domain Rename Prerequisites .161
Renaming a Domain .161
6 Designing Organizational Unit and Group Structure 165
Defining Organizational Units in AD DS .166
Defining AD Groups .168
Outlining Group Types: Security or Distribution .168
Understanding Group Scope .170
Examining OU and Group Design .171
Starting an OU Design .172
Examining Overuse of OUs in Domain Design .173
OU Flexibility .173
Using OUs to Delegate Administration .174
Group Policies and OU Design .175
Understanding Group Design .177
Detailing Best Practice for Groups .177
Establishing Group Naming Standards .178
Group Nesting .178
Designing Distribution Groups .178
Exploring Sample Design Models .178
Examining a Business Function–Based Design .178
Understanding Geographically Based Design .181
7 Active Directory Infrastructure 185
Understanding AD DS Replication in Depth .185
Understanding the Role of Replication in AD DS .186
Outlining Multimaster Topology Concepts .186
Explaining Update Sequence Numbers (USNs) .186
Describing Replication Collisions .187
Understanding Property Version Numbers .187
Describing Connection Objects .188
Understanding Replication Latency .189
Understanding Active Directory Sites .190
Outlining Windows Server 2008 Site Improvements .191
Associating Subnets with Sites .191
Using Site Links .192
Defining Site Link Bridging .194
Understanding the Knowledge Consistency Checker (KCC) and the Intersite Topology Generator (ISTG) .195
Detailing Site Cost .195
Utilizing Preferred Site Link Bridgeheads .197
Deploying AD DS Domain Controllers on Server Core .197
Planning Replication Topology .198
Mapping Site Design into Network Design .198
Establishing Sites .198
Choosing Between One Site or Many Sites .199
Associating Subnets with Sites .200
Determining Site Links and Site Link Costs .200
Choosing Replication Scheduling .200
Choosing SMTP or IP Replication .201
Windows Server 2008 Replication Enhancements .201
Domain Controller Promotion from Media .201
Identifying Linked-Value Replication/Universal Group Membership Caching .202
Removing Lingering Objects .203
Disabling Replication Compression .203
Understanding How AD Avoids Full Synchronization of Global Catalog with Schema Changes .204
Intersite Topology Generator Algorithm Improvements .204
Outlining Windows Server 2008 IPv6 Support .204
Defining the Structure of IPv6 .205
Understanding IPv6 Addressing .206
Migrating to IPv6 .207
Making the Leap to IPv6 .207
Detailing Real-World Replication Designs .207
Viewing a Hub-and-Spoke Replication Design .207
Outlining Decentralized Replication Design .209
Deploying Read-Only Domain Controllers (RODCs) .211
Understanding the Need for RODCs .211
Outlining the Features of RODCs .212
Deploying an RODC .212
8 Creating Federated Forests and Lightweight Directories 217
Keeping a Distributed Environment in Sync .217
AD Lightweight Directory Services .218
Understanding the Need for AD LDS .218
Outlining the Features of AD LDS .219
Installing AD LDS .219
Active Directory Federation Services .223
Understanding the Key Components of AD FS .223
Installing AD FS with Windows Server 2008 .224
Working with AD FS .226
Microsoft Identity Lifecycle Manager (ILM) 2007 .226
The History of ILM 2007 .226
Outlining the Identity Integration Feature Pack (IIFP) .227
The SQL Server Database for ILM 2007 .228
ILM 2007 Terminology .228
ILM 2007 Management Agents .229
Management Agent Run Profiles .229
Installing Identity Lifecycle Manager 2007 .229
Harnessing the Power and Potential of ILM 2007 .230
Managing Identities with ILM 2007 .231
Provisioning and Deprovisioning Accounts with ILM 2007 .232
Summarizing ILM 2007 .233
9 Integrating Active Directory in a UNIX Environment 235
Understanding and Using Windows Server 2008 UNIX Integration Components .235
The Development of Windows Server 2008 UNIX Integration Components .236
Understanding the UNIX Interoperability Components in Windows Server 2008 .237
Prerequisites for Windows Server 2008 UNIX Integration .237
Installing Services for Network File System (NFS) .238
Using and Administering Services for NFS .239
Configuring Active Directory Lookup for UNIX GID and
Configuring Client for NFS and Server for NFS Settings .241
Creating NFS Shared Network Resources .241
Reviewing the Subsystem for UNIX-Based Applications (SUA) .242
Installing the Subsystem for UNIX-Based Applications .242
Subsystem for UNIX-Based Applications Scripting .243
Subsystem for UNIX-Based Application Tools and Programming Languages .243
Understanding the Identity Management for UNIX Components .243
Installing Identity Management for UNIX Components .244
Configuring Password Change Capabilities .245
Adding NIS Users to Active Directory .245
Administrative Improvements with Windows Server 2008 .246
Performing Remote Administration with Telnet Server and Client .246
Scripting with ActivePerl .247
Part III Networking Services
