Requirements:
Processor: Minimum: 1GHz (x86 processor) or 1.4GHz (x64 processor). Recommended: 2GHz or faster. Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-based Systems.
Memory: Minimum: 512MB RAM. Recommended: 2GB RAM or greater. Maximum (32-bit systems): 4GB (Standard) or 64GB (Enterprise and Datacenter). Maximum (64-bit systems): 32GB (Standard) or 2TB (Enterprise, Datacenter and Itanium-based Systems).
Available Disk Space: Minimum: 10GB. Recommended: 40GB or greater. Note: Computers with more than 16GB of RAM will require more disk space for paging, hibernation, and dump files.
Drive: DVD-ROM drive.
Display and Peripherals: Super VGA (800 x 600) or higher-resolution monitor; keyboard; Microsoft Mouse or compatible pointing device.
Windows Server Upgrade notes:
If you are currently running Windows Server 2003 Standard Edition (R2, Service Pack 1 or Service Pack 2), you can upgrade to: Full Installation of Windows Server 2008 Standard Edition, or Full Installation of Windows Server 2008 Enterprise Edition.
If you are currently running Windows Server 2003 Enterprise Edition (R2, Service Pack 1 or Service Pack 2), you can upgrade to: Full Installation of Windows Server 2008 Enterprise Edition.
If you are currently running Windows Server 2003 Datacenter Edition (R2, Service Pack 1 or Service Pack 2), you can upgrade to: Full Installation of Windows Server 2008 Datacenter Edition.
Procedure to install Windows Server 2008:
1. Insert the appropriate Windows Server 2008 installation media into your DVD drive. If you don't have an installation DVD for Windows Server 2008, you can download one for free from Microsoft's Windows 2008 Server Trial website.
2. Reboot the computer.
3. When prompted for an installation language and other regional options, make your selection and press Next.
5. Product activation is now identical to that found in Windows Vista. Enter your Product ID in the next window, and if you want to activate Windows automatically the moment the installation finishes, click Next.
If you do not have the Product ID available right now, you can leave the box empty and click Next. You will need to provide the Product ID later, after the server installation is over. Press No.
6. Because you did not provide the correct ID, the installation process cannot determine what kind of Windows Server 2008 license you own, so you will be prompted to select your correct version in the next screen, on the assumption that you are telling the truth and will provide the correct ID to prove your selection later on.
7. If you did provide the right Product ID, select the Full version of the Windows version you're prompted for, and click Next.
8. Read and accept the license terms by clicking to select the checkbox and pressing Next.
9. In the Which type of installation do you want? window, click the only available option, Custom (Advanced).
10. In the Where do you want to install Windows? window, if you're installing the server on a regular IDE hard disk, click to select the first disk, usually Disk 0, and click Next.
If you're installing on a hard disk that's connected to a SCSI controller, click Load Driver and insert the media provided by the controller's manufacturer.
If you must, you can also click Drive Options and manually create a partition on the destination hard disk.
11. The installation now begins, and you can go and have lunch. Copying the setup files from the DVD to the hard drive only takes about one minute. However, extracting and uncompressing the files takes a good deal longer. After 20 minutes, the operating system is installed. The exact time it takes to install server core depends upon your hardware specifications; faster disks will perform much faster installs. Windows Server 2008 takes up approximately 10 GB of hard drive space.
The installation process will reboot your computer, so if in step #10 you inserted a floppy disk (either real or virtual), make sure you remove it before going to lunch, or you'll find the server hung and unable to boot (you can bypass this by configuring the boot order in the server's BIOS to boot from CD/DVD first and then from the hard disk).
12. When the server reboots you'll be prompted with the new Windows Server 2008 style of login screen. Press CTRL+ALT+DEL to log in.
14. The default Administrator password is blank, so just type Administrator and press Enter.
15. You will be prompted to change the user's password. You have no choice but to press OK.
16. In the password changing dialog box, leave the default password blank (it is blank, as step #15 implies), and enter a new, complex, at-least-7-characters-long password twice. A password like topsecret is not valid (it's not complex), but one like T0pSecreT! sure is. Make sure you remember it.
17. Someone thought it would be cool to nag you once more, so now you'll be prompted to accept the fact that the password has been changed. Press OK.
18. Finally, the desktop appears and that's it: you're logged on and can begin working. You will be greeted by an assistant for the initial server configuration, and after performing some initial configuration tasks you will be able to start working.
2. Next expand the Active Directory Domain Services section and click on Active Directory Users and Computers.
3. At this point you should be able to see your domain. In our example we are using the Globomantics domain. Go ahead and expand your domain.
4. Now we need to create an Organizational Unit for a group to live in. In our example we are going to create an OU for our Ops Team.
To create a new Organizational Unit, right-click on your domain name, point to the New option and then select Organizational Unit.
5. Type in the name of your OU and make sure that the box next to Protect container from accidental deletion is checked. When done, click OK.
6. We now have a new Organizational Unit in our Active Directory called OpsOU.
3. The next step is to name your Group, select the scope and then select the type.
In this example we are going to name our group OpsUsers. We are also going to leave the default selections for group scope, which is Global, and group type, which is Security. When you are ready, click OK.
2. Then you need to right-click on any one of those accounts and select Add to a group.
3. Next, you need to type in the group name and let the machine find it.
In our example, I will type in OpsUsers and then click on the Check Names button. Once the name is verified and the group is found, the text will become underlined and you can click the OK button. Since we know our group exists, we are going to click OK without verification.
Note: Another way of accomplishing this would be to click on an account, hold it, then drag and drop it into a particular group. Depending on how much you like to use your mouse and how much time you have, this may or may not be your preferred way of accomplishing this task.
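The same OU, group and membership steps done from the command line, as an added example that is not part of the original material, using the dsadd, dsacls, dsmod and dsget tools that ship with the AD DS tools on Windows Server 2008. The domain DN DC=globomantics,DC=local and the two member accounts are constructed placeholders, and the dsacls rights used to reproduce the "Protect container from accidental deletion" check box (Deny Delete and Delete Subtree to Everyone) are an assumption about what that check box sets.

```powershell
# Added example (not from the original text): command-line equivalent of the
# OU, group and membership steps. Run in an elevated prompt on a domain member
# that has the AD DS administration tools installed (PowerShell 2.0+ assumed).

$domainDN = 'DC=globomantics,DC=local'     # assumed DN for the Globomantics domain
$ouDN     = "OU=OpsOU,$domainDN"
$groupDN  = "CN=OpsUsers,$ouDN"

# Create the Organizational Unit for the Ops Team
dsadd ou $ouDN -desc "Ops Team"

# "Protect container from accidental deletion": assumed here to be a Deny
# entry for Everyone with Delete (SD) and Delete Subtree (DT) on the OU.
dsacls $ouDN /D "Everyone:SDDT"

# Create the group with the dialog's defaults: scope Global (-scope g) and
# type Security (-secgrp yes)
dsadd group $groupDN -samid OpsUsers -secgrp yes -scope g -desc "Ops Team members"

# Add existing user accounts to the group (constructed example DNs)
$members = @(
    "CN=Alice Example,CN=Users,$domainDN",
    "CN=Bob Example,CN=Users,$domainDN"
)
dsmod group $groupDN -addmbr $members

# Verify: list the members, and confirm the group is a global security group
dsget group $groupDN -members
dsget group $groupDN -scope -secgrp
```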
3.3 Analyze the working of Device Manager, Driver Signing & Signatures
Device Manager provides you with a graphical view of the hardware that is installed on your
computer. All devices communicate with Windows through a piece of software called a device
driver. You can use Device Manager to install and update the drivers for your hardware devices,
modify hardware settings for those devices, and troubleshoot problems.
Uses for Device Manager
You can use Device Manager to:
Identify the device drivers that are loaded for each device, and obtain information about each device driver.
Change advanced settings and properties for devices.
Install updated device drivers.
View the devices based on their type, by their connection to the computer, or by the resources they use.
Show or hide hidden devices that are not critical to view, but might be necessary for advanced troubleshooting.
You will typically use Device Manager to check the status of your hardware and update device
drivers on your computer. Advanced users who have a thorough understanding of computer
hardware might also use Device Manager's diagnostic features to resolve device conflicts and
change resource settings.
Ordinarily, you will not need to use Device Manager to change resource settings because
resources are allocated automatically by the system during hardware setup.
You can use Device Manager to manage devices only on a local computer. On a remote
computer, Device Manager will work only in read-only mode, allowing you to view, but not
change the hardware configuration of that computer.
Many of the virus, adware, security, and crash problems with Windows occur when someone installs a driver of dubious origin. The driver supposedly provides some special feature for Windows but in reality makes Windows unstable and can open doors for people of ill intent who want your system for themselves. Of course, Microsoft's solution is to lock down Windows so that you can use only signed drivers. A signed driver is one in which the driver creator uses a special digital signature to sign the driver software. You can examine this signature (as can Windows) to ensure that the driver is legitimate.
Windows 2008 doesn't load a driver that the vendor hasn't signed. Unfortunately, you'll find more unsigned than signed drivers on the market right now. Vendors haven't signed their drivers, for the most part, because the process is incredibly expensive and difficult. Many vendors see the new Windows 2008 feature as Microsoft's method of forcing them to spend money on something whose value they dispute. Theoretically, someone can forge a signature, which means that the signing process isn't foolproof and may not actually make Windows more secure or reliable. Of course, the market will eventually decide whether Microsoft or the vendors are correct, but for now you have to worry about having signed drivers to use with Windows.
Sometimes, not having a signed driver can cause your system to boot incorrectly or not at all. The Disable Driver Signature Enforcement option lets you override Microsoft's decision to use only signed drivers. When you choose this option, Windows boots as it normally does. The only difference is that it doesn't check the drivers it loads for a signature. You may even notice that Windows starts faster. Of course, you're giving up a little extra reliability and security to use this feature, at least in theory.
You can't permanently disable the use of signed drivers in the 64-bit version of Windows Server 2008, at least not using any Microsoft-recognized technique. It's possible to disable the use of signed drivers in the 32-bit version by making a change in the global policy. A company named Linchpin Labs has a product called Atsiv (http://www.linchpinlabs.com/resources/atsiv/usagedesign.htm), which lets you overcome this problem, even on 64-bit systems. Microsoft is fighting a very nasty war to prevent people from using the product.
Using the boot method of permanently disabling signed driver checking
An undocumented method of disabling the signed driver requirement for both 32-bit and 64-bit versions of Windows Server 2008 is to use the BCDEdit utility to make a change to the boot configuration. Because this feature isn't documented, Microsoft could remove it at any time. This procedure isn't something that a novice administrator should attempt, but it's doable.
1. Choose Start -> Programs -> Accessories.
You see the Accessories menu.
2. Right-click Command Prompt and choose Run As Administrator from the context menu.
Windows opens a command line with elevated privileges. You can tell that the privileges are elevated because the title bar states that this is the administrator's command prompt rather than a standard command prompt.
3. Type BCDEdit /Export C:\BCDBackup and press Enter. BCDEdit displays the message This Operation Completed Successfully. This command saves a copy of your current boot configuration to the C:\BCDBackup file. Never change the boot configuration without making a backup.
4. Type BCDEdit /Set LoadOptions DDISABLE_INTEGRITY_CHECKS and press Enter. BCDEdit displays the message This Operation Completed Successfully. The Driver Disable (DDISABLE) option tells Windows not to check the signing of your drivers during the boot process. Be sure to type the BCDEdit command precisely as shown. The BCDEdit utility is very powerful and can cause your system not to boot when used incorrectly.
5. Restart your system as normal to use the new configuration.
Using the group policy method of permanently disabling signed driver checking
Users of the 32-bit version of Windows Server 2008 also have a documented and Microsoft-approved method of bypassing the signing requirement. (This technique will never work on the 64-bit version of the product.)
In this case, you set a global policy that disables the requirement for the local machine (when made on the local machine) or the domain (when made on the domain controller). The following steps describe how to use the Group Policy Editor (GPEdit) console to perform this task.
1. Choose Start -> Run.
You see the Run dialog box.
2. Type GPEdit.MSC (for Group Policy Edit) in the Open field and click OK. Windows displays
the Local Group Policy Editor window.
3. Locate the Local Computer Policy\User Configuration\Administrative
Templates\System\Driver Installation folder.
4. Double-click the Code Signing for Device Drivers policy.
5. Select Enabled.
6. Choose Ignore (installs unsigned drivers without asking), Warn (displays a message asking
whether you want to install the unsigned driver), or Block (disallows unsigned driver installation
automatically) from the drop-down list.
7. Click OK.
The Local Group Policy Editor console sets the new policy for installing device drivers.
8. Close the Local Group Policy Editor console.
9. Reboot the server.
Theoretically, the changes you made should take effect immediately after you log back in to the
system. However, to make sure the policy takes effect for everyone, reboot the server.
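An added example, not part of the original text, from the administrator's side of both procedures above: a PowerShell audit that reports whether a Windows Server 2008 host has had signature enforcement weakened by the BCDEdit method (the loadoptions element, plus the nointegritychecks and testsigning boot elements) or by the Code Signing for Device Drivers policy. The registry location of that policy is assumed here to be HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing, value BehaviorOnFailedVerify (0 = Ignore, 1 = Warn, 2 = Block); the script also assumes PowerShell 2.0 or later, an elevated prompt, and English-language bcdedit output. A constructed sample of bcdedit output is included so the parser can be tried without touching the live boot store.

```powershell
# Added example (not from the original text): audit the boot configuration and
# the local driver-signing policy for the bypasses described above.
# Assumes PowerShell 2.0+, an elevated prompt, and English "Yes"/"No" output.

function Get-BcdEntries {
    # Turn the text of "bcdedit /enum" into one hashtable per boot entry.
    # Entries are separated by blank lines; each line is "<element> <value>".
    param([string[]]$Lines = (& bcdedit /enum))
    $entries = @()
    $current = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*$') {
            if ($current.ContainsKey('identifier')) { $entries += ,$current }
            $current = @{}
        } elseif ($line -match '^(\S+)\s+(.+)$') {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($current.ContainsKey('identifier')) { $entries += ,$current }
    return $entries
}

function Test-BcdDriverSigning {
    # Report, per boot entry, every element that turns off code-integrity checks.
    param([string[]]$Lines = (& bcdedit /enum))
    foreach ($e in Get-BcdEntries -Lines $Lines) {
        $findings = @()
        if ($e['loadoptions'] -match 'DDISABLE_INTEGRITY_CHECKS') {
            $findings += 'loadoptions contains DDISABLE_INTEGRITY_CHECKS'
        }
        if ($e['nointegritychecks'] -eq 'Yes') { $findings += 'nointegritychecks is Yes' }
        if ($e['testsigning'] -eq 'Yes')       { $findings += 'testsigning is Yes' }
        New-Object PSObject -Property @{
            Identifier  = $e['identifier']
            Description = $e['description']
            Weakened    = ($findings.Count -gt 0)
            Findings    = ($findings -join '; ')
        }
    }
}

function Get-DriverSigningPolicy {
    # The GPEdit procedure writes a per-user policy value. Registry location
    # and value meaning (0 = Ignore, 1 = Warn, 2 = Block) are assumed here.
    $key = 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing'
    if (-not (Test-Path $key)) { return 'Not configured (default enforcement)' }
    $value = (Get-ItemProperty -Path $key).BehaviorOnFailedVerify
    if ($value -eq $null) { return 'Not configured (default enforcement)' }
    switch ([int]$value) {
        0       { 'Ignore (unsigned drivers install without prompting)' }
        1       { 'Warn' }
        2       { 'Block' }
        default { "Unexpected value $value" }
    }
}

# Constructed sample of "bcdedit /enum" output reflecting the step-4 change
# above, used to exercise the parser offline.
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server 2008
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             No
'@ -split "`r?`n"
Test-BcdDriverSigning -Lines $sample | Format-Table Identifier, Weakened, Findings -AutoSize

# Live checks on this host: boot entries with weakened enforcement, then the policy
Test-BcdDriverSigning | Where-Object { $_.Weakened } |
    Format-Table Identifier, Description, Findings -AutoSize
"Driver signing policy (current user): " + (Get-DriverSigningPolicy)
```

The sample entry is reported with Weakened set to True because of the loadoptions element; a host that has never had either procedure applied produces no rows from the live check.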
configuration can be useful in an environment in which you have guests on the same network but
you want to prevent them from accessing computers that are part of a domain. It can be used as
an alternative or in addition to Virtual LANs (VLANs).
Leave the Firewall Enabled
Most applications are now smart enough to automatically open the necessary port on the firewall when they're installed, which eliminates the need to manually open inbound ports on the server. One of the main reasons to have the firewall up during installation is that it protects the OS before you have the chance to apply the latest updates.
The firewall is well integrated with Server Manager's roles and features. When a role or feature is added on the server, the firewall automatically opens the necessary inbound ports. SQL Server, however, is not installed as a Server Manager role, so its default port of TCP 1433 is not opened for you. Therefore, you must manually create an inbound rule on the firewall that allows TCP port 1433 for SQL Server. (Alternatively, you can change the default port.)
Creating Inbound Rules
Before creating a rule, check to see whether a rule that allows the desired inbound traffic already exists. If you find an existing rule, you can simply enable it and possibly change its default scope. If you don't find an existing rule, you can always create one from scratch.
Select Administrative Tools from the Start menu, then select Windows Firewall with Advanced Security to start the Windows Firewall with Advanced Security snap-in.
For illustration purposes, here is how to create a rule that allows inbound SQL Server traffic on TCP port 1433 from a Microsoft Office SharePoint Server front-end server:
Right-click Inbound Rules and select New Rule.
As Figure 1 shows, you can select Program, Port, Predefined, or Custom for the rule type. Select Custom, because this option prompts you to enter a scope for the rule. Click Next to continue.
Figure 4: Specifying local and remote IP addresses in a new inbound rule's scope
In the Action dialog box, which Figure 5 shows, select Allow the connection to allow inbound
traffic to pass for SQL Server.
Figure 5: Specifying the action to take when a connection matches the condition in a new
inbound rule
Alternatively, you can allow traffic to pass only if it's encrypted and secured with IPsec, or you can block the connection. Next, you need to specify the profile(s) to which the rule will apply. As Figure 6 shows, select all the profiles (which is a best practice).
Figure 6: Specifying profiles for which a new inbound rule will apply
Finally, use a descriptive name for the rule, specifying the allowed service, scope, and ports, as
Figure 7 shows. Using a descriptive name makes it easier to identify what a rule does. Click
Finish to create the new inbound rule.
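The same rule built from the command line, as an added example that is not part of the original article, using netsh advfirewall, the command-line front end to Windows Firewall with Advanced Security on Windows Server 2008. It makes the scope restriction explicit (remoteip limited to the SharePoint front-end, a constructed placeholder address here), applies the rule to all profiles, and follows the advice above by checking for an existing rule of the same name first.

```powershell
# Added example (not from the original article): inbound rule for SQL Server
# TCP 1433, scoped to the SharePoint front-end only. Run from an elevated prompt.

$frontEndIP = '192.0.2.10'      # constructed placeholder: SharePoint front-end server
$ruleName   = 'Allow SQL Server TCP 1433 from SharePoint front-end'

# Reuse an existing rule rather than creating a duplicate
$existing = netsh advfirewall firewall show rule name="$ruleName" | Out-String
if ($existing -match 'Rule Name:') {
    "A rule with this name already exists; review its scope before relying on it:"
    $existing
} else {
    # Same choices as the wizard: inbound, allow, TCP 1433, remote address limited
    # to the front-end, all profiles, enabled on creation
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP localport=1433 remoteip=$frontEndIP profile=any enable=yes description="SQL Server access from the SharePoint front-end only"
}

# Show the rule with its scope so the remoteip restriction can be confirmed
netsh advfirewall firewall show rule name="$ruleName" verbose
```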
Printing Process
When a user selects File > Print from an application, a series of steps must be completed for the
printed document to appear. These steps have remained much the same over all recent versions
of Windows:
1. When the user selects File > Print, a new print job is created, which includes all the data,
and eventually, the printer commands that the system requires to output a document.
2. The client computer queries the print server for a version of the print driver for the
default or a selected printer. If necessary, the most recent version of the driver is
downloaded to the client computer.
3. The graphics device interface (GDI) and the printer driver may convert the print job into
a rendered Windows enhanced metafile (EMF). (The GDI is the component that provides
network applications with a system for presenting graphical information.) The GDI
actually does double duty by producing WYSIWYG (what you see is what you get)
screen output and printed output.
4. It is possible for Windows to convert the application's output (the print job) into either a metafile or a RAW format. (The RAW format is ready to print and requires no further rendering.) The driver then returns the converted print job to the GDI, which delivers it to the spooler.
5. The client side of the spooler (Winspool.drv) makes a remote procedure call (RPC) to the server side of the spooler (Spoolsv.dll). If a network-connected server is managing the print device, the spooler hands off the print job to the spooler on the print server. Then, that spooler copies the print job to a temporary storage area on that computer's hard disk. This step does not take place for locally managed print jobs; in that case, the job is spooled to disk locally.
6. The print server receives the job and passes it to the print router, Spoolss.dll. (You should
not confuse a router in this context with the device that directs network packets from one
subnetwork to another.)
7. The router checks the kind of data it has received and passes it on to the appropriate print
processor component of the local print provider, or the remote print server if the job is
destined for a network printer.
8. The local print provider may request that the print processor perform additional
conversions as needed on the file, typically from EMF to RAW. (Print devices can only
handle RAW information.) The print processor then returns the print job to the local print
provider.
9. The print monitor communicates directly with the print device and sends the ready-to-print print job to the print device.
10. The print device receives the data in the form it requires and translates it to a bitmap,
producing printed output.
Although it may seem complicated, this sequence is designed to make printing more efficient and
faster in a networked environment. In particular, the burden of spooling is distributed between
client and server computers.
Installing, Sharing, and Publishing Printers
By itself, Windows Server 2008 R2 is a very capable print server that provides a large range of
capabilities for working with printers and documents, much like the capabilities that were
included with previous Windows Server versions. The original version of Windows Server 2008
added the Print Services server role, which provided enhanced capabilities for sharing printers on
the network and centralizing printer and print management tasks into its own Microsoft
Management Console (MMC) snap-in. In Windows Server 2008 R2 this role is replaced by the
Print and Document Services role, which adds scanning management to the list of capabilities.
Installing the Print and Document Services Role
Use the following procedure to install the Print and Document Services server role on a
Windows Server 2008 R2 computer:
1. Open Server Manager and expand the Roles node.
2. Click Add Roles to start the Add Roles Wizard.
3. From the Select Server Roles page, select Print and Document Services (as shown in
Figure -1) and click Next.
5. The Select Role Services page shown in Figure -2 enables you to select additional role
services. The Print Server role is included by default. Make any desired selections and
click Next.
Figure -2. You can select optional role services from the Select Role Services page.
6. On the Confirm Installation Selections page, click Install.
7. The Installation Progress page tracks the progress of installing the Print and Document
services server role. When informed that the installation is complete, click Close.
When finished, the Print Management snap-in is accessible from the Administrative Tools folder. This snap-in enables you to perform a large range of printer management tasks on printers installed on computers running any version of Windows from Windows 2000 onward.
Installing Printers
You can install a printer on your Windows Server 2008 R2 computer from Control Panel even
without installing the Print and Document Services server role. If you installed this role, you can
also install a printer from the Print Management snap-in.
Using Control Panel to Install a Printer
Use the following procedure to install a printer from Control Panel:
1. Click Start > Control Panel > Hardware.
2. Under Devices and Printers, select Add a printer. The Add Printer Wizard starts and
provides two options, as shown in Figure -3.
Figure -3. Windows Server 2008 enables you to choose between installing a local or
network printer.
3. Select the appropriate option and click Next.
4. If you select the Add a network, wireless, or Bluetooth printer option, Windows
searches for network printers. Select the desired printer and click Next. If you select the
Add a local printer option, the Add Printer page asks you to choose a printer port. Select
the port to which the printer is attached and click Next.
5. You receive the Install the printer driver page. Select the make and model of the print device for which you're installing the printer (as shown in Figure -4) and click Next. To install a driver from an installation CD, click Have Disk and follow the instructions provided.
Figure -4. Selecting the make and model for which you're installing a printer.
6. The Type a Printer Name page provides a default name for the printer. Accept this or type
a different name, and then click Next.
7. The Printer Sharing page shown in Figure -5 enables you to share the printer. Accept the
share name or type a different name if necessary. Optionally, type location and comment
information in the text boxes provided. (This information helps users when selecting a
network printer.) When finished, click Next.
Figure -5. You are provided with options for sharing your printer.
8. You are informed that you successfully installed your printer. Click Print a test page to
print a test page if desired to confirm printer installation. When done, click Finish.
Using the Print Management Console to Install a Printer
After you install the Print and Document Management server role as described earlier, you can
install a printer directly from this console. Use the following procedure:
1. Click Start > Administrative Tools > Print Management to open the Print
Management console.
2. Expand the Print Server node to locate your print server.
3. Right-click your print server and choose Add Printer. The Network Printer Installation
Wizard starts and displays options, as shown in Figure -6.
Figure -6. The Network Printer Installation Wizard facilitates installation of printers on
the network.
4. Select the appropriate option and click Next.
5. If you select the Add a TCP/IP or Web Services Printer by IP address or hostname
option, specify the host name or IP address as well as the port name on the Printer
Address page, and then click Next. If you select the Search the network for printers
option, the Network Printer Search page appears and displays the printers it finds. Select
the desired printer and click Next.
6. On the Printer Driver page, select the make and model of the print device for which you're installing the printer, and then click Next.
7. The Type a printer name page provides a default name for the printer. Accept this or type
a different name, and then click Next.
8. The Printer Sharing page provides options similar to those previously shown in Figure -5
that are provided when installing from Control Panel. Specify the required options and
click Next.
9. If you receive a page asking for printer-specific configuration options, select the required options and then click Next. The options provided depend on the make and model of the print device associated with the printer you're installing.
10. You are informed that you successfully installed your printer. Click Finish.
When you finish installing the printer (whether from the Print Management snap-in or from
Control Panel), the printer is displayed in the details pane of the Print Management snap-in when
you select the Printers subnode under the node for your print server.
Sharing Printers
You can share a printer at the time you install it, but you can also configure printer sharing at any time afterwards. Use the following procedure:
1. In the console tree of the Print Management snap-in, expand your print server to reveal
the Printers node. All printers configured for your server will appear in the details pane.
2. Right-click your desired printer and choose Manage Sharing. This opens the printer's Properties dialog box at the Sharing tab.
3. Select the Share this printer check box. As shown in Figure -7, a default share name is provided automatically; accept this or type a different share name, as desired.
Figure -7. You can share your printer from the Sharing tab of the printer's Properties dialog box.
4. If users connecting to this printer are running different versions of Windows (including
32-bit as opposed to 64-bit Windows versions), click Additional Drivers to install
drivers required by these users. From the Additional Drivers dialog box that appears,
select the required drivers and click OK.
5. If client computers have the processing power for handling the print rendering process,
select the check box labeled Render print jobs on client computers. To have the print
server handle this processing load, clear this check box.
6. Click OK.
If you haven't installed the Print and Document Services server role, you can perform the same task from the Devices and Printers applet in Control Panel. Right-click your printer and choose Printer Properties. This brings up the same Properties dialog box; select the Sharing tab, as shown previously in Figure -7, and follow the same procedure as outlined here.
Publishing Printers in Active Directory
If your print server is part of an Active Directory Domain Services (AD DS) domain, you can
publish the printer to facilitate the task of users locating printers installed on the server. In the
Print Management snap-in, right-click your printer and choose List in Directory, as shown in
Figure -8. You can also publish your printer when configuring sharing (or from Control Panel if
you have not installed the Print and Document Services server role), by selecting the List in the
Directory check box, which was previously shown in Figure -7.
2. The Deploy with Group Policy dialog box shown in Figure -9 opens. Click Browse and
locate an appropriate GPO. If necessary, you can also create a new GPO for storing the
printer connections.
Select The computers that this GPO applies to (per machine) to deploy to
groups of computers, enabling all users of the computers to access your printer.
4. Click Add.
5. Repeat Steps 2 to 4 to deploy the printer connection settings to another GPO, if required.
6. Click OK.
Managing and Troubleshooting Printers
Several factors must be considered in administering printers. Like any other shared resource, they can be assigned permissions and their use can be audited. Also, special printing configurations, such as printer pools, can be set up. Multiple printers can be configured for one print device to handle different types of jobs. Furthermore, lots of things can go wrong with print jobs. Complaints from users that they cannot print or are denied access can make up a significant portion of a network administrator's or support specialist's job.
Using the Printer Properties Dialog Box
Each printer has a Properties dialog box associated with it that enables you to perform a large number of management tasks. You already saw how to share a printer or publish it in AD DS. This section discusses several additional tasks that you can perform from this dialog box. Right-click the printer in the details pane of the Print Management snap-in and choose Properties, or right-click the printer in the Control Panel Devices and Printers applet and choose Printer Properties to bring up this dialog box. In addition to the tabs discussed here, some printers show additional tabs; for example, color printers possess a Color Management tab that enables you to adjust color profile settings. Some printers possess a Version Information tab, which merely displays version information and contains no configurable settings.
General Tab
Use the General tab to rename the printer or modify the Location and Comment fields you
supplied when installing the printer. You can also print a test page or modify printer preferences
from this tab; click Preferences to open a dialog box that enables you to adjust settings, such as
print quality, paper source, type, and size, maintenance factors such as print head cleaning, and
so on. Appearance of, and options included in, this dialog box vary according to print device
make and model.
Ports Tab and Printer Pooling
As shown in Figure -10, the Ports tab enables you to select various available ports to which a
document will be printed. Documents will print to the first available selected port. Click Add
Port to bring up a dialog box that displays available port types and enables you to add new ports.
From here, you can add a new TCP/IP port for accessing a network printer; a wizard is provided
to guide you through the required steps. Options for configuring port options and deleting
unneeded ports are also available.
Figure -10. The Ports tab of the printer's Properties dialog box enables you to configure printer ports and printer pooling.
The Ports tab also enables you to configure printer pooling. A printer pool is a group of print
devices that are connected to a single printer through multiple ports on the print server. These
print devices should be the same make and model so that they use the same printer driver. This
method is useful because it allows pooling of similar print devices. In high volume print
situations, if one print device is busy, print jobs directed to a printer can be spooled to another
available print device that is part of the printer pool and printing jobs are completed more
quickly. To configure printer pooling, specify a different port for each print device in the printer
pool. Then, select the check box labeled Enable printer pooling and click OK.
To client computers, the printer pool appears as though it were a single printer. When users
submit print jobs to the printer pool, the jobs are printed on any available print device. You
should position the physical print devices in close proximity to each other so that the user does
not have to search for print jobs. Enabling separator pages is a best practice that you should
follow so that the users can locate their print jobs rapidly and conveniently.
This tab also enables you to redirect a printer to another printer should a problem occur with its
print device and you need to take it offline for maintenance. Redirecting a printer on the print
server redirects all documents sent to that printer; individual documents cannot be redirected. To
redirect a printer, click Add Port, and in the Printer Ports dialog box, select Local Port, and then
click New Port. In the Port Name dialog box that appears, enter the UNC path (\\server\printer)
or URL of the other printer, and then click OK.
Advanced Tab
The Advanced tab enables you to control the availability of the printer and configure drivers and
spool settings. Available settings on this tab are shown in Figure -11 and described in Table -3.
Figure -11. The Advanced tab of the printers Properties dialog box enables you to control
availability, priority, and spooler settings.
Table -3. Configurable Advanced Printer Properties
Setting: Description
Availability (Always available, or Available from/To): Enables you to specify the hours of the day when the printer is available. For example, you can configure a printer that accepts large jobs to print only between 6 p.m. and 8 a.m. so that shorter jobs can be printed rapidly during the day. Jobs submitted outside the available hours are kept in the print queue until the available time.
Priority: Enables you to assign a numerical priority to the printer. This priority ranges from 1 to 99, with higher numbers receiving higher priority; the default is 1. Priority only has an effect between logical printers that send to the same print device. For example, you can create a second printer for the same device, assign it a priority of 99 and grant only managers the Print permission on it, so that their jobs are completed before those of other employees.
Spool print documents so program finishes printing faster: Enables spooling of print documents; the application hands the job to the spooler and is released immediately. Select one of the following: Start printing after last page is spooled (the whole document is written to the spool before printing begins) or Start printing immediately (printing begins as soon as the first page has been spooled).
Print directly to the printer: Sends documents to the print device without first writing them to the print server's hard disk drive. Recommended only for non-shared printers.
Hold mismatched documents: The spooler holds documents that do not match the available form until that form is loaded. Other documents that match the form can print.
Print spooled documents first: Documents are printed in the order in which they finish spooling, rather than in the order in which they start spooling. Use this option if you selected the Start printing immediately option.
Keep printed documents: Retains printed jobs in the print spooler. Enables a user to resubmit a document from the print queue rather than from an application. The retained spool files contain the full content of every document, so the spool folder should be protected and purged when the retained jobs are no longer needed.
Enable advanced printing features: Turns on metafile (EMF) spooling and presents additional options such as page order and pages per sheet. This is selected by default and should be turned off only if printer compatibility problems arise.
Printing Defaults command button: Selects the default orientation and order of pages being printed. Users can modify this from most applications if desired. Additional print device-specific settings may be present.
Print Processor command button: Specifies the print processor, which converts a spooled document into the data stream the print device expects.
Separator Page command button: Enables you to specify a separator page file, which is printed at the start of a print job to identify the print job and the user who submitted it. This is useful for identifying printed output when many users access a single print device.
the same manner. Use the following steps to configure a printers permissions from the Security
tab of its Properties dialog box:
1. Select the Security tab of the printers Properties dialog box, as shown in Figure -12.
Figure -12. The Security tab of the printers Properties dialog box enables you to
configure printer permissions.
2. If you need to add users or groups to the ACL, click Add to open the Select Users,
Computers, or Groups dialog box.
3. In this dialog box, click Advanced, and then click Find now to locate the required users
or groups. You may also use the fields in the Common Queries area of the dialog box to
narrow the search for the appropriate object.
4. Select one or more users or groups in the list, and then click OK. This returns you to the
Security tab of the printers Properties dialog box.
5. Select the permissions you want to allow or deny from the available list. Table -4
describes the available permissions.
6. If you need to assign special permissions or check the effective permissions granted to a
specific user, click Advanced. The options available are similar to those discussed in
Chapter 9 for files and folders.
7. When you finish, click OK or Apply to apply your settings.
Table -4. Windows Server 2008 Printer Permissions
Permission: Description
Print: Enables users to connect to the printer to print documents and to control settings for their own documents only. Users can pause, delete, and restart their own jobs only. By default this permission is granted to Everyone, so a shared printer accepts jobs from any user who can reach the share unless you tighten the ACL.
Manage this printer: Enables users to assign forms to paper trays and set a separator page. Users can also pause, resume, and purge the printer, change printer properties and permissions, and even delete the printer itself. Also includes the tasks associated with the Print permission. Because it gives control over the printer's ACL and driver settings, restrict it to administrators.
Manage documents: Enables users to pause, resume, restart, and delete all documents, not only their own. Users can also set the notification level for completed print jobs and set priority and scheduling properties for documents to be printed. On its own it does not allow the user to send documents to the printer.
Special permissions: Similar to the NTFS security permissions discussed in Chapter 9, the three default printer permissions are made up of granular permissions. Click Advanced to bring up the Advanced Security Settings dialog box, from which you can configure these permissions, if required.
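The following script is an added example and is not part of the original page. It audits, for every printer on a Windows Server 2008 print server, the Ports, Advanced and Security settings described above: pooled ports, availability, priority, whether printed documents are kept, and who holds Print, Manage this printer and Manage documents. It uses the Win32_Printer WMI class; the GetSecurityDescriptor method it calls is assumed to be available (it is on Windows Vista, Windows Server 2008 and later), and the access-mask constants are those from winspool.h. Run it in an elevated Windows PowerShell 2.0 session.

```powershell
# Added example: audit printer ports, Advanced-tab settings and printer ACLs via WMI.
# Assumes Win32_Printer.GetSecurityDescriptor() is available (Vista / Server 2008 and later).

# Access-mask bits for printer and job objects, from winspool.h.
$PRINTER_ACCESS_ADMINISTER = 0x00000004
$PRINTER_ACCESS_USE        = 0x00000008
$JOB_ACCESS_ADMINISTER     = 0x00000010
$JOB_ACCESS_READ           = 0x00000020
$INHERIT_ONLY_ACE          = 0x08   # ACE applies to the printer's documents, not the printer

function ConvertTo-PrinterRight {
    param([uint32]$Mask, [uint32]$AceFlags)
    # An inherit-only ACE on a printer governs its documents: the job bits there mean
    # "Manage documents". A direct ACE carries the printer bits: "Print", "Manage this printer".
    if ($AceFlags -band $INHERIT_ONLY_ACE) {
        if ($Mask -band $JOB_ACCESS_ADMINISTER) { return 'Manage documents' }
        if ($Mask -band $JOB_ACCESS_READ)       { return 'Read documents' }
    } else {
        if ($Mask -band $PRINTER_ACCESS_ADMINISTER) { return 'Manage this printer' }
        if ($Mask -band $PRINTER_ACCESS_USE)        { return 'Print' }
    }
    return ('Special (0x{0:X8})' -f $Mask)
}

function Get-PrinterAudit {
    foreach ($p in Get-WmiObject -Class Win32_Printer) {
        # Ports tab: PortName is a comma-separated list when printer pooling is enabled.
        $ports  = @($p.PortName -split ',')
        $pooled = $ports.Count -gt 1

        # Advanced tab. StartTime/UntilTime are DMTF timestamps ("********HHMMSS.000000+000");
        # equal values mean "Always available".
        $avail = if ($p.StartTime -and $p.UntilTime -and $p.StartTime -ne $p.UntilTime) {
                     '{0}-{1}' -f $p.StartTime.Substring(8, 4), $p.UntilTime.Substring(8, 4)
                 } else { 'Always' }

        # Security tab: decode each DACL entry into the basic printer permission it grants.
        $aces = @()
        $sd = $p.GetSecurityDescriptor()
        if ($sd.ReturnValue -eq 0 -and $sd.Descriptor.DACL) {
            foreach ($ace in $sd.Descriptor.DACL) {
                $type = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
                $who  = if ($ace.Trustee.Domain) { '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name }
                        else { $ace.Trustee.Name }
                $aces += '{0} {1}: {2}' -f $type, $who, (ConvertTo-PrinterRight $ace.AccessMask $ace.AceFlags)
            }
        }

        New-Object PSObject -Property @{
            Name             = $p.Name
            Shared           = $p.Shared
            Ports            = $ports -join ';'
            Pooled           = $pooled
            Priority         = $p.Priority
            Availability     = $avail
            PrintDirectly    = $p.Direct               # "Print directly to the printer"
            KeepPrintedJobs  = $p.KeepPrintedJobs      # spool files stay on disk after printing
            HoldMismatched   = $p.EnableDevQueryPrint
            SpooledFirst     = $p.DoCompleteFirst
            AdvancedFeatures = -not $p.RawOnly         # "Enable advanced printing features"
            SeparatorFile    = $p.SeparatorFile
            PrintProcessor   = $p.PrintProcessor
            Acl              = $aces -join '; '
        }
    }
}

# What a reviewer looks at first: shared printers that retain printed documents on disk, and
# "Manage this printer" granted to any trustee other than BUILTIN\Administrators.
Get-PrinterAudit | Where-Object {
    ($_.Shared -and $_.KeepPrintedJobs) -or
    ($_.Acl -match 'Allow (?!BUILTIN\\Administrators)[^;]*Manage this printer')
} | Format-List Name, Shared, Pooled, Ports, Availability, KeepPrintedJobs, Acl
```

Remove the final Where-Object filter to see the full inventory; the Acl column is what the Security tab shows, with the inherit-only (document) entries resolved to Manage documents.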
Terms used in this section: basic disk, dynamic disk, foreign disk, partitions, simple volume,
spanned volume, striped volume, mirrored volume, RAID, master boot record (MBR), GUID
partition table (GPT).
In the Disk Management tool, you will see your volumes and disks listed on your server. When
you first put your physical disks on the system, they will most likely be basic disks. You can
choose to leave them as basic or convert them to dynamic. You will want to convert these disks
to dynamic disks when you need to create spanned and striped volumes. It is recommended that
you convert these disks prior to creating partitions or placing any data on the volumes.
To convert a disk to dynamic, follow these steps:
1. Open Server Manager by selecting Start => Administrative Tools => Server Manager.
2. In the Server Manager tree, click Storage.
3. In Storage, click Disk Management.
4. Right-click the disk you want to convert.
5. Select Convert To Dynamic Disk.
6. Select the disk or disks in the bottom window of the middle pane you want to convert,
and click OK.
2.2. Import a Foreign Disk
When you move a dynamic disk from one server to another server, the drive will be labeled as
Foreign. You can see an example of a foreign disk in Figure 2.
You may see a warning that some of your volumes will lose data, as shown here. This
typically occurs when you import disks whose volumes were part of a multi-disk (RAID)
volume and not all of the member disks are present. If you have reviewed the message,
understand which volumes will lose data, and are ready to import, click Yes.
4. Right-click the unallocated space in the bottom window of the middle pane you want to
create the volume on.
5. Click New Simple Volume.
6. On the Welcome screen, review the message, and click Next.
7. Select the size you want to make the volume, and click Next.
8. Select how you want to mount the volume. You can choose to mount to a drive letter,
mount to a folder on an existing drive, or not assign any mount point. After you make
your selection, click Next.
9. Next, you can select how to format the drive. After you make your selection, click Next.
You will see a screen similar to Figure 4.
10. Review the summary screen, and click Finish.
10. Next, you can select how to format the drive. After you make your selection, click Next.
11. Review the summary screen, and click Finish.
12. You will see a warning dialog box, as shown in Figure 7, if the drives need to be
converted to dynamic drives for spanned volumes. After you review the warning, click
Yes.
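The same three operations (convert a disk to dynamic, import a foreign disk, create and format a simple volume) can be scripted. The following is an added example, not part of the original page: it drives diskpart.exe, the command-line counterpart of Disk Management on Windows Server 2008, from Windows PowerShell 2.0. Disk number 1, the 20 GB size and drive letter E are placeholders; diskpart never asks for confirmation, so run each function with -WhatIf first and compare the disk number against the output of diskpart's list disk command.

```powershell
# Added example: drive diskpart.exe from PowerShell for the Disk Management steps above.
# Disk numbers, sizes and letters are placeholders; verify them with "diskpart> list disk".

function Invoke-DiskPart {
    param([string[]]$Commands, [switch]$WhatIf)
    # diskpart /s reads its commands from a script file, one per line.
    $script = Join-Path $env:TEMP ('diskpart_{0}.txt' -f [guid]::NewGuid())
    $Commands | Set-Content -Path $script -Encoding ASCII
    if ($WhatIf) {
        Write-Output "diskpart /s $script would run:"
        $Commands | ForEach-Object { Write-Output "  $_" }
        Remove-Item $script
        return
    }
    try     { & diskpart.exe /s $script }
    finally { Remove-Item $script -ErrorAction SilentlyContinue }
}

# Steps 4-6 of "convert to dynamic": select the disk, then convert it.
function ConvertTo-DynamicDisk {
    param([int]$DiskNumber, [switch]$WhatIf)
    Invoke-DiskPart @("select disk $DiskNumber", 'convert dynamic') -WhatIf:$WhatIf
}

# Section 2.2: import a disk that Disk Management shows as Foreign.
function Import-ForeignDisk {
    param([int]$DiskNumber, [switch]$WhatIf)
    Invoke-DiskPart @("select disk $DiskNumber", 'import') -WhatIf:$WhatIf
}

# Steps 4-10 of the New Simple Volume wizard: size, format, mount point. "create volume
# simple" requires a dynamic disk, which is why the conversion comes first.
function New-SimpleNtfsVolume {
    param([int]$DiskNumber, [int]$SizeMB, [string]$Letter, [string]$Label = 'Data', [switch]$WhatIf)
    Invoke-DiskPart @(
        "select disk $DiskNumber",
        "create volume simple size=$SizeMB disk=$DiskNumber",
        "format fs=ntfs label=`"$Label`" quick",
        "assign letter=$Letter"
    ) -WhatIf:$WhatIf
}

# Dry run first; drop -WhatIf only after checking the disk number against "list disk".
ConvertTo-DynamicDisk -DiskNumber 1 -WhatIf
New-SimpleNtfsVolume  -DiskNumber 1 -SizeMB 20480 -Letter E -Label 'Shares' -WhatIf
```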
If neither option is selected when the Start button is clicked, Check Disk only reports errors and
does not attempt to fix them. For Check Disk to repair errors and recover bad sectors during the
scan, the Automatically fix file system errors and Scan for and attempt recovery of bad sectors
check boxes must be selected respectively.
If the disk drive contains open files, Check Disk will be unable to fix errors located during the
scan and will display a dialog warning you of this fact. This warning dialog will also provide the
option to have the check run on the next system reboot (before any files are opened). This marks
the disk as dirty forcing Check Disk execution at system startup. This setting may also be
specified from the command prompt as follows:
fsutil dirty set e:
Volume - e: is now marked dirty
The current setting for a volume may be checked at any time using fsutil dirty query:
fsutil dirty query
Volume - e: is Dirty
Running Check Disk from the Command-prompt
The Check Disk process may also be initiated from the command prompt using the chkdsk
command combined with the designator of the drive on which the scan is to be performed. In
addition to performing the same functions as the graphical version of Check Disk, the command
prompt version also provides more detailed disk analysis and repair reports.
The chkdsk utility accepts a number of command line options which govern the tasks performed
during execution. These options are outlined in the following table:
Option: Description
/F: Fixes errors found on the disk. The volume must be locked for exclusive access; if it cannot be (for example because files are open), chkdsk offers to run the check at the next restart.
/B: Re-evaluates clusters previously marked as bad on the volume (implies /R). NTFS only.
/C: Do not check for cycles (a situation where a directory points to itself) within the folder structure. NTFS only.
/I: Performs a less thorough check of index entries, which shortens the scan. NTFS only.
/L[:size]: Changes the size of the NTFS transaction log file to the specified number of kilobytes; with no size given, displays the current size. NTFS only.
/R: Analyze the disk and fix any errors, locate bad sectors, mark them as bad and recover readable information from them (implies /F).
/V: List the full path of every file on the volume on FAT/FAT32. Displays cleanup messages related to fixing errors on NTFS volumes.
/X: Forces the volume to dismount first, invalidating all open handles to it (implies /F). Avoid on volumes that are in use.
To perform a disk analysis without correcting any errors, simply enter chkdsk at a command
prompt together with the drive designator of the drive to be analyzed. The following output is the
result of running chkdsk on an NTFS volume:
C:\Windows\system32>chkdsk e:
The type of the file system is NTFS.
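The dirty-bit query, the read-only analysis and the "check at next restart" behaviour described above can be combined into one script. The following is an added example, not part of the original page: it wraps fsutil.exe and chkdsk.exe from Windows PowerShell 2.0 and interprets chkdsk's documented exit codes. Drive E: is a placeholder; run it from an elevated prompt.

```powershell
# Added example: dirty-bit check and chkdsk analysis with exit codes decoded.

function Test-VolumeDirty {
    param([string]$Drive)                                # e.g. 'E:'
    $out = (& fsutil.exe dirty query $Drive 2>&1) -join ' '
    # fsutil prints "Volume - E: is Dirty" or "Volume - E: is NOT Dirty".
    if ($out -match 'is NOT Dirty') { return $false }
    if ($out -match 'is Dirty')     { return $true }
    throw "Unexpected fsutil output for ${Drive}: $out"
}

function Invoke-CheckDisk {
    param([string]$Drive, [switch]$Fix, [switch]$BadSectors)
    $params = @($Drive)
    if ($Fix)        { $params += '/F' }
    if ($BadSectors) { $params += '/R' }                 # /R implies /F
    $log  = & chkdsk.exe @params 2>&1
    $code = $LASTEXITCODE
    # Exit codes from "chkdsk /?": 0 no errors; 1 errors found and fixed; 2 disk cleanup
    # performed, or not performed because /F was not given; 3 could not check the disk, or
    # errors were found and not fixed.
    $meaning = switch ($code) {
        0 { 'No errors found' }
        1 { 'Errors found and fixed' }
        2 { 'Cleanup performed, or errors found but /F not specified' }
        3 { 'Could not check the disk, or errors were not fixed' }
        default { "Unknown exit code $code" }
    }
    New-Object PSObject -Property @{ Drive = $Drive; ExitCode = $code; Result = $meaning; Log = $log }
}

$drive = 'E:'
if (Test-VolumeDirty $drive) {
    Write-Warning "$drive is already marked dirty; Check Disk will run at the next startup."
} else {
    $r = Invoke-CheckDisk $drive                         # read-only analysis, no /F
    Write-Output "Analysis of ${drive}: $($r.Result)"
    if ($r.ExitCode -ne 0) {
        # Same effect as answering Yes to "schedule the check for the next restart": set the
        # dirty bit rather than forcing a dismount with /X on a volume that is in use.
        & fsutil.exe dirty set $drive | Out-Null
        Write-Output "$drive marked dirty; Check Disk will repair it at the next startup."
    }
}
```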
One method for performing this task is to use the Disk Defragmenter tool which is accessed by
right clicking on a disk volume in Windows Explorer or the Disk Management interface in
Computer Management and selecting Properties. In the properties dialog, select the Tools tab and
click on Defragment Now.... This will display the initial screen of the Disk Defragmenter as
illustrated in the following figure:
The tool will perform a scan of the selected volume and report whether a defragmentation is
recommended (and in the above example it is recommended). Click on Defragment now... to
initiate the defragmentation process. This will cause the drive selection dialog to appear. Select
one or more disks to defragment from this dialog followed by OK to trigger the defragmentation
process. As each selected drive is defragmented the progress will be displayed together with a
button providing the option to cancel the process.
Automated Disk Defragmentation
Windows Server 2008 also provides the option to automatically defragment disk drives as a
background task. This is scheduled in the Disk Defragmenter tool which can be accessed either
from within Windows Explorer or Disk Management as outlined above. Once invoked,
automated disk defragmentation is configured by setting the Run on a schedule (recommended)
toggle:
By default, automated defragmentation occurs at 1am every Wednesday. Once selected, the
schedule may be configured by clicking on the Modify schedule... button where the frequency
(daily, weekly, monthly), day and time may be specified:
To specify the volumes to be automatically defragmented, click on Modify volumes... and make
the required volume selections.
Option: Description
-A: Perform an analysis only and report whether defragmentation is recommended.
-C: Defragment all volumes on the computer.
-F: Force defragmentation even when free space on the volume is low.
-R: Perform a partial defragmentation, consolidating only fragments smaller than 64 MB (the default).
-V: Set verbose mode for detailed output during analysis and/or defragmentation.
-W: Perform a full defragmentation, consolidating all file fragments regardless of size.
A more detailed report can be obtained using the -A option in conjunction with -V, for example:
C:\Windows\system32>defrag e: -a -v
Windows Disk Defragmenter
Copyright (c) 2006 Microsoft Corp.
Analysis report for volume E: New Volume
    Volume size                    = 8.00 GB
    Cluster size                   = 4 KB
    Used space                     = 65 MB
    Free space                     = 7.93 GB
    Percent free space             = 99 %
File fragmentation
    Percent file fragmentation     = 0 %
    Total movable files            = 14
    Average file size              = 4 MB
    Total fragmented files         = 1
    Total excess fragments         = 1
    Average fragments per file     = 1.12
    Total unmovable files          = 4
Free space fragmentation
    Free space                     = 7.93 GB
    Total free space extent        = 4
    Average free space per extent  = 1.98 GB
    Largest free space extent      = 4.00 GB
Folder fragmentation
    Total folders                  = 7
    Fragmented folders             = 1
    Excess folder fragments        = 0
functionality is that if a new file screening template is applied to an existing volume, files that
would normally not be allowed on the volume would not be removed if they are already stored
on it.
File Classification Infrastructure
Windows Server 2008 R2 includes a new feature called the File Classification Infrastructure
(FCI). FCI enables file server administrators to create classification rules that identify files and
tag them with property values, based on the folder the files are stored in and/or on the content of
the files themselves. FCI is managed from the File Server Resource Manager console, and the
resulting properties can be used as conditions in file management tasks such as file expiration.
When FCI classifies a Microsoft Office file, the classification properties are stored within the file
itself and follow the file wherever it is copied or moved. For other file types, the properties are
stored in an alternate data stream on the NTFS volume; they still follow the file when it is copied
or moved, provided that the destination is an NTFS volume hosted on a Windows Server 2008
R2 system.
Volume Shadow Copy Service (VSS)
Windows Server 2003 introduced a file system service called the Volume Shadow Copy Service
(VSS). The VSS enables administrators and third-party independent software vendors to take
snapshots of the file system to allow for faster backups and, in some cases, point-in-time
recovery without the need to access backup media. VSS copies of a volume can also be mounted
and accessed just like another Windows volume if that should become necessary.
Shadow Copies of Shared Folders
Volume shadow copies of shared folders can be enabled on Windows volumes to allow
administrators and end users to recover data deleted from a network share without having to
restore from backup. The shadow copy runs on a schedule and takes a snapshot of the data
currently stored on the volume. In versions of Windows before Windows Server 2003, if a user
mistakenly deleted data in a network shared folder, it was immediately gone from the server and
had to be restored from backup. A Windows Server 2003, Windows Server 2008, or Windows
Server 2008 R2 NTFS volume that has shadow copies enabled allows a user with the correct
permissions to restore deleted or overwritten data from a previously taken shadow copy (the
Previous Versions tab in Windows Explorer). It is important to note that shadow copies are
stored on local volumes: if the volume hosting the shadow copy storage becomes inaccessible or
corrupted, so do the shadow copies, and anyone with administrative rights on the server (or
malware running with them) can delete every copy with a single vssadmin delete shadows
command. Shadow copies are not a replacement for backups and should not be considered a
disaster recovery tool.
Volume Shadow Copy Service Backup
The Volume Shadow Copy Service in Windows Server 2008 R2 also provides the ability for
Windows Backup and third-party software vendors to utilize this technology to improve backup
performance and integrity. A VSS-compatible backup program can call on the Volume Shadow
Copy Service to create a shadow copy of a particular volume or database, and then the backup
can be created using that shadow copy. A benefit of utilizing VSS-aware backups is that the
reliability and performance of the backup is increased as the backup window will be shorter and
the load on the system disk will be reduced during the backup.
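The following is an added example and not part of the original page. It creates a ClientAccessible shadow copy (the kind Shadow Copies of Shared Folders uses) through the Win32_ShadowCopy WMI class, then lists the copies of a volume together with the volume that holds their diff area, so that the "stored on a local volume" caveat above can be checked rather than assumed. E:\ is a placeholder; the script assumes Windows Server 2003 or later and administrative rights.

```powershell
# Added example: create and inventory shadow copies of a volume via WMI.

function New-ShadowCopy {
    param([string]$Volume)                                 # e.g. 'E:\' (trailing backslash)
    $class  = [wmiclass]'root\cimv2:Win32_ShadowCopy'
    $result = $class.Create($Volume, 'ClientAccessible')   # same context as the Shadow Copies tab
    if ($result.ReturnValue -ne 0) {
        throw "Win32_ShadowCopy.Create failed with code $($result.ReturnValue)"
    }
    Get-WmiObject Win32_ShadowCopy -Filter "ID='$($result.ShadowID)'"
}

function Get-ShadowCopyReport {
    param([string]$Volume)
    # WQL needs backslashes doubled inside string literals.
    $vol = Get-WmiObject Win32_Volume -Filter "Name='$($Volume.Replace('\', '\\'))'"
    if (-not $vol) { throw "Volume $Volume not found" }

    # Win32_ShadowStorage says which volume holds the diff area for this volume. If it is the
    # same volume, losing the volume loses every shadow copy with it.
    $storage = Get-WmiObject Win32_ShadowStorage |
               Where-Object { ([wmi]$_.Volume).DeviceID -eq $vol.DeviceID }
    $diffVol = if ($storage) { ([wmi]$storage.DiffVolume).Name } else { '(no shadow storage configured)' }

    Get-WmiObject Win32_ShadowCopy -Filter "VolumeName='$($vol.DeviceID.Replace('\', '\\'))'" |
        ForEach-Object {
            New-Object PSObject -Property @{
                ID               = $_.ID
                Created          = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
                DevicePath       = $_.DeviceObject        # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
                Persistent       = $_.Persistent
                ClientAccessible = $_.ClientAccessible
                DiffAreaOn       = $diffVol
                SameVolume       = ($diffVol -eq $vol.Name)
            }
        }
}

$volume = 'E:\'
New-ShadowCopy $volume | Out-Null
Get-ShadowCopyReport $volume |
    Sort-Object Created |
    Format-Table Created, Persistent, ClientAccessible, DiffAreaOn, SameVolume -AutoSize
```

DevicePath can be mounted read-only (for example with mklink /d) to inspect a point-in-time view of the volume, which is also how a forensic examiner pulls files that have since been deleted or overwritten.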
Remote Storage Service (RSS)
The Remote Storage Service was included with Windows 2000 Server and Windows Server
2003. It enables administrators to migrate or archive data to lower-cost, slower disks or tape
media to reduce the storage space required on file servers.
This service, however, has been discontinued in Windows Server 2008 and is not included in
Windows Server 2008 R2 either. Many organizations that required this sort of functionality have
turned to third-party vendors to provide this type of hierarchical storage management. However,
the New File Management Tasks node within the File Server Resource Manager console
provides a function that allows administrators to schedule processes that will report on files that
might be candidates for moving to alternate storage through a function called file expiration. This
can be configured to notify both administrators and end-user file owners of upcoming files that
will be expired and moved to alternate volumes. One main difference, however, is that file
expiration does not leave a link in the original file location as the Remote Storage Service
previously did.
Distributed File System (DFS)
As the file services needs of an organization change, it can be a challenging task for
administrators to design a migration plan to support the new requirements. In many cases when
file servers need additional space or need to be replaced, extensive migration time frames,
scheduled outages, and, sometimes, heavy user impact results.
In an effort to create highly available file services that reduce end-user impact and simplify file
server management, Windows Server 2008 R2 includes the Distributed File System (DFS)
service. DFS provides access to file data from a single namespace that can be used to represent a
single server or a number of servers that store different sets or replicated sets of the same data.
For example, when using DFS in an Active Directory domain, a DFS namespace named
\\companyabc.com\UserShares could redirect users to \\Server10\UserShares or to a replicated
copy of the data stored at \\Server20\UserShares.
Users and administrators both can benefit from DFS because they only need to remember a
single server or domain name to locate all the necessary file shares.
Distributed File System Replication (DFSR)
With the release of Windows Server 2003 R2 and continuing with Windows Server 2008 and
Windows Server 2008 R2, DFS has been upgraded. In previous versions, DFS replication was
performed by the File Replication Service (FRS). Starting with Windows Server 2003 R2, DFS
replication is performed by the Distributed File System Replication service (DFSR). DFSR uses
Remote Differential Compression (RDC) to replicate data, transferring only the portions of a file
that have changed rather than the entire file, and it improves on FRS with better replication
stability, more granular administrative control, and additional replication and access options.
DFSR replication traffic is carried over authenticated and encrypted RPC, so it is secured in
transmission between member servers.
As illustrated in the preceding figure, the file's current owner is bill and the option is available
for user nas to take over ownership of the file. To take ownership, click on the Edit button to
display the following dialog box where ownership may be changed:
To take ownership, select your user name from the list and click on Apply. To transfer ownership
to a different user, either select the name from the list, or search for the user by clicking on the
Other users or groups... button. Select the required user and click on Apply to commit the
transfer.
File and Folder Permission Inheritance
Another part of understanding file and folder permissions involves the concept of inheritance.
When a file or sub-folder is created in an existing folder (referred to as the parent folder) it
inherits, by default, all of the permissions of the parent folder. Similarly, when the permissions
on a parent folder are changed, those changes are automatically inherited by all child files and
folders contained within that parent folder.
To turn off inheritance for a child file or folder, right click the object in Windows Explorer, select
Properties and then click on the Security tab of the properties dialog. On the Security properties
panel, click on the Advanced button to display the Advanced Security Settings dialog followed by
Edit... to display the editable permission settings. In this dialog, clear the check box next to
Include inheritable permissions from parent object. Once cleared, a warning dialog will appear
offering the choice to copy the currently inherited permissions onto the object as explicit
permissions, or to remove all inherited permissions and keep only the permissions which have
been explicitly set on the selected object (choosing Remove on an object with no explicit
permissions leaves it accessible only to its owner and to administrators who take ownership):
Occasionally, the converse situation exists, whereby a parent folder contains files and folders
which have explicitly set permissions, rather than just the inherited permissions from the parent
folder. In order to reset a folder and its children such that it only has inherited permissions,
display the Security tab of the Properties dialog as outlined above, click on Advanced... and then
Edit... and set the check box next to Replace all existing inheritable permissions on all
descendants with inheritable permissions from this object. A dialog will subsequently appear
warning that any explicitly defined permissions on all descendant files and folders will be
removed and replaced by inheritable permissions. Click Yes to commit the change.
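Both inheritance operations above have scriptable equivalents. The following is an added example, not part of the original page: it turns inheritance off on a folder (keeping or dropping the inherited entries, the Copy and Remove choices of the warning dialog) with the .NET SetAccessRuleProtection method that Get-Acl exposes, resets every descendant to inherited-only permissions with icacls /reset, and reports the protected/inherited/explicit state before and after. D:\Shares\Finance is a placeholder path; the account running it needs Change permissions on the tree.

```powershell
# Added example: disable inheritance on a folder and reset descendants to inherited ACLs.

function Show-Inheritance {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    New-Object PSObject -Property @{
        Path      = $Path
        Protected = $acl.AreAccessRulesProtected          # True = inheritance turned off
        Inherited = @($acl.Access | Where-Object { $_.IsInherited }).Count
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

# "Include inheritable permissions from parent object" cleared. PreserveInheritance=$true is
# the dialog's Copy choice (inherited entries become explicit); $false is Remove.
function Disable-Inheritance {
    param([string]$Path, [switch]$RemoveInherited)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, -not $RemoveInherited)
    Set-Acl -Path $Path -AclObject $acl
}

# "Replace all existing inheritable permissions on all descendants with inheritable permissions
# from this object": icacls /reset strips explicit entries and re-enables inheritance on every
# child. /T recurses, /C continues past objects it cannot touch, /L acts on symbolic links
# themselves rather than following them.
function Reset-ChildPermissions {
    param([string]$Path)
    & icacls.exe "$Path\*" /reset /T /C /L | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed under $Path (exit code $LASTEXITCODE)" }
}

$share = 'D:\Shares\Finance'
Show-Inheritance $share                          # typically Protected=False, Inherited>0
Disable-Inheritance $share                       # Copy: nobody loses access
Show-Inheritance $share                          # Protected=True, Inherited=0, Explicit>0
Reset-ChildPermissions $share                    # children now carry only what $share hands down
Get-ChildItem $share -Recurse | ForEach-Object { Show-Inheritance $_.FullName } |
    Where-Object { $_.Explicit -gt 0 }           # anything listed still has explicit entries
```

Use Disable-Inheritance -RemoveInherited only after adding an explicit Administrators entry to the folder; otherwise the final Where-Object is also a useful standing check for explicit grants that have crept into a share over time.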
Basic File and Folder Permissions
NTFS provides two levels of file and folder permissions which can be used to control user and
group access. These are basic permissions and special permissions. In essence, basic permissions
are nothing more than pre-configured sets of special permissions. This section will look at basic
permissions and the next will focus on special permissions and how they are used to create basic
permissions.
The current basic permissions for a file or folder may be viewed by right clicking on the object in
Windows Explorer, selecting Properties and then choosing the Security tab. At the top of the
security properties panel is a list of users and groups for which permissions have been configured
on the selected file or folder. Selecting a group or user from the list causes the basic permissions
for that user to be displayed in the lower half of the dialog. Any permissions which are grayed
out in the permission list are inherited from the parent folder. The basic permission settings
available differ slightly between files and folders. The following table lists the basic folder
permissions supported by Windows Server 2008 on NTFS volumes:
Permission: Description
Full Control: All of the permissions below, plus permission to change permissions and take ownership of the folder and its contents.
Modify: Permission to read and write to files in the folder, and to delete the current folder.
List Folder Contents: Permission to obtain a listing of files and folders and to traverse into sub-folders (the same rights as Read and Execute, applied to folders only).
Read and Execute: Permission to view the contents of files and folders and to execute files.
Write: Permission to create files and sub-folders and to write file data and attributes (does not include Read).
Read: Permission to list the folder and view file contents, attributes and permissions.
The basic file permissions are:
Permission: Description
Full Control: All of the permissions below, plus permission to change permissions and take ownership of the file.
Modify: Permission to read, write and delete the file.
Read and Execute: Permission to view file contents and execute the file.
Write: Permission to write data to the file and change its attributes.
Read: Permission to view file contents, attributes and permissions.
To change the basic permission on a file or folder access the security panel of the properties
dialog as outlined above and click Edit to display an editable version of the current settings. To
change permissions for users or groups already configured, simply select the desired user or
group from the list and change the settings in the permissions list as required (keeping in mind
that any grayed out permissions are inherited from the parent folder). Click Apply to commit the
changes. To configure permissions for users or groups not already listed, click on the Edit...
button on the security properties panel and click on Add.... Enter the names of users or groups
separated by semi-colons (;) in the Select Users or Groups dialog box and then click on Check
names to verify the names exist. Click on OK to confirm the user or group and return to the
editing dialog. With the new user or group selected, configure the desired permissions and then
Apply the settings when completed.
Special File and Folder Permissions
As mentioned previously, basic file and folder permissions are really just pre-packaged
collections of special permissions. Special permissions provide a much more fine grained
approach to defining permissions on files and folders than is offered by basic permissions. The
current special permissions configured on a file or folder can be viewed and modified by right
clicking on the object in Windows Explorer, selecting Properties, clicking on the Security tab of
the properties dialog and pressing the Advanced button. This will display the Permissions page of
the Advanced Security Settings dialog which contains a list of users and groups for which
permissions have been defined. Click on Edit to access the editable view of the permissions.
Select a user or group from the list and click on the Edit... once again to display the Permission
Entry for the selected user or group for this file or folder. This dialog will appear as illustrated in
the following figure:
To change the special permissions simply make the appropriate selections in the list (keeping in
mind that any grayed out permissions are inherited). To add special permissions for a user or
group not currently listed in the Advanced Security Settings page, click on the Add... button and
use the Select Users and Groups dialog to add new users or groups to the permission entries list.
Windows Server 2008 (or to be more exact, NTFS) provides 14 special permission options, each
of which may be allowed or denied. The following table lists each of these settings and describes
the option in more detail:
Permission: Description
Traverse folder / execute file: Traverse folder allows moving through a folder to reach a file or sub-folder even when the user has no other access to that folder. It only takes effect for users who lack the Bypass traverse checking user right, which is granted to Everyone by default, so in practice it rarely restricts anything. Execute file allows a program file to be run.
List folder / read data: List folder provides permission to view file and folder names. Read data allows the contents of files to be viewed.
Read attributes: Allows the basic attributes of a file or folder (read-only, hidden, system, archive) to be viewed.
Read extended attributes: Allows extended attributes, which are defined by individual programs, to be viewed.
Create files / write data: Create files allows the creation or placement (via move or copy) of files in a folder. Write data allows data in a file to be overwritten (does not permit appending of data).
Create folders / append data: Create folders allows creation of sub-folders in the current folder. Append data allows data to be appended to an existing file (existing data may not be overwritten).
Write attributes: Allows the basic attributes of a file or folder to be changed.
Write extended attributes: Allows the extended attributes of a file or folder to be changed.
Delete subfolders and files: Allows sub-folders and files within the folder to be deleted, even if the Delete permission has not been granted on those sub-folders and files.
Delete: Allows a file or folder to be deleted. When deleting a folder, the user or group must also have permission to delete any sub-folders or files contained therein.
Read permissions: Provides read access to both basic and special permissions of files and folders.
Change permissions: Allows basic and special permissions of a file or folder to be changed. Anyone holding it can grant themselves Full Control, so treat it as equivalent to Full Control when reviewing an ACL.
Take ownership: Allows ownership of the file or folder to be taken. The owner can always change permissions on an object, so this too is effectively a path to Full Control.
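The statement that basic permissions are pre-packaged sets of special permissions can be checked directly on a real ACL. The following is an added example and not part of the original page: it reads a path with Get-Acl, strips the Synchronize bit that Windows adds to every Allow entry but never displays, matches the remaining mask against the .NET FileSystemRights values for the basic permissions, and otherwise lists the individual special permissions that make up the entry (what the Security tab shows as "Special permissions"). D:\Shares\Finance is a placeholder path.

```powershell
# Added example: decode each ACE on a path into its basic permission or its special permissions.

$FSR = [System.Security.AccessControl.FileSystemRights]

# Basic permissions, expressed as the special-permission bits they bundle. List Folder Contents
# has the same bits as Read and Execute; it differs only in applying to folders, not files.
$Basic = @(
    @{ Name = 'Full Control';     Rights = [int]$FSR::FullControl },
    @{ Name = 'Modify';           Rights = [int]$FSR::Modify },
    @{ Name = 'Read and Execute'; Rights = [int]$FSR::ReadAndExecute },
    @{ Name = 'Read';             Rights = [int]$FSR::Read },
    @{ Name = 'Write';            Rights = [int]$FSR::Write }
)

# The 13 individual entries of the Permission Entry dialog (Full control is the 14th).
$SpecialNames = 'ExecuteFile', 'ReadData', 'ReadAttributes', 'ReadExtendedAttributes',
                'WriteData', 'AppendData', 'WriteAttributes', 'WriteExtendedAttributes',
                'DeleteSubdirectoriesAndFiles', 'Delete', 'ReadPermissions',
                'ChangePermissions', 'TakeOwnership'

function Get-BasicPermissionName {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    # Synchronize is implied on every Allow ACE and hidden by the GUI; drop it before matching.
    $sync   = [int]$FSR::Synchronize
    $rights = ([int]$Rule.FileSystemRights) -band (-bnot $sync)
    foreach ($b in $Basic) {
        if ($rights -eq ($b.Rights -band (-bnot $sync))) {
            # Read and Execute that applies to "this folder and subfolders" only is what the
            # GUI calls List Folder Contents.
            if ($b.Name -eq 'Read and Execute' -and $Rule.InheritanceFlags -eq 'ContainerInherit') {
                return 'List Folder Contents'
            }
            return $b.Name
        }
    }
    return 'Special permissions'
}

function Get-SpecialPermissions {
    param([int]$Mask)
    $SpecialNames | Where-Object { $Mask -band [int]$FSR::$_ }
}

function Get-PermissionReport {
    param([string]$Path)
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        New-Object PSObject -Property @{
            Identity  = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType                       # Allow / Deny
            Basic     = Get-BasicPermissionName $rule
            Special   = (Get-SpecialPermissions ([int]$rule.FileSystemRights)) -join ','
            Inherited = $rule.IsInherited                             # greyed out in the GUI
        }
    }
}

Get-PermissionReport 'D:\Shares\Finance' |
    Format-Table Identity, Type, Basic, Inherited, Special -AutoSize
```

Rows whose Basic column reads "Special permissions" are the ones worth reading in full: a grant of ChangePermissions or TakeOwnership hidden inside such an entry is, in effect, Full Control.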
3.9 Explain Managing Servers Remotely Using Terminal Services (Remote Desktop).
Windows Server 2008 is, as the name suggests, a server operating system. In the real world this
means that systems running Windows Server 2008 will most likely be located in large rack
systems in a server room. As such, it is highly unlikely that system administrators are going to
want to physically visit each of these servers to perform routine administrative tasks such as
system configuration and monitoring. A far preferable scenario involves these administrators
remotely logging into the servers from their own desktop systems to perform administrative
tasks. Fortunately Windows Server 2008 provides precisely this functionality through Remote
Desktop and the remote administration features of the Microsoft Management Console (MMC).
The Remote properties dialog provides three options. The default setting is to disallow remote
connections to the computer. The second option allows Remote Desktop connections from any
version of the Remote Desktop client. The third, and most secure, option only allows connections
from Remote Desktop clients that support Network Level Authentication (NLA). With NLA the
user is authenticated before a session is created on the server, so an unauthenticated client never
reaches the logon screen and cannot tie up a session or probe the logon UI. This typically limits
access to clients running Windows Vista, Windows Server 2008 or later (Remote Desktop
Connection 6.0 or later), or older clients that have been updated to support NLA.
If the Windows Firewall is active, the act of enabling Remote Desktop administration also results
in the creation of a firewall exception allowing Remote Desktop Protocol (RDP) traffic to pass
through on TCP port 3389.
This default port can be changed by editing the PortNumber value under the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
The Terminal Services service must be restarted for the new port to take effect, and the firewall
exception created for port 3389 must be replaced by one for the new port. Moving the port hides
the service from casual scans but is no substitute for Network Level Authentication and strong
passwords.
The easiest way to locate this registry value is to execute regedit from the Run window or a
command prompt, select Edit -> Find and enter RDP-Tcp.
Controlling Remote Desktop Access
The default configuration for Remote Desktop is to allow all members of the local Administrators
group to connect remotely. Windows also provides a built-in Remote Desktop Users group (a
local group on member servers, and a group in the Builtin container of Active Directory on
domain controllers) to which users may be added to grant Remote Desktop access without
administrative rights. To provide users with Remote Desktop access, open Control Panel ->
System and Maintenance -> System -> Remote settings and click on the Select Users button to
invoke the Remote Desktop Users dialog illustrated in the following figure:
Note that users with administrative privileges do not need to be added to this list; by default they
already have Remote Desktop access. To add additional users click on the Add... button to
display the Select Users dialog. Enter the name of the user in the text box entitled Enter object
names to select and click on Check names to list names that match the name entered. Select the
appropriate name from the list. The following example shows user Bill on server winserver-2:
Click on OK to apply the change. The new user will now appear in the list of users with Remote
Desktop access on the Remote Users screen. Click OK to close this screen and click on Apply in
the System Settings screen. The specified user will now have remote desktop access to the
system.
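The settings from the last few sections (the enable flag, the NLA requirement, the listening port, the firewall exception and the Remote Desktop Users membership) are all visible from the command line. The following is an added example and not part of the original page: a Windows PowerShell 2.0 script that reports the current state and, on request, applies the hardened configuration. The registry paths are those the Remote tab writes on Windows Server 2008; the firewall rule name "Remote Desktop (TCP-In)" is the built-in rule's name on that release. Run it elevated.

```powershell
# Added example: report and harden Remote Desktop configuration on Windows Server 2008.

$TS  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RDP = "$TS\WinStations\RDP-Tcp"

function Get-RemoteDesktopUsers {
    # Local group membership via ADSI; ADsPath looks like WinNT://DOMAIN/name.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    foreach ($m in $group.Members()) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null) -replace '^WinNT://', ''
    }
}

function Get-RdpConfig {
    $ts  = Get-ItemProperty -Path $TS
    $rdp = Get-ItemProperty -Path $RDP
    $fw  = (& netsh.exe advfirewall firewall show rule name="Remote Desktop (TCP-In)") -join ' '
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($rdp.UserAuthentication -eq 1)  # third option on the Remote tab
        SecurityLayer        = $rdp.SecurityLayer               # 0 RDP, 1 negotiate, 2 TLS only
        Port                 = $rdp.PortNumber                  # 3389 unless changed
        FirewallRuleEnabled  = ($fw -match 'Enabled:\s+Yes')
        RemoteDesktopUsers   = @(Get-RemoteDesktopUsers) -join ', '
    }
}

function Set-RdpHardened {
    param([int]$Port = 3389)
    Set-ItemProperty -Path $TS  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $RDP -Name UserAuthentication  -Value 1   # require NLA (CredSSP)
    Set-ItemProperty -Path $RDP -Name SecurityLayer       -Value 2   # TLS; uses the server's
                                                                     # self-signed cert unless one is assigned
    Set-ItemProperty -Path $RDP -Name PortNumber          -Value $Port
    if ($Port -eq 3389) {
        & netsh.exe advfirewall firewall set rule group="remote desktop" new enable=yes | Out-Null
    } else {
        # The built-in exception covers only 3389; a moved port needs its own rule, and the
        # Terminal Services service must be restarted before the new port is listened on.
        & netsh.exe advfirewall firewall add rule name="Remote Desktop (TCP $Port)" dir=in action=allow protocol=TCP localport=$Port | Out-Null
    }
}

function Add-RemoteDesktopUser {
    param([string]$Account)                      # 'DOMAIN\user' or a local account name
    & net.exe localgroup 'Remote Desktop Users' $Account /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add $Account to Remote Desktop Users" }
}

Get-RdpConfig | Format-List                      # review before changing anything
# Set-RdpHardened                                # enable RDP with NLA and TLS on 3389
# Add-RemoteDesktopUser 'CONTOSO\bill'           # placeholder account
# Get-RdpConfig | Format-List
```

A report showing RemoteDesktopEnabled true with NlaRequired false, or a non-empty RemoteDesktopUsers list containing accounts nobody recognises, is the finding a reviewer writes up from this output.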
Remote Desktop Group Policy
A vast array of configuration options for Terminal Services is available through the Group Policy
settings. To access these values start the Group Policy Object Editor (open the Start menu and
enter gpedit.msc into the Search box).
In the Group Policy Object Editor navigate to Computer Configuration\Administrative
Templates\Windows Components\Terminal Services or User Configuration\Administrative
Templates\Windows Components\Terminal Services to access the range of policy settings
available.
Policy options include, amongst other options, items such as control over resource redirection
(printers, audio etc), setting session time limits and security settings. A complete overview of all
the settings is beyond the scope of this book but almost without exception the various settings are
largely self-explanatory.
Starting the Remote Desktop Client
With the appropriate configuration tasks completed on the remote system the next step is to
launch the Remote Desktop Client on the local system. The client can be run in either
administration mode which provides full integration with the console of the remote server, or
virtual session mode which provides some administrative privileges but does not provide console
access or allow applications to be installed.
To invoke the Remote Desktop Client in virtual session mode either select Start -> All Programs
-> Accessories -> Remote Desktop Connection or enter the following in the Run dialog or at a
command prompt:
mstsc
To start the Remote Desktop Client in administrator mode run the following command:
mstsc /admin
In either case the following initial screen will appear requesting details of computer to which the
client is to connect:
This can either be an IP address or a computer name. If previous connections have been
established the User name field will be populated with the user name used in the preceding
session. If you need to log in as a different user this option will be provided on the next screen
which appears after the Connect button is pressed:
In this screen enter the password for the selected user (note that remote desktop access is only
available for user accounts which are password protected). If a user other than the one displayed
is required, simply click on the Use another account link and enter the necessary details. Click
on OK to establish the connection. After a short delay the remote desktop will appear on the local
computer screen.
Remote Desktop Client Configuration Options
The Options>> button displayed on the initial screen of the Remote Desktop Client provides six
tabs, each containing a range of configuration options:
General - Allows login credentials to be configured and session information to be saved.
Display - Configures the resolution and color settings to be used when displaying the
remote desktop on the local system.
Local Resources - Specifies which local resources (sound, disk drives, printers, etc.) are to
be made accessible to the remote system during the Remote Desktop session. This page
also provides options to control the situations under which special key combinations such
as Ctrl-Alt-Del are interpreted by the local or remote system.
Once launched, right click on the Remote desktops item in the tree in the left hand panel and
select Add a new connection from the menu. Once selected the Add New Connection dialog will
appear as follows:
In this dialog enter the IP address or computer name of the remote system together with the User
name and the name to be assigned to this connection (this is essentially the name by which this
connection will be listed and administered inside the Remote Desktops snap-in). For an
administrative session (as opposed to a virtual session) set the Connect with /admin box. Click
OK to add the session to the snap-in. Once added, the session will appear in the left hand panel
under Remote Desktops. Repeat these steps to add connections to any additional remote systems
required.
To establish a remote desktop connection, right click on the name of the session from the left
hand panel and select Connect from the menu. The remote session will appear in the window. To
start another session simply right click on the session name and once again select Connect. To
switch between sessions simply click on the name of the session in the left hand panel and the
corresponding desktop will be displayed. The following figure illustrates two sessions running in
Remote Desktops:
To change configuration options for each session right click on the desired session in the left
hand panel and select Properties. This panel has a number of tabs which enable credentials,
screen size and program start properties to be defined.
3.10 Describe Remote Access and VPN Overview, Configuring & Implementing Remote Access Server.
Remote Desktop lets users control their desktop computer remotely. It's a simple concept
that, properly implemented, can have a dramatic impact on your organization's
productivity, because staff can work from home even if they don't have a mobile
computer.
Until Microsoft Windows Server 2008, the network connection itself has been the biggest
challenge. Your private network probably uses private Internet Protocol addresses, which
prevent users from connecting directly to their desktop computers from the Internet. Even
if you offered users a virtual private network connection, many firewalls block VPNs.
To work around these limits, Windows Server 2008 introduces the Terminal Services (TS)
Gateway role, which acts as a proxy server between the Internet and your internal
network. As illustrated, the Remote Desktop client uses encrypted Hypertext Transfer
Protocol over Secure Sockets Layer to communicate with the TS Gateway. Because
HTTPS is primarily used to browse the Web, almost all firewalls allow it. The TS Gateway
authenticates the user (via either a password or a smart card), verifies that the user is
authorized to connect to the destination computer and then uses Remote Desktop Protocol
(RDP) to complete the connection on your private network.
Note: Throughout this article, the computer being controlled will be referred to as a
Remote Desktop server. The Remote Desktop server could be any Windows XP, Windows
Server 2003, Windows Vista or Windows Server 2008 computer with Remote Desktop
enabled. It could also be any version of Terminal Server.
Planning Your Terminal Services Gateway SSL Certificate
Because clients use HTTPS to connect to the TS Gateway, the TS Gateway will need an
SSL certificate just like an electronic-commerce Web server. To simplify the
configuration of the Remote Desktop clients, purchase an SSL certificate from one of the
many public certificate authorities (CAs) that Windows trusts by default (a search for ssl
certificate will turn up several available for less than $20 per year). When configuring the
SSL certificate, specify the full host name that clients will use to connect to the TS
Gateway from the Internet. If the host name doesn't match what the users enter in the
Remote Desktop Client, the server authentication will fail. Although you can use a
temporary or internal SSL certificate for testing purposes, client computers must trust the
certificate's CA. Because many remote access scenarios involve computers that aren't
members of your Active Directory domain (such as home computers), only SSL
certificates issued by trusted public CAs will work by default.
Note: For testing purposes, the Add Roles Wizard can generate a temporary SSL
certificate for you. You will need to import the root CA certificate it generates into any
client computers, clicking the Certificates button on the Content tab of the Internet
Options dialog box, and then importing the certificate into the list of Trusted Root
Certification Authorities.
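The following PowerShell check is an added example, not part of the original article: it connects to the TS Gateway's HTTPS port and reports whether the chain is trusted and whether the certificate name matches the host name users will type, which is exactly what a non-domain client's validation decides on. The host name is a placeholder.

```powershell
# Added example, not from the original article: inspect the TS Gateway SSL certificate
# as an Internet client sees it (chain trust and host name match). Host name is a placeholder.
function Test-TsGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)][string] $HostName,   # the name users will type into mstsc
        [int] $Port = 443
    )

    $result = New-Object PSObject -Property @{
        HostName     = $HostName
        Connected    = $false
        ChainTrusted = $false
        NameMatches  = $false
        Subject      = $null
        Issuer       = $null
        NotAfter     = $null
        PolicyErrors = $null
        Error        = $null
    }

    # The validation callback records the policy errors instead of rejecting the
    # certificate, so this diagnostic can report every problem rather than just fail.
    $script:tsgPolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:tsgPolicyErrors = $sslPolicyErrors
        return $true
    }

    $tcp = $null
    $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is what the certificate subject/SAN is checked against,
        # just as when the user enters it in the Remote Desktop Client.
        $ssl.AuthenticateAsClient($HostName)
        $result.Connected = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $errs = $script:tsgPolicyErrors
        $result.Subject      = $cert.Subject
        $result.Issuer       = $cert.Issuer
        $result.NotAfter     = $cert.NotAfter
        $result.PolicyErrors = $errs
        $result.ChainTrusted = (($errs -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -eq 0)
        $result.NameMatches  = (($errs -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -eq 0)
    }
    catch {
        # Handshake failures (wrong port, no TLS listener) end up here instead of aborting.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Close() }
        if ($tcp) { $tcp.Close() }
    }
    return $result
}

# Run it from a computer that is NOT a domain member to see what home users will see:
# Test-TsGatewayCertificate -HostName 'tsgateway.example.com' | Format-List
```

A result with ChainTrusted false on a non-domain client means the issuing CA is not in that client's Trusted Root store; NameMatches false means the certificate was issued for a different host name than the one users enter.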
Configuring the Terminal Services Gateway
To add the Terminal Services Role to Windows Server 2008, follow these steps:
1. Log on to your Windows Server 2008 computer as an administrator. Click Start, and then click
Server Manager.
2. Right-click Roles, and then click Add Roles. The Add Roles Wizard appears.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select Terminal Services. Then, click Next.
5. On the Terminal Services page, click Next.
6. On the Role Services page, select TS Gateway. When prompted, click Add Required Role
Services. Then, click Next.
7. On the Server Authentication Certificate page, select an SSL certificate, and then click Next.
8. On the Authorization Policies page, click Now, and then click Next.
9. On the TS Gateway User Groups page, click Add to select the user groups that can connect
through the terminal server gateway. Typically, you should create an Active Directory security
group for Remote Desktop users connecting from the Internet, and add all authorized users to
that group. Then, click Next.
10. On the TS CAP page, enter a name for the Terminal Services Connection Authorization Policy,
and choose whether to allow authentication using passwords, smart cards or both. Click Next.
11. On the TS RAP page, enter a name for the Terminal Services Resource Authorization Policy.
Then, choose whether to allow remote clients to connect to all computers on your internal
network or just computers in a specific domain group. For best results, create an Active
Directory security group, and add the computer accounts for all authorized Remote Desktop
servers to that group. Click Next.
Note: The CAP defines who can connect to the TS Gateway, while the RAP defines which
computers they can use the gateway to access. Both must be defined for a user to establish a
connection.
12. Complete any other wizard pages that appear for dependent roles by accepting the default
settings, and then click Install on the Confirmation page.
13. After the installation is complete, click Close, and then click Yes to restart the computer if
required.
14. After the computer restarts, log back on and click Close in the Resume Installation Wizard.
Later, you can use the Server Manager console to modify the CAPs or RAPs by clicking
the roles\terminal services\ts gateway manager\computer_name\policies node.
3. Configure and Enable Routing and Remote Access in the Server Manager.
4. Choose Custom Configuration if you only have one network interface in the server.
7. Allow access in the user's Network Access Permission. You can set that in the Dial-In tab of
the user account's properties.
8. Optional: If you don't have a DHCP server in your local network you have to add a static
address pool. This may be the case if you have a stand-alone server hosted by your provider.
Add a secondary IP address to the server network interface which is in the same subnet as
this pool.
3. Depending on whether you checked off to skip the Before You Begin page while installing
another service, you will now see warning pages telling you to make sure you have strong security,
static IP, and latest patches before adding roles to your server.
4. In the Select Server Roles window we are going to place a check next to Active Directory
Domain Services and click Next.
5. The information page on Active Directory Domain Services will give the following warnings,
which after reading, you should click Next:
Install a minimum of two Domain Controllers to provide redundancy against server outage
(with only one, an outage would prevent users from logging in)
AD DS requires DNS; if it is not installed you will be prompted to install it
After installing AD DS you must run dcpromo.exe to upgrade to a fully functional domain
controller
Installing AD DS will also install DFS Namespaces, DFS Replication, and File Replication
services, which are required by the Directory Service
6. The Confirm Installation Selections screen will show you some information messages and warn
that the server may need to be restarted after installation. Review the information and then
click Next.
7. The Installation Results screen will hopefully show Installation Succeeded, and an additional
warning about running dcpromo.exe (I think they really want us to run dcpromo).
After you review the results, click Close.
8. After the Installation Wizard closes you will see that server manager is showing that Active
Directory Domain Services is still not running. This is because we have not run dcpromo yet.
9. Click on the Start button, type dcpromo.exe in the search box and either hit Enter or click on the
search result.
10. The Active Directory Domain Services Installation Wizard will now start. There are links to
more information; you can follow them if you want to learn a bit more, or you can go ahead and
click Use advanced mode installation and then click Next.
11. The next screen warns about some operating system compatibility with some older clients.
12. Next is the Choose Deployment Configuration screen and you can choose to add a domain to
an existing forest or create a forest from scratch. Choose Create a new domain in a new forest and
click Next.
13. The Name the Forest Root Domain wants you to name the root domain of the forest you are
creating.
For the purposes of this test we will create ADExample.com. After typing that go ahead and
click Next.
14. The wizard will test to see if that name has been used; after a few seconds you will then be
asked for the NetBIOS name for the domain. In this case I will leave the default in place of
ADEXAMPLE, and then click Next.
15. The next screen is the Set Forest Functional Level that allows you to choose the function level
of the forest.
Since this is a fresh install and a new forest with no additional prior version domains to worry about I
am going to select Windows Server 2008. If you did have other domain controllers at earlier versions
or had a need to have Windows 2000 or 2003 domain controllers (because of Exchange for example),
then you should select the appropriate function level.
Select Windows Server 2008 and then click Next.
16. Now we come to the Additional Domain Controller Options where you can select to install a
DNS server, which is recommended on the first domain controller.
If this was not the first domain controller you would have the options of installing Global
Catalog and/or setting this as a Read-only Domain Controller. Since it is the first domain
controller, Global Catalog is mandatory, and an RODC is not an available option.
Let's install the DNS Server by placing a check next to it and clicking Next.
17. You will get a warning window stating that a delegation for this DNS server cannot be created,
but since this is the first DNS server you can just click Yes and ignore this warning.
18. Next you can choose to place the files that are necessary for Active Directory, including
the Database, Log Files, and SYSVOL.
It is recommended to place the log files and database on a separate volume for performance and
recoverability. You can just leave the defaults though and click Next.
19. Now choose a password for Directory Services Restore Mode that is different than the domain
password. Type your password and confirm it before hitting Next.
Note: You should use a STRONG password for this and will be warned if it doesn't meet
criteria.
20. Next you will see a summary of all the options you have gone through in the wizard.
If you plan on creating more domain controllers with the same settings, hit the Export settings
button to save a text copy of the settings to use in an answer file for a scripted install. After
exporting and reviewing the settings, click on Next.
21. Now the installation will start, including the DNS server option if selected. You will notice a
Reboot on completion box that you can check to reboot as soon as everything is installed (a reboot
is required; you can do it manually or use this option to do it automatically).
NOTE: This can be from a few minutes to several hours depending on different factors.
You have now successfully installed Active Directory Domain Services and the first Domain
Controller.
3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools
When the backup is finished running you should get a message that the backup completed
successfully. If it did not complete properly you will need to troubleshoot.
3. Login to your server with your DSRM password you created during Active Directory installation.
4. Once you're logged into your server and in DSRM safe mode, open a command prompt by
clicking Start, type "cmd", and press enter.
5. To make sure you restore the correct backup it's a good idea to use the "wbadmin get versions"
command and write down the version you need to use.
8. You can mark the SYSVOL as authoritative by adding the -authsysvol switch to the end of the
wbadmin command.
9. But if you want to restore a specific Active Directory object then you can use the ever
familiar ntdsutil.
For this example we are going to restore a user account with a distinguished name of CN=Test
User,CN=Users,DC=home,DC=local. So the commands would be:
ntdsutil
activate instance ntds
authoritative restore
restore object "cn=Test User,cn=Users,dc=home,dc=local"
Note: The quotes are required
10. Reboot your server into normal mode and you're finished. The object will be marked as
authoritative and replicate to the rest of your domain.
Using Active Directory Snapshots
There is a really cool new feature in Windows Server 2008 called Active Directory Snapshots.
Volume Shadow Copy Service now allows us to take a snapshot of Active Directory as a type of
backup. They are very quick to create and serve as another line of defense for your backup strategy.
With your server booted into normal mode open a command prompt by clicking Start, type "cmd",
and press enter.
We are going to use the ntdsutil again for creating the Active Directory snapshots. The commands
are:
ntdsutil
snapshot
activate instance ntds
create
quit
quit
So now that you have a snapshot of AD, how do you access the data? First we need to mount the
snapshot using ntdsutil. The commands are:
ntdsutil
snapshot
list all
mount 1 -- (Note: You should mount the correct snapshot you need; for this example there is only 1.)
quit
quit
Your snapshot is mounted, but how do you access the data? We need to use the dsamain command to
accomplish this. Then we need to select an LDAP port to use. The command is as follows:
dsamain -dbpath c:\$SNAP_200905141444_VOLUMEC$\WINDOWS\NTDS\ntds.dit -ldapport 10001
The result should look like this:
Now we need to go to Start, Administrative Tools, then Active Directory Users and Computers.
Right click Active Directory Users and Computers and select Change Domain Controller.
In the area that says < Type a Directory Server name [:port] here > enter the name of your server
and the LDAP port you used when running the dsamain command. For my example it would
be: WIN-V22UWGW0LU8.HOME.LOCAL:10001
Now you can browse the snapshot of Active Directory without affecting anything else negatively.
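Before you run an authoritative restore of an object, it helps to see exactly what the snapshot holds versus the live directory. The following PowerShell function is an added example, not part of the original text; it reads the same object from the live LDAP port and from the port you gave to dsamain and lists the attributes that differ. The server name, port and distinguished name below follow the values used in this section and are placeholders for your own.

```powershell
# Added example, not from the original text: compare one object in a mounted AD snapshot
# (exposed by dsamain -ldapport) with the live directory. Names and port are placeholders.
function Compare-AdObjectWithSnapshot {
    param(
        [Parameter(Mandatory = $true)][string] $Server,             # e.g. WIN-V22UWGW0LU8.HOME.LOCAL
        [Parameter(Mandatory = $true)][string] $DistinguishedName,  # e.g. CN=Test User,CN=Users,DC=home,DC=local
        [int] $SnapshotPort = 10001,                                # the port passed to dsamain -ldapport
        [string[]] $Attributes = @('sAMAccountName', 'displayName', 'description',
                                   'userAccountControl', 'memberOf')
    )

    $livePath = 'LDAP://{0}/{1}'     -f $Server, $DistinguishedName
    $snapPath = 'LDAP://{0}:{1}/{2}' -f $Server, $SnapshotPort, $DistinguishedName

    # The object may already be gone from the live directory (the usual reason to restore),
    # so test for existence before binding.
    $inLive = [System.DirectoryServices.DirectoryEntry]::Exists($livePath)
    $inSnap = [System.DirectoryServices.DirectoryEntry]::Exists($snapPath)
    if (-not $inSnap) { throw "Object not found in the snapshot on port $SnapshotPort: $DistinguishedName" }

    $snap = New-Object System.DirectoryServices.DirectoryEntry($snapPath)
    $live = $null
    if ($inLive) { $live = New-Object System.DirectoryServices.DirectoryEntry($livePath) }

    $report = @()
    foreach ($attr in $Attributes) {
        # Multi-valued attributes (memberOf) are sorted and joined so they compare as one string.
        $snapVal = (@($snap.Properties[$attr]) | Sort-Object) -join '; '
        if ($live) {
            $liveVal = (@($live.Properties[$attr]) | Sort-Object) -join '; '
        } else {
            $liveVal = '<object missing from live directory>'
        }
        if ($snapVal -ne $liveVal) {
            $report += New-Object PSObject -Property @{
                Attribute = $attr
                Snapshot  = $snapVal
                Live      = $liveVal
            }
        }
    }
    return $report
}

# Example call with the names used in this section (placeholders):
# Compare-AdObjectWithSnapshot -Server 'WIN-V22UWGW0LU8.HOME.LOCAL' `
#     -DistinguishedName 'CN=Test User,CN=Users,DC=home,DC=local' | Format-Table -AutoSize
```

An empty result means the snapshot and the live object agree on the listed attributes, so a restore of that object would change nothing; a Live value of "object missing" confirms the deletion the authoritative restore is meant to undo.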
Create a security policy for a new application or server role not included in Server Manager.
Use security policy management tools to apply security policy settings that are unique to your
environment.
Analyze server security settings to ensure that the security policy applied to a server is
appropriate for the server role.
This lesson covers the tools, concepts, and processes required to perform these tasks. The tools used in
this lesson include:
Account Policies Specify password restrictions, account lockout policies, and Kerberos policies.
Local Policies Configure audit policies, user rights assignments, and security options policies.
Event Log Policies Configure maximum event log sizes and rollover policies.
System Services Specify the startup types and permissions for system services.
Registry Permissions Set access control permissions for specific registry keys.
File System Permissions Specify access control permissions for NTFS files and folders.
You can deploy security templates in a variety of ways: by using Active Directory Group Policy Objects,
the Security Configuration And Analysis snap-in, or Secedit.exe. When you associate a security template
with an Active Directory Group Policy object, the settings in the template become part of the GPO. You
can also apply a security template directly to a computer, in which case the settings in the template
become part of the computer's local policies. This lesson discusses each of these options. Remember to
test security changes before deploying them in a production environment.
Using the Security Templates Snap-in
To work with security templates, you use the Security Templates snap-in. Windows Server 2008 R2 does
not include a console with the Security Templates snap-in, so you have to create one yourself using the
MMC Add/Remove Snap-in menu command. The snap-in creates a folder called Security and a subfolder
called Templates in your Documents folder, and the resulting Documents\Security\Templates folder
becomes the template search path, where you can store one or more security templates.
To create a new security template, right-click the node that represents your template search path
(C:\Users\Administrator\Documents\Security\Templates, for example) and then click New Template.
Settings are configured in the template in the same way that settings are configured in a GPO. The
Security Templates snap-in configures settings in a security template. It is just an editor; it does not play
any role in actually applying those settings to a system. Configure security settings in a template by using
the Security Templates snap-in. Although the template itself is a text file, the syntax can be confusing.
Using the snap-in ensures that settings are changed using the proper syntax.
The exception to this rule is adding registry settings that are not already listed in the Local
Policies\Security Option portion of the template. As new security settings become known, if they can be
configured using a registry key, you can add them to a security template. To do so, you add them to the
Registry Values section of the template.
Note
SAVE YOUR SETTINGS
Be sure to save your changes to a security template by right-clicking the template and clicking Save.
When you install a server or promote it to a domain controller, a default security template is applied by
Windows. You can find that template in the %SystemRoot%\Security\Templates folder. On a domain
controller, the template is called DC security.inf. You should not modify this template directly, but you can
copy it to your template search path and modify the copy.
Note
SECURITY TEMPLATES IN DIFFERENT VERSIONS OF WINDOWS
In previous versions of Windows, several security templates were available to modify and apply to a
computer. The role-based configuration of Windows Server 2008 and later and the improved Security
Configuration Manager have made these templates unnecessary.
Deploying Security Templates by Using Group Policy Objects
Creating and modifying security templates does not improve security until you apply those templates. To
configure several computers in a single operation, you can import a security template into the Group
Policy Object for a domain, site, or organizational unit object in Active Directory.
To import a security template into a GPO, right-click the Security Settings node and click Import Policy. In
the Import Policy From dialog box, if you select the Clear This Database Before Importing check box, all
security settings in the GPO will be erased prior to importing the template settings, so the GPO's security
settings will match the template's settings.
If you leave the Clear This Database Before Importing check box cleared, the GPO's security policy
settings will remain and the template's settings will be imported. Any settings defined in the GPO that are
also defined in the template will be replaced with the template's setting.
Security Configuration And Analysis Tool
You can use the Security Configuration And Analysis snap-in to apply a security template to a computer
interactively. The snap-in also provides the ability to analyze the current system security configuration and
compare it to a baseline saved as a security template. This helps you quickly determine whether
someone has changed a computer's security settings and whether the system conforms to your
organization's security policies.
As with the Security Templates snap-in, Windows Server 2008 R2 does not include a console with the
Security Configuration And Analysis snap-in, so you must add the snap-in to a console yourself.
To use the Security Configuration And Analysis snap-in, you must first create a database that will contain
a collection of security settings. The database is the interface between the actual security settings on the
computer and the settings stored in your security templates.
To create a database (or open an existing one), right-click the Security Configuration And Analysis node in
the console tree. You can then import one or more security templates. If you import more than one
template, you must decide whether to clear the database. If the database is cleared, only the settings in
the new template will be part of the database. If the database is not cleared, additional template settings
that are defined will override settings from previously imported templates. If settings in newly imported
templates are not defined, the settings in the database from previously imported templates will remain.
To summarize, the Security Configuration And Analysis snap-in creates a database of security settings
composed of imported security template settings. The settings in the database can be applied to the
computer or used to analyze the computer's compliance with, and discrepancies from, the desired state.
Warning
IMPORTANT DATABASE SETTINGS VS. THE COMPUTER'S SETTINGS
Settings in a database do not modify the computer's settings or the settings in a template until that
database is either used to configure the computer or exported to a template.
Applying Database Settings to a Computer
After you have imported one or more templates to create the database, you can apply the database
settings to the computer.
To apply a database, right-click Security Configuration And Analysis and click Configure Computer Now.
You are prompted for a path to an error log that will be generated during the application of settings. After
applying the settings, examine the error log for any problems.
Analyzing the Security Configuration of a Computer
Before applying the database settings to a computer, you might want to analyze the computer's current
configuration to identify discrepancies.
To analyze the security configuration of a computer, right-click Security Configuration And Analysis and
click Analyze Computer Now. The system prompts you for the location of its error log file and then
proceeds to compare the computer's current settings to the settings in the database. After the analysis is
complete, the console produces a report such as the one shown in Figure 4.
image: http://mscerts.programming4.us/image/201307/Managing%20Security%20Settings_4.jpg
Figure 4. The Security Configuration And Analysis snap-in displays an analysis of the computer's
configuration.
Unlike the display of policy settings in the Group Policy Management Editor, Group Policy Object Editor,
Local Security Policy, or Security Templates snap-ins, the report shows for each policy the setting defined
in the database (which was derived from the templates you imported) and the computer's current setting.
The two settings are compared, and the comparison result is displayed as a flag on the policy name. For
example, in Figure 4, the Allow Log On Locally policy setting shows a discrepancy between the database
setting and the computer setting. The meanings of the flags are as follows:
X in a red circle Indicates that the policy is defined both in the database and on the computer but
that the configured values do not match
Green check mark in a white circle Indicates that the policy is defined both in the database and
on the computer and that the configured values do match
Question mark in a white circle Indicates that the policy is not defined in the database and,
therefore, was not analyzed, or that the user running the analysis did not have the permissions
needed to access the policy on the computer
Exclamation point in a white circle Indicates that the policy is defined in the database but does
not exist on the computer
No flag Indicates that the policy is not defined in the database or on the computer
been imported from one or more security templates and that you have modified to reflect the current
settings of the analyzed computer.
Warning
IMPORTANT EXPORTING THE DATABASE TO A TEMPLATE
The Export Template feature creates a new template from the current database settings at the time that
you execute the command, not from the computer's current settings.
Secedit.exe
Secedit.exe is a command-line utility that can perform the same functions as the Security Configuration
And Analysis snap-in. The advantage of Secedit.exe is that you can call it from scripts and batch files,
which allows you to automate your security template deployments. Another big advantage of Secedit.exe
is that you can use it to apply only part of a security template to a computer, something you cannot do
with the Security Configuration And Analysis snap-in or Group Policy Objects. For example, if you want to
apply the file system permissions from a template but leave all the other settings alone, Secedit.exe is
the only way to do so.
To use Secedit.exe, you run the program from Command Prompt with one of the following six main
parameters, plus additional parameters for each function:
/Configure Applies all or part of a security database to the local computer. You can also configure
the program to import a security template into the specified database before applying the
database settings to the computer.
/Analyze Compares the computer's current security settings with those in a security database.
You can configure the program to import a security template into the database before performing
the analysis. The program stores the results of the analysis in the database itself, which you can
view later, using the Security Configuration And Analysis snap-in.
/Import Imports all or part of a security template into a specific security database.
/Export Exports all or part of the settings from a security database to a new security template.
/Validate Verifies that a security template is using the correct internal syntax.
/Generaterollback Creates a security template that you can use to restore a system to its original
configuration after applying another template.
For example, to configure the machine by using a template called BaselineSecurity, use the following
command:
secedit /configure /db BaselineSecurity.sdb /cfg BaselineSecurity.inf /log BaselineSecurity.log
To create a rollback template for the BaselineSecurity template, use the following command:
secedit /generaterollback /cfg BaselineSecurity.inf /rbk BaselineSecurityRollback.inf /log BaselineSecurityRollback.log
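The analysis the snap-in performs can be scripted on top of Secedit.exe, since a template is just an INI-style text file. The following PowerShell script is an added example, not from the original lesson: it exports the computer's current settings with secedit /export, parses the [System Access] section of both files, and reports each baseline setting as OK, Mismatch or Missing. The BaselineSecurity.inf name follows the command above; the sample baseline content is constructed for the demonstration.

```powershell
# Added example, not from the original lesson: compare the computer's exported local policy
# against a baseline template section by section. Run in an elevated prompt (secedit needs it).
function Read-SecurityTemplateSection {
    param([string] $Path, [string] $Section)
    # Security templates are INI-style text (secedit writes them as Unicode; Get-Content
    # honours the byte-order mark).
    $values = @{}
    $inSection = $false
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $values[$matches[1]] = $matches[2]
        }
    }
    return $values
}

function Compare-SecurityTemplate {
    param(
        [Parameter(Mandatory = $true)][string] $BaselinePath,   # e.g. BaselineSecurity.inf
        [string] $Section = 'System Access',
        [string] $ExportPath = (Join-Path $env:TEMP 'CurrentPolicy.inf')
    )
    # /export writes the computer's effective local security settings to a template file.
    & secedit.exe /export /cfg $ExportPath /quiet | Out-Null
    if (-not (Test-Path $ExportPath)) { throw "secedit /export did not produce $ExportPath" }

    $baseline = Read-SecurityTemplateSection -Path $BaselinePath -Section $Section
    $current  = Read-SecurityTemplateSection -Path $ExportPath   -Section $Section

    foreach ($key in ($baseline.Keys | Sort-Object)) {
        $cur = $current[$key]
        if ($cur -eq $null)                { $status = 'Missing on computer' }
        elseif ($cur -ne $baseline[$key])  { $status = 'Mismatch' }
        else                               { $status = 'OK' }
        New-Object PSObject -Property @{
            Setting  = $key
            Baseline = $baseline[$key]
            Computer = $cur
            Status   = $status
        }
    }
}

# Constructed sample baseline (placeholder values) so the comparison can be tried directly.
# A real baseline would come from the Security Templates snap-in or a /generaterollback run.
$sampleBaseline = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
MaximumPasswordAge = 60
[Version]
signature="$CHICAGO$"
Revision=1
'@
$baselineFile = Join-Path $env:TEMP 'BaselineSecurity.inf'
$sampleBaseline | Out-File -FilePath $baselineFile -Encoding Unicode

Compare-SecurityTemplate -BaselinePath $baselineFile |
    Select-Object Setting, Baseline, Computer, Status | Format-Table -AutoSize
```

Any row marked Mismatch is what the snap-in would flag with the red X, and a row marked Missing corresponds to the exclamation-point flag (defined in the database but absent on the computer).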
3.16 Implementing Group Policy: Configuring User environment by using Group policy
You think, well that's great but are you sure you want all 500 people to get the software today?
That's almost impossible, isn't it? There isn't enough time for you to walk around with the DVD
and install it 500 times.
Sure there is! But you won't be walking around with the DVD in your hand, that's for sure.
The solution I'm going to show you today is quite simple, and much less time consuming.
You are going to copy that software on a Shared Folder on your network. Then, you're going to
create a Group Policy Object, aka GPO, (aren't you happy you installed Active Directory?) that
will take that software and install it on everyone's machines.
Easy, huh? Of course it is and it is not going to take you days, I promise.
What You Need Before Installing Software Using GPOs
There are 3 things you will need in order to have a successful Software Installation GPO:
1. The most important thing you will need is a Microsoft installer file, called .msi; you cannot use
the .exe file that is on the DVD.
You will need to get a packaging utility to turn that .exe file into an .msi file. Many of them are
available for instant download from the internet.
There are a few that will cost money but there are also free downloads. Here is an example from
each:
http://www.scriptlogic.com/products/msi-studio/
EXE-to-MSI: http://juice.altiris.com/download/1355/exe-to-msi
2. The second thing you will need to create is a Shared Folder on your network for the software
to live in. You need to make sure that every computer has at least "read" access to that folder and
its contents.
3. And the last thing you will need is the new Group Policy Object linked to the appropriate
Organization Unit.
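Because every computer in the OU will install whatever package sits in that share, running as the local SYSTEM account, the share must be readable by all machines but writable only by administrators. The following PowerShell function is an added example, not part of the original article: it walks the NTFS ACLs of the software folder, reports any non-administrative principal with write-class rights, and checks that each .msi carries a valid Authenticode signature. The share path and trusted principals are assumptions.

```powershell
# Added example, not from the original article: audit the software distribution folder before
# linking the GPO. Clients need Read only; anyone else who can write can replace the package
# that every machine installs as SYSTEM. Path and trusted principals are assumptions.
function Test-SoftwareShare {
    param(
        [Parameter(Mandatory = $true)][string] $Path,   # e.g. \\NY-MEM1-2K8\Software\Foxit
        [string[]] $TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )

    # Rights that allow changing content, permissions or ownership. Effective access is the
    # intersection of share and NTFS permissions, so a clean NTFS ACL is the decisive check.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    $findings = @()
    $items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $who = $rule.IdentityReference.Value
            if ($TrustedWriters -contains $who) { continue }
            # Cast to int so generic rights that do not map to a named enum value still compare.
            if (([int]$rule.FileSystemRights -band [int]$writeMask) -ne 0) {
                $findings += New-Object PSObject -Property @{
                    Path     = $item.FullName
                    Finding  = 'Write access for non-administrative principal'
                    Identity = $who
                    Detail   = $rule.FileSystemRights.ToString()
                }
            }
        }
    }

    # A package with a broken or missing signature cannot be trusted as the vendor's file.
    foreach ($msi in Get-ChildItem -Path $Path -Recurse -Filter *.msi) {
        $sig = Get-AuthenticodeSignature -FilePath $msi.FullName
        if ($sig.Status -ne 'Valid') {
            $findings += New-Object PSObject -Property @{
                Path     = $msi.FullName
                Finding  = 'Package signature not valid'
                Identity = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                Detail   = $sig.Status.ToString()
            }
        }
    }
    return $findings
}

# Example call with the share used in this article (placeholder):
# Test-SoftwareShare -Path '\\NY-MEM1-2K8\Software\Foxit' | Format-Table Path, Finding, Identity, Detail -AutoSize
```

An empty result means only the trusted principals can modify the folder and every package is validly signed; fix any finding before the GPO is linked, because the first refresh pushes the package to every computer in the OU.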
How to Install Software Using GPOs
Assuming that you already have the .msi file ready, let's start with creating a shared folder on our
network.
1. Browse to the location on your network, right-click and select New, then Folder.
4. Like I mentioned above, every machine needs to have at least read access to this folder. To do
this type in Everyone and hit enter, or click on the Add button.
5. Make sure the Permission Level says Reader and then click the Share button.
6. Remember or write down the location of this shared folder. In our example the location is
\\NY-MEM1-2K8\Software
7. Double click on the Shared Folder you just created and once again perform the steps to create
a new folder.
This time name the folder with a name specific to the software you are about to install. We are
going to call it "Foxit".
8. Double click on the new folder ("Foxit") and copy and paste the .msi file for the software you
want to install. Our .msi is called FoxitReader23.
10. Now you need to point to the Organizational Unit where the new Group Policy Object will
reside.
To start off, go ahead and expand Features, then Group Policy Management, and then your
Forest. In our example it is the Globomantics.com forest.
11. Then expand Domains and then the domain in which you want to create the GPO.
12. Once you are in the correct domain, expand the Organizational Unit. In our example, we are
expanding NewYorkOU.
13. Since we want the software to be installed on every single computer, we are going to create
the Group Policy Object in our NYComputers Organization Unit.
Go ahead and click on that OU.
14. To create a new GPO, right-click on the appropriate Organization Unit and select Create a
GPO in this domain, and Link it here...
16. To make sure the new GPO was created, go ahead and expand the Group Policy Objects.
You should see your GPO listed there. That GPO is now being linked to our NYComputers OU.
17. Select and then right click on the GPO under the Organization Unit. Then select Edit.
21. Right click on the right side of the Software Installation, select New and then click on
Package.
22. Browse to the location where your software .msi file exists.
In our example it is \\NY-MEM1-2K8\Software\Foxit. Once you have located it, double
click on the file or select it and then click on the Open button.
Testing
Before you actually go and test this on one of your client machines, do not forget to run a GPO
update. To do so, open up your command prompt on your Domain Controller and type in
gpupdate /force.
Once the update has run through you can go to one of your clients and restart the machine. Keep in
mind that in order for the software to be installed on a computer, you will need to do a full
reboot.