Windows Server 2008 Unleashed
800 East 96th Street, Indianapolis, Indiana 46240 USA
Rand Morimoto, Ph.D., MCSE, CISSP
Michael Noel, MCSE+I, CISSP, MCSA, MVP
Omar Droubi, MCSE
Ross Mistry, MCTS, MCDBA, MCSE
Chris Amaris, MCSE, CISSP
Windows Server 2008 Unleashed
Copyright © 2008 by Sams Publishing
All rights reserved. No part of this book shall be reproduced, stored in a
retrieval system, or transmitted by any means, electronic, mechanical,
photocopying, recording, or otherwise, without written permission from the publisher.
No patent liability is assumed with respect to the use of the information
contained herein. Although every precaution has been taken in the preparation
of this book, the publisher and author assume no responsibility for errors or
omissions. Nor is any liability assumed for damages resulting from the use of
the information contained herein.
ISBN-13: 978-0-672-32930-2
ISBN-10: 0-672-32930-1
Library of Congress Cataloging-in-Publication Data is on file.
Printed in the United States of America
First Printing: February 2008
Trademarks
All terms mentioned in this book that are known to be trademarks or service
marks have been appropriately capitalized. Sams Publishing cannot attest to
the accuracy of this information. Use of a term in this book should not be
regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate
as possible, but no warranty or fitness is implied. The information provided is
on an “as is” basis. The authors and the publisher shall have neither liability
nor responsibility to any person or entity with respect to any loss or damages
arising from the information contained in this book.
Bulk Sales
Sams Publishing offers excellent discounts on this book when ordered in
quantity for bulk purchases or special sales. For more information, please contact
U.S. Corporate and Government Sales
Development Editor: Mark Renfrow
Managing Editor: Gina Kanouse
Project Editor: Betsy Harris
Copy Editor: Karen Annett
Senior Indexer: Cheryl Lenser
Proofreader: Kathy Ruiz
Technical Editor: Jeff Guillet, MCSE: Messaging, MCSA, MCP+I, CISSP
Publishing Coordinator: Cindy Teeters
Book Designer: Gary Adair
Senior Compositor: Jake McFarland
Contributing Writers: Kimberly Amaris, PMP; Scott G. Chimner, CISSP, MCSE, MCSA; Stefan Garaygay, MCSE; Jeff Guillet, MCSE: Messaging, MCSA, MCP+I, CISSP; Robert Jue, MCSE, MCDBA; Tyson Kopczynski, CISSP, GSEC, GCIH, MCSE Security; Alec Minty, MCSE; Shirmattie Seenarine; Colin Spence, MCP; James V. Walker, MCP, MCSE; Chris Wallace, MCSA, MCSE
Contents at a Glance
Part I Windows Server 2008 Overview
1 Windows Server 2008 Technology Primer 3
2 Planning, Prototyping, Migrating, and Deploying Windows Server 2008 Best Practices 39
3 Installing Windows Server 2008 and Server Core 73
Part II Windows Server 2008 Active Directory
4 Active Directory Domain Services Primer 105
5 Designing a Windows Server 2008 Active Directory 139
6 Designing Organizational Unit and Group Structure 165
7 Active Directory Infrastructure 185
8 Creating Federated Forests and Lightweight Directories 217
9 Integrating Active Directory in a UNIX Environment 235
Part III Networking Services
10 Domain Name System and IPv6 251
11 DHCP/WINS/Domain Controllers 297
12 Internet Information Services 331
Part IV Security
13 Server-Level Security 375
14 Transport-Level Security 399
15 Security Policies, Network Policy Server, and Network Access Protection 415
Part V Migrating to Windows Server 2008
16 Migrating from Windows 2000/2003 to Windows Server 2008 439
17 Compatibility Testing for Windows Server 2008 473
Part VI Windows Server 2008 Administration and Management
18 Windows Server 2008 Administration 499
19 Windows Server 2008 Group Policies and Policy Management 533
20 Windows Server 2008 Management and Maintenance Practices 581
21 Automating Tasks Using PowerShell Scripting 639
22 Documenting a Windows Server 2008 Environment 685
23 Integrating System Center Operations Manager 2007 with Windows Server 2008 715
Part VII Remote and Mobile Technologies
24 Server-to-Client Remote and Mobile Access 737
25 Terminal Services 783
Part VIII Desktop Administration
26 Windows Server 2008 Administration Tools for Desktops 839
27 Group Policy Management for Network Clients 865