10 Domain Name System and IPv6 251
Understanding the Need for DNS .252
Detailing the History of DNS .252
Establishing a Framework for DNS .253
Explaining the DNS Hierarchy .253
Outlining the DNS Namespace .254
Getting Started with DNS on Windows Server 2008 .254
Installing DNS Using the Add Roles Wizard .254
Configuring DNS Server to Point to Itself .257
Resource Records .257
Start of Authority (SOA) Records .258
Host (A) Records .258
Name Server (NS) Records .259
Service (SRV) Records .259
Mail Exchanger (MX) Records .260
Pointer (PTR) Records .261
Canonical Name (CNAME) Records .261
Other DNS Record Types .261
Understanding DNS Zones .261
Forward Lookup Zones .262
Reverse Lookup Zones .263
Primary Zones .263
Secondary Zones .263
Stub Zones .263
Performing Zone Transfers .265
Performing Full Zone Transfers .267
Initiating Incremental Zone Transfers .267
Understanding DNS Queries .268
Performing Recursive Queries .268
Performing Iterative Queries .268
Other DNS Components .269
Dynamic DNS .270
The Time to Live Value .270
Performing Secure Updates .271
Exploring Aging and Scavenging for DNS .272
Examining Root Hints .273
Understanding the Role of Forwarders .273
Using WINS for Lookups .274
Understanding the Evolution of Microsoft DNS .274
Active Directory–Integrated Zones .274
Dynamic Updates .275
Unicode Character Support .275
DNS in Windows Server 2008 .275
Application Partition .275
Automatic Creation of DNS Zones .276
Fix to the “Island” Problem .276
Forest Root Zone for _msdcs .276
DNS in an Active Directory Domain Services Environment .277
The Impact of DNS on Active Directory Domain Services .277
Active Directory Domain Services in Non-Microsoft DNS Implementations .278
Using Secondary Zones in an AD DS Environment .278
SRV Records and Site Resolution .278
GlobalNames Zone .280
Troubleshooting DNS .281
Using the DNS Event Viewer to Diagnose Problems .281
Using Performance Monitor to Monitor DNS .282
Client-Side Cache and HOST Resolution Problems .282
Using the NSLOOKUP Command-Line Utility .282
Using the IPCONFIG Command-Line Utility .283
Using the TRACERT Command-Line Utility .284
Using the DNSCMD Command-Line Utility .284
IPv6 Introduction .285
IPv6 Addressing .286
Comprehending IPv6 Addressing .288
Bridging the Gap with ISATAP .288
Other Compatibility Addresses .289
How to Configure IPv6 on Windows Server 2008 .289
Manually Setting the IPv6 Address .290
Setting Up a DHCPv6 Server on Windows Server 2008 .291
Setting Up a DHCPv6 Scope on Windows Server 2008 .292
Adding an IPv6 Host Record in Windows Server 2008 DNS .292
11 DHCP/WINS/Domain Controllers 297
Understanding the Key Components of an Enterprise Network .298
Detailing the Importance of Network Addressing .298
Understanding Name Resolution .298
Examining Directory Integration .299
Outlining Network Services Changes in Windows Server 2008 .299
Exploring the Dynamic Host Configuration Protocol (DHCP) .300
Detailing the Need for DHCP .300
Outlining DHCP Predecessors: RARP and BOOTP .300
Exploring the DHCP Server Service .300
Examining the DHCP Client Service .301
Understanding Automatic Private IP Addressing (APIPA) .301
Detailing DHCP Relay Agents .302
Examining DHCP and Dynamic DNS .303
Installing DHCP and Creating New Scopes .304
Exploring DHCP Changes in Windows Server 2008 .307
Automating DHCP Database Backup and Restore .307
Understanding DHCP Client Alternate Network Capability .308
Performing DHCP Failover .308
Examining the 50/50 Failover Approach for DHCP Fault Tolerance .309
Exploring the 80/20 Failover Approach to DHCP Fault Tolerance .310
Understanding the 100/100 Failover Approach to DHCP Fault Tolerance .311
Examining the Standby Scopes Approach .312
Clustering DHCP Servers .312
Exploring Advanced DHCP Concepts .312
Understanding DHCP Superscopes .313
Examining DHCP Multicast Scopes .313
Delegating Administration of DHCP .313
Using the Netsh Command-Line Utility .314
Performing DHCP Database Maintenance .314
Securing DHCP .315
Examining DHCP Authorization .315
Understanding DHCP and Domain Controller Security .316
Reviewing the Windows Internet Naming Service (WINS) .317
Understanding the Need for Legacy Microsoft NetBIOS Resolution .317
Exploring WINS and DNS Integration .317
Reviewing Changes in Windows Server 2008 WINS .318
Installing and Configuring WINS .319
Installing WINS .319
Configuring Push/Pull Partners .320
Examining WINS Replication .322
Understanding NetBIOS Client Resolution and the LMHOSTS File .322
Planning, Migrating, and Maintaining WINS .323
Designing a WINS Environment .323
Upgrading a WINS Environment .323
Maintaining the WINS Database .325
Exploring Global Catalog Domain Controller Placement .325
Understanding the Role of the Active Directory Global Catalog .325
Placing Global Catalog/Domain Controllers .326
Exploring Universal Group Caching .326
