on the system recently. A new device driver might have been installed or an application might have been installed that incorrectly modified the system configuration.
Often you can resolve startup issues using Safe Mode to recover or troubleshoot system problems. In Safe Mode, Windows Server 2008 loads only basic files, services, and drivers. Because Safe Mode loads a limited set of configuration information, it can help you troubleshoot problems. You start a system in Safe Mode by completing the following steps:
1. If the system is currently running and you want to troubleshoot startup, shut down the server, and then start it again. If the system is already powered down or has previously failed to start, start the server again.
2. Press F8 during startup to access the Windows Advanced Options menu. You must press F8 before the Windows splash screen appears.
3. On the Windows Advanced Options menu, select a startup mode. The key options are as follows:
   Safe Mode—Starts the computer and loads only basic files, services, and drivers during the initialization sequence. The drivers loaded include the mouse, monitor, keyboard, mass storage, and base video. No networking services or drivers are started.
   Safe Mode With Command Prompt—Starts the computer and loads only basic files, services, and drivers, and then starts a command prompt instead of the Windows Server 2008 graphical interface. No networking services or drivers are started.
   Safe Mode With Networking—Starts the computer and loads only basic files, services, and drivers, and the services and drivers needed to start networking.
   Enable Boot Logging—Starts the computer with boot logging enabled, which allows you to create a record of all startup events in a boot log.
   Enable Low Resolution Video—Starts the computer in low resolution 640×480 display mode, which is useful if the system display is set to a mode that can’t be used with the current monitor.
   Last Known Good Configuration—Starts the computer in Safe Mode using Registry information that Windows Server 2008 saved at the last shutdown.
   Debugging Mode—Starts the system in debugging mode, which is useful only for troubleshooting operating system bugs.
   Directory Services Recovery Mode—Starts the system in Safe Mode and allows you to restore the directory service. This option is available on Windows Server 2008 domain controllers.
   Disable Automatic Restart On System Failure—Prevents Windows Server 2008 from automatically restarting after an operating system crash.
Troubleshooting Startup and Shutdown 1417
   Disable Driver Signature Enforcement—Starts the computer in Safe Mode without enforcing digital signature policy settings for drivers. If a driver with an invalid or missing digital signature is causing startup failure, this will resolve the problem temporarily so that you can start the computer and resolve the problem by either getting a new driver or changing the driver signature enforcement settings.
4. If a problem doesn’t reappear when you start in Safe Mode, you can eliminate the default settings and basic device drivers as possible causes. If a newly added device or updated driver is causing problems, you can use Safe Mode to remove the device or roll back the update.
5. Make other changes as necessary to resolve startup problems. If you are still having a problem starting the system, you might need to uninstall recently installed applications or devices to try to correct the problem.
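The Enable Boot Logging option listed above appends its record to ntbtlog.txt in the Windows directory, one section per boot. The following is an added example, not code from the book: it parses such a log and compares the two most recent boots to show which drivers stopped loading and which appear for the first time. The sample log is constructed, and the driver names examplenic.sys and newvendor.sys are hypothetical.

```python
import re

# Constructed sample: two boot sessions in the layout Windows appends to
# %SystemRoot%\ntbtlog.txt. examplenic.sys and newvendor.sys are invented names.
SAMPLE_NTBTLOG = r"""Microsoft (R) Windows (R) Version 6.0 (Build 6001)
 2 10 2009 08:15:02.500
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\drivers\disk.sys
Loaded driver \SystemRoot\system32\DRIVERS\examplenic.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Microsoft (R) Windows (R) Version 6.0 (Build 6001)
 2 11 2009 09:40:17.250
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\drivers\disk.sys
Did not load driver \SystemRoot\system32\drivers\examplenic.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\system32\drivers\newvendor.sys
Did not load driver \SystemRoot\system32\drivers\newvendor.sys
"""

ENTRY_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def read_boot_log(path):
    """Read a boot log from disk, decoding UTF-16 when a byte-order mark is present."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_boot_log(text):
    """Split the log into boot sessions, each with header, loaded and not_loaded lists."""
    sessions = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            # A non-entry line after driver entries marks the start of the next boot.
            if current is None or current["loaded"] or current["not_loaded"]:
                current = {"header": [], "loaded": [], "not_loaded": []}
                sessions.append(current)
            current["header"].append(line)
            continue
        if current is None:
            current = {"header": [], "loaded": [], "not_loaded": []}
            sessions.append(current)
        key = "loaded" if match.group(1) == "Loaded driver" else "not_loaded"
        name = match.group(2)
        if name not in current[key]:  # the same driver is often logged repeatedly
            current[key].append(name)
    return sessions


def compare_last_boots(sessions):
    """Compare the latest boot with the one before it (paths compared case-insensitively)."""
    if not sessions:
        raise ValueError("boot log contains no sessions")
    latest = sessions[-1]
    previous = sessions[-2] if len(sessions) > 1 else None
    prev_loaded, prev_seen = set(), set()
    if previous is not None:
        prev_loaded = {d.lower() for d in previous["loaded"]}
        prev_seen = prev_loaded | {d.lower() for d in previous["not_loaded"]}
    failed = list(latest["not_loaded"])
    # Loaded last time, refused this time: candidates for rollback.
    newly_failed = [d for d in failed if d.lower() in prev_loaded]
    # Absent from the previous boot entirely: recently installed drivers.
    first_seen = []
    if previous is not None:
        first_seen = [d for d in latest["loaded"] + latest["not_loaded"]
                      if d.lower() not in prev_seen]
    return {"failed": failed, "newly_failed": newly_failed, "first_seen": first_seen}


if __name__ == "__main__":
    report = compare_last_boots(parse_boot_log(SAMPLE_NTBTLOG))
    for label, drivers in report.items():
        print(label)
        for driver in drivers:
            print("   ", driver)
```

For a real server, pass the output of read_boot_log() on the ntbtlog.txt file to parse_boot_log() in place of the sample.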
Repairing Missing or Corrupted System Files
Windows Server 2008 enters Windows Error Recovery mode automatically if Windows fails to start. In this mode, you have options similar to those you have when working with the Advanced Boot menu. For troubleshooting, you can elect to boot the system in Safe Mode, Safe Mode With Networking, or Safe Mode With Command Prompt. You can also choose to use the Last Known Good Configuration or to start Windows normally.
If you can’t start or recover a system in Safe Mode, you can manually run Startup Repair to try to force Windows Server 2008 to resolve the problem. To do this, complete the following steps:
1. Insert the Windows installation or Windows Recovery disc for the hardware architecture and then boot from the installation disc by pressing a key when prompted. If the server does not allow you to boot from the installation disc, you might need to change firmware options to allow booting from a CD/DVD-ROM drive.
2. With a Windows Recovery disc, select Windows Setup (EMS Enabled) on the Windows Boot Manager menu to start Windows Setup. With a Windows installation disc, Windows Setup should start automatically.
3. On the Install Windows page, select the language, time, and keyboard layout options that you want to use. Click Next.
4. When prompted, do not click Install Now. Instead, click the Repair Your Computer link in the lower-left corner of the Install Windows page. This starts the System Recovery Options wizard. If the boot manager is damaged, the wizard will repair it at this point to obtain a list of available operating systems.
5. On the System Recovery Options page, click Command Prompt. At the command prompt, enter cd recovery to access the X:\Sources\Recovery directory.
6. At the command prompt, enter startrep to run the Startup Repair wizard. Follow the prompts to attempt to repair the server and enable startup.
Resolving Restart or Shutdown Issues
Normally, you can shut down Windows Server 2008 by clicking Start, and then clicking the Shutdown button, and restart Windows Server 2008 by clicking Start, pointing to the Options button, and then clicking Restart. Sometimes, however, Windows Server 2008 won’t shut down or restart normally and you are forced to take additional actions. In those cases, follow these steps:
1. Press Ctrl+Alt+Delete. The Windows Security screen should be displayed. If the Windows Security screen doesn’t appear, skip to step 4.
2. Click Task Manager, and then look for an application that is not responding. If all programs appear to be running normally, skip to step 4.
3. Select the application that is not responding, and then click End Task. If the application fails to respond to the request, you’ll see a prompt that allows you to end the application immediately or cancel the end task request. Click End Now.
4. Try shutting down or restarting the computer. Press Ctrl+Alt+Delete, and then click the Shutdown button. As a last resort, you might be forced to perform a hard shutdown by holding down the power button or unplugging the computer. If you do this, run Check Disk the next time you start the computer to check for errors and problems that may have been caused by the hard shutdown.
Index to Troubleshooting Topics
entries See ACEs (access control entries)
lists See ACLs (access control lists)
confi guring user policies, 1169–1170
Group Policy objects See GPOs (Group Policy objects)
Kerberos policy settings, 1169, 1173local user accounts, 1169
location of, 1169lockout policy, 1172, 1247password policy enforcement, 1170–1171password settings object creation, 1173–1176accounts
Accounts: Rename Administrator Account policy, 1248Accounts: Rename Guest Account policy, 1248
Administrator See Administrator account authentication of See authentication
built-in capabilities of, 1178contact accounts, 1168creating user accounts, 1184–1187default user accounts, 1168
domain See domain user accounts
expiration options for, 1192Guest account, 1168
InetOrgPerson See InetOrgPerson accounts local See local user accounts
membership in groups, 1178naming accounts, 1168OUs, placing in, 1136
permissions of See permissions policies for See account policies
RODC password replication policies, 1148, 1158–1159
user See user accounts user account control See UAC (User Account Control)
ACEs (access control entries), 1188ACLs (access control lists)Active Directory, role in, 988RODCs, for, 1158
ACPI (Advanced Confi guration and Power Interface), 379–382
ACPI BIOS, 240–241Act As Part Of The Operating System privilege, 1178activation of Windows Server 2008
process for, 88–90viewing status of, 126–127Active Directory
administering See Active Directory Users And
Computers snap-in
architecture of See Active Directory architecture
attribute management, 1014–1016, 1076authoritative restores of, 1412–1414backup strategies for, 1409–1410backups for installation media creation, 1127–1128
bridgehead servers role, 58 See also bridgehead
serversbuilding blocks, logical, 1053business requirements for, 1053–1054changing structure of, 1061–1062classes of objects, 1014
client connection requirements, 1111compatibility issues, 1016–1020Computer objects, 1014confi guration containers in a forest, 1055Contact objects, 1014
counters for, 1303–1304CPUs, requirements for, 1108creating domain controllers for existing domains, 1114–1122
data store architecture, 995–997delegation of administrative rights, 1064–1065, 1136–1139
designing systems of See Active Directory system
designDHCP authorization, 689DHCP set up with, 696, 698, 701
Directory Services log, 328DNs (distinguished names), 1003–1004DNS zones, Active Directory–integrated type, 752–755domain architecture design for, 50
Domain objects, 1014Domain Rename utility, 1061–1062
domain trees See trees, Active Directory
domain trust design, 55
domains See domains, Active Directory
failed domain controllers, removing references to, 1415–1416
failover clustering, confi guration for, 1351
forests See forests, Active Directory
functional levels, 1016–1020
global catalog server role, 58 See also global catalog
serversGroup objects, 1014
group policy See Group Policy
InetOrgPerson objects, 1014, 1063infrastructure masters, 57inheritance of permissions, 1137
installing See installing Active Directory
installing DNS Server service with, 767–771
KCCs See KCC (knowledge consistency checker) links See site links
LSA (Local Security Authority), 988–989
managing See Active Directory Users And Computers
snap-inmedia, installing from, 1126–1129memory requirements, 1108namespace design, 54–55nonauthoritative restores of, 1411–1412
operations master role, 57 See also operations masters
OS support issues, 1016–1018
OUs See OUs (organizational units)
PDC emulators, 57Performance Monitor counters for, 1303–1304planning deployments, 54–58
PrintQueue objects, 1014
read-only domain controllers See RODCs (read-only
domain controllers)recovery on SANs, 1110–1111RID masters, 57
RODCs See RODCs (read-only domain controllers)
Schema snap-in, 1047Server objects, 1014server roles, planning for, 57–58share information, publishing, 552
site concept, 58 See also sites, Active Directory
Site objects, 1014
snap-ins, 163Subnet objects, 1014System State fi les, 1110–1111, 1129
system volume See Sysvol Sysvol replication, 1077–1082 See also Sysvol
SYSVOL$ shares, 555task delegation, 1138–1139tools for administering, table of, 107transactional processing, 993–995, 1076
trees See trees, Active Directory
troubleshooting trust relationships, 1039–1040
trust relationships See trusts
uninstalling, 1129–1133User objects, 1014Windows Vista with, 10–11Active Directory architectureACLs, 988
administrator types, 1002attributes of objects, 998authentication mechanisms, list of, 989authentication procedure, 990Checkpoint fi le, 995
common names of objects, 1003Confi guration containers, 1004containers, 998
data fi le types, 995–996data store architecture, 995–997Database Layer, 992–993directory service component, 990–993directory trees, 999–1000
DNs (distinguished names), 1003–1004
domains, 999, 1004 See also domains, Active Directory
ESE (Extensible Storage Engine), 993–995, 997external trusts, 1003
Forest Root Domain containers, 1004
forests, 1000–1001 See also forests, Active Directory
global catalog servers, 1006group policy, role of, 988GUIDs, 992
indexed tables, 996LDAP, 991, 998–999log fi les, 995–997logical architecture overview, 997–998logon/access features used with, 989–990MAPI, 992
multimaster approach to replication, 991–992, 1085names of objects in data store, 992
NET LOGON, 989object class types, 998objects, 988, 998–999
operations masters See operations masters
OUs See OUs (organizational units)
partitions, 1005–1006physical layer overview, 987–988primary data fi les, 995–997purpose of Active Directory, 987RDNs, 1003
replication support, 991–993RODC design considerations, 1145–1148root domains, 1000, 1003–1004rootDSE objects, 1003–1004SAM with, 990, 992Schema containers, 1004schemas, 993, 998–999, 1055security descriptor tables, 996security subsystem key areas, 989–990security subsystem, relation to, 987shortcut trusts, 1003
SIDs (security identifi ers), 993
sites See sites, Active Directory
Temporary data fi les, 995tombstoned objects, 994–995top-level view of, 987–988transaction logs, 994trust paths, 1002–1003trust relationships, 988, 1001–1003user mode, 987
Windows NT 4 with, 992Active Directory Domain Services Installation Wizard
See installing Active Directory
Active Directory Domains And Trusts toolcreating trusts with, 1035–1038raising functional levels, 1019–1020Trust Type property, 1034
UPN suffi xes, adding, 1021validating trust relationships, 1039–1040viewing existing trusts, 1033–1035
Active Directory Migration Tool See ADMT (Active
Directory Migration Tool)Active Directory Schema snap-in, 1047Active Directory Sites And Servicesbridgehead servers, confi guring as preferred, 1300–1301
changing forest connected to, 1284creating sites, 1283–1285
domain controllers, associating with sites, 1286–1287global catalog server designation, 1012–1013site link bridges, confi guring, 1295–1297site link creation, 1289–1292
starting, 1012subnet creation, 1285subnets, associating with, 1285–1286universal group membership caching, 1021–1022
Active Directory system designattribute management, 1014–1016authentication design overview, 1020building blocks for, 1053
business requirements for, 1053–1054compatibility issues, 1016–1020cross-forest transitive trusts, 1030–1032delegating authentication, 1040–1043domain functional level, 1016–1018domain planning overview, 1058–1059elements of, 1007
Exchange Server 2007 with, 1014federated forest design, 1030–1032forest function level, 1018–1020
forests See forests, Active Directory
global catalog access, 1011–1013Kerberos for authentication, 1023–1026LDAP, 1010
multimaster replication model, 1008NTLM (NT LAN Manager), 1023–1024
operations masters See operations masters
OS support issues, 1016–1018
OUs See OUs (organizational units)
planning overview, 1007–1008, 1053–1054read-only domain controllers, 1008relative names of objects, 1010–1011replication attribute designation, 1014–1016
replication design, 1008–1009 See also replication
resource access process, 1025–1026RODC design considerations, 1145–1148security tokens, 1020–1022
session tickets, 1025–1026shortcut trusts, 1028–1029single vs multiple domains, 1060–1061single vs multiple forests, 1056–1057
sites See sites, Active Directory trees, searching, 1010–1011 See also trees, Active
Directory
trusts See trusts
two-way transitive trusts, 1027–1028universal groups, 1020–1022UPNs (user principal names), 1021Windows Server 2008 domain functional level features, 1018
writable domain controllers, 1008Active Directory Users And Computers snap-inaccount options, managing, 1189–1192adding members to groups, 1222administration, delegation of, 1137–1139computer account management, 1225–1231computer account property confi guration, 1229–1230creating computer accounts, 1225–1226
creating domain user accounts, 1184–1187creating groups, 1220
default accounts, listing, 1168delegated authentication, 1041–1043deleting computer accounts, 1228disabling computer accounts, 1228
fi nding shared folders, 552group properties, editing, 1223–1224infrastructure master role, managing, 1050–1051joining computers to domains, 1226–1227managing computer accounts remotely, 1228Member Of tab, 1188
moving computer accounts, 1227moving groups, 1224
OU creation with, 1133–1134Password Settings group creation, 1173–1176PDC emulator role, managing, 1050purpose of, 153
queries, saving, 1223renaming groups, 1224renaming user accounts, 1211–1212resetting passwords for computer accounts, 1228–1229resetting user account passwords, 1212–1213
RID (relative ID) role, managing, 1048–1050RODC Password Application Policy, editing, 1160–1162sending mail to groups, 1224
taskpad example, 174unlocking user accounts, 1213–1214user account properties, viewing and setting, 1187–1188active partitions, 77, 429
Active/Active controller model, 411
AD CS (Active Directory Certifi cate Services), 186
AD DS (Active Directory Domain Services)described, 186
installing, 1114 See also installing Active Directory
AD FS (Active Directory Federation Services), 186
AD LDS (Active Directory Lightweight Directory Services), 186
AD RMS (Active Directory Rights Management Services), 186
Add Features Wizardstarting, 114Windows Server Backup, installing, 1388Add Hardware Wizard, 235–236
Add Roles WizardRODC installations with, 1150starting, 114
Terminal Services installation, 936–938Add Workstations To Domain privilege, 1178Add/Remote Programs utility, 285–286
address classes See classes of networks
Address toolbar, 149–150
addresses, IP See IP addresses
Adjust Memory Quotas For A Process privilege, 1178Admin Approval Mode, 290–293
ADMIN$ shares, 554administration
Active Directory, of See Active Directory Users And
Computers snap-indelegation of administrative rights using OUs, 1064–1065
delegation of, for Active Directory objects, 1136–1139planning deployments, 51–54
planning, reviewing for, 42–43
remote See Remote Desktop for Administration tools for See administration tools
tools, legacy compatibility issues, 52administration tools
Active Directory tools, 107Administrative Tools menu, 106–110availability of, 109
Certifi cation Authority tool, 107command-line utilities, 110–111Computer Management console, 115–116computer specifi cation for, 109
Control Panel utilities See Control Panel
Data Sources (ODBC) tool, 107DFS Management tool, 107Event Viewer tool, 107Failover Cluster Management tool, 107File Server Resource Manager tool, 107Initial Confi guration Tasks console, 113–114installing, 109–110
installing full tool set, 160–161Net tools, 111–112
Network Policy Server tool, 108overview of, 105–106
PowerShell, 112–113Registry, effect of tools on, 248Reliability And Performance Monitor, 108
Server Manager See Server Manager console
Services tool, 108Storage Explorer, 108System console, 126–128administrative shares, 553–555Administrative Templates, Group Policy, 1235Administrative Tools menu, 385–388Administrator account
Accounts: Rename Administrator Account policy, 1248defi ned, 1168
renaming, 1168strong passwords recommended, 88administrator applications, 295
administrator tokens
application integrity, assuring
defined, 247
administratorsdomain, 1002enterprise, 1002forests, roles in, 1055Administrators groupdefault logon rights assigned to, table of, 1181–1182default privileges assigned to, table of, 1178–1181roaming user profi les, adding to, 1197
ADMT (Active Directory Migration Tool), 1061ADMX fi les, 1237–1238
Advanced Boot Options menu, 383advantages of Windows Server 2008, 3–4aliases, DNS, 797–798
Allowed RODC Password Replication group, 1159–1160alternate IP addressing, 660, 663–665
AMD-V, 10analysis of preexisting system for deployment planningassessing servers and services, 39
disaster recovery, 43–44hardware inventories, 39–40licenses, 39
localization issues, 39network administration review, 42–43network infrastructure evaluation, 38network management tools, assessing, 44network map creation, 38
network services and applications identifi cation, 40–41project worksheets, 37
purpose of, 37remote locations, 38security infrastructure, 41–42storage, 39
task in planning sequence, 29answer fi les
purpose of, 70specifying in Setup, 70APIPA (Automatic Private IP Addressing)troubleshooting, 676–677
use with DHCP, 665Appearance And Personalization console, 120–122application integrity
administrator applications, 295administrator user tokensApplication Information service, 294compliant applications, 294integrity levels, 297legacy applications, 294overview, 294
run levels, 296–299security settings related to, 299–301standard user tokens, 294
UAC role in, 294user applications, 295Application log, 327application serversApplication Server, 186defi ned, 60
applicationshigh-availability guidelines for, 1309–1311
installing See software installation
monitoring with Task Manager, 314
RemoteApps, making programs available as See
RemoteAppsrun levels, security tokens for, 247
running on remote servers See Terminal Services
settings, storage of, 247startup problems from, 388Terminal Services compatibility scripts, 942Terminal Services, installing, 939–943virtualization, security tokens for, 247Applications and Services logs, 327–328Apply Group Policy permission, 1259–1261architecture of Windows Server 2008boot environment, 13–14
DNS design, 762–765kernel architecture, 11–13Network Diagnostics Framework, 15–18support architecture, 14–25
architecture, Active Directory See Active Directory
architecturearchitecture, networkdomain architecture, 50team for planning, 31archives
archive attribute, 1385media rotation, 1386–1387media types supported, 1387atomic permissions, 575attributes
Active Directory architecture object attributes, 998
fi le and folder, 567multi-valued directory attributes, 1159nonresident NTFS attributes, 504OUs attributes, editing, 1135Read Attributes special permission, 573Read Extended Attributes special permission, 574resident NTFS attributes, 503
Write Attributes special permission, fi le sharing, 574
file and folder access, 581–585
logging, DHCP, 727–729
printer access, 884
Registry access, 283–284
Security log, 327
systemic procedures for, 1319–1320
Terminal Services access, 964–966
Authenticated Users group
default logon rights assigned to, table of, 1181default privileges assigned to, table of, 1178authentication
Active Directory related mechanisms, list of, 989computer accounts, troubleshooting, 1230–1231cross-forest transitive trusts, 1030–1032
delegation overview, 1040–1041 See also delegating
authenticationdesign overview, 1020forwarded tickets, 1040Kerberos for, 1023–1026NTLM (NT LAN Manager), 1023–1024outgoing trust authentication levels, 1038proxy tickets, 1040
RODC process for, 1144–1145security token generation, 1020–1022session tickets, KDC server, 1025–1026session tickets, Kerberos policy settings, 1173Terminal Services, for, 937
trust paths, 1002–1003
trusts See trusts
universal group membership caching, 1020–1022authoritative restores of Active Directory, 1412–1414Automatic Black Hole Router Detection, 631Automatic Dead Gateway Retry, 631Automatic Updates, 11
availability99.9 percent uptime goal, 1309application requirements for, 1310checklist for application deployments, 1311
clustering servers to improve See clusters, server facilities design See structures and facilities failover capabilities See failover clustering fault tolerance for, 1312 See also fault tolerance
hardware deployment process, 1312hardware planning checklists, 1313hardware standardization for high availability, 1311–1312
hardware strategy for, 1311–1313high, defi ned, 1309
highly available server deployment, 1321–1322integrated testing of applications for, 1310noncritical system goals, 1309
operational plan for See operations management
power supply redundancy, 1314predeployment planning checklist, 1322redundancy, components for improving, 1312server types, standardization by, 1312spare parts, 1312
standardized components for system services, 1310standardized deployment process, 1310
standby systems, 1312
B
backupsActive Directory backup procedure, 1409–1410Active Directory requirements, 1110–1111archive attribute, 1385
Back Up Files And Directories privilege, 1178command-line tools for, 1387
confi guring backup type, 1389copy backups, 1385
daily backups, 1385data considerations, 1382–1383destination selection, 1398DHCP backups, 1384differential backups, 1385–1386disaster preparedness procedures, 1373–1374
disaster preparedness, relation to, 1384 See also disaster
planningDNS backups, 1384DVDs for, 1390event logs for, 1400–1401
fi le server backups, 1384group membership required for, 1388Group Policy backups, 1278–1280, 1384importance of, 1381
incremental backups, 1385–1386installing Windows Server Backup, 1388manual backups, 1396–1400
media rotation, 1386–1387normal backups, 1385–1386one-time backups, 1396–1400optimal technique selection, 1383–1385plans for, 1318–1319
print server, 912–913, 1384programs for, 1384, 1388recommended strategy for, 1383
recovering data See recovery
Registries, 272scheduling, 1391–1395services, backup functions of, 1383–1384Shadow Copy API advantages for, 1383starting Windows Server Backup, 1388storage location selection, 1390strategy considerations, 1382–1383strategy creation questions, 1381–1382
system file considerations, 1382–1383
volume specification for, 1390–1391
VSS for fi le servers, 1384 See also VSS (Volume Shadow
Copy Service)Wbadmin command, 1387, 1390Windows Firewall settings for, 1390Windows Server Backup feature, 190Windows Server Backup overview, 1387WINS backups, 1384
baselines for performance, establishing, 344basic disks
compared with dynamic type, 428–430conversions to and from dynamic type, 430–432ESP partition type, 449–450
LDM partitions, 451–452managing GPT partitions on, 449–452managing MBR partitions, 434–448MSR partitions, 450–451
OEM partitions, 452primary partitions, 451basic folder permissions, table of, 572BCD (Boot Confi guration Data) storesboot sequence, temporarily changing, 404commands, table of, 389–390
creating entries, 394–395creating new, 393–394Debugger Settings entries, 397default operating system entry selection, 403deleting entries, 395
deleting options, 395–396DEP (Data Execution Prevention) options, 402Editor, 388–390
EMS Settings entries, 396–397entries in, 388
exporting, 394guidelines for modifying, 390GUIDs with, 392
Hypervisor Settings entries, 397importing, 394
multiple operating systems with, 393operating system display order, 402–403options for boot application entries, 399options for Windows OS Loader applications, 400–401PAE mode options, 402
properties, table of, 391purpose of, 382–383registry for, 382Resume from Hibernate entries, 396sample listing, 390–391
setting entry values, 395system BCD stores, 390timeout default, setting, 404
viewing entries, 390–393, 396–397well-known identifi ers, 392Windows Legacy OS Loader entries, 396Windows Memory Tester entries, 396BIOS (basic input/output system)ACPI requirement, 379entering during boots, 380legacy boots, 382
BirthObjectIDs, 516BirthVolumeIDs, 516BitLocker Drive Encryptionboot fi le validation, 477boot issues, 382data volume encryption, 493–494decrypting data volumes, 495defi ned, 188
deploying, 478–480disabling, 495Drive Preparation Tool, 484–485enabling encryption with PINs, 491enabling encryption with startup keys, 488–491FIPS, 481
installing, 485keys for volumes, 481listing encrypted volumes, 492non-TPM operation of, 477–478partitions for, 479–480, 482–485password management, 492–493performance issues, 477PIN management, 492–493PINs, role of, 491–492planning for, 479policy settings for, 480–481, 486–487purpose of, 11, 477
readiness test, 485–486recovering data, 494–495Recovery mode, 477–478recovery passwords, 487–488remote administration issues, 478setup steps, overview, 481–482Startup Key Only mode, 478startup keys, 488–491system vs data volume encryption, 481TPM and PIN mode, 478
TPM and Startup Key mode, 478TPM with, 468, 477–478TPM-Only mode, 478USB fl ash startup keys, 478Windows Vista vs Windows Server 2008 versions, 479BITS (Background Intelligent Transfer Service) Server Extensions, 188
boot configuration
ACPI requirement, 379
Advanced Boot Options menu, 383
applications problems, 388
BCD stores See BCD (Boot Confi guration Data) stores
BIOS legacy boots, 382BitLocker boots, 382boot environment layer, 382–383boot loader applications, list of, 388boot sequence, temporarily changing, 404CPUs, specifying number to use, 386DEP (Data Execution Prevention) options, 402desktop class system issues, 377
EFI legacy boots, 382
fi rmware boot settings, 381–382
fi rmware types, 379
fi rmware, entering during boots, 380hardware capabilities, 379–382memory, specifying amount to use, 386msconfi g.exe command, 385–388
No GUI boots, 386overview, 13–14, 377partition styles, 382power settings in fi rmware, 380–381power state management capabilities, 379–382power state options, 379–380
Safe Boot modes, 386SANs, booting from, 409–411services problems, 387Startup And Recovery dialog box, 384–385startup control within boot environment, 382–383startup issues compounded in 2008, 377Startup Repair Tool, 1408–1409System Confi guration, 385–388timeout default, setting, 404TPM for boot fi le validation, 468Windows Boot Loader, 383Windows Boot Manager, 383Windows Vista power state management, 378boot partitions
defi ned, 77mirrored boot volumes, 459–462system partition allowed with, 429BOOTP (Bootstrap Protocol), 685bottlenecks
disk I/O, 360–362memory, 356–358network-based, 362–363overview of, 356bridgehead serversconfi guring, 1298–1301defi ned, 58
intersite replication with, 1089–1091
listing for sites, 1298multiple, 1094–1095preferred servers, 1299–1301replication attribute options, 1305–1306RODCs not allowed as, 1145
site links, relationship to, 1287sites, role in, 1072
testing replication, 1305–1306bridges, 639
broadcast IP addresses, 636–637budget issues, 47–48
building phase of MSF (Microsoft Solutions Framework), 28
business requirementsActive Directory planning for, 1053–1054goal assessment task for planning deployments, 34–35organizational objectives, specifying, 45–46
system availability See availability
business units as OUs (organizational units), 1066Bypass Traverse Checking privilege, 1178
per-server vs per-user options, 71Terminal Services with, 925–927CAPI2 (CryptoAPI version 2), 18certifi cates
Certifi cation Authority tool, 107OCSP (Online Certifi cate Status Protocol), 18change control procedures, 1317–1318change journals, 514–515
change logs, 1317change management planning process, 54Change Permissions
fi le sharing, 564
fi le special permission, 575printer permission, 880Change The System Time privilege, 1179Change The Time Zone privilege, 1179Check Disk tool
bad sectors, marking, 540command-line parameters, table of, 537–538dirty, marking disks as, 537
FAT volumes, analyzing, 538–539
fi xing errors with, 535–537NTFS volumes, analyzing, 539–540repairing volumes, 540
Self Healing NTFS alternative to, 520–521syntax for, command line, 537
child domains, 653
child folders, 569
CIDR (classless interdomain routing)
nonclassful network nature of, 637
notation, 640–641
classes of networksclass A network subnets, 642–644class B network subnets, 644–645class C network subnets, 645–646IDs for, 638–639
purpose of, 633–635clean installationsInitial Confi guration Tasks console, 87installation step, 87
language selection, 86product keys, 85–86rolling back installations, 84starting, 84
steps for, 84–88updates during, 85where to install to, choosing, 86–87
client access licenses See CALs (client access licenses)
cluster-aware applicationsfailover clustering of, 1348high-availability goals for, 1309–1310redundancy role of clustered systems, 1312service compatibility requirements, 1325clusters, fi le system
FAT, 500
fi le system overview, 498–499NTFS, 508
clusters, serveractive nodes, 1327–1328
application software compatibility with See
cluster-aware applicationsavailability goal of, 1324benefi ts of, 1324–1325Cluster Administrator renamed, 1352Cluster service, 1352–1353
failover function See failover clustering
failures, causes of, 1324farms, 1325
fault tolerance not provided by, 1324high availability, 1323–1324
load balancing See NLB (Network Load Balancing)
maximum number of nodes supported, 1326multisite options, 1329–1330
nodes defi ned, 1323operating modes, 1327–1328operating system version differences for, 1326organization of servers in, 1325–1326packs, 1325–1326
passive nodes, 1327–1328
print drivers with, 846purpose of, 1324quorums, 1330redundancy role of, 1312reliability goals, 1324–1325SANs using, 409–411scalability goals, 1325scalability limits, 1326server clusters defi ned, 1323–1324shadow copy issues, 595
three-tier structure for, 1326CMAK (Connection Manager Administration Kit), 188color printers
basics of, 851profi les, confi guring, 906–907color scheme selection, 120–121command-line utilities, list of, 110–111Compact command, 523
compliant applications, 294Compound TCP, 631compressed (zipped) folders, 524–525computer accounts
authentication issues, 1230–1231Computer container, 1225computer name, viewing, 1229creating, 1225–1226
delegated authentication, 1042–1043, 1229deleting, 1228
dial-in settings, 1230disabling, 1228Effective Permissions tool, 1188–1189group membership confi guration, 1229
group policies for See Group Policy
joining computers to domains, 1226–1227Managed By property, 1229
managing remotely, 1228moving, 1227
properties, confi guring, 1229–1230remote install option, 1230resetting passwords, 1228–1229security options, advanced, 1230troubleshooting, 1230–1231user object canonical name, 1229Computer Management consolecomponents of, 115
Computer Management Services And Applications tools, 116
Computer Management Storage tools, 116Computer Management System Tools, 115–116creating shares with, 559–562
fi le sharing, 556MMC nature of, 155offl ine fi les confi guration, 1207–1208
Computer Management console, continued
publishing shares, 563
remote device management, 221
shadow copy configuration, 593–596
share permission configuration, 565–566
TS Session Broker authorization, 946–947
computer names
Append Suffixes settings, 667–668
changing, 127
viewing, 117, 126
WINS for resolving, 654–655
conditional forwarding, DNS
benefits of, 754
configuring, 786–788
drawbacks of, 756
purpose of, 748
configuration tools. See administration tools
Configure A DNS Server Wizard, 773–783
configuring TCP/IP networking
alternate IP addressing, 660, 663–665
DNS configuration, 667–669
dynamic IP addressing, 660, 663–665
IP address configuration methods, 660–661
IP address information needed, 657–658
multiple gateway configuration, 665–666
overview of, 660
static IP address assignment, 660–663
WINS configuration, 669–671
configuring Windows Server 2008. See also specific configuration topics
desktop configuration, 142–143
menu customization. See menu system
overview of, 129
Quick Launch, 148–149
taskbar configuration, 143–148
toolbar optimization, 148–151
conflict detection of IP addresses, 734
consoles. See MMCs (Microsoft Management Consoles)
contact accounts, 1168
contingency allowances in planning projects, 48–49
Control Panel
Appearance And Personalization console, 120–122
color scheme selection, 120–121
Date and Time utility, 122–123
desktop background selection, 121
display settings for monitors, 122
Folder Options utility, 123–124
mouse pointer selection, 121
overview of utilities in, 106
Programs And Features page, 287–288
Regional and Language Options utility, 125
Registry, effect of tools on, 248
screen savers, 121
sound schemes, 121
themes, 121–122
Uninstall Or Change A Program utility, 273
views available, 119–120
copy backups, 1385
copying items, 135–136
core-server installation type, 80
counters
Active Directory counters, 1303–1304
adding to Performance Monitor, 349–350
alert configuration, 369–370
counter list, 352
data collector sets of. See data collector sets
default, 349
defined, 346–347
deleting, 350
disk I/O, 360–362
display of, 350
graphing of statistics for, 351
Histogram Bar view, 353
memory, 357–358
Memory\Available Bytes, 357
Memory\Commit Limit, 357
Memory\Committed Bytes, 357
Memory\Page Faults/Sec, 357
Memory\Pages Input/Sec, 357
Memory\Pages Output/Sec, 357
Memory\Pages/Sec, 357
Memory\Pool Nonpaged Bytes, 358
Memory\Pool Paged Bytes, 358
network, 362–363
Paging File\% Usage, 358
Paging File\% Usage Peak, 358
Paste Counter List button, Performance Monitor, 352
performance objects, table of common, 348–349
Physical Disk\% Disk Time, 358
Physical Disk\Avg Disk Queue Length, 358
Physical Disk\Avg Disk Sec/Transfer, 358
PhysicalDisk\ counters, 361–362
print server, 909–912
Processor\% Privileged Time, 360
Processor\% Processor Time, 360
Processor\% User Time, 360
Processor\Interrupts/Sec, 360
remote monitoring of, 354–355
Report view, 353
sample rates, 351
System\Processor Queue Length, 360
CPUs (central processing units)
Active Directory requirements for, 1108
bottlenecks, resolving, 359–360
counters for, 360
installation errors caused by, 98–99
Itanium. See Itanium-based servers
listing types of, 126
multiprocessor affinity issues, 359
performance statistics in Reliability And Performance Monitor, 345
performance statistics in Task Manager, 311–313
process usage of, 315
processor scheduling options, 304–305
requirements by edition, 72–73
specifying number to use, 386
WSRM (Windows System Resource Manager), 190
crash dump partitions, 77, 429
Create A Pagefile privilege, 1179
Create A Shared Folder Wizard, 560–562
Create Files/Write Data special permission, 574
Create Folders/Append Data special permission, 574
Create privileges, 1179
credentials, logon, 1195
cross-forest transitive trusts, 1030–1032, 1035
D
daily backups, 1385
DAS (direct-attached storage), 405–406
data collector sets
alert configuration, 369–370
capabilities of, 363
configuration sets, 364, 368
creating, 365–367
deleting, 365
performance counter sets, 364–367
purpose of, 343, 363
Reliability And Performance Monitor console for, 363–364
reports, viewing, 368–369
saving as templates, 364
startup event traces, 364
trace data sets, 364, 367–368
types of, 364
Data Execution Prevention (DEP) options, 402
data packets. See packets
Data Sources (ODBC) tool, 107
data streams, 512–513
database server failover clustering, 1349–1351
Datacenter edition, Windows Server 2008
features of, 6
hardware requirements for installations, 72–73
selection criteria, 62–63
Date And Time utility, 122–123
day-to-day operations. See operations management
Dcgpofix utility, 1282
Dcpromo command, 1112, 1114, 1129
Debug Programs privilege, 1179
Default Domain Controllers Policy GPO
purpose of, 1235
restoring defaults, 1282
Default Domain Policy GPO
purpose of, 1235
restoring defaults, 1282
defragmenting drives
configuring automated, 541–542
Disk Defragmenter for, 543–544
fragmentation analysis, 545–546
fragmentation process, 541
shadow copy issues
delegating authentication
account option for, 1192
configuring, 1041–1043
purpose of, 1040
ticket models for, 1040
delegating management tasks
defined, 1249
delegating Group Policy management privileges, 1252–1253
delegating privileges for links and RSoP, 1253
GPO creation rights, 1249–1250
reviewing Group Policy management privileges, 1250–1252
Delete special permission, 574
Delete Subfolders And Files special permission, 574
deleting user accounts, 1210–1211
Denied RODC Password Replication group, 1159–1160
DEP (Data Execution Prevention) options, 402
department based groups, 1217
deployments of applications
checklist for, 1311
standardized deployment process for high availability, 1310
deployments of hardware
highly available server deployment, 1321–1322
standard process checklist, 1312
deployments of Windows Server 2008
MSF deployment phase, 28
planning. See planning deployments
designing new networks
domain architecture, 50
network operations issues, 50–51
overall objectives for, 50
place in overall design plan, 30
security requirements, 51
Desktop Experience
defined, 12–13
purpose of, 188
recommended, 129
Software Explorer, 288
Desktop toolbar, 150
desktops, configuring, 142–143
development teams, 32
Device Manager
conflicting devices, 240–243
driver installation steps, 230–232
drivers, viewing information about, 224
Enable Device command, 225
removing drivers, 234
Resources tabs for drivers, 227–228
rolling back drivers, 233
shortcut menu options, 220
troubleshooting with, 237–243
types of devices displayed, options for, 221
viewing devices with, 219–220
warning symbols, 220
devices. See also hardware
drivers for. See drivers
installing, 215–221
DFS (Distributed File System)
architecture of, 1081–1082
clustering with, 1363
DFS command-line tools, 409
DFS management tool, 107
Dfscmd tool, 409
Dfsdiag tool, 409
metadata of, 1080
Namespaces, 415, 417–418
optimizing File Services with, 415
purpose of, 408
Replication, 415
Replication log, 328
sites, Active Directory, effects on, 1073–1074
Sysvol replication, 1077–1082
DHCP (Dynamic Host Configuration Protocol). See also DHCP console
Active Directory authorization for, 689, 701
Active Directory, setting up with, 696, 698
APIPA, 665, 676–677
audit logging, 727–729
autoconfiguration routine, 687–688
availability, 693–695
backups of, 1384
client broadcasts, 689–690
clients per server guideline, 686
clustering with, 1363
configuring network addresses, 663–665
conflict detection with, 734
conflicting addresses, troubleshooting, 677
console. See DHCP console
database management, 735–737
defined, 685
DHCP Server, 186
DHCPv6 capable clients, 632, 687–688
DHCPv6 stateless mode, 698
Discover messages, 689–690
DNS configuration with, 667, 686, 697, 730, 757
domain controller collocation issue, 689
dynamic addressing, 660
dynamic clients, 685
dynamic DNS with, 759–760
exclusions, 686, 709, 712–713
failover, 693–695
fault tolerance, 693–695
installing DHCP Server service, 697–700
IPCONFIG command for lease control, 680
IPv4 autoconfiguration, 687
IPv4 messages and relay agents, 689–691
IPv6 autoconfiguration, 687–688
IPv6 messages and relay agents, 691–693
lease audits, 728
lease broadcast process, 689–693
lease databases, 685
lease date stamps, viewing, 673
lease duration specification, 705–706
lease renewal process, 679–680
leases defined, 660
limited broadcasts, 637
M and O flags, 691–693
management console. See DHCP console
message mechanics, 689–693
multiple gateway configuration, 665
NAP integration, 731–733
Netsh DHCP command, 700
NICs, binding to server’s, 729
normal scope creation, 702–710
number of clients per server, 696
Offer messages, 689–690
planning issues, 60, 689–695
relay agents, 691–693, 737–742
renewing leases, 690–691
Request messages, 689–690
reservations, 686, 713–716, 718
restoring data, 737
Routing and Remote Access Services setup, 737–739
RRAS integration, 686–687
saving configurations of, 734–735
saving data, 737
scopes. See scopes for IP addresses
security issues, 688–689
server selection guidelines, 689, 696
servers, reservations recommended for, 686
setting up servers, overview of, 696–697
sites, requirements for, 1073
standby servers, 696
startup sequence for clients, 687
TCP/IP option configuration. See TCP/IP options under DHCP
troubleshooting, 679–680
user-defined classes, 724–726
WINS settings, 697
wireless network security issues, 689
workgroup setup with, 697
DHCP console
activation of scopes, 716
domain name specification, 706
exclusions, 712–713
lease duration specification, 705–706
normal IPv6 scope configuration, 708–710
reservation management, 713–716
router address specification, 706
scope creation, 702–705
starting, 699
WINS server specification, 707
DHCPv6. See also DHCP (Dynamic Host Configuration Protocol)
clients, 632, 687–688
stateless mode, 698
diagnostics
key areas, table of, 20–21
Network Diagnostics Framework, 15–18
overview of, 14–15
startups, diagnostic, 385–388
WDI (Windows Diagnostics Infrastructure), 19–25
dial-in settings for computer accounts, 1230
differential backups, 1385–1386
direct-attached storage. See DAS (direct-attached storage)
directory. See Active Directory
directory partitions. See partitions, directory
Directory Replicator remote access to Registry requirement, 282
directory service (Ntdsa.dll)
Active Directory with, 992–993
defined, 990
names of objects, 992
replication, role in, 993
schemas, 993
SIDs, reading, 993
Directory Services log, 328
Directory Systems Agent. See DSA (Directory Systems Agent)
directory trees. See trees, Active Directory
disabling user accounts, 1193, 1195, 1211
disaster planning
availability issues. See availability
backup plans for data, 1370
backup procedures, 1373–1374
backups, coordinating with, 1384
emergency response teams, 1371
escalation procedures, 1372–1373
fault tolerance, 1370
identification of essential systems, 1369–1370
incident response teams, 1371
Microsoft Product Support, 1375–1376
notification procedures, 1372
On Screen Keyboard, 1377
overview of, 1369
physical security, 1370
post-action reporting, 1373
power protection plan, 1370–1371
preparedness procedures list, 1373
priorities systems, 1373
problem resolution policy documents, 1371–1373
recovery issues, 43–44, 1370
Rollback wizard, 1378
servers, types of essential, 1369
staff key data, 1372
Startup Repair, 1374–1375
UPS (uninterruptible power supplies), 1370–1371
vendor key data, 1372
Disk Defragmenter, 541–546. See also defragmenting drives
disk drives. See hard disk drives; storage
disk I/O subsystem, 497
Disk Management snap-in
adding new disks, 423–424
bad sectors, marking, 438
Check Disk, starting, 536
command-line counterpart. See DiskPart tool
converting basic to dynamic disks, 431–432
converting dynamic to basic disks, 432
encrypted BitLocker volumes, 492
extending volumes, 443–446
moving dynamic disks, 456–457
purpose of, 419–420
quotas, setting, 529–532
rescanning disks, 455–456
shrinking partitions with, 446–447
spanned volume creation, 453–454
views available, 421
volume creation, 435–439
disk mirroring. See mirrored volumes
disk quotas. See quota management
disk striping. See striped volumes
DiskPart tool
converting disk types, 432
defined, 409, 421
extending volumes, 445–446
DiskPart tool, continued
invoking, 421
listing devices with, 422
sample session, 422
selecting devices, 422
shrinking partitions with, 447
Distributed File System. See DFS (Distributed File System)
distribution groups, 1216
DLT (Distributed Link Tracking) Client, 516–517
DNs (distinguished names)
defined, 1003–1004
searching, 1010–1011
DNS (Domain Name System)
A records, 794–797
AAAA records, 794–797
Active Directory requirements, 1109–1110
Add Roles Wizard for installing services, 771
aging configuration, 807–808, 818
aliases, 797–798
appending computer names settings, 667–668
application directory partitions, configuring, 804–806
architecture for, 762–765
automatic record creation, 794
backups of, 1384
cache management, 813
canonical names, 748
client TCP/IP configuration checks, 810–811
client/server nature of, 743
CNAME records, 797–798
conditional forwarding, 748, 754, 756, 786–788
configuration flags, table of, 816–818
Configure A DNS Server Wizard, 773–783
configuring settings, 667–669
database for, 746
defined, 743
destination caches, 683
DHCP-based configuration, 667, 686, 697, 730, 757
DNS console, 771–772
DNS names for domains, setting, 768
Dnscmd /Info command, 813–814
Dnscmd /Statistics command, 818–819
Dnscmd command, 772
DNSSEC (DNS Security), 757–758
domain names, 653–654
dynamic updates, 668, 759–760, 776, 781–782, 819
event logging, 808–809
external name resolution security, 760–761
external resource requests, 747–748
forward lookup queries, 743
forward lookup zone creation, 774–781, 783–785
forwarders, 777–778, 782–783, 786–788, 818
global name deployment, 803–804
host addresses, 748
host names, 653
inappropriate associations, 757
installing DNS Server service with Active Directory, 767–771
installing DNS Server service without Active Directory, 771–773
IPv6 addresses for servers, 681, 756–757
ISP zone maintenance, 776
LLMNR with, 655–656
log configuration, 808–809
lookups, troubleshooting with, 812
mail exchange addresses, 749
main components of, 746
MX (Mail Exchanger) records, 798–799
name resolution in, 654, 746–748
name server resource records, 749
namespace, Active Directory planning, 54–55
namespaces, 744–746
NS records, 794, 799–800
parameters, server configuration, table of, 815–818
planning deployments of, 40, 59
planning overview, 744
pointer resource records, 749
preferred DNS server IP addresses, 773
primary DNS servers, 750–751, 771
primary zone creation, 775
private namespace, 746
PTR records, 794–797
purpose of, 652
query and reply, basic, 746–747
query security issues, 757–758
query statistics, 818–819
query types, 743
record change propagation, 795
recursion, 778, 786–788
registering clients, 809
replication scope, 780, 782
replication, troubleshooting, 813
resolver caches, 681–683, 811
resource records, 748–749, 794–802
restart issues, 754–755
reverse lookup queries, 743–744
reverse lookup zone creation, 781–782, 785–786
reverse lookup zones, 774
RODCs with, 1143, 1149
root hints files, 760–761, 778
roots name servers, 760–761
roots, namespace, 745
round-robin load balancing, 797, 1331
scavenging, 807–808
secondary DNS servers, 750
secondary notification configuration, 793–794
secondary zone creation, 775
secondary zone setup, 770–771
secure dynamic updates, 759–760
separate-name design, 763–765
server order, setting, 667
server TCP/IP configuration checks, 812–813
service location resource records, 749
sites, requirements for, 1073
small network configuration, 774–778
SOA records, 794, 800
split-brain design, 762–763
SRV records, 794, 801–802
start-of-authority resource records, 749
static, single label name configuration, 803–804
subdomain configuration, 788–791
testing, 682
top-level domains, 745–746
troubleshooting, 680–683
troubleshooting client services, 809–812
troubleshooting server services, 800–821
TTL values, 682
viewing server configuration, 813–819
WINS lookups using, 839
zone transfers, 791–793
zones, 749–757
DNS Server. See also DNS (Domain Name System)
defined, 186
log, 328
documentation, importance of, 1317
domain administrators, 1002
domain controllers
authoritative restores of Active Directory, 1412–1414
backup media, creating from, 1127–1128
backup requirements, 1110–1111
change journals, 514
configuration containers in a forest, 1055
creating domain controllers for existing domains, 1114–1122
Default Domain Controllers Policy GPO, 1235, 1247–1249
delegation of administrative rights, 1136–1139
deleting, 1129–1133
designing systems of. See Active Directory system design
DHCP server collocation issue, 689
domain architecture design, 50
failed, removing references to, 1415–1416
global catalog access, 1011–1013
global catalog servers, 1006
hardware guidelines, 1108–1109
IP addresses, 1109
local account issues, 1113–1114
moving out of Domain Controllers OU, danger of, 1249
NETLOGON share, 555
nonauthoritative restores of Active Directory, 1411–1412
operations master. See operations masters
OS support issues, 1016–1018
OUs created within, 1133
partitions, 1005
planning issues, 58–59
privileges required for creating, 1112–1113
read-only. See RODCs (read-only domain controllers)
recovery strategies for, 1409–1410
replication issues. See replication
replication scope, 1008
replication topology based on number of, 1092
restoring failed with new, 1415–1416
restoring Sysvol data, 1414–1415
sites, associating with, 1286–1287
sites, locating in separate, advantages of, 1075
subdomain, DNS configuration for, 788–791
SYSVOL$ shares, 555
trust paths, 1002–1003
domain functional levels
operations masters, 57
planning for, 55–57
purpose of, 1016
RODC level requirements, 1148
Sysvol replication, 1077–1082
table of, 1017
Windows 2000 native mode, 1017
Windows 2008 mode, 1018
Windows Server 2003 mode, 1017–1018
domain local groups
defined, 1217
local domain processing requirement, 1218
member inclusion rules, 1218
nesting limitations, 1218
permissions rules, 1218
reasons for using, 1218–1219
domain names
child domains, 653
defined, 653
fully qualified, 654
obtaining, 653
parent domains, 653
resolving. See name resolution services
top-level domains, 653
domain naming master role, 1044–1046, 1048
Domain Rename utility, 1061–1062
domain trees, 1053. See also trees, Active Directory
domain trusts
configuring, 1035
planning for, 55
domain user accounts
Administrator. See Administrator account
backing up passwords, 1214–1215
built-in capabilities of, 1178
cached credentials, 1195
consistency requirement, 1169
creating, 1184–1187
default user accounts, 1168
defined, 1167
deleting, 1210–1211
disabling, 1191, 1193, 1195, 1211
Effective Permissions tool, 1188–1189
enabling, 1211
enabling disabled, 1195
expiration options for, 1192
folder redirection, 1203–1207
group memberships of, 1177–1178
Home Folder, 1194
inheritance effects, 1188
Kerberos options, 1192
Kerberos policy settings, 1173
lockout policy, 1172, 1195
logon rights of, 1178
maintenance overview, 1210
moving, 1211
multiple users, selecting, 1211
naming accounts, 1168
options, managing, 1189–1192
password policy enforcement, 1170–1171
Password Settings containers, 1169
permissions of, 1178
policy configuration, 1169–1170
privileges of, 1178
profile settings, 1193–1194
properties, viewing and setting, 1187–1188
renaming, 1211–1212
resetting passwords, 1212–1213
security descriptors of, 1188
SIDs (security identifiers) of, 1210
smart cards, requiring, 1192
top-level account policies, 1169
troubleshooting, 1195
unlocking, 1213–1214
user profiles. See user profiles
DomainIDs, 516
domains, Active Directory
assigning user rights for, 1182–1183
changing designs for, 1061–1062
creating new domains in new forests, 1122–1125
creating new domains or trees in existing forests, 1125–1126
creation in Active Directory, 1005
defined for Active Directory, 999, 1053
delegation of administrative rights, 1136–1139
deleting, 1129–1133
design considerations, 1059
domain functional level, 1016–1018
domain security policies, 1059
enforcing inheritance, 1258–1259
forests, relationship to, 1054–1055
group policies created with, 1235
group policies of. See Group Policy
group policy inheritance order, 1254
joining computer accounts to, 1226–1227
language standardization within, 1059
membership options, 83
OUs in. See OUs (organizational units)
planning overview, 1058–1059
policies on, 1059
privileges required for installing, 1112–1113
raising functional levels, 1019–1020
renaming, 1061–1062
replication considerations, 1059
resource access issues, 1059
root domains, 1000
servers for. See domain controllers
single vs multiple, design considerations, 1060–1061
sites, relationship to, 1071
task delegation, 1138–1139
top-level domains, 653
trees. See trees, Active Directory
trusted and trusting, 1001–1002
DoS attacks, DHCP vulnerability to, 688
drive letters
assigning, 436
configuring, 440–442
enumeration of, 435
drivers
adding print drivers, 888
base installation library of, 222
bugginess of, 211
Code Signing For Device Drivers policy, 224
detection of missing, automatic, 215
disabling, 236–237
improvements in, 19
installation steps, 230–232
installation wizards, 229–230
installing available updates, 215–216
kernel mode, 845
loading disk drivers during installation, 94–95
maintaining lists of, 228
manifest files, 222
Microsoft Universal Printer Driver, 846
network adapters, Advanced settings for, 227
new device installation, 216–219
non–Plug and Play, adding, 235–236
Plug and Play installation process, 216–219
policies for updates, 230
PostScript, 846
printer, 844–846, 887–889
printer, client-side, 894–895
purpose of, 215, 222
Registry, interactions with, 222
remote management of, 221
removing, 234
removing print drivers, 889
resource settings for, 227–228
restricting installation using group policy, 232–233
rolling back, 233
Setup Information files, 222
signed, 223
troubleshooting, 237–243
Unidrv, 846
uninstalling, 236–237
unsigned, 223–224
Update Driver settings, 128
update settings for, 215
updating, 219
user mode, 845
version issues, 229
viewing information about, 224
DSA (Directory Systems Agent), 992–993
dsadd group command, 1221
dsadd user command, 1186
dsget group command, 1221
DSM (Device Specific Module), 411
Dsmgmt command, 1165
dsmod group command, 1221
dsquery user -disabled command, 1195
dump files, 1380
dust and air quality, 1314
dynamic disks
converting to and from basic disks, 430–432
drive section types, 429
extending partitions, 445–446
limitations of, 430
moving, 456–457
purpose of, 428
shrinking partitions, 446–447
spanned volumes, 452–454
types of volumes allowed, 452
dynamic DNS, 759–760
dynamic IP addressing. See also DHCP (Dynamic Host Configuration Protocol)
configuring, 663–665
conflicting addresses, troubleshooting, 677
dynamic clients, 685
temporary vs nontemporary IPv6, 709
dynamic updates, DNS, 668, 759–760, 776, 781–782, 819
E
earthquakes, 1315
editions of Windows Server 2008
Datacenter, 6
determining which to use, 61–63
Enterprise, 6
hardware requirements, table of, 72–73
for Itanium-Based Systems, 8
list of, 5
selection criteria, 61–63
Standard, 5
Web Server, 6–7
effective permissions
determining, 578–579
Effective Permissions tool, 578–579, 1188–1189
EFI (Extensible Firmware Interface)
ACPI requirement, 379
boot maintenance manager of, 78
creating new BCD store, 393–394
entering during boots, 380
installing Windows Server 2008 on Itanium systems, 78–79
EFS (Encrypting File System)
EFSInfo utility, 1114
evading, 477
purpose of, 467
vulnerability of, 467
EIST (Enhanced Intel SpeedStep Technology), 381
elevation
administrator applications requirement for, 295
color coding of prompts for, 297–298
defined, 290
security settings related to, 299–301
software installation, required for, 285
e-mail
distribution groups, 1216
SMTP (Simple Mail Transfer Protocol) Server, 189
emergencies. See also disaster planning
data recovery plans, 1318–1319
emergency response teams, 1371
problem-escalation procedures, 1319
EMF (enhanced metafile format)
printing process with, 842–843
purpose of, 842–843
server hardware requirements, 847
Unidrv support for, 846
EMS (Emergency Management Services), 70–71
Enable User And Computer Accounts To Be Trusted For Delegation privilege, 1179
drive. See BitLocker Drive Encryption
Encrypting File System. See EFS (Encrypting File System)
remote desktop use of, 613
Terminal Services, 924, 959
Enforce Password History setting, 1170–1171
Enhanced Intel SpeedStep Technology (EIST), 381
enhanced metafile format. See EMF (enhanced metafile format)
enterprise administrators, 1002
Enterprise edition, Windows Server 2008
hardware requirements for installations, 72–73
purpose of, 6
selection criteria, 61–62
TS Session Broker, required for, 944
Enterprise Read-Only Domain Controller group, 1159
environment variables, 1194
envisioning phase of MSF (Microsoft Solutions Framework), 28
error messages, hardware, table of, 238–240
eSATA, 213
ESE (Extensible Storage Engine)
operations of, 993–995
Utility, 997
ESP partition type, 449–450
Event Viewer
archiving logs, 337–338
Computer field, 332
defined, 107
entries in, 330–332
event levels, 330
filtered views, 334–337
Help features, 332
Properties dialog boxes for events, 332
remote systems, viewing, 333
searching logs, 334
sorting logs, 334
starting, 329
subscription creation, 341–342
User field, 331
views available, 329–330
events
Application log, 327
Applications and Services logs, 327–328
archiving logs, 337–338
backups, tracking, 1400–1401
configuring logs, 329
defined, 326
DFS Replication log, 328
Directory Services log, 328
DNS Server log, 328, 808–809
Event Log service, 327
File Replication Service log, 328
filtered views of, 334–337
Forwarded Events log, 327
forwarding to logging servers, 341–342
Hardware Events log, 328
logging servers, enabling, 341–342
Microsoft\Windows logs, 328
network load balancing events, 1344
of remote systems, viewing, 333
PowerShell for tracking, 338–341
searching logs for, 334
Security log, 327
Setup log, 327
sizing of logs, 328–329
sorting within logs, 334
subscriptions, 341–342
System log, 327
viewing. See Event Viewer
Windows logs, 327
Exchange Server 2007, 1014
exclusions for IP addresses, 686, 709, 712–713
Execute File special permission, 573
exFAT, 434
expiration options for accounts, 1192
explicit trusts, 1028–1029
Explorer, Network. See Network Explorer
Explorer, Windows. See Windows Explorer
Extensible Storage Engine. See ESE (Extensible Storage Engine)
extension components of MMCs, 155–156
external trusts, 1003
F
facilities for servers. See structures and facilities
failover clustering
Active Directory configuration for, 1351
active node mode, 1327–1328, 1345
adding nodes to clusters, 1360
availability planning, 1364
cluadmin command, 1356
Cluster Administrator renamed, 1352
cluster databases, 1354
Cluster Disk Driver, 1353
Cluster Network Driver, 1352–1353
cluster objects, 1352–1353
Cluster service, 1352–1353, 1365
cluster-unaware applications with, 1348–1349
cluster-aware applications, 1348
configuration options, 1345–1347
controlling nodes, 1365
creating clusters, 1356–1360
database server requirements, 1349–1351
DFS namespace server with, 1363
DHCP Server with, 1363
failback policy settings, 1366
Failed state, 1355–1356
Failover Cluster Management tool, 107, 1352
failover policy settings, 1365–1366
File Server with, 1363
Generic Application resource type, 1363
Generic Script resource type, 1363
hardware optimization for, 1349–1351
heartbeats, 1353
high-availability configuration for services and applications, 1364–1365
host name, setting for, 1359
installing, 1345
iSCSI with, 1350–1351
majority node clusters, 1346
Microsoft Cluster service, 1345
multinode clusters, 1346
network adapter interface states, 1355
network adapters for, 1350
network optimization for, 1351–1352
network settings, modifying, 1361
network states, 1355–1356
nodes, maximum number of, 1345
paging files, 1349
passive node mode, 1327–1328
print servers with, 1363, 1367
purpose of, 188, 1323
quorum resources, 1354
quorum settings, 1362
RAID configurations, 1349–1350
resources of, 1347–1349
resources specification, 1363–1365
SAN optimization for, 1351–1352
shared folder creation, 1366
single node clusters, 1345
sites, multiple physical, 1329–1330
SQL Server requirements, 1349
storage devices for, 1345, 1351
storage tests, 1357
storage, adding to clusters, 1361
support applications of clustered services, 1364
types of clusters, basic, 1345
Unavailable state, 1355–1356
Up state, 1356
validation tests, 1356–1358
Web server requirements, 1349–1351
Windows Server 2008 compatibility, 1350
Windows services with, 1363
WINS with, 1363
failover, DHCP service, 693–695
farms
farm names in Terminal Services, 949
organization of servers in, 1325–1326
FAT (file allocation table) file system
capabilities of, 500–501
Check Disk, analyzing volumes with, 538–539
clusters, 498–500
converting to NTFS, 432–433
data storage calculations, 501–502
data streams not supported, 513
disadvantages of, 500–501
file allocation table structure, 499–500
formatting drives as, 437–439
integrity of files, 535
mounting volumes, 502
overview of, 499
structure of, 499–500
versions of, 498
volume size issues, 501–502
fault tolerance
DHCP, 693–695
disaster planning, for, 1370
high availability, contribution to, 1312
RAID 5, 462–463
faxing
Fax Server, 186
FAX$ shares, 554
features
Add Features Wizard, starting, 114
adding, 199
component names for, 204–207
defined, 185
removing, 199–200
table of, 188–190
federated forest design, 1030–1032
Fibre Channel. See also SANs (storage area networks)
arbitrated loop not supported, 410
defined, 406
services. See File Services
File Services
adding role to servers, 416–419
defined, 187
DFS with, 415, 417–418
disk quota management, 415
FRS, 416
Trang 24File Services, continued
FSRM with, 415, 418Multipath I/O with, 416NFS with, 416
planning for, 60report generation, 415screening policies, 415search services with, 416, 419Share And Storage Management, 415UNIX interoperability, 417
file sharing
  access permissions for, 571–578
  adding user or group permissions, 566
  ADMIN$ shares, 554
  administrative access to, 555–556
  administrative shares, 553–555
  Administrators Have Full Access, Other Users Have No Access permissions, 562
  Administrators Have Full Access, Other Users Have Read-Only Access permissions, 561
  All Users Have Read-Only Access permissions, 561
  Apply Onto options, 577–578
  attributes of files and folders, 567
  auditing access, 581–585
  basic folder permissions, table of, 572
  basic permissions, setting, 572–573
  C$ type drive shares, 554
  Change permissions, 564
  Change Permissions special permission, 575
  changing share permissions, 558–559
  clearing inherited permissions, 569–570
  combining special permissions for basic permissions, 575–576
  Computer Management for, 556
  Computer Management for share permission configuration, 565–566
  configuration for, accessing, 549
  configuration login script for, 581
  Create A Shared Folder Wizard, 560–562
  Create Files/Write Data special permission, 574
  Create Folders/Append Data special permission, 574
  creating shares with Computer Management, 559–562
  creating shares with Windows Explorer, 556–559
  Custom Permissions option, 562
  default shares, 553–555
  defined, 547
  Delete special permission, 574
  Delete Subfolders And Files special permission, 574
  denying permissions, 565–566
  descriptions of shares, entering, 561
  effective permissions, determining, 578–579
  Execute File special permission, 573
  FAX$ shares, 554
  file permission management overview, 567
  finding shared folders, 552
  folder path, selecting for folder to share, 560
  folder permission management overview, 567
  Full Control permissions, 564, 572
  group permissions, 564–565
  hidden shares, 553
  inheritance of permissions, 569–570
  IPC$ share, 554
  List Folder Contents permission, 572
  List Folder special permission, 573
  listing shares, 579–580
  management overview, 563–564
  mapping share folders as network drives, 550–551
  membership required for creating shares, 556
  model options for, 547
  Modify permission, 572
  multiple shares on one folder, 558
  Net Share command-line tool, 556, 579–581
  NETLOGON share, 555
  Network Discover required, 551
  Network Explorer for viewing, 551
  ownership of files and folders, 567–568
  permissions options, 561–562
  permissions types, 564
  PRINT$ shares, 555
  public file sharing, 548
  Public folder, configuring, 549–550
  PUBLIC shares, 555
  publishing share information, 552
  publishing shares, 563
  Read & Execute permission, 572
  Read Attributes special permission, 573
  Read Data special permission, 573
  Read Extended Attributes special permission, 574
  Read permissions, 564, 572
  Read Permissions special permission, 575
  remote computers, administration, 556
  removing users or groups for permissions, 577
  resetting permissions, 570–571
  security logs for, viewing, 585
  security, importance to choosing sharing model, 548
  Server service required for, 547
  setting special permissions for files and folders, 576–577
  shadow copies of shared folders. See shadow copies
  share details, viewing, 580
  share names, 558, 560
  share permissions, 563–566
  shrpubw command, 560
  special permissions, 573–578
  special shares, 553–555
  specifying files and folders for auditing, 582–584
  standard file sharing, 547
  standard file sharing, configuring, 549
  stop sharing, 558
  SYSVOL$ shares, 555
  Take Ownership special permission, 575
  transferring ownership, 568
  Traverse Folder special permission, 573
  troubleshooting, 579–581
  UNC paths to shares, 551
  users and groups, selecting for, 556–558
  viewing permissions for files and folders, 571
  viewing share permissions, 565
  Windows Explorer for, 556
  Write Attributes special permission, 574
  Write permission, 572
file synchronization, 1209–1210
file systems. See also storage
  bad sectors, marking, 540
  Check Disk tool for fixing errors, 535–538
  clusters, 498–499
  compression. See file-based compression
  defragmenting, 541–546
  dirty, marking disks as, 537
  error creation, 535
  FAT. See FAT (file allocation table) file system
  Folder Options utility, 123–124
  FSutil tool, 409
  NTFS. See NTFS
  quotas. See quota management
  sectors, 497–498
  structure overview, 497–499
  type and features, viewing, 502
file type associations, Registry, 258–259
file-based compression
  NTFS, 521–523
  zipped folders, 524–525
FIPS (Federal Information Processing Standard)
  BitLocker with, 481
  purpose of, 924
fire suppression systems, 1315
firewalls
  backup exceptions, 1390
  network troubleshooting issues, 679
  Remote Desktop for Administration with, 610
  Windows Firewall, 13
FireWire (IEEE 1394), 213–214
firmware
  ACPI requirement, 379
  entering during boots, 380
  installation problems caused by, 100
  interfaces, 13–14
  TPM compliance, 469
folders
  access permissions for, 571–578
  attributes of, 567
  auditing file and folder access, 581–585
  basic folder permissions, setting, 572–573
  basic folder permissions, table of, 572
  child, 569
  compressed (zipped), 524–525
  Delete special permission, 574
  Folder Options utility, 123–124
  folder redirection, 1203–1210
  Home Folder, user accounts, 1194
  junction points, 1080
  ownership of, 567–568
  parent, 569
  permission management overview, 567
  Public folder, 548
  shadow copies of shared folders. See shadow copies
  shared folders on clustered file servers, 1366
  sharing. See file sharing
Force A Shutdown Of A Remote System privilege, 1179
forest functional levels
  design considerations, 1018–1020
  operations masters, 57
  planning for, 55–57
  raising, 1019–1020
  RODC level requirements, 1148
  setting, 1123–1124
  table of, 1018
forest trusts
  architecture of, 1030–1032
  configuring, 1035
  trust configurations, 1055
forests, Active Directory
  administration of, 1057–1058
  administrator roles in, 1055
  configuration containers, 1055
  creating new domains in new forests, 1122–1125
  creating new domains or trees in existing forests, 1125–1126
  cross-forest transitive trusts, 1030–1032
  dedicated roots, 1061
  defined, 1053
  domains, relationship to, 1054–1055
  empty roots, 1061
  enforcing inheritance, 1258–1259
  forest root domains, 1054–1055, 1062
  functional levels. See forest functional levels
  global catalogs in, 1055
  Group Policy Management Console (GPMC) with, 1243
  merging, 1057