Part IX Fault Tolerance Technologies
28 File System Management and Fault Tolerance 935
29 System-Level Fault Tolerance (Clustering/Network Load Balancing) 993
30 Backing Up the Windows Server 2008 Environment 1043
31 Recovering from a Disaster 1077
Part X Optimizing, Tuning, Debugging, and Problem Solving
32 Optimizing Windows Server 2008 for Branch Office Communications 1111
33 Logging and Debugging 1145
34 Capacity Analysis and Performance Optimization 1189
Part XI Integrated Windows Application Services
35 Windows SharePoint Services 3.0 1233
36 Windows Media Services 1281
37 Deploying and Using Windows Virtualization 1313
Index 1339
Table of Contents
Part I Windows Server 2008 Overview
1 Windows Server 2008 Technology Primer 3
Windows Server 2008 Defined 3
Windows 2008 Under the Hood 4
Windows Server 2008 as an Application Server 6
When Is the Right Time to Migrate? 8
Adding a Windows Server 2008 System to a Windows 2000/2003 Environment 8
Migrating from Windows 2000/2003 Active Directory to Windows Server 2008 Active Directory 9
Versions of Windows Server 2008 9
Windows Server 2008, Standard Edition 10
Windows Server 2008, Enterprise Edition 10
Windows Server 2008, Datacenter Edition 11
Windows Web Server 2008 11
Windows Server 2008 Server Core 12
What’s New and What’s the Same About Windows Server 2008? 13
Visual Changes in Windows Server 2008 13
Continuation of the Forest and Domain Model 13
Changes That Simplify Tasks 14
Increased Support for Standards 16
Changes in Active Directory 16
Renaming Active Directory to Active Directory Domain Services 17
Renaming Active Directory in Application Mode to Active Directory Lightweight Directory Service 17
Expansion of the Active Directory Federation Services 17
Introducing the Read-Only Domain Controller 18
Windows Server 2008 Benefits for Administration 18
Improvements in the Group Policy Management 19
Introducing Performance and Reliability Monitoring Tools 20
Leveraging File Server Resource Manager 21
Introduction of Windows Deployment Services 21
Improvements in Security in Windows Server 2008 22
Enhancing the Windows Server 2008 Security Subsystem 22
Transport Security Using IPSec and Certificate Services 23
Security Policies, Policy Management, and Supporting Tools for Policy Enforcement 23
Improvements in Windows Server 2008 for Better Branch Office Support 23
Read-Only Domain Controllers for the Branch Office 24
BitLocker for Server Security 24
Distributed File System Replication 25
Improvements in Distributed Administration 26
Improvements for Thin Client Terminal Services 26
Improvements in RDP v6.x for Better Client Capabilities 26
Terminal Services Web Access 27
Terminal Services Gateway 28
Terminal Services Remote Programs 28
Improvements in Clustering and Storage Area Network Support 29
No Single Point of Failure in Clustering 29
Stretched Clusters 30
Improved Support for Storage Area Networks 30
Improvements in Server Roles in Windows Server 2008 30
Introducing Internet Information Services 7.0 30
Windows SharePoint Services 31
Windows Rights Management Services 31
Windows Server Virtualization 32
Identifying Which Windows Server 2008 Service to Install or Migrate to First 33
Windows Server 2008 Core to an Active Directory Environment 33
Windows Server 2008 Running Built-in Application Server Functions 34
Windows Server 2008 Running Add-in Applications Server Functions 36
2 Planning, Prototyping, Migrating, and Deploying Windows Server 2008 Best Practices 39
Determining the Scope of Your Project 40
Identifying the Business Goals and Objectives to Implement Windows Server 2008 40
High-Level Business Goals 41
Business Unit or Departmental Goals 42
Identifying the Technical Goals and Objectives to Implement Windows Server 2008 43
Defining the Scope of the Work 44
Determining the Time Frame for Implementation or Migration 46
Defining the Participants of the Design and Deployment Teams 48
The Discovery Phase: Understanding the Existing Environment 49
Understanding the Geographical Depth and Breadth 51
Managing Information Overload 52
The Design Phase: Documenting the Vision and the Plan 52
Collaboration Sessions: Making the Design Decisions 53
Organizing Information for a Structured Design Document 54
Windows Server 2008 Design Decisions 55