Examining Global Catalog and Domain Controller Placement .326
Examining Read-Only Domain Controllers .327
12 Internet Information Services 331
Understanding Internet Information Services (IIS) 7.0 .331
Improvements in Internet Information Services (IIS) 7.0 .332
Understanding the New IIS Manager Tools .333
Exploring the IIS Manager Administration Panes .333
Examining the IIS Manager Administration Nodes in the Connections Pane .335
Planning and Designing Internet Information Services 7.0 .336
Determining Server Requirements .336
Determining Fault-Tolerance Requirements .337
Installing and Upgrading IIS 7.0 .337
Understanding the Modular Approach to Installing IIS 7.0 Installation .337
Installing the Web Server (IIS) Role .340
Upgrading from Other Versions of IIS .342
Installing and Configuring Websites .343
Creating a Website with IIS 7.0 .343
Creating a Virtual Directory .345
Configuring IIS 7.0 Website Properties .346
Installing and Configuring FTP Services .351
Examining the New “Out-of-Band” FTP 7.0 Service Features .352
Installing the “Out-of-the-Box” Legacy FTP Service .353
Downloading and Installing the New “Out-of-Band” FTP 7.0 Service .353
Creating a Secure FTP 7.0 Site Using SSL .354
Configuring the “Out-of-Band” FTP 7.0 Features and Properties .356
Securing Internet Information Services 7.0 .361
Windows Server 2008 Security .362
IIS Authentication .362
Auditing Web Services .363
Using SSL Certificates .363
Administering IIS 7.0 Administrator and User Security .367
Creating an IIS 7.0 User Account .368
Assigning Permissions to an IIS 7.0 User Account .368
Configuring Feature Delegation .369
Using IIS Logging .369
Part IV Security
13 Server-Level Security 375
Defining Windows Server 2008 Security .375
Outlining Microsoft’s Trustworthy Computing Initiative .376
Common Language Runtime .376
Understanding the Layered Approach to Server Security .376
Deploying Physical Security .376
Restricting Physical Access .377
Restricting Logon Access .377
Using the Run As Administrator Command for Administrative Access .378
Using Smart Cards for Logon Access .379
Securing Wireless Networks .380
Firewall Security .380
Using the Integrated Windows Firewall with Advanced Security .381
Understanding Windows Firewall Integration with Server Manager .381
Creating Inbound and Outbound Rules on the Windows Firewall .382
Hardening Server Security .384
Defining Server Roles .385
Securing a Server Using Server Manager .385
Examining File-Level Security .386
Understanding NT File System (NTFS) Security .386
Examining Share-Level Security Versus NTFS Security .387
Auditing File Access .388
Encrypting Files with the Encrypting File System .389
Additional Security Mechanisms .389
Antivirus Precautions .389
Deploying Backup Security .390
Using Windows Server Update Services .390
Understanding the Background of WSUS: Windows Update .390
Deploying the Automatic Updates Client .391
Understanding the Development of Windows Server Update Services .391
Examining WSUS Prerequisites .392
Installing WSUS on a Windows Server 2008 Server .392
Automatically Configuring Clients via Group Policy .394
Deploying Security Patches with WSUS .396
14 Transport-Level Security 399
Introduction to Transport-Level Security in Windows Server 2008 .400
The Need for Transport-Level Security .400
Deploying Security Through Multiple Layers of Defense .400
Understanding Encryption Basics .401
Deploying a Public Key Infrastructure with Windows Server 2008 .401
Defining Private Key Versus Public Key Encryption .401
Exploring Digital Certificates .402
Understanding Active Directory Certificate Services (AD CS) in Windows Server 2008 .402
Reviewing the Certificate Authority Roles in AD CS .403
Detailing the Role Services in AD CS .403
Installing AD CS .404
Using Smart Cards in a Public Key Infrastructure .407
Using the Encrypting File System (EFS) .407
Integrating PKI with Non-Microsoft Kerberos Realms .408
AD DS Rights Management Services .408
Understanding the Need for AD RMS .408
Understanding AD RMS Prerequisites .409
Installing AD RMS .409
Using IPSec Encryption with Windows Server 2008 .411
Understanding the IPSec Principle .412
Detailing Key IPSec Functionality .412
Exploring IPSec NAT Transversal .412
15 Security Policies, Network Policy Server, and Network Access Protection 415
Understanding Network Access Protection (NAP) in Windows Server 2008 .415
Exploring the Reasons for Deploying NAP .416
Outlining NAP Components .416
Understanding Windows Server 2008 NAP Terminology .417
Deploying a Windows Server 2008 Network Policy Server .417
Exploring NPS Concepts .418
Understanding RADIUS Support on a Network Policy Server .418
Installing a Network Policy Server .419
Enforcing Policy Settings with a Network Policy Server .421
Creating a System Health Validator .421
Creating a Health Policy for Compliant Clients .422
Creating a Health Policy for Noncompliant Clients .422
