Microsoft TechNet Seminar
Technical Deep Dive into Windows Server 2008
Howard Chow, Microsoft MVP
Prerequisites
Windows Server 2000 or 2003
Networking
Active Directory and Network Infrastructure
Security
Microsoft Windows 2000, Windows XP Professional, or Windows Vista
Windows Server 2008 Pillars
Web
Internet Information Services 7.0: efficient management and deployment tools; enhanced reliability, security and failure recovery; customizable platform with .NET extensibility
Windows SharePoint Services
Windows Media Services: advanced streaming experience with caching and proxy plug-ins
Virtualization
Windows Server Virtualization: hypervisor-based platform for increased reliability; high availability through Failover Clustering; resource optimization with server consolidation
Terminal Services RemoteApp: access and run remote applications locally with presentation virtualization
Terminal Services Gateway
Security
Network Access Protection: health validation and compliance checking for client devices
Read-Only Domain Controller: increased security and delegated management for branch offices
Federated Rights Management
Solid Foundation for Your Business Workloads
Management
Server Manager: role-based configuration, management and reporting
Server Core: minimal installation option for better security and reliability
Windows PowerShell: command shell and scripting language for task automation
Windows Deployment Services
Reliability
Next Generation Networking: new TCP/IP stack for improved scalability and performance
High Availability Clustering
Seminar Outline
Installing and Configuring Windows Server 2008 (DEMOS!!)
Windows Server 2008 Server Core
Windows Server Backup
Windows Server 2008 Active Directory Domain Services
Network Policies and Access Protection
Hyper-V
Configuring Windows Server 2008
Improvements in Setup from Windows 2003 to Windows Server 2008
Server roles streamline management
Windows Server 2003: Operating System Setup → Security Updates → Manage Your Server → Configure Your Server Wizard → Windows Components → Computer Management → Security Configuration Wizard
Windows Server 2008: Operating System Setup → Initial Configuration Tasks → Server Manager
Initial Configuration Tasks Overview
Administrator Password, Network IP Address, Domain Membership, Computer Name, Windows Updates, Windows Firewall
What Works Differently
Overview of Server Manager
Active Directory
Print Server
File Server
Demonstration: Using Server Manager
Using Server Manager to add a role
Using Server Manager to monitor server roles
Using Server Manager to add a feature
Overview of Role Functions
Web Server (IIS): IIS Management Tools, Server Side Includes, FTP Server, ASP, CGI (each role service is selected and installed individually)
Roles are Secured by Default: only the role services you select are installed, so the attack surface is limited to what the role actually needs
Roles Available in Windows Server 2008
DHCP Server, DNS Server, Fax Server
File Server, Print Server
Terminal Services
Windows Deployment Services
Network Policy and Access Services
Windows Server 2008 Features
Failover Cluster
Backup
Remote Assistance
New Features Available in Windows Server 2008
Background Intelligent Transfer Service (BITS) Server Extensions
Windows BitLocker Drive Encryption
Multipath I/O
Storage Manager for Storage Area Networks (SANs)
Windows Process Activation Service (WAS)
Wireless Networking
Windows PowerShell
New command-line shell and scripting language
Improves productivity and control
Accelerates automation of system administration
Easy to use
Works with existing scripts
PowerShell Object Pipelines
Use the output from one cmdlet as the input to another. Example: Get-Process | Sort-Object -Property Handles
Output objects must be compatible with the input parameters of the receiving cmdlet (PowerShell binds them by type, or by matching property name). Example: Get-Process | Stop-Service will not work; Get-Process | Stop-Process will work
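The object pipeline applied to a security-relevant task, as an added example that is not part of the deck. Both function names are hypothetical, and the script assumes only Windows PowerShell with WMI, which the full installation of Windows Server 2008 has (Server Core at RTM has no PowerShell).

```powershell
# Added example, not from the deck: the object pipeline applied to a service audit.
# Assumes Windows PowerShell (1.0 onward) with WMI; nothing else.

function Get-UnquotedServicePath {
    # Win32_Service objects flow through Where-Object, Select-Object and Sort-Object as
    # objects, so we test properties instead of parsing text. A PathName that contains a
    # space but is not wrapped in quotes lets a local user plant C:\Program.exe (or
    # "C:\Program Files\Vendor.exe") and have it run under the service account.
    Get-WmiObject -Class Win32_Service |
        Where-Object {
            $path = $_.PathName
            if (-not $path -or $path.StartsWith('"')) { return $false }
            # Keep only the executable part; arguments after it may legitimately have spaces.
            $exe = if ($path -match '^(.+?\.exe)') { $matches[1] } else { $path }
            $exe -match '\s'
        } |
        Select-Object Name, StartName, StartMode, PathName |
        Sort-Object Name
}

function Get-ServicesHostedByProcess([int]$ProcessId) {
    # Binding by property name: Get-Service's -Name parameter accepts pipeline input
    # ByPropertyName and a Win32_Service object has a Name property, so WMI rows pipe
    # straight into Get-Service. (Get-Process | Stop-Service binds the same way, but a
    # process name is rarely a service name, which is why the slide's example fails.)
    Get-WmiObject -Class Win32_Service -Filter "ProcessId = $ProcessId" | Get-Service
}

# Usage:
#   Get-UnquotedServicePath | Format-Table -AutoSize
#   Get-Process -Name svchost | ForEach-Object { Get-ServicesHostedByProcess -ProcessId $_.Id }
```

The second function is the more useful one during incident response: given a suspicious process ID, it lists every service the process hosts, which is how a rogue service hidden inside a shared svchost instance gets found.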
Windows Server 2008 Server Core
Windows Server Core Overview
Minimal Server Installation
Easier to Secure, Manage, and Maintain
Supports Unattended Installation
Supports Key Infrastructure Roles
Server Core Architecture
Full installation: Standard and Enterprise server roles (TS, IAS, Web Server, SharePoint, etc.) on top of WinFX, the GUI shell, CLR, IE, Media, OE, tools, etc.
Server Core server roles: DNS, DHCP, File, AD
Server Core: security, TCP/IP, file systems, RPC, plus other core server sub-systems (no GUI, CLR, shell, IE, Media or OE)
Benefits of Server Core
Reduced software maintenance
Reduced attack surface
Reduced management
Less disk space required
Unattended Install
Same as Vista and Windows Server 2008
Configure attributes not available on the command line, without editing the registry
Configuring Server Core
Set admin password
Set static IP address
Join existing domain
Activate the server
Configure the firewall
Demonstration: Configuring Server Core
Using ocsetup to add the DNS Server role
Using dnscmd to configure the DNS Server
Adding Server Roles and Features (package names are case sensitive)
> start /w ocsetup RolePackage
> start /w ocsetup FeatureName
Domain Controller Role on Server Core
> dcpromo /unattend:UnattendFile
Dynamic Host Configuration Protocol (DHCP) Server
> start /w ocsetup DHCPServerCore
> netsh dhcp add server dhcpsrv1.example.microsoft.com 10.2.2.2 (authorizes the DHCP server in Active Directory)
Domain Name System (DNS) Server
> start /w ocsetup DNS-Server-Core-Role
> dnscmd /zoneadd test.reskit.com /dsprimary
> dnscmd /zoneadd secondtest.reskit.com /secondary 10.0.0.2
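The initial configuration steps above, carried through end to end as an added example that is not from the deck. Every line invokes a cmd.exe tool (net, netsh, netdom, slmgr.vbs, scregedit.wsf, ocsetup); RTM Server Core ships no PowerShell, so either type the commands at the Server Core prompt or run this wrapper on a Server Core build that includes PowerShell (2008 R2 onward). The interface name, addresses, computer name, domain and join account are assumed placeholders.

```powershell
# Added example, not from the deck: initial configuration of a Windows Server 2008
# Server Core machine, in the order the "Configuring Server Core" slide lists the tasks.
# Assumed placeholders: interface name, addresses, computer name, domain, join account.
$Nic      = 'Local Area Connection'    # 'netsh interface ipv4 show interfaces' lists names
$Address  = '10.2.2.2'
$Mask     = '255.255.255.0'
$Gateway  = '10.2.2.1'
$DnsSrv   = '10.2.2.10'
$NewName  = 'CORE01'
$Domain   = 'corp.example.com'
$JoinUser = 'CORP\svc-domainjoin'      # delegated join account, not a Domain Admin

# 1. Local Administrator password: '*' prompts twice, so it never lands in command history.
net user Administrator *

# 2. Static IPv4 address and DNS server.
netsh interface ipv4 set address name="$Nic" source=static address=$Address mask=$Mask gateway=$Gateway
netsh interface ipv4 add dnsserver name="$Nic" address=$DnsSrv index=1

# 3. Rename, then join the domain. '/passwordd:*' prompts instead of exposing the password.
netdom renamecomputer $env:COMPUTERNAME /newname:$NewName /force
netdom join $NewName /domain:$Domain /userd:$JoinUser /passwordd:*

# 4. Activate online ('slmgr.vbs -ipk <key>' first if no key was supplied during setup).
cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" -ato

# 5. Firewall: keep it on for every profile and open only what remote management needs.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
cscript //nologo "$env:SystemRoot\System32\scregedit.wsf" /ar 0   # allow Remote Desktop
cscript //nologo "$env:SystemRoot\System32\scregedit.wsf" /au 4   # automatic updates on

# 6. Add a role (package names are case sensitive) and make its service start automatically.
#    'sc' is a PowerShell alias for Set-Content, so the .exe suffix is required here.
cmd.exe /c "start /w ocsetup DNS-Server-Core-Role"
sc.exe config DNS start= auto
net start DNS

# The rename and the join take effect after a reboot.
shutdown /r /t 0
```

Two points a practitioner would check: the firewall stays enabled and only rule groups are opened, never the whole profile; and the join uses a delegated account with rights limited to creating computer objects, so the credential typed on an unhardened new box is not a Domain Admin's.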
Windows Backup
What’s New in Windows Server 2008 Backup
New, faster backup technology
Simplified Restoration
Simplified recovery of operating system
Improved scheduling
Support for DVD media
New Backup Infrastructure
The Volume Shadow Copy Service coordinates three parties:
Requestor: the backup application
Writers: applications and stores that quiesce their data for the snapshot (SQL, Exchange, other app/store)
Providers: create the shadow copy (the Windows copy-on-write software provider, or hardware providers such as EMC/CLARiiON and HP) across Disk 1 to Disk 5
Shadow Copies
Shadow copy creation, restore from shadow copy, shadow copy storage
Demonstration: Introduce Backup Features
Explore Backup Console
Windows Recovery Environment
Startup repair flow:
1. The computer crashes and reboots.
2. The boot manager detects the failed boot and fails over into Windows RE, which auto-launches Startup Repair.
3. Windows RE diagnoses and repairs the computer, then reboots.
4. Successful boot? Yes: the OS starts. No: try again.
5. After more than 5 attempts without a successful boot, Windows RE cannot auto-repair; try a manual repair.
Next Generation Networking
Review of Windows Server Network Architecture
User mode
Applications and user-mode services: Windows Sockets application, NetBIOS application, RPC application, Win32 WNet/WinInet application, Named Pipes
Application interfaces: Windows Sockets, RPC, WNet, WinInet, NetBIOS support
Kernel mode
AFD, NetBT, Redirector/Server
TCP
IP: ICMP, IP Forwarder, IP Filtering, IGMP, ARP
Traffic Control: Packet Classifier, Packet Scheduler, Packet Queues
Driver interfaces: NDIS wrapper
New Networking Features
Next Generation TCP/IP Stack
IPv6 Enhancements
Policy-Based Quality of Service
The New TCP/IP Architecture
User mode: Winsock
Kernel mode: WSK clients and TDI clients; AFD and WSK sit on the new stack directly, and TDX translates legacy TDI clients onto it
Next Generation TCP/IP stack (tcpip.sys): TCP, UDP and RAW over a dual IPv4/IPv6 layer, with the Windows Filtering Platform API exposing inspection and filtering hooks at each layer
Framing: 802.3, WLAN, loop-back, IPv4 tunnel, IPv6 tunnel
NDIS
• Dual-IP layer architecture for native IPv4 and IPv6 support
• Better security through expanded IPsec integration
• Improved performance via hardware acceleration
• Network auto-tuning and optimization algorithms
• Greater extensibility and reliability through rich APIs
Security Features
Reduce the risk of network security threats: an additional layer of defense-in-depth; attack surface reduced to known computers; increased manageability and healthier clients
Safeguard sensitive data and intellectual property: authenticated, end-to-end network communications; scalable, tiered access to trusted networked resources; protect the confidentiality and integrity of data
Full featured, enterprise functionality: support for computer and user authentication with IPsec; Network Access Protection over VPNs and IPsec; secure routing compartments extend isolation to VPN
Windows Firewall with Advanced Security
Performance
Optimized performance without loss: intelligent, automated tuning of the TCP receive window size; better packet loss resiliency; advanced congestion control for better throughput
Automatically adjusts for maximum efficiency: faster network transfers, especially across WAN links; optimized use of available network bandwidth; reduced packet loss, resulting in fewer retransmits
Receive Window Auto Tuning
Replicating data between Tukwila and the Bay Area, default configurations:
On Windows Server 2003 SP1: 100 Mbps NICs, 10 Mbps throughput
On Windows Server 2008: 100 Mbps NICs, 80 Mbps throughput; 1000 Mbps NICs, 400 Mbps throughput
Policy-Based Quality of Service
•Source IPv4/IPv6 addresses
•Destination IPv4/IPv6 addresses
•Protocol
•Source or destination ports
Scalability
Cost-effectively scale networking up and out: specialized hardware frees the CPU(s) for applications; ease consolidation with support for multiple Gbps; more efficient use of large server resources
Adopt hardware acceleration and offloading: receive-side scaling optimizes multi-processor systems; architected to support the latest TCP offload hardware; offload hardware is less expensive than new high-end PCs
Server and Domain Isolation
Corporate network: Active Directory domain controller, managed computers, trusted resource server, servers with sensitive data, HR workstation
Domain isolation: managed (domain-member) computers authenticate each other with IPsec; an unmanaged computer and an untrusted computer cannot connect to them (X)
Server isolation: servers with sensitive data accept connections only from authorized computers, such as the HR workstation; other managed computers are refused (X)
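The two isolation patterns expressed as Windows Firewall with Advanced Security connection security rules, as an added example that is not from the deck. It drives netsh advfirewall, which is present on both full and Server Core installations of Windows Server 2008; in production the same settings are delivered by Group Policy, and the netsh form shows exactly what a machine ends up with. The addresses, subnet and group names are assumed placeholders, and Get-GroupSddl is a hypothetical helper.

```powershell
# Added example, not from the deck: domain and server isolation with Windows Firewall
# with Advanced Security connection security rules via netsh advfirewall.
# Assumed placeholders: infrastructure addresses and the HR group names.
$InfraHosts  = '10.2.2.10,10.2.2.11'    # domain controllers / DNS servers
$HrGroup     = 'CORP\HR-Workstations'    # computers allowed to reach the HR servers
$HrUserGroup = 'CORP\HR-Staff'           # users allowed to reach the HR servers

function Get-GroupSddl([string]$Account) {
    # WFAS expresses "who may connect" as an SDDL DACL granting CC (connect) to the
    # group's SID; translate the name so the SID is never hand-typed.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    "D:(A;;CC;;;$sid)"
}

function Set-DomainIsolation {
    # Every domain member: require IPsec (computer Kerberos) for inbound connections,
    # request it for outbound. Unmanaged machines cannot authenticate, so they cannot
    # open connections to managed ones; managed ones still reach the Internet.
    netsh advfirewall set allprofiles state on
    netsh advfirewall consec add rule name="Domain Isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain
    # Exemption for infrastructure that must answer before a machine holds a Kerberos
    # ticket (DCs, DNS); without it domain join and logon break.
    netsh advfirewall consec add rule name="Exempt DCs and DNS" endpoint1=any endpoint2=$InfraHosts action=noauthentication profile=domain
}

function Set-ServerIsolation {
    # HR data servers: require authentication in both directions, with user Kerberos as
    # the second authentication, then authorize by group in the inbound firewall rule.
    # security=authenticate admits only traffic that matched an IPsec rule, and
    # rmtcomputergrp / rmtusrgrp limit which computers and users it may come from.
    netsh advfirewall consec add rule name="Server Isolation (HR)" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb auth2=userkerb profile=domain
    netsh advfirewall firewall add rule name="SMB: HR workstations and staff only" dir=in action=allow protocol=TCP localport=445 security=authenticate rmtcomputergrp="$(Get-GroupSddl $HrGroup)" rmtusrgrp="$(Get-GroupSddl $HrUserGroup)" profile=domain
}

# Usage: Set-DomainIsolation on every member; Set-ServerIsolation on the HR servers.
# Verify with: netsh advfirewall consec show rule name=all
```

The exemption rule is the part most often forgotten: with requireinrequestout applied to all endpoints and no carve-out for the domain controllers, a freshly imaged client cannot obtain the Kerberos ticket it needs to satisfy the rule, so deploy the exemption before the isolation rule.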
New DNS Features in Windows Server 2008
Background Zone Loading
Support for IPv6 Addresses
DNS Client Changes
Link-Local Multicast Name Resolution (LLMNR)
Changes to the way DNS clients locate domain controllers
Network Policies and Access Protection
Why Use Network Access Protection?
Private network: a healthy computer is admitted; an unhealthy computer is kept out until it is remediated
Network Protection Services Overview
Network Policy Server (NPS): NAP policy server, IEEE 802.11 wireless, IEEE 802.3 wired, RADIUS server, RADIUS proxy
Routing and Remote Access: Remote Access Service, Routing
Health Registration Authority (HRA)
Network Access Protection Solution
Policy validation, network restriction, remediation, ongoing compliance
Applied across the defense-in-depth layers: Data, Application, Host, Internal Network, Perimeter, Policies, Procedures & Awareness
NAP Architecture Overview
Client: System Health Agents (SHA; Microsoft and third parties) produce health statements; the Quarantine Agent (QA) collects them; Enforcement Clients (EC) for DHCP, IPsec, 802.1X and VPN carry them in access requests
Network access devices and servers: the Quarantine Server (QS) side of each enforcement point forwards the statements to NPS
Microsoft Network Policy Server: System Health Validators (SHV) evaluate the statements against health policy and return a health certificate or a restriction decision
System Health Servers: ongoing policy updates to NPS
Remediation Servers: updates for non-compliant clients
Network Layer Protection with NAP
Exchange between a NAP client, an 802.1X switch and the Microsoft NPS (System Health Servers push ongoing policy updates to NPS; Remediation Servers sit on the Restricted Network):
1. Client to switch: "May I have access? Here's my current health status."
2. Switch to NPS: "Should this client be restricted based on its health?"
3. NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."
4. Switch to client: "You are given restricted access until fix-up."
5. Client to remediation server: "Can I have updates?" Remediation server: "Here you go."
6. Client to switch: "Requesting access. Here's my new health status."
7. NPS: "According to policy, the client is up to date. Grant access."
8. Switch: client is granted access to the full intranet.
Host Layer Protection with NAP
IPsec enforcement divides the network into zones: no policy, authentication optional, authentication required. Exchange with the Health Registration Authority (HRA):
1. Client to HRA: "May I have a health certificate? Here's my SoH (statement of health)."
2. HRA to NPS: "Client OK?" NPS: "No. Needs fix-up."
3. HRA to client: "You don't get a health certificate. Go fix up."
4. Client to remediation server: "I need updates." Remediation server: "Here you go."
5. Client to HRA with its new SoH. NPS: "Yes. Issue health certificate." HRA: "Here's your health certificate."
6. Client accesses the network, authenticating with the health certificate.
NAP with DHCP
The same exchange with a DHCP server as the enforcement point (IEEE 802.1X devices and the VPN server are the other enforcement points shown):
1. Client to DHCP server: "Requesting access. I need to lease an IP address. Here's my health status."
2. DHCP server to NPS. NPS: "You are not within the Health Policy requirements." The client receives a restricted lease.
3. The client requests and receives updates from the remediation servers.
4. Client to DHCP server: "Here's my new health status."
5. NPS: "Access granted." DHCP server: "Here is your new IP address."
IPsec-based Communication
Secure network: IPsec authenticated (health certificate required)
Boundary network: accepts both authenticated and unauthenticated traffic (HRA, remediation servers)
Restricted network: unauthenticated
Scenario 1: Roaming Laptops
Scenario 2: Health of Desktop Computers
Scenario 3: Health of Visiting Laptops
Scenario 4: Unmanaged Home Computers
Hyper-V
Hyper-V Overview
64-bit Hypervisor
Up to 4 Logical Processors per Guest
VMBus for Hardware Sharing
High Availability Features
Configuring Virtual Machines
Virtual Machines Based on VHD Files
Virtual Machine Off for Most Setting Changes
Ensure Adequate Disk Space for VM
Ensure Adequate Processor Capacity
Configuring Virtual Machine Files
VHD Files are Virtual Hard Drives.
Multiple VHD Files per VM Supported
Snapshots Used to Preserve VM State
Session: Configuring Hyper-V
List the functions of Integration Components
Implement configuration best practices for optimized performance
Hyper-V Integration Components
Increase Usability of Guest OSes
Provide VSCs (Virtualization Service Clients) to some Guest OSes
Provide Snapshot Capability to Guest OSes
Optimizing Performance
Virtual Hardware Challenges Assumptions
Ensure Adequate CPU & RAM for Workloads
Multiple HD Spindles Ideal for VHDs
Multiple NICs Ideal
Active Directory Domain Services
Active Directory Service Server Roles
Active Directory Certificate Services (AD CS)
Active Directory Domain Services (AD DS)
Active Directory Federation Services (AD FS)
Active Directory Lightweight Directory Services (AD LDS)
New Active Directory Features
DNS: IPv6 Support, Background Zone Loading
DNS: GlobalNames Zone, RODC Support
AD: Certificate Services, Federation Services
AD: Lightweight Directory Services, Auditing
AD DS Installation Wizard
•Advanced option from the Welcome page
•Access the wizard easily
•Related functionality grouped together
•Reduced chance of error
Active Directory Sites and Services
Common Criteria
Level of Quality Assurance
Higher Security in Implementation and Deployment
DFSR for SYSVOL
SYSVOL is replicated with Distributed File System Replication (DFSR), replacing FRS at the Windows Server 2008 domain functional level
DNS Improvements
•Support for AD DS
•Auto-Configuration Installation
•Improved DC Location Support for Clients
•Read-Only Integrated Zone for RODC
Restartable AD DS
Server off → start. Start as a DC? Yes: Directory Services start; on success Active Directory is Started, on failure the DC boots into Directory Services Restore Mode and must be restarted.
Active Directory Started → "Stop Active Directory" → Active Directory Stopped (the server keeps running and other services stay up).
Active Directory Stopped → start command. Successful? Yes: Active Directory Started. No: Directory Services Restore Mode, then restart.
Read-Only Domain Controller
Read-Only Domain Controller
Branch Office Guide Recommendations
RODC Deployment Prerequisites
1. Works in existing environments
2. Windows Server 2003 forest functional level, with at least one writable Windows Server 2008 DC
3. No patching of down-level DCs or clients is needed
4. Multiple Windows Server 2008 DCs per domain; one RODC per domain per site
Read-Only Active Directory Database
Directory Service “Cloud”
Data Center or Trusted Network
Edge sites or edge\boundary of network
Read-Only Domain Controller Replication
Replication is unidirectional: the RODC pulls changes but cannot perform outbound replication
Domain partition replication must be sourced from a Windows Server 2008 DC
Requires a writable Windows Server 2008 domain controller in the nearest site in the topology
Credential Caching
Credential caching is storing user passwords on the RODC
Must be explicitly allowed
Configured via the Password Replication Policy, enforced by the RODC's writable replication partner
Administrator Role Separation
Problem: too many domain administrators
Solution: provides a new "local administrator" level of access per RODC; prevents accidental Active Directory modifications by computer administrators
Does not prevent a "local administrator" from maliciously modifying the local database
This is a true security feature for the Read-Only Domain Controller
Read-Only Domain Name System
Does not support client updates directly
Refers clients to a writable authoritative DNS server
Replicates updated records from the writable DNS server
Recovering from RODC Compromise
Delete the RODC from the domain
Reset the passwords of accounts that were cached on the compromised RODC
Manually remove the server object for the deleted RODC
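The password-reset step above, carried out as an added example that is not from the deck: it enumerates every account whose secrets the RODC had cached and resets them. It uses only System.DirectoryServices ([ADSI]), which Windows PowerShell 1.0 on Windows Server 2008 has (the Active Directory cmdlets arrived in 2008 R2), and relies on the RODC computer object's msDS-RevealedUsers attribute. The RODC name and export path are assumed placeholders; the function names are hypothetical. Run it as a domain administrator against a writable DC.

```powershell
# Added example, not from the deck: after an RODC is stolen or compromised, reset every
# account whose secrets were cached on it. Assumed placeholders: RODC name, export path.
param(
    [string]$RodcName   = 'BRANCH-RODC01',
    [string]$ExportPath = "$env:TEMP\rodc-revealed-accounts.txt",
    [switch]$Reset                          # without -Reset the script only reports
)

function Get-RodcRevealedAccounts([string]$Name) {
    # The RODC's computer object carries msDS-RevealedUsers, one DN-Binary value per cached
    # secret, rendered by ADSI as "B:<hexlen>:<hex>:<DN>". The same account appears once per
    # secret (NT hash, history, ...), so collect distinct DNs.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    [void]$searcher.PropertiesToLoad.Add('msDS-RevealedUsers')
    $rodc = $searcher.FindOne()
    if (-not $rodc) { throw "Computer object for '$Name' not found" }

    $seen = @{}
    foreach ($value in $rodc.Properties['msds-revealedusers']) {
        if ($value -match '^B:\d+:[0-9A-Fa-f]*:(.+)$') { $seen[$matches[1]] = $true }
        elseif ($value -match '^CN=')                 { $seen[$value] = $true }  # plain-DN fallback
    }
    return @($seen.Keys | Sort-Object)
}

function New-RandomPassword {
    # 24 random bytes from the OS CSPRNG, base64 encoded (mixed case and digits), plus a
    # suffix so every complexity class is present whatever the domain policy demands.
    $bytes = New-Object byte[] 24
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return [Convert]::ToBase64String($bytes) + '!q7'
}

$accounts = Get-RodcRevealedAccounts -Name $RodcName
$accounts | Set-Content -Path $ExportPath      # keep the list: the helpdesk must re-issue passwords
Write-Host "$($accounts.Count) account(s) had secrets cached on $RodcName; list written to $ExportPath"

if ($Reset) {
    foreach ($dn in $accounts) {
        $obj = [ADSI]"LDAP://$dn"
        # The RODC's own krbtgt_<id> account is removed together with the RODC object.
        if ("$($obj.sAMAccountName)" -like 'krbtgt_*') { continue }
        # SetPassword commits immediately (no SetInfo needed). For computer accounts this
        # invalidates their secure channel; they need netdom resetpwd or a re-join.
        $obj.SetPassword((New-RandomPassword))
        Write-Host "Reset: $dn"
    }
}
```

Run it without -Reset first and compare the list with repadmin /prp view <RODC> reveal; then delete the RODC computer object in Active Directory Users and Computers, which offers the same reset as a wizard step, and finally remove the server object under Sites and Services as the slide says. Resetting before deletion matters because the cached hashes on the stolen box remain valid until the passwords change.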
Session Summary
Windows Server 2008 Innovations
Positioning and Messaging
Focus on Management: Key Features
Integrated and robust AD DS for complex environments
Don't forget these great TechNet resources:
• WS08 – www.microsoft.com/windowsserver2008
• IPsec – http://www.microsoft.com/ipsec
• Scalable Networking – http://www.microsoft.com/snp
• QoS – http://www.microsoft.com/technet/network/qos/default.mspx
• IPv6 – http://www.microsoft.com/ipv6