Agreeing on the Design 56
The Migration Planning Phase: Documenting the Process for Migration 57
Time for the Project Plan 57
Speed Versus Risk 58
Creating the Migration Document 59
The Prototype Phase: Creating and Testing the Plan 62
How Do You Build the Lab? 63
Results of the Lab Testing Environment 63
The Pilot Phase: Validating the Plan to a Limited Number of Users 64
The First Server in the Pilot 65
Rolling Out the Pilot Phase 66
Fixing Problems in the Pilot Phase 67
Documenting the Results of the Pilot 67
The Migration/Implementation Phase: Conducting the Migration or Installation 67
Verifying End-User Satisfaction 67
Supporting the New Windows Server 2008 Environment 68
3 Installing Windows Server 2008 and Server Core 73
Preplanning and Preparing a Server Installation 73
Verifying Minimum Hardware Requirements 74
Choosing the Appropriate Windows Edition 75
Choosing a New Installation or an Upgrade 75
Determining the Type of Server to Install 77
Gathering the Information Necessary to Proceed 77
Backing Up Files 79
Installing a Clean Version of Windows Server 2008 Operating System 79
1. Customizing the Language, Time, Currency, and Keyboard Preferences 80
2. The Install Now Page 80
3. Entering the Product Key 80
4. Selecting the Type of Operating System to Install 81
5. Accepting the Terms of the Windows Server 2008 License 82
6. Selecting the Type of Windows Server 2008 Installation 82
7. Selecting the Location for the Installation 82
8. Finalizing the Installation and Customizing the Configuration 83
Upgrading to Windows Server 2008 88
Backing Up the Server 88
Verifying System Compatibility 89
Ensuring the Drivers Are Digitally Signed 89
Performing Additional Tasks 89
Performing the Upgrade 90
Understanding Server Core Installation 93
Performing a Server Core Installation 93
Managing and Configuring a Server Core Installation 95
Launching the Command Prompt in a Server Core Installation 95
Changing the Server Core Administrator’s Password 95
Changing the Server Core Machine Name 96
Assigning a Static IPv4 IP Address and DNS Settings 96
Adding the Server Core System to a Domain 97
Server Core Roles and Feature Installations 97
Installing the Active Directory Domain Services Role 99
Performing an Unattended Windows Server 2008 Installation 100
Part II Windows Server 2008 Active Directory
4 Active Directory Domain Services Primer 105
Examining the Evolution of Directory Services 106
Reviewing the Original Microsoft Directory Systems 106
Numbering the Key Features of Active Directory Domain Services 107
Understanding the Development of AD DS 107
Detailing Microsoft’s Adoption of Internet Standards 108
Examining AD DS’s Structure 108
Understanding the AD DS Domain 108
Describing AD DS Domain Trees 109
Describing Forests in AD DS 110
Numbering the AD DS Authentication Modes 110
Outlining Functional Levels in Windows Server 2008 AD DS 110
Outlining AD DS’s Components 111
Understanding AD DS’s X.500 Roots 111
Conceptualizing the AD DS Schema 112
Defining the Lightweight Directory Access Protocol (LDAP) 113
Detailing Multimaster Replication with AD DS Domain Controllers 114
Conceptualizing the Global Catalog and Global Catalog Servers 114
Numbering the Operations Master (OM) Roles 114
Understanding Domain Trusts 116
Conceptualizing Transitive Trusts 116
Understanding Explicit Trusts 116
Defining Organizational Units 118
Determining Domain Usage Versus OU Usage 118
Outlining the Role of Groups in an AD DS Environment 119
Choosing Between OUs and Groups 121
Explaining AD DS Replication 121
Sites, Site Links, and Site Link Bridgeheads 121
Understanding Originating Writes 123
Outlining the Role of DNS in AD DS 123
Examining DNS Namespace Concepts 123
Comprehending Dynamic DNS 124
Comparing Standard DNS Zones and AD-Integrated DNS Zones 125
Understanding How AD DS DNS Works with Foreign DNS 125
Outlining AD DS Security 125
Understanding Kerberos Authentication 125
Taking Additional Security Precautions 126
Outlining AD DS Changes in Windows Server 2008 126
Restarting AD DS on a Domain Controller 126
Implementing Multiple Password Policies per Domain 127
Auditing Changes Made to AD Objects 132
Reviewing Additional Active Directory Services 133