Creating a Network Policy for Compliant Clients .423
Creating a Network Policy for Noncompliant Clients .424
Configuring a DHCP Server to Restrict Client Leases Based on the NPS Policy .428
Deploying and Enforcing a Virtual Private Network (VPN) Using an RRAS Server .430
Exploring VPN Tunnels .430
Tunneling Protocols .431
PPTP and L2TP Protocols .431
L2TP/IPSec Secure Protocol .431
Enabling VPN Functionality on an RRAS Server .432
Modifying the RRAS Network Policy .434
Part V Migrating to Windows Server 2008
16 Migrating from Windows 2000/2003 to Windows Server 2008 439
Beginning the Migration Process .439
Identifying Migration Objectives .440
Establishing Migration Project Phases .440
Comparing the In-Place Upgrade Versus New Hardware Migration Methods .441
Identifying Migration Strategies: “Big Bang” Versus Phased Coexistence .442
Exploring Migration Options .442
Big Bang Migration .443
Verifying Hardware Compatibility .444
Verifying Application Readiness .444
Backing Up and Creating a Recovery Process .445
Virtual Domain Controller Rollback Option .445
Performing an Upgrade on a Single Domain Controller Server .445
Phased Migration .447
Migrating Domain Controllers .450
Preparing the Forest and Domains Using adprep .451
Upgrading Existing Domain Controllers .453
Replacing Existing Domain Controllers .454
Moving Operation Master Roles .455
Retiring Existing Windows 2000/2003 Domain Controllers .457
Retiring “Phantom” Domain Controllers .457
Upgrading Domain and Forest Functional Levels .459
Moving AD-Integrated DNS Zones to Application Partitions .460
Multiple Domain Consolidation Migration .460
Understanding ADMT v3.1 Functionality .462
Using ADMT in a Lab Environment .462
ADMT v3.1 Installation Procedure .462
ADMT Domain Migration Prerequisites .463
Exporting Password Key Information .464
Installing PES on the Source Domain .464
Setting Proper Registry Permissions .465
Configuring Domains for SID Migration .465
Migrating Groups .466
Migrating User Accounts .467
Migrating Computer Accounts .468
Migrating Other Domain Functionality .470
17 Compatibility Testing for Windows Server 2008 473
The Importance of Compatibility Testing .474
Preparing for Compatibility Testing .475
Determining the Scope for Application Testing .475
Defining the Goals for Compatibility Testing .478
Documenting the Compatibility Testing Plan .482
Researching Products and Applications .482
Taking Inventory of Network Systems .482
Taking Inventory of Applications on Existing Servers .483
Understanding the Differences Between Applications and Windows Services .483
Completing an Inventory Sheet per Application .484
Prioritizing the Applications on the List .485
Verifying Compatibility with Vendors .485
Tracking Sheets for Application Compatibility Research .485
Creating an Upgrade Decision Matrix .489
Assessing the Effects of the Compatibility Results on the Compatibility Testing Plan .490
Lab-Testing Existing Applications .491
Allocating and Configuring Hardware .491
Allocating and Configuring Windows Server 2008 .491
Loading the Remaining Applications .492
Certified for Windows Server 2008 .493
Testing the Migration and Upgrade Process .493
Documenting the Results of the Compatibility Testing .493
Determining Whether a Prototype Phase Is Required .494
Part VI Windows Server 2008 Administration and Management
18 Windows Server 2008 Administration 499Defining the Administrative Model .500The Centralized Administration Model .500The Distributed Administration Model .500The Mixed Administration Model .501Examining Active Directory Site Administration .501Subnets .502Site Links .502Site Group Policies .503Configuring Sites .503Creating a Site .503Establishing Site Links .506Delegating Control at the Site Level .509Examining Windows Server 2008 Active Directory Groups .510Group Types .510Group Scopes in Active Directory .511Creating Groups .511User Administration in a Single Domain .512User Administration Across a Forest of Domains .512Domain Functionality Level and Groups .512Creating AD Groups .513Populating Groups .514Group Management .514Understanding User Profiles .515Examining Profile Types .515Creating a Default Profile .517Copying Profiles for the Default User Profile .518
Managing Users with Local Security and Group Policies
Viewing Policies with the Group Policy Management Console
Creating New Group Policies
Configuring and Optimizing Group Policy
Troubleshooting Group Policy Applications
Managing Printers with the Print Management Console
Installing the Print Management Console
Configuring the Print Management Console
Adding New Printers as Network Shared Resources
Adding Print Servers to the Print Management Console
Using the Print Management Console
19 Windows Server 2008 Group Policies and Policy Management
Group Policy Overview
Group Policy Processing—How Does It Work?
