Course 6418 Windows ® Server 2008. Introduction Prerequisites On-the-job experience in planning, implementing, managing, or supporting Microsoft Windows.


1 Course 6418 Windows ® Server 2008

2 Introduction

3 Prerequisites
- On-the-job experience in planning, implementing, managing, or supporting Microsoft Windows NT 4.0, Windows Server 2000 or 2003, including Active Directory and Network Infrastructure
- Working knowledge of networking, for example, TCP/IP and Domain Name System (DNS)
- Experience with a Microsoft Windows Server 2003 Active Directory and Network Infrastructure
- Experience with implementing security for a Microsoft Windows Server 2003 Network
- Experience installing, configuring, and administering Microsoft Windows 2003, Windows XP Professional, or Microsoft Windows Vista

4 Course Outline
- Module 1: Windows Server 2008 Installation, Installing Active Directory Domain Services
- Module 2: Server Core Configuration
- Module 3: Implementing Read Only Domain Controllers
- Module 4: Windows Deployment Services
- Module 5: Managing Disks, Volumes, and Partitions and Shrinking Volume in Windows Server 2008, Windows Clustering
- Module 6: Upgrading and Migrating Active Directory, Group Policy, Trust Relationship, Active Directory Site Replication
- Module 7: Managing Network Access Protection
- Module 8: Designing a Terminal Services Infrastructure (TS Gateway, TS App)
- Module 9: Overview of IIS 7.0 Application Server
- Module 10: Introduction to Hypervisor

5 Clients OS Windows NT Windows NT workstation 4.0 Windows 2000 Prof Windows XP (Home and Prof) Windows Vista Windows 7.0 Beta Windows 3.x Windows 95 Windows 98 Windows Me

6 Server OS Windows NT 4.0 Windows 2000 Standard Windows 2000 Advanced Windows 2000 Datacenter Windows 2003 Standard Windows 2003 Enterprise Windows 2003 Datacenter Windows 2008

7 Windows Server 2008, Standard Edition Windows Server 2008, Web Edition Windows Server 2008, Enterprise Edition Windows Server 2008, Datacenter Edition

8 Features
- Virtualization Built-in
- Built for the Web
- High Security
  - NAP
  - RODC
  - BitLocker Drive Encryption
- Server Core
- Restartable AD
- Server Manager
- Terminal Services
  - TSApp
  - TSGateway
- WDS

9 Features
Next Generation TCP/IP Stack
- Receive Window Auto Tuning
- Neighbor Unreachability Detection for IPv4
- Fail-back Support for Default Gateway Changes
- Network Diagnostics Framework Support
  - Incorrect IP address
  - Default gateway (router) is not available
  - Incorrect default gateway
  - Network Basic Input/Output System (NetBIOS) over TCP/IP (NetBT) name resolution failure
  - Incorrect Domain Name System (DNS) settings
  - Local port is already being used
  - The Dynamic Host Configuration Protocol (DHCP) Client service is not running
  - There is no remote listener
  - The media is disconnected
  - The local port is blocked
  - Low on memory

10 Features
- DHCPv6 support
- Domain Name System
  - Background zone loading
  - IPv6 support
  - Support for read-only domain controllers (RODCs)
  - Global single names
- Server Message Block 2.0
- Network Awareness
- Windows Firewall
- Network Access Protection

11 Removal of Technologies
- Bandwidth Allocation Protocol (BAP)
- X.25
- Serial Line Interface Protocol (SLIP)
- Asynchronous Transfer Mode (ATM)
- NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
- Services for Macintosh (SFM)
- Open Shortest Path First (OSPF) routing protocol component in Routing and Remote Access
- Basic Firewall in Routing and Remote Access (replaced with Windows Firewall)
- Static IP filter APIs for Routing and Remote Access (replaced with Windows Filtering Platform APIs)
- The SPAP, EAP-MD5-CHAP, and MS-CHAP (also known as MS-CHAP v1) authentication protocols for PPP-based connections

12 Boot Process – Pre Vista
- System is powered on
- The CMOS loads the BIOS and then runs POST
- Looks for the MBR on the bootable device, and loads NTLDR
- The BIOS/CMOS transfers control to the NTLDR
- NTLDR first looks for Hiberfil.sys (if present, the system resumes from where it was hibernated)
- If Hiberfil.sys is not present, NTLDR looks for boot.ini
- Boot.ini: option to choose the operating system to boot from
- Loading of the kernel
- After system services and user-required DLLs are loaded, msgina.dll finally brings up the login screen

13 Boot Process – Post Vista
- System is powered on
- The CMOS loads the BIOS and then runs POST
- Looks for the MBR on the bootable device
- Through the MBR the boot sector is located and the BOOTMGR is loaded
- BOOTMGR looks for the active partition
- BOOTMGR reads the BCD file from the \boot directory on the active partition
- The BCD (boot configuration database) contains various configuration parameters
- When Windows Vista is selected, BOOTMGR transfers control to the Windows Loader (winload.exe), or to winresume.exe in case the system was hibernated
- The Windows Loader loads drivers that are set to start at boot and then transfers control to the Windows kernel
- There is no msgina.dll in Windows Vista (the shell draws the login screen)

14 Virtual Machine Environment Virtual PC Virtual Server 2005 R2 SP1 Virtual Machines

15 Windows Server 2008 Installation

16 Module Overview Windows Server 2008 Setup Improvements and Requirements Windows Server 2008 Server Core Installation

17 Lesson 1: Windows Server 2008 Setup Improvements and Requirements Improvements in Setup from Windows Server 2003 to Windows Server 2008 Windows Server 2008 Installation Requirements Pre-Installation Recommendations

18 Improvements in Setup from Windows Server 2003 to Windows Server 2008
Server roles streamline management
- Windows Server 2003: Windows Server 2003 Setup, Security Updates, Manage Your Server, Configure Your Server Wizard, Windows Components, Computer Management, Security Configuration Wizard
- Windows Server 2008: Operating System Setup, Initial Configuration Tasks, Server Manager

19 Windows Server 2008 Installation Requirements
- Memory: Minimum: 512 MB, Recommended: 1 GB, Optimal: 2 GB
- Processor: Minimum: 1 GHz, Recommended: 2 GHz, Optimal: 3 GHz
- Disk space: Minimum: 8 GB, Recommended: 40 GB, Optimal: 80 GB

20 Pre-Installation Recommendations
- Check application compatibility
- Disconnect UPS devices
- Back up servers
- Disable virus protection software
- Run Windows Memory Diagnostic
- Obtain mass storage drivers
- Plan for Windows Firewall configuration
- Prepare Active Directory
- Check upgrade paths

21 Lesson 2: Windows Server 2008 Server Core Installation Windows Server Core overview Windows Server Core benefits Windows Server Core Architecture

22 Windows Server Core Overview
- Easier to secure, manage, and maintain
- Supports key infrastructure roles
- Minimal server installation
- Supports unattended installation

23 Windows Server Core Benefits Reduced attack surface Less disk space required Reduced software maintenance Reduced management

24 Roles on Server Core 1. Active Directory Domain Services (AD DS) 2. Active Directory Lightweight Directory Services (AD LDS) 3. DHCP Server 4. DNS Server 5. IIS 7.0 6. File Services 7. Print Services 8. Streaming Media Services 9. Hyper-V

25 Demonstration: Windows Server 2008 Installation Windows Server 2008 installation steps LAB – Windows 2008 Installation

26 Upgrade Scenario Support

27

28 Lesson 3: Implement a Volume Licensing Strategy Using KMS and MAK Microsoft Volume Activation 2.0 Multiple Activation Keys Key Management Service Planning Volume Activation Deployment Example for MAK Independent Activation and KMS Activation Deployment Example for MAK Proxy Activation

29 What is Windows Activation
- Product activation is the process of validating software with the manufacturer
- Activation helps verify that:
  - The copy of Windows is genuine
  - It has not been used on more computers than the Microsoft Software License Terms allow
- Product activation refers to a method where a software application hashes hardware serial numbers and the product key to generate a unique Installation ID
- The Installation ID is sent to the manufacturer to verify the authenticity of the product key and determine that the product key is not being used for multiple installations
- Activation vs. registration

30 Types of Activation OEM (Original Equipment Manufacturer ) Retail Volume

31 Types of Keys and Activation
- OEM: BIOS bound, out-of-box activation
- Retail: license that applies to a single computer
- Volume: more complex
  - Two types of keys
    - MAK
    - KMS
  - Three types of activation
    - MAK: MAK Independent Activation, MAK Proxy Activation
    - KMS: KMS Activation

32 MAK and KMS
- MAK Independent Activation: individually connect (online or phone) and activate with Microsoft
- MAK Proxy Activation: activate multiple systems with one connection to Microsoft
- Key Management Service: perform local activations of systems in a managed environment without connecting them to Microsoft individually

33 Volume Activation Management Tool VAMT allows organizations to manage the activation of their Windows Vista and Windows Server 2008 computers using Multiple Activation Key (MAK) keys. A MAK performs a one-time activation of computers with Microsoft. Once activated they require no further communication with Microsoft.

34 Multiple Activation Keys MAK Proxy MS Activation Clearinghouse

35 MAK Proxy Activation

36 Key Management Service KMS Server

37 Lab 1: Install Windows Server 2008 Exercise 1: Install Windows Server 2008 Exercise 2: Install Windows Server Core

38

39 Windows NT Flat File, Registry Based Account management system Restricted SAM size Single point of failure at the primary domain controller Poor operational performance Poor replication performance Nontransitive trust relationships

40 What Is a Directory Service? Centralized Administration Dispersed Administration A directory service is both the directory information source and the service that makes the information available and usable

41 What Is AD DS?
Active Directory Domain Services (AD DS) is a directory service that provides the following services in a Windows Server 2008 network:
- User account management
- User authentication
- Computer account management
- Access to networked resources
- Domain-wide services

42 How Does AD DS Work
- User and computer objects are created in the directory
- Groups of these objects then can be created
- A client can use the user account to authenticate against AD DS
- The user can try to access networked resources
- The resources will again validate the authenticated user against AD DS
(Diagram labels: Authenticate against domain; Access network resources)

43 Features on 2K and 2K3 - Active Directory Services Features
- Multi Master Operation
- Centralized Data Store
- Scalability
- Extensibility
- Integration with the Domain Name System
- Policy-based administration
- In Active Directory, a server can be promoted to a domain controller and demoted back to a member server without the need to reinstall the operating system
- Interoperability

44 Features On 2K3
- Multiple selection of user objects
- Drag-and-drop functionality
- Saved queries
- Active Directory command-line tools
- Application directory partitions
- Add additional domain controllers to existing domains using backup media
- Universal group membership caching

45 Features Available When All Domain Controllers Are Running Windows Server 2003
- Domain controller rename tool
- Domain rename
- Forest trusts
- Forest restructuring

46 Active Directory Improvements List improvements in Active Directory roles Describe new Active Directory features

47 New Features in Windows 2008 AD DS
- Read-only domain controller (RODC)
- Staged installation of an RODC
- RODC filtered attribute set
- Administrator role separation
- Improved installation wizard
- Generate secure installation media
- Restartable AD DS
- Auditing AD DS changes
- Fine-grained password policy
- Data mounting tool (Dsamain.exe)

48 New DNS Features
- DNS: IPv6 support, background zone loading
- DNS: GlobalNames zone, RODC support, read-only DNS

49 The Logical Structure of Active Directory Domain OU Domain Tree Domain Forest Organizational Unit Objects

50 What Are Directory Partitions?
Active Directory database: NTDS.DIT
- Schema (forest): Definitions and rules for creating and manipulating objects and attributes
- Configuration (forest): Information about the Active Directory structure
- Domain (domain): Information about domain-specific objects
- Application (configurable replication): Information about applications

51 Operations Masters FSMO Roles

52 The Physical Structure of Active Directory Sites Domain controllers WAN links Site Domain Controllers WAN Link Site

53 Components of Active Directory Infrastructure
- Active Directory Data Store: NTDS.dit, several partitions
- Domain Controllers: KDC
- Domain
- OU
- Forest: single definition of network configuration and schema; security boundary
- Tree

54 Forest of Trees

55 Lesson 1: Installing Active Directory Domain Services Requirements for Installing AD DS What Are Domain and Forest Functional Levels? AD DS Installation Process Advanced Options for Installing AD DS Installing AD DS from Media Demonstration: Verifying the AD DS Installation Upgrading to Windows Server ® 2008 AD DS Installing AD DS on a Server Core Computer Discussion: Common Configuration for AD DS

56 Requirements for Installing AD DS
Administrator permissions:
- Local Administrator permissions to install the first domain controller in a forest
- Domain Administrator permissions to install additional domain controllers in a domain
- Enterprise Administrator permissions to install additional domains in a forest
Network configuration:
- TCP/IP must be configured, including DNS client settings
- DNS Server that supports dynamic updates must be available or will be configured on the domain controller
Server requirements to install AD DS:
- A computer running Windows Server 2008 (Web Server edition not supported)
- Minimum disk space of 250 MB and a partition formatted with NTFS file system

57 Functional Level
- The functionality available in an Active Directory domain or forest depends on its functional level
- Three domain functional levels
- Forest functional level

58 What Are Domain and Forest Functional Levels?
Functional levels:
- Determine the AD DS features available in a domain or forest
- Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest
Supported functional levels:
- Forest: Windows 2000; Domain: Windows 2000 native. Supported domain controller operating systems: Windows Server 2008, Windows Server 2003, Windows 2000 Server
- Forest: Windows Server 2003; Domain: Windows Server 2003. Supported domain controller operating systems: Windows Server 2008, Windows Server 2003
- Windows Server 2008. Supported domain controller operating systems: Windows Server 2008

59 AD DS Installation Process
1. Install the Active Directory Domain Services role using the Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator Password

60 Advanced Options for Installing AD DS
Use the advanced mode options to:
- Create a new domain tree
- Use backup media as the source for AD DS information
- Select the source domain controller for the installation
- Modify the default domain NetBIOS name
- Define the Password Replication Policy for an RODC
To access the advanced mode installation options, choose the Advanced Mode option in the Installation Wizard or run DCPromo /adv

61 LAB Install AD Forest
- Install AD Role
- Dcpromo and install orange.com domain

62 The Active Directory Installation Process
The installation process:
- Starts the security protocol and sets the security policy
- Creates the:
  - Active Directory partitions, database, and log files
  - Forest root domain
  - SYSVOL folder
- Configures the site membership of the domain controller
- Enables security on the directory service and the file replication folders
- Applies the password for restore mode

63 How to Verify the Active Directory Installation
- Verify the creation of:
  - SYSVOL and its shares
  - The directory database and log files
  - The default Active Directory structure
- Verify the installation results by examining the event logs

64 DEMO
- Install AD
- Verify the presence of DNS Resource records
- Install AD using network or backup media
- Verify the installation of AD
  - Default Containers
  - Default Domain Controllers Organizational Unit
  - Default-First-Site-Name
  - Active Directory Database
  - Global Catalog Server
  - Root Domain
  - Shared System Volume
    - {31B2F340-016D-11D2-945F-00C04FB984F9} -- Default Domain policy
    - {6AC1786C-016F-11D2-945F-00C04fB984F9} -- Default Domain Controllers policy
  - SRV Resource Records
- Verify Directory Service Restore mode operational

65 The Active Directory Database and Log Files
File: Description
- Ntds.dit: Is the Active Directory database file. Stores all Active Directory objects on the domain controller. Uses the default location systemroot\NTDS folder
- Edb*.log: Is a transaction log file. Uses the default transaction log file Edb.log
- Edb.chk: Is a checkpoint file. Tracks data not yet written to the Active Directory database file
- Res1.log, Res2.log: Are the reserved transaction log files

66 Demonstration: Verifying the AD DS Installation In this demonstration, you will see how to verify the AD DS installation

67 Module 2: Server Core Configuration

68 Module Overview Server Core Basic Configuration Configuring Server Core Roles

69 Lesson 1: Server Core Basic Configuration Configuring Server Core Configuring Networking and Security on Server Core Configuring System Settings on Server Core

70 Configuring Server Core Set admin password Set static IP address Join existing domain Activate the Server Configure the firewall

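71 Configuring Networking and Security on Server Core
> net user Administrator *
> netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>
> netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1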

72 Configuring System Settings on Server Core
> Slmgr.vbs -ato
> Control timedate.cpl
> Control intl.cpl

73 Managing Server Core
- Locally Using Command Prompt
- Remotely Using Terminal Server
- Remotely Using Windows Remote Shell
- Remotely Using MMC

74 Lesson 2: Configuring Server Core Roles Add and Remove Server Roles and Features Configuring Active Directory Domain Services Role on Server Core Configuring Network Infrastructure Roles on Server Core Configuring File and Print Services on Server Core Configuring IIS7 on Server Core

75 Add and Remove Server Roles and Features
> start /w ocsetup <PackageName>

76 Configuring Active Directory Domain Services Role on Server Core > Dcpromo /unattend:Unattendfile

77 Configuring Network Infrastructure Roles on Server Core
> start /w ocsetup DHCPServerCore
> Netsh dhcp add server dhcpsrv1.example.microsoft.com 10.2.2.2
> start /w ocsetup DNS-Server-Core-Role

78 Configuring File and Print Services on Server Core
> start /w ocsetup Printing-ServerCore-Role
> start /w ocsetup FRS-Infrastructure
> start /w ocsetup DFSN-Server

79 Configuring IIS 7.0 on Server Core
> start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel

80 Scregedit
Not all tasks can be performed from the command line or remotely through an MMC snap-in. To allow you to configure these settings, the scregedit.wsf script is included.
Scregedit.wsf can be used to configure:
- Pagefile
- Enable automatic updates
- Enable error reporting
- Enable Terminal Server Remote Admin Mode

81 Lab 1: Perform Server Core Configuration Tasks Exercise 1: Configure Server Core Exercise 2: Add and Configure Server Roles Exercise 3: Add the Backup Feature Exercise 4: Managing Server Core

82 Module 3: Windows Server 2008 Unattended Installation

83 Module Overview Unattended Windows Server 2008 Installation Unattended Domain Controller Installation

84 Lesson 1: Unattended Windows Server 2008 Installation Unattend.xml Format Unattend.xml Syntax Unattended Deployment Scenarios

85 Unattend.xml Format Used to automate setup Located on install media or on the network UI elements can be hidden or shown but pre-configured by Unattend.xml Uses a hierarchical XML format Unattend.xml

86 Unattend.xml Syntax ;Setup will prompt for Product Key value if this entry is not filled …

87 Answer File
- Each setup-related setting in the Unattend.xml will have a flag called ShowUI=Yes/No.
- If the user specifies both the value and ShowUI=Yes, then the UI will show the value the user has set in the Unattend.xml.
- By default, all of the values for the ShowUI flag will be No.
- If the value is not set in the Unattend.xml and ShowUI=Yes, then the user can provide a new value.
- Elements are the most common containers for Unattend.xml settings.
- Elements begin with a start tag and an end tag.

88 Unattended Deployment Scenarios Elements required for unattended upgrade:

89 Lesson 2: Unattended Domain Controller Installation Unattended Dcpromo Syntax Example Unattended Dcpromo Procedure Installing a Read-Only Domain Controller Using an Unattend File

90 Unattended Dcpromo Syntax
- New Options
- dcpromo /?:unattend shows all options
- INI Format for Dcpromo Answer File
Example:
    [DCINSTALL]
    ReplicaOrNewDomain=Domain
    NewDomain=Child
    UserName=Jsmith
    Password=*
    SiteName=NorthRegion

91 Example Unattended Dcpromo Procedure
dcpromo.exe /unattend: \
    [DCInstall]
    ; New forest promotion
    ReplicaOrNewDomain=Domain
    NewDomain=Child
    NewDomainDNSName=research.contoso.local
    DomainNetbiosName=RESEARCH
    DomainLevel=3
    InstallDNS=Yes
    ConfirmGc=Yes
    DatabasePath=C:\Windows\NTDS
    LogPath=D:\NTDS
    …

92 Creating Child Domain

93 What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the AD DS database, only accept replicated changes to Active Directory, and never initiate replication
RODCs:
- Cannot hold operation master roles or be configured as replication bridgehead servers
- Can be deployed on servers running Windows Server 2008 Server Core for additional security
RODCs provide:
- Additional security for branch offices with limited physical security
- Additional security if applications must run on a domain controller

94

95 RODC features
Read-only Active Directory database
- Except for account passwords, an RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds.
- Clients are not able to write changes directly to the RODC.
- Lightweight Directory Access Protocol (LDAP) applications that perform a Write operation are referred to a writable domain controller in a hub site.

96 Preparing to Install the RODC
Before installing an RODC:
- Ensure that the domain and forest are at a Windows Server 2003 functional level
- Ensure a writeable domain controller running Windows Server 2008 is available to replicate the domain partition
- Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions
- Run ADPrep /domainprep in all domains if the RODC will be a global catalog server

97 Installing a Read-Only Domain Controller Using an Unattend File
- Run adprep /rodcprep if necessary
- Create RODC account:
    dcpromo.exe /CreateDCAccount /unattend:"Path to answer file"
- Attach server to RODC account:
    dcpromo.exe /UseExistingAccount:Attach /unattend:"Path to answer file"
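
An added example (not part of the course material): a small Python check that audits a dcpromo answer file, like the ones on slides 90, 91 and 97, for literal passwords and for privileged groups in an RODC's allowed password replication list. The sample file, the `PRIVILEGED` group list and the function names are assumptions made for illustration.

```python
"""Audit a dcpromo answer file for stored passwords and risky RODC caching."""

# Answer-file keys whose values are credentials.
SECRET_KEYS = ("password", "safemodeadminpassword")
# Assumption for this example: groups whose passwords should not be cacheable on an RODC.
PRIVILEGED = ("administrators", "domain admins", "enterprise admins", "schema admins")

# Constructed sample input (not from the course material).
SAMPLE = r"""
; RODC promotion, constructed for this example
[DCINSTALL]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=research.contoso.local
SiteName=NorthRegion
UserName=Jsmith
Password=*
SafeModeAdminPassword=Example-Only-1
PasswordReplicationAllowed="RESEARCH\Branch Users"
PasswordReplicationAllowed="RESEARCH\Domain Admins"
"""


def parse_answer_file(text):
    """Return {lower-cased key: [values]} for the [DCInstall] section.

    The section name is matched case-insensitively (the slides show both
    [DCINSTALL] and [DCInstall]) and repeated keys are kept as a list.
    """
    settings, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "dcinstall"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            value = value.strip().strip('"')
            settings.setdefault(key.strip().lower(), []).append(value)
    return settings


def audit(text):
    """Return a list of (key, message) findings for one answer file."""
    settings = parse_answer_file(text)
    findings = []

    # "*" (as in the slides' Password=* example) is not a stored secret.
    for key in SECRET_KEYS:
        for value in settings.get(key, []):
            if value not in ("", "*"):
                findings.append((key, "literal password stored in answer file"))

    # For an RODC, flag privileged groups in the allowed replication list.
    role = (settings.get("replicaornewdomain") or [""])[-1].lower()
    if role == "readonlyreplica":
        for principal in settings.get("passwordreplicationallowed", []):
            group = principal.split("\\")[-1].lower()
            if group in PRIVILEGED:
                findings.append(("passwordreplicationallowed",
                                 f"privileged group '{principal}' can be cached on the RODC"))
    return findings


if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```
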

98 iiht.com Hub Site Bangalore DC Branch Site Nagpur SRV2 RODC

99 Lab 1: Install Active Directory on Server Core Using an Unattend File Exercise 1: Create and Use an Answer File to Automate Dcpromo

100 Lab 2: Deploy an RODC in a Remote Infrastructure Using an Unattend File Exercise 1: Create an Unattend File to Automate the Installation of an RODC Exercise 2: Deploy an RODC Using an Answer File