Examining Additional Windows Server 2008 AD DS Improvements 134
Reviewing Legacy Windows Server 2003 Active Directory Improvements 134
5 Designing a Windows Server 2008 Active Directory 139
Understanding AD DS Domain Design 139
Examining Domain Trusts 140
Choosing a Domain Namespace 141
Choosing an External (Published) Namespace 141
Choosing an Internal Namespace 142
Examining Domain Design Features 142
Choosing a Domain Structure 143
Understanding the Single Domain Model 144
Choosing the Single Domain Model 145
Exploring a Single Domain Real-World Design Example 146
Understanding the Multiple Domain Model 147
Choosing When to Add Additional Domains 148
Exploring a Multiple Domain Real-World Design Example 149
Understanding the Multiple Trees in a Single Forest Model 150
Choosing When to Deploy a Multiple Tree Domain Model 150
Examining a Multiple Tree Domain Real-World Design Example 151
Understanding the Federated Forests Design Model 151
Determining When to Choose Federated Forests 153
Exploring a Federated Forests Real-World Design Example 153
Understanding the Empty-Root Domain Model 154
Determining When to Choose the Empty-Root Model 156
Examining a Real-World Empty-Root Domain Design Example 157
Understanding the Placeholder Domain Model 158
Examining a Placeholder Domain Real-World Design Example 158
Understanding the Special-Purpose Domain Design Model 159
Examining a Special-Purpose Domain Real-World Design Example 160
Renaming an AD DS Domain 160
Domain Rename Limitations 161
Outlining Domain Rename Prerequisites 161
Renaming a Domain 161
6 Designing Organizational Unit and Group Structure 165
Defining Organizational Units in AD DS 166
Defining AD Groups 168
Outlining Group Types: Security or Distribution 168
Understanding Group Scope 170
Examining OU and Group Design 171
Starting an OU Design 172
Examining Overuse of OUs in Domain Design 173
OU Flexibility 173
Using OUs to Delegate Administration 174
Group Policies and OU Design 175
Understanding Group Design 177
Detailing Best Practice for Groups 177
Establishing Group Naming Standards 178
Group Nesting 178
Designing Distribution Groups 178
Exploring Sample Design Models 178
Examining a Business Function–Based Design 178
Understanding Geographically Based Design 181
7 Active Directory Infrastructure 185
Understanding AD DS Replication in Depth 185
Understanding the Role of Replication in AD DS 186
Outlining Multimaster Topology Concepts 186
Explaining Update Sequence Numbers (USNs) 186
Describing Replication Collisions 187
Understanding Property Version Numbers 187
Describing Connection Objects 188
Understanding Replication Latency 189
Understanding Active Directory Sites 190
Outlining Windows Server 2008 Site Improvements 191
Associating Subnets with Sites 191
Using Site Links 192
Defining Site Link Bridging 194
Understanding the Knowledge Consistency Checker (KCC) and the Intersite Topology Generator (ISTG) 195
Detailing Site Cost 195
Utilizing Preferred Site Link Bridgeheads 197
Deploying AD DS Domain Controllers on Server Core 197
Planning Replication Topology 198
Mapping Site Design into Network Design 198
Establishing Sites 198
Choosing Between One Site or Many Sites 199
Associating Subnets with Sites 200
Determining Site Links and Site Link Costs 200
Choosing Replication Scheduling 200
Choosing SMTP or IP Replication 201
Windows Server 2008 Replication Enhancements 201
Domain Controller Promotion from Media 201
Identifying Linked-Value Replication/Universal Group Membership Caching 202
Removing Lingering Objects 203
Disabling Replication Compression 203
Understanding How AD Avoids Full Synchronization of Global Catalog with Schema Changes 204
Intersite Topology Generator Algorithm Improvements 204
Outlining Windows Server 2008 IPv6 Support 204
Defining the Structure of IPv6 205
Understanding IPv6 Addressing 206
Migrating to IPv6 207
Making the Leap to IPv6 207
Detailing Real-World Replication Designs 207
Viewing a Hub-and-Spoke Replication Design 207
Outlining Decentralized Replication Design 209
Deploying Read-Only Domain Controllers (RODCs) 211
Understanding the Need for RODCs 211
Outlining the Features of RODCs 212
Deploying an RODC 212
8 Creating Federated Forests and Lightweight Directories 217
Keeping a Distributed Environment in Sync 217