Computer GPO Processing
User GPO Processing
Network Location Awareness
Managing Group Policy Processing with GPO Settings
Local Group Policies
Local Computer Policy
Local User Policies for Non-Administrators and Administrators
Security Templates
Elements of Group Policy
Group Policy Objects
Group Policy Object Storage and Replication
Group Policy Administrative Templates
Windows Vista and Windows Server 2008 Central Store
Starter GPOs
Policy Settings
Preference Settings
Group Policy Object Links
Group Policy Link Enforcement
Group Policy Inheritance
Group Policy Block Inheritance
Group Policy Order of Processing
GPO Filtering
Group Policy Loopback Processing
Group Policy Slow Link Detection and Network Location Awareness
Group Policy Administrative Templates Explained
Administrative Templates for Windows 2000, Windows XP, and Windows Server 2003
Group Policy Administrative Templates for Windows Vista and Windows Server 2008
Custom Administrative Templates
Policy Management Tools
Group Policy Management Console (GPMC)
Group Policy Object Editor (GPOE)
Print Management Console
gpupdate.exe
GPO Scripts
Microsoft Desktop Optimization Pack for Software Assurance
ADMX Migrator
Event Viewer
DFS Management
Designing a Group Policy Infrastructure
Active Directory Design and Group Policy
Separation of GPO Functions
GPO Administrative Tasks
Creating a GPO Central Store
Verifying the Usage of the GPO Central Store
Creating and Utilizing Starter GPOs
Backing Up and Restoring Starter GPOs
Creating New Domain Group Policies
Creating and Configuring GPO Links
Managing GPO Status
Creating and Linking WMI Filters to GPOs
Managing GPO Security Filtering
Managing GPO Link Order of Processing
Viewing GPO Settings and Creating Reports
Backing Up and Restoring Domain GPOs
Group Policy Modeling Operations
Group Policy Results
GPO Administrative Delegation
20 Windows Server 2008 Management and Maintenance Practices
Initial Configuration Tasks
Managing Windows Server 2008 Roles and Features
Roles in Windows Server 2008
Features in Windows Server 2008
Server Manager
Server Manager Roles and Features
Server Manager Roles Page
Server Manager Features Page
Server Manager Diagnostics Page
Event Viewer
Server Manager Reliability and Performance Monitor
Device Manager
Server Manager Configuration Page
Task Scheduler
Windows Firewall with Advanced Security
Services
WMI Control
Server Manager Storage Page
Windows Server Backup
Disk Management
Auditing the Environment
Audit Policies
Audit Policy Subcategories
Auditing Resource Access
Managing Windows Server 2008 Remotely
Remote Server Administration Tools
Windows Remote Management
PowerShell
Server Manager Command-Line Tool
Print Management Console
Using Common Practices for Securing and Managing Windows Server 2008
Identifying Security Risks
Using System Center Operations Manager 2007 to Simplify Management
Leveraging Windows Server 2008 Maintenance Practices
Keeping Up with Service Packs and Updates
Manual Update or CD-ROM Update
Automatic Updates
Windows Server Update Services
Maintaining Windows Server 2008
Daily Maintenance
Weekly Maintenance
Monthly Maintenance
Quarterly Maintenance
21 Automating Tasks Using PowerShell Scripting
Understanding Shells
A Short History of Shells
Understanding PowerShell
PowerShell Uses
PowerShell Features
Installing Windows PowerShell
Accessing PowerShell
Command-Line Interface (CLI)
Command Types
.NET Framework Integration
The Pipeline
Variables
Aliases
Scopes
Providers
Profiles
Security
Using Windows PowerShell
Exploring PowerShell
Managing Services
Gathering Event Log Information
Managing the Files and Directories
Managing the Registry
Managing Processes
Using WMI
Using the New-Object cmdlet
22 Documenting a Windows Server 2008 Environment
Benefits of Documentation
Organizational Benefits
Financial Benefits
Types of Documents
Planning to Document the Windows Server 2008 Environment
Knowledge Sharing and Knowledge Management
Windows Server 2008 Project Documents
Project Plan
Design and Planning Document
Communication Plan
Migration Plan
Checklists
Training Plan
Test Plan
Pilot Test Plan
Support and Project Completion Document
Administration and Maintenance Documents
Step-by-Step Procedure Documents
Policies
Documented Checklists
Active Directory Infrastructure
Server Build Procedures
Configuration (As Built) Documentation
Topology Diagrams
Administration Manual
Using Documentation for Troubleshooting Purposes
Procedural Documents
Network Infrastructure
Documenting the WAN Infrastructure
Network Device Documentation
Disaster Recovery Documentation
Disaster Recovery Planning
Backup and Recovery Development
Monitoring and Performance Documentation
Windows System Failover Documentation
Change Management Procedures
Performance Documentation
Baselining Records for Documentation Comparisons
Routine Reporting
Management-Level Reporting
Technical Reporting
Security Documentation
Change Control
Reviewing Reports
Management-Level Reporting for Security Assessments
23 Integrating System Center Operations Manager 2007 with
Explaining How OpsMgr Works
Processing Operational Data
Generating Alerts and Responses
Outlining OpsMgr Architecture
Understanding How OpsMgr Stores Captured Data
Determining the Role of Agents in System Monitoring
Defining Management Groups
Understanding How to Use OpsMgr
Managing and Monitoring with OpsMgr
Reporting from OpsMgr
Using Performance Monitoring
Using Active Directory Integration
Integrating OpsMgr Non-Windows Devices
Exploring Third-Party Management Packs
Understanding OpsMgr Component Requirements
Exploring Hardware Requirements
Determining Software Requirements
OpsMgr Backup Considerations