AD Lightweight Directory Services 218
Understanding the Need for AD LDS 218
Outlining the Features of AD LDS 219
Installing AD LDS 219
Active Directory Federation Services 223
Understanding the Key Components of AD FS 223
Installing AD FS with Windows Server 2008 224
Working with AD FS 226
Microsoft Identity Lifecycle Manager (ILM) 2007 226
The History of ILM 2007 226
Outlining the Identity Integration Feature Pack (IIFP) 227
The SQL Server Database for ILM 2007 228
ILM 2007 Terminology 228
ILM 2007 Management Agents 229
Management Agent Run Profiles 229
Installing Identity Lifecycle Manager 2007 229
Harnessing the Power and Potential of ILM 2007 230
Managing Identities with ILM 2007 231
Provisioning and Deprovisioning Accounts with ILM 2007 232
Summarizing ILM 2007 233
9 Integrating Active Directory in a UNIX Environment 235
Understanding and Using Windows Server 2008 UNIX Integration Components 235
The Development of Windows Server 2008 UNIX Integration Components 236
Understanding the UNIX Interoperability Components in Windows Server 2008 237
Prerequisites for Windows Server 2008 UNIX Integration 237
Installing Services for Network File System (NFS) 238
Using and Administering Services for NFS 239
Configuring Active Directory Lookup for UNIX GID and
Configuring Client for NFS and Server for NFS Settings 241
Creating NFS Shared Network Resources 241
Reviewing the Subsystem for UNIX-Based Applications (SUA) 242
Installing the Subsystem for UNIX-Based Applications 242
Subsystem for UNIX-Based Applications Scripting 243
Subsystem for UNIX-Based Application Tools and Programming Languages 243
Understanding the Identity Management for UNIX Components 243
Installing Identity Management for UNIX Components 244
Configuring Password Change Capabilities 245
Adding NIS Users to Active Directory 245
Administrative Improvements with Windows Server 2008 246
Performing Remote Administration with Telnet Server and Client 246
Scripting with ActivePerl 247
Part III Networking Services
10 Domain Name System and IPv6 251
Understanding the Need for DNS 252
Detailing the History of DNS 252
Establishing a Framework for DNS 253
Explaining the DNS Hierarchy 253
Outlining the DNS Namespace 254
Getting Started with DNS on Windows Server 2008 254
Installing DNS Using the Add Roles Wizard 254
Configuring DNS Server to Point to Itself 257
Resource Records 257
Start of Authority (SOA) Records 258
Host (A) Records 258
Name Server (NS) Records 259
Service (SRV) Records 259
Mail Exchanger (MX) Records 260
Pointer (PTR) Records 261
Canonical Name (CNAME) Records 261
Other DNS Record Types 261
Understanding DNS Zones 261
Forward Lookup Zones 262
Reverse Lookup Zones 263
Primary Zones 263
Secondary Zones 263
Performing Zone Transfers 265
Performing Full Zone Transfers 267
Initiating Incremental Zone Transfers 267
Understanding DNS Queries 268
Performing Recursive Queries 268
Performing Iterative Queries 268
Other DNS Components 269
Dynamic DNS 270
The Time to Live Value 270
Performing Secure Updates 271
Exploring Aging and Scavenging for DNS 272
Examining Root Hints 273
Understanding the Role of Forwarders 273
Using WINS for Lookups 274
Understanding the Evolution of Microsoft DNS 274
Active Directory–Integrated Zones 274
Dynamic Updates 275
Unicode Character Support 275
DNS in Windows Server 2008 275
Application Partition 275
Automatic Creation of DNS Zones 276
Fix to the “Island” Problem 276
Forest Root Zone for _msdcs 276
DNS in an Active Directory Domain Services Environment 277
The Impact of DNS on Active Directory Domain Services 277
Active Directory Domain Services in Non-Microsoft DNS Implementations 278
Using Secondary Zones in an AD DS Environment 278
SRV Records and Site Resolution 278
GlobalNames Zone 280
Troubleshooting DNS 281
Using the DNS Event Viewer to Diagnose Problems 281
Using Performance Monitor to Monitor DNS 282
Client-Side Cache and HOST Resolution Problems 282
Using the NSLOOKUP Command-Line Utility 282
Using the IPCONFIG Command-Line Utility 283
Using the TRACERT Command-Line Utility 284
Using the DNSCMD Command-Line Utility 284
IPv6 Introduction 285
IPv6 Addressing 286
Comprehending IPv6 Addressing 288
Bridging the Gap with ISATAP 288
Other Compatibility Addresses 289