Deploying OpsMgr Agents
Understanding Advanced OpsMgr Concepts
Understanding OpsMgr Deployment Scenarios
Multiple Configuration Groups
Deploying Geographic-Based Configuration Groups
Deploying Political or Security-Based Configuration Groups
Sizing the OpsMgr Database
Defining Capacity Limits
Defining System Redundancy
Securing OpsMgr
Securing OpsMgr Agents
Understanding Firewall Requirements
Outlining Service Account Security
Downloading and Extracting Management Packs
Importing the Management Pack File into OpsMgr
Installing the OpsMgr Agent on the Windows Server 2008 System
Monitoring Functionality and Performance with OpsMgr
Part VII Remote and Mobile Technologies
24 Server-to-Client Remote and Mobile Access
Windows Server 2008 RRAS Features and Services
Virtual Private Networking in Windows Server 2008
Components Needed to Create a VPN Connection
The VPN Client
The RRAS Server
The NPS System
Certificate Server
Active Directory Server
Authentication Options to an RRAS System
Authentication Protocols for PPTP Connections
EAP and PEAP Authentication Protocols
Authentication Protocols for L2TP/IPSec Connections
Choosing the Best Authentication Protocol
VPN Protocols
Tunneling Within a Windows Server 2008 Networking Environment
Point-to-Point Tunneling Protocol
Layer 2 Tunneling Protocol
IP Security
Secure Socket Tunneling Protocol
Choosing Between PPTP, L2TP/IPSec, and SSTP
Advantages of L2TP/IPSec
Advantages of PPTP
Advantages of SSTP
Ports Affecting the VPN Connectivity
VPN Scenario
Setting Up the Certificate Server
Setting Up the Network Policy Server
Configuring the Network Policy Server
Setting Up the RRAS Server
Setting Up the VPN Client
Testing the VPN Connection
Controlling Unhealthy VPN Clients
SSTP Troubleshooting
Preventing SSTP Connections
Connection Manager
Connection Manager Client Dialer
Connection Manager Administration Kit
Why Implement Terminal Services
Remote Desktop for Administration
Terminal Services for Users
Terminal Services for Remote User Support
Terminal Services for Application Service Providers
How Terminal Services Works
Modes of Operation
Client-Side Terminal Services
Terminal Services Features
Local Resource Redirection
Single Sign-On
Remote Desktop Connection Display
Session 0 Isolation
TS Web Access
TS RemoteApp
TS Gateway
TS Session Broker
Granular Session Configuration Control
Planning for Terminal Services
Planning for Remote Desktop for Administration Mode
Planning for Terminal Server Mode
Planning for Terminal Server Upgrades
Planning the Physical Placement of Terminal Servers
Planning for Hosted Applications
Planning for Networking Requirements
Planning for Terminal Server Fault Tolerance
Planning for Terminal Server TS Licensing
Deploying Terminal Services
Enabling Remote Desktop for Administration
Enabling Remote Assistance
Deploying the Terminal Server Role Service
Configuring the Terminal Services
Deploying TS Web Access
Deploying TS RemoteApp Programs
Deploying TS Gateway
Deploying TS Session Broker
Deploying TS Licensing
Securing Terminal Services
Network Authentication
Changing the RDP Port
Securely Building Terminal Servers
Segmenting Resources
Securing Terminal Services with GPOs
Sizing and Optimizing Terminal Services Environments
Scaling Terminal Services
Optimizing Terminal Services Performance
Supporting Terminal Services
Using the Role Administration Tools
Using the Terminal Server Manager
Managing the Command-Line Terminal Services
Managing Terminal Services Using WMI
Remotely Managing a Terminal Session
Applying Service Packs and Updates
Performing Disaster Recovery on a Terminal Server
Part VIII Desktop Administration
26 Windows Server Administration Tools for Desktops
Managing Desktops and Servers
Operating System Deployment to Bare-Metal Systems
Managing Updates and Applications
Supporting End Users and Remote Administration
Operating System Deployment Options
Manual Installation Using Installation Media
Unattended Installation
Manufacturer-Assisted Installation
Cloning or Imaging Systems
Windows Server 2008 Windows Deployment Services
WDS Image Types
Boot Images
Installation Images
Discover Images
Capture Images
Installing Windows Deployment Services (WDS)
Configuring the WDS Server
DHCP Configuration
Adding a Boot Image to the WDS Server
Adding Install Images to the WDS Server
Deploying the First Install Image
Creating Discover Images
Creating Bootable Media with Discover Boot Images and the Windows Automated Installation Kit
Pre-creating Active Directory Computer Accounts for WDS
Creating Custom Installations Using Capture Images
Customizing Install Images Using Unattended Answer Files
Creating Multicast Images
General Desktop Administration Tasks
27 Group Policy Management for Network Clients
The Need for Group Policies
Windows Group Policies
Local Computer Policy
Local Security Policy
Local Administrators and Non-Administrators User Policies
Domain Group Policies
Security Configuration Wizard
Policy Processing Overview
Group Policy Feature Set
Computer Configuration Policy Node
User Configuration Policy Node
Planning Workgroup and Stand-Alone Local Group Policy Configuration
Creating Local Administrators and Non-Administrators Policies
Planning Domain Group Policy Objects
Policies and Preferences
Domain GPOs
Domain Controller GPOs
Active Directory Site GPOs
Small Business
Delegated Administration
Managing Computers with Domain Policies
Creating a New Domain Group Policy Object
Creating and Configuring GPO Links
Managing User Account Control Settings
Creating a Software Restriction Policy
Deploying Printers
Configuring Remote Desktop and Remote Administration Support
Configuring Basic Firewall Settings with Group Policy
Configuring Windows Update Settings
Creating a Wireless Policy
Managing Users with Policies
Configuring Folder Redirection
Removable Storage Access
Managing Microsoft Management Console Access
Managing Active Directory with Policies
Fine-Grained Password Policies
Configuring Restricted Groups for Domain Security Groups
Extending Group Policy Functionality
Deploying Software Packages Using Domain Group Policy Objects
Synchronous Foreground Refresh
GPO Modeling and GPO Results in the GPMC
Managing Group Policy from Administrative or Remote Workstations
Part IX Fault Tolerance Technologies
28 File System Management and Fault Tolerance
Windows Server 2008 File System Overview/Technologies
Windows Volume and Partition Formats
NTFS-Formatted Partition Features
File System Quotas
Data Compression
Data Encryption
File Screening
Volume Shadow Copy Service (VSS)
Remote Storage Service (RSS)
Distributed File System (DFS)
Distributed File System Replication (DFSR)
File System Management Tools
File System Monitoring and Reporting
File System Access Services and Technologies
Windows Folder Sharing
Distributed File System (DFS) Namespaces and Replication
WWW Directory Publishing
File Transfer Protocol Service
Secure File Transfer Protocol (SFTP)
Windows SharePoint Services (WSS)
Services for NFS
Services for Macintosh
Windows Server 2008 Disks
Master Boot Record Disks
GUID Partition Table (GPT) Disks
Basic Disk
Dynamic Disk
Partition or Volume
Mount Point
Simple Volumes
Spanned Volumes
Striped Volumes
Fault-Tolerant Volumes
Mirrored Volumes
Utilizing External Disk Subsystems
Hardware-Based Disk Arrays
Boot from Storage Area Networks
Managing External Storage
External Storage Support Requirements
Managing Windows Server 2008 Disks
The Disk Management MMC Snap-In
Diskpart.exe Command-Line Utility
Adding a New Disk to Windows
Converting Basic Disks to Dynamic Disks
Creating Fault-Tolerant Volumes Using Disk Management
Creating a Fault-Tolerant Volume Using Diskpart.exe
System File Reliability
System File Stability
Adding the File Services Role
Managing Data Access Using Windows Server 2008 Shares
Access-Based Enumeration
Client-Side Caching and Offline Files
Managing Folder Shares
Volume-Based NTFS Quota Management
File Server Resource Manager (FSRM)
Uses of File Server Resource Manager
Installing the File Server Resource Manager Tools
FSRM Global Options
Configuring Quotas with File Server Resource Manager
Adjusting Quotas
Creating a Quota Template
Creating File Screens
Creating a File Screen Template
File Screen Exceptions
Generating Storage Reports with FSRM
Troubleshooting File System Services
The Distributed File System
DFS Namespaces
DFS Replication
DFS Terminology
DFS Replication Terminology
Planning a DFS Deployment
Configuring File Share and NTFS Permissions for DFS Root and Folder Targets
Choosing a DFS Type
Planning for DFS Replication
Determining the Replication Topology
Installing DFS
Creating the DFS Namespace and Root
Adding an Additional Namespace Server to a Domain-Based Namespace
Creating a DFS Folder and Replication Group
Best Practices for DFS Replication
Managing and Troubleshooting DFS
Taking a Target Offline for Maintenance
Disabling Replication for Extended Downtime
Limiting Connections to Site DFS Targets
Backing Up DFS
Using the Volume Shadow Copy Service
Using VSS and Windows Server Backup
Configuring Shadow Copies
Recovering Data Using Shadow Copies
29 System-Level Fault Tolerance (Clustering/Network Load Balancing)
Building Fault-Tolerant Windows Server 2008 Systems
Powering the Computer and Network Infrastructure
Designing Fault-Tolerant IP Networks
Designing Fault-Tolerant Server Disks
Increasing Service and Application Availability
Windows Server 2008 Clustering Technologies
Windows Server 2008 Cluster Terminology
Determining the Correct Clustering Technology
Failover Clusters
Network Load Balancing
Overview of Failover Clusters
Failover Cluster Quorum Models
Choosing Applications for Failover Clusters
Shared Storage for Failover Clusters
Failover Cluster Node Operating System Selection
Deploying Failover Clusters
Installing the Failover Clustering Feature
Running the Validate a Configuration Wizard
Creating a Failover Cluster
Configuring Cluster Networks
Adding Nodes to the Cluster
Adding Storage to the Cluster
Cluster Quorum Configuration
Deploying Services or Applications on Failover Clusters
Configuring Failover and Failback
Testing Failover Clusters
Failover Cluster Maintenance
Removing Nodes from a Failover Cluster
Cluster Migration and Upgrades
Backing Up and Restoring Failover Clusters
Failover Cluster Node—Backup Best Practices
Restoring an Entire Cluster to a Previous State
Deploying Network Load Balancing Clusters
NLB Applications and Services
Installing the Network Load Balancing Feature
Creating Port Rules
Port Rules Filtering Mode and Affinity
Using Cluster Operation Mode
Configuring Network Cards for NLB
Creating an NLB Cluster
Adding Additional Nodes to an Existing NLB Cluster
Managing NLB Clusters
Backing Up and Restoring NLB Nodes
Performing Maintenance on an NLB Cluster Node
30 Backing Up the Windows Server 2008 Environment
Understanding Your Backup and Recovery Needs and Options
Identifying the Different Services and Technologies
Identifying Single Points of Failure
Evaluating Different Disaster Scenarios
Prioritizing the Environment
Identifying Bare Minimum Services
Determining the Service-Level Agreement and Return-to-Operation Requirements
Creating the Disaster Recovery Solution
Disaster Recovery Solution Overview Document
Getting Disaster Recovery Solutions Approved
Documenting the Enterprise
Developing a Backup Strategy
Assigning Tasks and Designating Team Members
Creating Regular Backup Procedures
Windows Server Backup Overview
Backup Storage Support and Media Management
Backup Media Files
Backup Options
Windows Server Backup MMC Snap-In
Windows Backup Command-Line Utility
Using Windows Server Backup
Installing Windows Server Backup
Scheduling a Backup Using Windows Server Backup and Allocating Disks
Running a Manual Backup to a Remote Server Share
Storing a Backup on DVD
Managing Backups Using the Command-Line Utility wbadmin.exe
Viewing Backup History
Running a Manual Backup to Remote Storage Using wbadmin.exe
Backing Up Windows Server 2008 Role Services
Backing Up the System State
Backing Up Active Directory
Certificate Services
Domain Name Service
Windows Internet Naming Service
Dynamic Host Configuration Protocol
Distributed File System
Internet Information Services
Windows SharePoint Services
Volume Shadow Copy Service (VSS)
Enabling Shadow Copies for Shared Volumes
Windows Server 2008 Startup Options
Emergency Management Services Console Redirection
Ongoing Backup and Recovery Preparedness
Project Management Office (PMO)
Change Control
Disaster Recovery Delegation of Responsibilities
Achieving 99.999% Uptime Using Windows Server 2008
When Disasters Strike
Qualifying the Disaster or Failure
Validating Priorities
Assume and Be Doomed
Synchronizing with Business Owners
Communicating with Vendors and Staff
Assigning Tasks and Scheduling Resources
Keeping the Troops Happy
Recovering the Infrastructure
Postmortem Meeting
Disaster Scenario Troubleshooting
Network Outage
Physical Site Failure
Server or System Failure
Recovering from a Server or System Failure
Access Issues
Data Corruption and File and Folder Recovery
Managing and Accessing Windows Server Backup Media
Windows Server Backup Managed Disks
DVD Media
Windows Server Backup Volume Recovery
Windows Server 2008 Data Volume Recovery
Windows Server 2008 System Volume Recovery
Windows Complete PC Restore
Complete PC Restore to Alternate Hardware
Recovering Role Services and Features
Windows Server 2008 System State Recovery
System State Recovery for Domain Controllers
DHCP
Windows SharePoint Services
Part X Optimizing, Tuning, Debugging, and Problem Solving
32 Optimizing Windows Server 2008 for Branch Office Communications
Understanding Read-Only Domain Controllers (RODCs)
Organizations’ Branch Office Concerns and Dilemmas
Understanding When to Leverage RODCs
Installing a Read-Only Domain Controller
Examining Prerequisite Tasks When Deploying an RODC
Limitations Associated with Windows Server 2008 RODCs
Conducting a RODC Installation
Performing a Staged RODC Installation
Understanding BitLocker Drive Encryption
Examining BitLocker’s Drive Encryption Components and Windows Server 2008 Enhancements
Comprehending BitLocker’s Drive Encryption Hardware Requirements
Understanding BitLocker Deployment Scenarios
Configuring BitLocker Drive Encryption on a Windows Server 2008 Branch Office Domain Controller
Configuring the System Partitions for BitLocker
Installing BitLocker Drive Encryption
Enabling BitLocker Drive Encryption
Utilizing the BitLocker Recovery Password
Removing BitLocker Drive Encryption
Enhancing Replication and WAN Utilization at the Branch Office
Read-Only Domain Controllers
Next Generation TCP/IP Stack
Distributed File System (DFS)
Group Policies
SMB Version 2.0
Using the Task Manager for Logging and Debugging
Monitoring Applications
Monitoring Processes
Monitoring Services
Monitoring Performance
Monitoring Network Performance
Monitoring User Activity
Using Event Viewer for Logging and Debugging
Examining the New Event Viewer User Interface
Conducting Additional Event Viewer Management Tasks
Performance and Reliability Monitoring
Resource Monitor
Performance Monitor
Reliability Monitor
Data Collector Sets
Reports
Setting Baseline Values
Reducing Performance Monitoring Overhead
Important Objects to Monitor
Using the Debugging Tools Available in Windows Server 2008
TCP/IP Tools
System Startup and Recovery
Windows Memory Diagnostics Tool
Resources and Support Tools
Task Scheduler
Understanding Task Scheduler
Understanding Trigger Options and Settings
Understanding the Advanced Settings Associated with Triggers
Understanding the Actions Associated with a Task
Understanding Conditions Associated with a Task
Understanding Task Settings
Understanding Task History
34 Capacity Analysis and Performance Optimization
Defining Capacity Analysis
The Benefits of Capacity Analysis and Performance Optimization
Establishing Policy and Metric Baselines
Benchmark Baselines
Using Capacity-Analysis Tools
Task Manager
Network Monitor
Windows Reliability and Performance Monitor
Other Microsoft Assessment and Planning Tools
Third-Party Toolset
Monitoring System Performance
Key Elements to Monitor for Bottlenecks
Monitoring System Memory and Pagefile Usage
Analyzing Processor Usage
Evaluating the Disk Subsystem
Monitoring the Network Subsystem
Optimizing Performance by Server Roles
Domain Controllers
Terminal Services Server
Virtual Servers
Part XI Integrated Windows Application Services
35 Windows SharePoint Services 3.0
Understanding the History of SharePoint Technologies
SharePoint Origins
SharePoint 2003 Technologies Arrive
Understanding the Need for SharePoint 2007 Products
What Are the Differences Between Windows SharePoint Services 3.0 and SharePoint Server 2007?
Basic Features of Windows SharePoint Services 3.0
What Is Not Included in Windows SharePoint Services 3.0 but Is Included in SharePoint Server 2007
Identifying the Need for Windows SharePoint Services
Customizing WSS to Suit Organizational Needs