
Unit III - Windows 2008 Server administration

3.1 Analyze the Installation & Configuration of Windows 2008 Server


Installing Windows Server 2008 is straightforward: it is very much like installing Windows
Vista, and notably easy to perform.
Windows Server 2008 can also be installed as a Server Core installation, which is a cut-down
version of Windows without the Windows Explorer GUI. Because you don't have Windows
Explorer to provide the GUI you are used to, you configure everything through the command-line
interface or remotely using a Microsoft Management Console (MMC). Server Core can be used
for dedicated machines with basic roles such as Domain Controller/Active Directory Domain
Services, DNS Server, DHCP Server, file server, print server, Windows Media Server, IIS 7 web
server and Windows Server Virtualization virtual server.
To use Windows Server 2008 you need to meet the following hardware requirements:
Component: Requirement
Processor: Minimum: 1GHz (x86 processor) or 1.4GHz (x64 processor). Recommended: 2GHz or faster. Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-based Systems.
Memory: Minimum: 512MB RAM. Recommended: 2GB RAM or greater. Maximum (32-bit systems): 4GB (Standard) or 64GB (Enterprise and Datacenter). Maximum (64-bit systems): 32GB (Standard) or 2TB (Enterprise, Datacenter and Itanium-based Systems).
Available Disk Space: Minimum: 10GB. Recommended: 40GB or greater. Note: Computers with more than 16GB of RAM will require more disk space for paging, hibernation, and dump files.
Drive: DVD-ROM drive.
Display and Peripherals: Super VGA (800 x 600) or higher-resolution monitor; keyboard; Microsoft Mouse or compatible pointing device.
Windows Server Upgrade notes:
If you are currently running: Windows Server 2003 Standard Edition (R2, Service Pack 1 or Service Pack 2)
You can upgrade to: Full Installation of Windows Server 2008 Standard Edition; Full Installation of Windows Server 2008 Enterprise Edition
If you are currently running: Windows Server 2003 Enterprise Edition (R2, Service Pack 1 or Service Pack 2)
You can upgrade to: Full Installation of Windows Server 2008 Enterprise Edition
If you are currently running: Windows Server 2003 Datacenter Edition (R2, Service Pack 1 or Service Pack 2)
You can upgrade to: Full Installation of Windows Server 2008 Datacenter Edition

Procedure to install Windows Server 2008:


1. Insert the appropriate Windows Server 2008 installation media into your DVD drive. If you
don't have an installation DVD for Windows Server 2008, you can download one for free from
Microsoft's Windows Server 2008 Trial website.
2. Reboot the computer.

3. When prompted for an installation language and other regional options, make your selection
and press Next.

4. Next, press Install Now to begin the installation process.

5. Product activation is identical to that found in Windows Vista. Enter your Product ID in the
next window and, if you want Windows to be activated automatically the moment the installation
finishes, click Next.

If you do not have the Product ID available right now, you can leave the box empty and click
Next. Setup asks whether you want to enter the Product ID now; press No. You will need to
provide the Product ID later, after the server installation is over.

6. Because you did not provide a Product ID, the installation process cannot determine what
kind of Windows Server 2008 license you own, so you will be prompted to select the edition you
are licensed for in the next screen, on the assumption that you are telling the truth and will
provide the matching Product ID to prove your selection later on.

7. If you did provide the right Product ID, select the Full version of the matching Windows
edition when you're prompted, and click Next.

8. Read and accept the license terms by clicking to select the checkbox and pressing Next.

9. In the Which type of installation do you want? window, click the only available option
Custom (Advanced).

10. In the Where do you want to install Windows? window, if you're installing the server on a
regular IDE hard disk, click to select the first disk, usually Disk 0, and click Next.

If you're installing on a hard disk that's connected to a SCSI controller, click Load Driver and
insert the media provided by the controller's manufacturer.
If you must, you can also click Drive Options and manually create a partition on the destination
hard disk.

11. The installation now begins, and you can go and have lunch. Copying the setup files from the
DVD to the hard drive only takes about one minute. However, extracting and uncompressing the
files takes a good deal longer. After about 20 minutes, the operating system is installed. The exact
time it takes to install depends upon your hardware specifications; faster disks will perform
much faster installs. Windows Server 2008 takes up approximately 10 GB of hard drive space.

The installation process will reboot your computer, so if in step #10 you inserted a floppy disk
(either real or virtual), make sure you remove it before going to lunch, or you'll find the server
hung without the ability to boot (you can avoid this by configuring the boot order in the server's
BIOS to boot from CD/DVD first and then from the hard disk).
12. When the server reboots you'll be prompted with the new Windows Server 2008 style of login
screen. Press CTRL+ALT+DEL to log in.

13. Click on Other User.

14. The default Administrator password is blank, so just type Administrator as the user name and
press Enter.

15. You will be prompted to change the user's password. You have no choice but to press Ok.

16. In the password-changing dialog box, leave the old password blank (there is none yet; see
step #15), and enter a new, complex password of at least 7 characters twice. A password like
topsecret is not valid (it's not complex), but one like T0pSecreT! is. Make sure you remember
it.

17. Someone thought it would be cool to nag you once more, so now you'll be prompted to
acknowledge that the password has been changed. Press Ok.

18. Finally, the desktop appears and that's it: you're logged on and can begin working. You will
be greeted by an assistant for the initial server configuration, and after performing some initial
configuration tasks, you will be able to start working.
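As an added example (not part of the course notes), the following PowerShell commands check the installed edition and the activation state after the first logon, covering the case from steps 5 to 7 where no Product ID was entered during setup. It assumes an elevated PowerShell prompt on the new server; the product key is a placeholder to be replaced with your own.

```powershell
# Added example: post-installation edition and activation check.
# Assumes an elevated PowerShell session on the newly installed server.

$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("Installed edition: {0} ({1})" -f $os.Caption, $os.OSArchitecture)

# The Windows licensing state lives in the SoftwareLicensingProduct WMI class.
# Only the entry that carries a partial product key is the one actually in use,
# so no entry at all means no key was entered during setup.
$lic = Get-WmiObject -Class SoftwareLicensingProduct `
    -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'"

# LicenseStatus values: 0 = unlicensed, 1 = licensed, 2 = initial grace period,
# 3 = additional grace, 4 = non-genuine grace, 5 = notification
$productKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, replace with your key
$slmgr      = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

if (-not $lic) {
    Write-Host 'No Windows product key is installed (the Product ID was skipped in step 5).'
    if ($productKey -notmatch 'X') {
        & cscript.exe //nologo $slmgr /ipk $productKey   # install the key
        & cscript.exe //nologo $slmgr /ato               # activate online
    }
}
elseif ($lic.LicenseStatus -eq 1) {
    Write-Host ('Activated: {0}' -f $lic.Name)
}
else {
    Write-Host ('Key present but not activated (LicenseStatus={0}); running slmgr /ato' -f $lic.LicenseStatus)
    & cscript.exe //nologo $slmgr /ato
}
```

Run it once from an elevated prompt after step 18; if activation fails because the server has no Internet access, slmgr.vbs /dli shows the current licensing details and the key can be activated later by phone.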

3.2 Discuss User & Group Managements.


Active Directory Domain Services is used primarily to manage users and resources across
enterprise infrastructures spanning physical subnets around the globe. An Active Directory
domain provides a distributed database to store and manage application data, user data and
computer data. The Active Directory structure comprises a single forest with multiple domains
and child domains. Administrators can configure Active Directory domains based on the physical
subnets; it is advisable to install a directory server at each physical site.
Active Directory provides different security boundaries in the form of:
a) Forest b) Domain c) Organizational Units
User groups and Organizational Units are two great ways of keeping your Active Directory
organized and controlled.
Why would we want to do that? Well, let's say for example that we have this one shared folder on
our network that we want only our Sales Department to have access to. Without groups in your
Active Directory, you would have to go to each individual Sales Department user account and
give that account access to that shared folder. That can take quite some time if you have, let's say
... 200 users in your Sales Department.
Instead, we take all the Sales Department user accounts and put them in a Sales user group. Now
when I want to give all of my Sales users access to that shared folder, I just give the entire Sales
group access to it and voilà, all Sales users now have access to our shared folder!
You can then take the Sales user group and put it in a Sales Organizational Unit. An
Organizational Unit is really just a folder for organizational purposes, to keep your Active
Directory nice and clean. You can add different groups, computers and other resources to an
Organizational Unit.
Creating an Organizational Unit
1. Start by opening up your Server Manager, then expand the Roles section.

2. Next expand the Active Directory Domain Services section and click on Active Directory
Users and Computers.

3. At this point you should be able to see your domain. In our example we are using the
Globomantics domain. Go ahead and expand your domain.

4. Now we need to create an Organizational Unit for a group to live in. In our example we are
going to create an OU for our Ops Team.
To create a new Organization Unit, right-click on your domain name, point to the New option
and then select Organizational Unit.

5. Type in the name of your OU and make sure that the box is checked next to Protect container
from accidental deletion. When done, click OK.

6. We now have a new Organizational Unit in our Active Directory called OpsOU.

Creating a New Group


1. After you create an Organizational Unit in your Active Directory, you are ready to create your
first group. Go ahead and select your OU and then right-click in the blank area.

2. Next, point to New and then select Group.

3. The next step is to name your Group, select the scope and then select the type.
In this example we are going to name our group OpsUsers. We are also going to leave the
default selections for group scope, which is Global, and group type, which is Security. When you
are ready, click OK.

4. Our new group has been created!

Moving Accounts Into a Group


1. In order to move pre-existing accounts into a group, you need to hold down the Control key
and click on all the User or Computer accounts that you want to move into that group.

2. Then you need to right-click on any one of those accounts and select Add to a group.

3. Next, you need to type in the group name and let the machine find it.
In our example, I will type in OpsUsers and then click on the Check names button. Once the
name is verified and group name is found, the text will become underlined and you can click the
OK button. Since we know our group exists, we are going to click OK without verification.

4. Now all of these accounts are part of our OpsUsers group.

Note: Another way of accomplishing this would be to click on an account, hold it, then drag and
drop it into a particular group. Depending on how much you like to use your mouse and how
much time you have, this may or may not be your preferred way of accomplishing this task.
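The three procedures above (create the OU, create the group, add the members) can also be scripted. The following is an added example, not part of the course notes, using the Active Directory PowerShell module that ships with Windows Server 2008 R2 (and RSAT) and that needs a domain controller running Active Directory Web Services. The domain, OU name, group name and user accounts are constructed placeholders.

```powershell
# Added example: OU, group and membership from the steps above, scripted.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and
# an account allowed to create objects in the domain.

Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName       # e.g. DC=globomantics,DC=local
$ouName    = 'OpsOU'
$groupName = 'OpsUsers'
$ouDN      = "OU=$ouName,$domainDN"
$members   = @('jsmith', 'akumar')                   # sAMAccountNames, constructed

# 1. Organizational Unit, protected from accidental deletion (the checkbox in
#    step 5 of "Creating an Organizational Unit"). Created only if missing.
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
            -ProtectedFromAccidentalDeletion $true -PassThru
}

# 2. Group with the wizard's default scope (Global) and type (Security),
#    placed inside the OU rather than in the default Users container.
$group = Get-ADGroup -Filter { Name -eq $groupName } -SearchBase $ouDN
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
               -GroupScope Global -GroupCategory Security -Path $ouDN -PassThru
}

# 3. Membership: look each account up first so that a typo in one name is
#    reported instead of aborting the whole batch.
foreach ($sam in $members) {
    $user = Get-ADUser -Filter { SamAccountName -eq $sam }
    if ($user) { Add-ADGroupMember -Identity $group -Members $user }
    else       { Write-Warning "No user account named $sam; skipped" }
}

# Verify: who is in the group, and that the OU really is protected.
Get-ADGroupMember -Identity $group | Select-Object SamAccountName, objectClass
(Get-ADOrganizationalUnit -Identity $ouDN -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion
```

Giving the share permission to OpsUsers afterwards, rather than to each account, is exactly the point made in the Sales Department example above: membership changes in one place, and the group's member list is what you audit.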

3.3 Analyze the working of Device Manager, Drivers Signing & Signature
Device Manager provides you with a graphical view of the hardware that is installed on your
computer. All devices communicate with Windows through a piece of software called a device
driver. You can use Device Manager to install and update the drivers for your hardware devices,
modify hardware settings for those devices, and troubleshoot problems.
Uses for Device Manager
You can use Device Manager to:
- Determine whether the hardware on your computer is working properly.
- Change hardware configuration settings.
- Identify the device drivers that are loaded for each device, and obtain information about each device driver.
- Change advanced settings and properties for devices.
- Install updated device drivers.
- Enable, disable, and uninstall devices.
- Roll back to the previous version of a driver.
- View the devices based on their type, by their connection to the computer, or by the resources they use.
- Show or hide hidden devices that are not critical to view, but might be necessary for advanced troubleshooting.

You will typically use Device Manager to check the status of your hardware and update device
drivers on your computer. Advanced users who have a thorough understanding of computer
hardware might also use Device Manager's diagnostic features to resolve device conflicts and
change resource settings.
Ordinarily, you will not need to use Device Manager to change resource settings because
resources are allocated automatically by the system during hardware setup.
You can use Device Manager to manage devices only on a local computer. On a remote
computer, Device Manager will work only in read-only mode, allowing you to view, but not
change the hardware configuration of that computer.
Many of the virus, adware, security, and crash problems with Windows occur when someone
installs a driver of dubious origin. The driver supposedly provides some special feature for
Windows but in reality makes Windows unstable and can open doors for people of ill intent who
want your system for themselves. Of course, Microsoft's solution is to lock down Windows so
that you can use only signed drivers. A signed driver is one in which the driver creator uses a
special digital signature to sign the driver software. You can examine this signature (as can
Windows) to ensure that the driver is legitimate.

Windows 2008 doesn't load a driver that the vendor hasn't signed. Unfortunately, you'll find
more unsigned than signed drivers on the market right now. Vendors haven't signed their drivers,
for the most part, because the process is incredibly expensive and difficult. Many vendors see the
new Windows 2008 feature as Microsoft's method of forcing them to spend money on something
whose value they dispute. Theoretically, someone can forge a signature, which means that
the signing process isn't foolproof and may not actually make Windows more secure or reliable.
Of course, the market will eventually decide whether Microsoft or the vendors are correct, but
for now you have to worry about having signed drivers to use with Windows.
Sometimes, not having a signed driver can cause your system to boot incorrectly or not at all.
The Disable Driver Signature Enforcement option lets you override Microsoft's decision to use
only signed drivers. When you choose this option, Windows boots as it normally does. The only
difference is that it doesn't check the drivers it loads for a signature. You may even notice that
Windows starts faster. Of course, you're giving up a little extra reliability and security to use this
feature, at least in theory.
You can't permanently disable the use of signed drivers in the 64-bit version of Windows Server
2008, at least not using any Microsoft-recognized technique. It's possible to disable the use of
signed drivers in the 32-bit version by making a change in the global policy. A company named
Linchpin Labs has a product called Atsiv (http://www.linchpinlabs.com/resources/atsiv/usagedesign.htm), which lets you overcome this problem, even on 64-bit systems. Microsoft is
fighting a very nasty war to prevent people from using the product.
Using the boot method of permanently disabling signed driver checking
An undocumented method of disabling the signed driver requirement for both 32-bit and 64-bit
versions of Windows Server 2008 is to use the BCDEdit utility to make a change to the boot
configuration. Because this feature isn't documented, Microsoft could remove it at any time.
This procedure isn't something that a novice administrator should attempt, but it's doable.
1. Choose Start -> Programs -> Accessories.
You see the Accessories menu.
2. Right-click Command Prompt and choose Run As Administrator from the context menu.
Windows opens a command line with elevated privileges. You can tell that the privileges are
elevated because the title bar states that this is the administrator's command prompt rather than a
standard command prompt.
3. Type BCDEdit /Export C:\BCDBackup and press Enter. BCDEdit displays the message This
Operation Completed Successfully. This command saves a copy of your current boot
configuration to the C:\BCDBackup file. Never change the boot configuration without making a
backup.
4. Type BCDEdit /Set LoadOptions DDISABLE_INTEGRITY_CHECKS and press Enter.
BCDEdit displays the message This Operation Completed Successfully. The Driver Disable
(DDISABLE) option tells Windows not to check the signing of your drivers during the boot
process. Be sure to type the BCDEdit command precisely as shown. The BCDEdit utility is very
powerful and can cause your system not to boot when used incorrectly.
5. Restart your system as normal to use the new configuration.
Using the group policy method of permanently disabling signed driver checking
Users of the 32-bit version of Windows Server 2008 also have a documented and Microsoft-approved method of bypassing the signing requirement. (This technique will never work on the
64-bit version of the product.)
In this case, you set a global policy that disables the requirement for the local machine (when
made on the local machine) or the domain (when made on the domain controller). The following
steps describe how to use the Global Policy Edit (GPEdit) console to perform this task.
1. Choose Start -> Run.
You see the Run dialog box.
2. Type GPEdit.MSC (for Group Policy Edit) in the Open field and click OK. Windows displays
the Local Group Policy Editor window.
3. Locate the Local Computer Policy\User Configuration\Administrative
Templates\System\Driver Installation folder.
4. Double-click the Code Signing for Device Drivers policy.
5. Select Enabled.
6. Choose Ignore (installs unsigned drivers without asking), Warn (displays a message asking
whether you want to install the unsigned driver), or Block (disallows unsigned driver installation
automatically) from the drop-down list.
7. Click OK.
The Local Group Policy Editor console sets the new policy for installing device drivers.
8. Close the Local Group Policy Editor console.
9. Reboot the server.
Theoretically, the changes you made should take effect immediately after you log back in to the
system. However, to make sure the policy takes effect for everyone, reboot the server.
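Both of the procedures above weaken a control that the rest of this section says exists to keep untrusted drivers out, so an administrator inheriting a server will want to know whether either has been applied. The following audit script is an added example, not part of the course notes; it assumes an elevated PowerShell session on Windows Server 2008 or 2008 R2, that bcdedit /enum prints one "name value" line per element, that driverquery /si reports an IsSigned column, and that the Code Signing for Device Drivers policy is stored under the registry key named in the comment as BehaviorOnFailedVerify (0 = Ignore, 1 = Warn, 2 = Block).

```powershell
# Added example: detect whether driver signature enforcement has been relaxed
# by the BCDEdit method, the Group Policy method, or an unsigned driver that
# is already loaded. Assumes an elevated PowerShell session.

function Get-DriverSigningFindings {
    $findings = @()

    # 1. Boot configuration. bcdedit /enum lists the current entry's elements as
    #    "name   value" lines; the load option from the BCDEdit procedure, and the
    #    related nointegritychecks/testsigning elements, all show up there.
    $bcd = & bcdedit.exe /enum '{current}' 2>&1
    foreach ($line in $bcd) {
        if ($line -match '^\s*loadoptions\s+(?<v>.+)$' -and $Matches.v -match 'DDISABLE_INTEGRITY_CHECKS') {
            $findings += "BCD loadoptions disables driver integrity checks: $($Matches.v)"
        }
        if ($line -match '^\s*nointegritychecks\s+Yes') { $findings += 'BCD nointegritychecks is set to Yes' }
        if ($line -match '^\s*testsigning\s+Yes')       { $findings += 'BCD testsigning is enabled' }
    }

    # 2. Group Policy method. Assumed location of the "Code Signing for Device
    #    Drivers" user policy; BehaviorOnFailedVerify 0 = Ignore, 1 = Warn, 2 = Block.
    $key = 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($pol -ne $null -and $pol.PSObject.Properties['BehaviorOnFailedVerify'] -ne $null) {
        $label = @{ 0 = 'Ignore'; 1 = 'Warn'; 2 = 'Block' }[[int]$pol.BehaviorOnFailedVerify]
        if ($label -ne 'Block') { $findings += "Driver signing policy is set to $label for this user" }
    }

    # 3. What is actually loaded: driverquery /si reports TRUE/FALSE per driver.
    $unsigned = driverquery.exe /si /fo csv | ConvertFrom-Csv | Where-Object { $_.IsSigned -eq 'FALSE' }
    foreach ($d in $unsigned) {
        $findings += "Unsigned driver present: $($d.DeviceName) ($($d.InfName))"
    }

    return $findings
}

$result = Get-DriverSigningFindings
if ($result.Count -eq 0) { 'No weakening of driver signature enforcement found.' } else { $result }
```

The boot-configuration check is the one worth scheduling: the BCDEdit change survives reboots and does not show in Device Manager, so a driver of dubious origin loaded under it looks no different from a signed one in the GUI.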

3.4 Analyze Verification & Managing Ports.


Today's security model is all about layers. If your network suffers a breach, security layers can at
least limit the scope of the attack or slow down the hacker. Windows Server 2008 R2 and
Windows Server 2008 are the first versions of Windows Server in which you can successfully
keep your firewall enabled and still have the server work in a production environment.
The Microsoft Management Console (MMC) Firewall with Advanced Security snap-in is key to
this capability.
Firewall Profiles
There are three different Windows Firewall profiles that can be configured with a Server 2008
R2 firewall. Only one of these profiles can be active at a time.
1. Domain profile: This profile is active when the server is connected to an Active
Directory (AD) domain via an internal network. This is the profile that's typically active,
because most servers are members of an AD domain.
2. Private profile: This profile is active when the server is a member of a workgroup.
Microsoft recommends more restrictive firewall settings for this profile than for the
domain profile.
3. Public profile: This profile is active when the server is connected to an AD domain via
a public network. Microsoft recommends the most restrictive settings for this profile.
When you start the Firewall with Advanced Security snap-in, you can view which firewall profile
is active. Although Microsoft recommends different security settings for each firewall profile,
the approach described here applies the same rules to all three. With this approach, if any ports
are accidentally opened on perimeter firewalls, Server 2008's Windows Firewall will still block
the traffic. Just as with previous versions of Windows Firewall, all inbound connections are
blocked and all outbound connections from the server are allowed by default in Server 2008 R2
(as long as there's no existing Deny rule).
With these settings, the organization's firewall configuration leans toward a public profile
environment. When we create a rule, we make it active for all three profiles. By using a firewall
configuration that's consistent across all three profiles, we don't have to worry about
exposing any unwanted ports in case the Windows Firewall profile changes.
IPsec and Domain Isolation
You can implement domain isolation by using Windows Firewall's IPsec feature. Domain
isolation prevents a non-domain computer from connecting to a computer that's a domain
member. When communication is established between two domain members, you can configure
the firewall to encrypt all traffic between the two computers with IPsec. This configuration can
be useful in an environment in which you have guests on the same network but you want to
prevent them from accessing computers that are part of a domain. It can be used as an
alternative or in addition to Virtual LANs (VLANs).
Leave the Firewall Enabled
Most applications are now smart enough to automatically open the necessary port on the firewall
when they're installed, which eliminates the need to manually open inbound ports on the server.
One of the main reasons to have the firewall up during installation is that it protects the OS
before you have the chance to apply the latest updates.
The firewall is well integrated with Server Manager's roles and features. When a role or feature
is added on the server, the firewall automatically opens the necessary inbound ports. SQL Server,
however, is not a Server Manager role; it uses the default port of TCP 1433, so you must manually
create an inbound rule that allows TCP port 1433 on the firewall for SQL Server. (Alternatively,
you can change the default port.)
Creating Inbound Rules
Before creating a rule, check to see whether a rule was already created that will allow the desired
inbound traffic to pass. If you find an existing rule, you can simply enable the rule and possibly
change the default scope. If you don't find an existing rule, you can always create one from
scratch.
Select Administrative Tools from the Start menu, then select Windows Firewall with Advanced
Security to start the Firewall with Advanced Security snap-in.
For illustration purposes, the following steps create a rule that allows inbound SQL Server traffic
on TCP port 1433 from a Microsoft Office SharePoint Server front-end server:
Right-click Inbound Rules and select New Rule.
As Figure 1 shows, you can select Program, Port, Predefined, or Custom for the rule type. Select
Custom, because this option prompts you to enter a scope for the rule. Click Next to continue.

Figure 1: Creating a new inbound rule type


In the next dialog box, which Figure 2 shows, you can specify a program or service that the rule
will match. Select All programs so that traffic will be controlled by the port number.

Figure 2: Specifying a program for a new inbound rule


As Figure 3 shows, select TCP for the protocol type, select Specific Ports from the Local port
drop-down menu and specify port 1433, which is the default port for SQL Server. Because remote
ports are dynamic, select All Ports.

Figure 3: Specifying a protocol and ports for a new inbound rule


In the Scope dialog box, which Figure 4 shows, specify the local IP address of 192.168.1.11 and
the remote IP address of 192.168.1.10, which is the IP address of the organization's SharePoint
front-end server. It's strongly recommended to specify a scope with every rule, in case the server
is accidentally exposed to unwanted subnets.

Figure 4: Specifying local and remote IP addresses in a new inbound rule's scope
In the Action dialog box, which Figure 5 shows, select Allow the connection to allow inbound
traffic to pass for SQL Server.

Figure 5: Specifying the action to take when a connection matches the condition in a new
inbound rule
Alternatively, you can allow traffic to pass only if it's encrypted and secured with IPsec, or you
can block the connection. Next, you need to specify the profile(s) for which the rule will apply.
As Figure 6 shows, select all the profiles (which is a best practice).

Figure 6: Specifying profiles for which a new inbound rule will apply
Finally, use a descriptive name for the rule, specifying the allowed service, scope, and ports, as
Figure 7 shows. Using a descriptive name makes it easier to identify what a rule does. Click
Finish to create the new inbound rule.

Figure 7: Naming a new inbound rule
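The same rule can be created from the command line with netsh advfirewall, which is useful when the rule must be reproduced on several servers. The following is an added example, not part of the course notes; it assumes an elevated PowerShell session and uses the IP addresses from the steps above. It also performs the "check for an existing rule first" step that opens this subsection.

```powershell
# Added example: scoped inbound SQL Server rule via netsh advfirewall.
# Assumes an elevated PowerShell session; addresses are the ones in the text.

$ruleName = 'Allow SQL Server TCP 1433 from SharePoint front end'
$localIp  = '192.168.1.11'   # this SQL Server
$remoteIp = '192.168.1.10'   # the SharePoint front-end server

# Check for an existing rule first: netsh exits non-zero when nothing matches.
$null = netsh advfirewall firewall show rule name="$ruleName"
if ($LASTEXITCODE -eq 0) {
    Write-Host "Rule '$ruleName' already exists; enabling it instead of creating a duplicate."
    netsh advfirewall firewall set rule name="$ruleName" new enable=yes
}
else {
    # Mirrors the Custom rule wizard choices: all programs, TCP, local port 1433,
    # any remote port, scoped to a single peer, active in all three profiles.
    netsh advfirewall firewall add rule name="$ruleName" `
        dir=in action=allow enable=yes profile=any `
        protocol=TCP localport=1433 remoteport=any `
        localip=$localIp remoteip=$remoteIp `
        description="SQL Server default instance; scoped to the SharePoint front end only"
}

# Show the rule as stored, including its scope, so the narrow remote address
# can be confirmed before the server is exposed to any other subnet.
netsh advfirewall firewall show rule name="$ruleName" verbose
```

If the traffic should be allowed only when it is protected by IPsec, the alternative mentioned under Figure 5, the add rule command takes security=authenc in place of the plain allow; in both cases the verbose listing is where you confirm that RemoteIP still reads 192.168.1.10 and not Any.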


Creating Outbound Rules
By default, all inbound traffic is blocked and all outbound traffic is allowed on all three firewall
profiles (i.e., domain, public, and private). If you use the default settings, you don't need to open
any outbound ports. Alternatively, you can block outbound traffic, but then you must open up
the necessary outbound ports.
Creating outbound rules is similar to creating inbound rules, except the traffic flow is reversed.
You can use the Firewall with Advanced Security snap-in to block outbound traffic on specific
ports if the server becomes infected with a virus and attempts to attack other computers on
specific ports.
Managing Firewall Configuration
In addition to the Firewall with Advanced Security snap-in, you can use Netsh commands to
create firewall rules. You can also use Group Policy to control the configuration of the firewall.
One of the easiest ways to push out a firewall rule with Group Policy is to use the Firewall with
Advanced Security snap-in to create the rule, export it, and import it into the Group Policy
Management Editor. Then you can use Group Policy to push out the rule to the appropriate
computers.
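As an added example, not part of the course notes, the following netsh commands cover the points made in the last three subsections: confirming the active profile and the default inbound block/outbound allow, keeping the firewall enabled with dropped-packet logging, adding an outbound block rule of the containment kind described above, and exporting the policy for import into Group Policy. It assumes an elevated PowerShell session; the export path and the outbound rule are illustrative.

```powershell
# Added example: inspect, harden and export the Windows Firewall configuration.
# Assumes an elevated PowerShell session on Windows Server 2008 R2.

# Which profile is active right now, and the per-profile default actions
# (inbound BlockInbound, outbound AllowOutbound unless changed).
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles firewallpolicy

# Keep the firewall on in every profile and log dropped packets, so that a
# port accidentally exposed by a perimeter change shows up in the log instead
# of being silently blocked or, worse, silently reachable.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Outbound rules reverse the direction. This one stops the server from opening
# SMB connections to other hosts on TCP 445 (the containment case described
# above for an infected server); it also blocks legitimate file-share access
# from this server, so it is applied deliberately, not by default.
netsh advfirewall firewall add rule name="Block outbound SMB (containment)" `
    dir=out action=block enable=yes profile=any protocol=TCP remoteport=445

# Export the whole policy. The .wfw file can be imported into a GPO from the
# Windows Firewall with Advanced Security node in the Group Policy Management
# Editor (Import Policy), or restored locally with 'netsh advfirewall import'.
$export = 'C:\Temp\ServerFirewallPolicy.wfw'
New-Item -ItemType Directory -Path (Split-Path $export) -Force | Out-Null
netsh advfirewall export "$export"
```

Exporting from a reference server and importing into a GPO is the workflow described above; the file captures every rule and profile setting, so review it on a test machine before linking the GPO to production computers.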

3.5 Implement the Installing & Managing & Configuration of Printers

Printing Process
When a user selects File > Print from an application, a series of steps must be completed for the
printed document to appear. These steps have remained much the same over all recent versions
of Windows:
1. When the user selects File > Print, a new print job is created, which includes all the data,
and eventually, the printer commands that the system requires to output a document.
2. The client computer queries the print server for a version of the print driver for the
default or a selected printer. If necessary, the most recent version of the driver is
downloaded to the client computer.
3. The graphics device interface (GDI) and the printer driver may convert the print job into
a rendered Windows enhanced metafile (EMF). (The GDI is the component that provides
network applications with a system for presenting graphical information.) The GDI
actually does double duty by producing WYSIWYG (what you see is what you get)
screen output and printed output.
4. It is possible for Windows to convert the application's output (the print job) into either a
metafile or a RAW format. (The RAW format is ready to print and requires no further
rendering.) The driver then returns the converted print job to the GDI, which delivers it to
the spooler.
5. The client side of the spooler (Winspool.drv) makes a remote procedure call (RPC) to the
server side of the spooler (Spoolsv.dll). If a network-connected server is managing the
print device, the spooler hands off the print job to the spooler on the print server. Then,
that spooler copies the print job to a temporary storage area on that computer's hard disk.
This step does not take place for locally managed print jobs. In that case, the job is
spooled to disk locally.
6. The print server receives the job and passes it to the print router, Spoolss.dll. (You should
not confuse a router in this context with the device that directs network packets from one
subnetwork to another.)
7. The router checks the kind of data it has received and passes it on to the appropriate print
processor component of the local print provider, or the remote print server if the job is
destined for a network printer.
8. The local print provider may request that the print processor perform additional
conversions as needed on the file, typically from EMF to RAW. (Print devices can only
handle RAW information.) The print processor then returns the print job to the local print
provider.
9. The print monitor communicates directly with the print device and sends the ready-to-print print job to the print device.
10. The print device receives the data in the form it requires and translates it to a bitmap,
producing printed output.

Although it may seem complicated, this sequence is designed to make printing more efficient and
faster in a networked environment. In particular, the burden of spooling is distributed between
client and server computers.
Installing, Sharing, and Publishing Printers
By itself, Windows Server 2008 R2 is a very capable print server that provides a large range of
capabilities for working with printers and documents, much like the capabilities that were
included with previous Windows Server versions. The original version of Windows Server 2008
added the Print Services server role, which provided enhanced capabilities for sharing printers on
the network and centralizing printer and print management tasks into its own Microsoft
Management Console (MMC) snap-in. In Windows Server 2008 R2 this role is replaced by the
Print and Document Services role, which adds scanning management to the list of capabilities.
Installing the Print and Document Services Role
Use the following procedure to install the Print and Document Services server role on a
Windows Server 2008 R2 computer:
1. Open Server Manager and expand the Roles node.
2. Click Add Roles to start the Add Roles Wizard.
3. From the Select Server Roles page, select Print and Document Services (as shown in
Figure -1) and click Next.

Figure -1. Selecting the Print and Document Services role.


4. The Introduction to Print and Document Services page provides links to information on
this service. To learn more, click the links provided. When you're ready to proceed, click
Next.

5. The Select Role Services page shown in Figure -2 enables you to select additional role
services. The Print Server role is included by default. Make any desired selections and
click Next.

Figure -2. You can select optional role services from the Select Role Services page.
6. On the Confirm Installation Selections page, click Install.
7. The Installation Progress page tracks the progress of installing the Print and Document
services server role. When informed that the installation is complete, click Close.
When finished, the Print Management snap-in is accessible from the Administrative Tools folder.
This snap-in enables you to perform a large range of printer management tasks on printers
installed on computers running any version of Windows from Windows 2000 or later.
Installing Printers
You can install a printer on your Windows Server 2008 R2 computer from Control Panel even
without installing the Print and Document Services server role. If you installed this role, you can
also install a printer from the Print Management snap-in.
Using Control Panel to Install a Printer
Use the following procedure to install a printer from Control Panel:
1. Click Start > Control Panel > Hardware.
2. Under Devices and Printers, select Add a printer. The Add Printer Wizard starts and
provides two options, as shown in Figure -3.

Figure -3. Windows Server 2008 enables you to choose between installing a local or
network printer.
3. Select the appropriate option and click Next.
4. If you select the Add a network, wireless, or Bluetooth printer option, Windows
searches for network printers. Select the desired printer and click Next. If you select the
Add a local printer option, the Add Printer page asks you to choose a printer port. Select
the port to which the printer is attached and click Next.
5. You receive the Install the printer driver page. Select the make and model of the print
device for which you're installing the printer (as shown in Figure -4) and click Next. To
install a driver from an installation CD, click Have Disk and follow the instructions
provided.

Figure -4. Selecting the make and model for which you're installing a printer.
6. The Type a Printer Name page provides a default name for the printer. Accept this or type
a different name, and then click Next.
7. The Printer Sharing page shown in Figure -5 enables you to share the printer. Accept the
share name or type a different name if necessary. Optionally, type location and comment
information in the text boxes provided. (This information helps users when selecting a
network printer.) When finished, click Next.

Figure -5. You are provided with options for sharing your printer.
8. You are informed that you successfully installed your printer. Click Print a test page to
print a test page if desired to confirm printer installation. When done, click Finish.
Using the Print Management Console to Install a Printer
After you install the Print and Document Services server role as described earlier, you can
install a printer directly from this console. Use the following procedure:
1. Click Start > Administrative Tools > Print Management to open the Print
Management console.
2. Expand the Print Server node to locate your print server.
3. Right-click your print server and choose Add Printer. The Network Printer Installation
Wizard starts and displays options, as shown in Figure -6.

Figure -6. The Network Printer Installation Wizard facilitates installation of printers on
the network.
4. Select the appropriate option and click Next.
5. If you select the Add a TCP/IP or Web Services Printer by IP address or hostname
option, specify the host name or IP address as well as the port name on the Printer

Address page, and then click Next. If you select the Search the network for printers
option, the Network Printer Search page appears and displays the printers it finds. Select
the desired printer and click Next.
6. On the Printer Driver page, select the make and model of the print device for which
you're installing the printer, and then click Next.
7. The Type a printer name page provides a default name for the printer. Accept this or type
a different name, and then click Next.
8. The Printer Sharing page provides options similar to those previously shown in Figure -5
that are provided when installing from Control Panel. Specify the required options and
click Next.
9. If you receive a page asking for printer-specific configuration options, select the required
options and then click Next. Options provided depend on the make and model of the print
device associated with the printer you're installing.
10. You are informed that you successfully installed your printer. Click Finish.
When you finish installing the printer (whether from the Print Management snap-in or from
Control Panel), the printer is displayed in the details pane of the Print Management snap-in when
you select the Printers subnode under the node for your print server.
Sharing Printers
You can share a printer at the time you install it, or configure printer sharing at any time
afterward. Use the following procedure:
1. In the console tree of the Print Management snap-in, expand your print server to reveal
the Printers node. All printers configured for your server will appear in the details pane.
2. Right-click your desired printer and choose Manage Sharing. This opens the printer's
Properties dialog box to the Sharing tab.
3. Select the Share this printer check box. As shown in Figure -7, a default share name is
provided automatically; accept this or type a different share name, as desired.

Figure -7. You can share your printer from the Sharing tab of the printer's Properties
dialog box.
4. If users connecting to this printer are running different versions of Windows (including
32-bit as opposed to 64-bit Windows versions), click Additional Drivers to install
drivers required by these users. From the Additional Drivers dialog box that appears,
select the required drivers and click OK.
5. If client computers have the processing power for handling the print rendering process,
select the check box labeled Render print jobs on client computers. To have the print
server handle this processing load, clear this check box.
6. Click OK.
If you haven't installed the Print and Document Services server role, you can perform the same
task from the Devices and Printers applet in Control Panel. Right-click your printer and choose
Printer Properties. This brings up the same Properties dialog box; select the Sharing tab, as
shown previously in Figure -7, and follow the same procedure as outlined here.
Publishing Printers in Active Directory
If your print server is part of an Active Directory Domain Services (AD DS) domain, you can
publish the printer to facilitate the task of users locating printers installed on the server. In the
Print Management snap-in, right-click your printer and choose List in Directory, as shown in
Figure -8. You can also publish your printer when configuring sharing (or from Control Panel if
you have not installed the Print and Document Services server role), by selecting the List in the
Directory check box, which was previously shown in Figure -7.

Figure -8. Publishing a printer in Active Directory.


If you want to remove your printer from AD DS, right-click it and choose Remove from
Directory or clear the List in the Directory check box.
You can also use the pubprn.vbs script to publish a printer in AD DS from the command line.
The syntax is as follows:
Cscript Pubprn.vbs {<ServerName> | <UNCPrinterPath>}
"LDAP://CN=<Container>,DC=<Container>"
In this command, <ServerName> specifies the name of the server hosting the printer to be
published. If omitted, the local server is assumed. <UNCPrinterPath> represents the UNC path
to the shared printer being published. "LDAP://CN=<Container>,DC=<Container>" specifies
the path to the AD DS container where the printer is to be published.
For example, to publish a printer named HPLaserJ located at Server1 to the Printers container in
the que.com domain, use the following command at Server1:
Cscript Pubprn.vbs \\Server1\HPLaserJ "LDAP://CN=Printers,DC=Que,DC=com"
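The following PowerShell script is an added example, not part of the original text: it performs the
port creation, printer installation, sharing, and directory publishing described in the preceding
sections from the command line through WMI, so the same configuration can be repeated on several
Windows Server 2008 R2 print servers. The address 192.0.2.50, the printer and share names, the location,
and the driver name HP LaserJet 4250 PCL6 are assumptions; the driver must already be installed on
the server, and whether the Published property can be set through WMI is also an assumption (if the
printer does not appear in the directory, use pubprn.vbs as shown above).

```powershell
# Added example, not from the original text: create a standard TCP/IP port, install
# two logical printers on it, share them and list them in AD DS, all through WMI.
# Run from an elevated prompt on the Windows Server 2008 R2 print server.
# Assumptions (not from the page): the printer driver named below is already in the
# server's driver store, and 192.0.2.50 is a constructed address for the print device.
$HostAddress = '192.0.2.50'
$PortName    = "IP_$HostAddress"
$DriverName  = 'HP LaserJet 4250 PCL6'   # assumption: an already-installed driver name
$Location    = 'Floor 2, Room 210'       # shown to users who browse for the printer

# 1. Standard TCP/IP port: the same object the Add Port wizard on the Ports tab creates.
#    Protocol 1 = RAW on TCP 9100. SNMP stays off so no community string is sent unless
#    you configure one deliberately.
if (-not (Get-WmiObject Win32_TCPIPPrinterPort -Filter "Name='$PortName'")) {
    $port = ([wmiclass]'Win32_TCPIPPrinterPort').CreateInstance()
    $port.Name        = $PortName
    $port.HostAddress = $HostAddress
    $port.PortNumber  = 9100
    $port.Protocol    = 1
    $port.SNMPEnabled = $false
    [void]$port.Put()
}

# 2. A logical printer (queue) on that port. Priority runs 1 to 99, higher wins, so the
#    second queue below drains before the first even though both feed one print device.
function New-LogicalPrinter {
    param([string]$Name, [string]$ShareName, [int]$Priority, [string]$Comment)
    if (Get-WmiObject Win32_Printer -Filter "Name='$Name'") {
        Write-Warning "Printer $Name already exists; leaving it unchanged."
        return
    }
    $p = ([wmiclass]'Win32_Printer').CreateInstance()
    $p.DeviceID   = $Name
    $p.DriverName = $DriverName
    $p.PortName   = $PortName
    $p.Priority   = $Priority
    $p.Location   = $Location
    $p.Comment    = $Comment
    $p.Shared     = $true
    $p.ShareName  = $ShareName
    $p.Published  = $true   # assumption: same effect as the List in the Directory check box
    [void]$p.Put()
}

$general  = @{ Name = 'HPLaserJ';     ShareName = 'HPLaserJ';     Priority = 1;  Comment = 'General use' }
$managers = @{ Name = 'HPLaserJ-Mgr'; ShareName = 'HPLaserJ-Mgr'; Priority = 99; Comment = 'Managers: printed first' }
New-LogicalPrinter @general
New-LogicalPrinter @managers

# 3. Verify: both queues sit on the same port and are shared and published.
Get-WmiObject Win32_Printer -Filter "PortName='$PortName'" |
    Select-Object Name, PortName, Priority, Shared, ShareName, Published |
    Format-Table -AutoSize
```

Sharing a queue grants the Print permission to Everyone by default, so after running the script
review the Security tab (or the ACL report later in this unit) before users are pointed at the
new share.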
Using Group Policy to Deploy Printer Connections
Group Policy enables you to deploy printers in an AD DS domain environment, automatically
making printer connections available to users and computers in the domain or organizational unit
(OU). Use the following procedure to add printer connections to a Group Policy object (GPO):
1. In the details pane of the Print Management snap-in, right-click the desired printer and
choose Deploy with Group Policy. (This option is visible in Figure -8, which was
previously shown.)

2. The Deploy with Group Policy dialog box shown in Figure -9 opens. Click Browse and
locate an appropriate GPO. If necessary, you can also create a new GPO for storing the
printer connections.

Figure -9. Using Group Policy to deploy printer connections.


3. Select either or both of the following options for deploying printer connections to users or
computers, as required:
o Select The users that this GPO applies to (per user) to deploy to groups of
users, enabling these users to access the printer from any computer to which they
log on.
o Select The computers that this GPO applies to (per machine) to deploy to
groups of computers, enabling all users of the computers to access your printer.
4. Click Add.
5. Repeat Steps 2 to 4 to deploy the printer connection settings to another GPO, if required.
6. Click OK.
Managing and Troubleshooting Printers
Several factors must be considered in administering printers. Like any other shared resource,
they can be assigned permissions and their use can be audited. Also, special printing
configurations, such as printer pools, can be set up. Multiple printers can be configured for one
print device to handle different types of jobs. Furthermore, lots of things can go wrong with print
jobs. Complaints from users that they cannot print or are denied access can make up a significant
portion of a network administrator's or support specialist's job.
Using the Printer Properties Dialog box
Each printer has a Properties dialog box associated with it that enables you to perform a large
number of management tasks. You already saw how to share a printer or publish it in AD DS.
This section discusses several additional tasks that you can perform from this dialog box. Right-click
the printer in the details pane of the Print Management snap-in and choose Properties, or
right-click the printer in the Control Panel Devices and Printers applet and choose Printer
Properties to bring up this dialog box. In addition to the tabs discussed here, some printers show
additional tabs; for example, color printers possess a Color Management tab that enables you to
adjust color profile settings. Some printers possess a Version Information tab, which merely
displays version information and contains no configurable settings.
General Tab
Use the General tab to rename the printer or modify the Location and Comment fields you
supplied when installing the printer. You can also print a test page or modify printer preferences
from this tab; click Preferences to open a dialog box that enables you to adjust settings, such as
print quality, paper source, type, and size, maintenance factors such as print head cleaning, and
so on. Appearance of, and options included in, this dialog box vary according to print device
make and model.
Ports Tab and Printer Pooling
As shown in Figure -10, the Ports tab enables you to select various available ports to which a
document will be printed. Documents will print to the first available selected port. Click Add
Port to bring up a dialog box that displays available port types and enables you to add new ports.
From here, you can add a new TCP/IP port for accessing a network printer; a wizard is provided
to guide you through the required steps. Options for configuring port options and deleting
unneeded ports are also available.

Figure -10. The Ports tab of the printer's Properties dialog box enables you to configure printer
ports and printer pooling.
The Ports tab also enables you to configure printer pooling. A printer pool is a group of print
devices that are connected to a single printer through multiple ports on the print server. These
print devices should be the same make and model so that they use the same printer driver. This
method is useful because it allows pooling of similar print devices. In high volume print
situations, if one print device is busy, print jobs directed to a printer can be spooled to another
available print device that is part of the printer pool and printing jobs are completed more

quickly. To configure printer pooling, specify a different port for each print device in the printer
pool. Then, select the check box labeled Enable printer pooling and click OK.
To client computers, the printer pool appears as though it were a single printer. When users
submit print jobs to the printer pool, the jobs are printed on any available print device. You
should position the physical print devices in close proximity to each other so that the user does
not have to search for print jobs. Enabling separator pages is a best practice that you should
follow so that the users can locate their print jobs rapidly and conveniently.
This tab also enables you to redirect a printer should a problem occur with its print device and
you need to take it offline for maintenance. Redirecting a printer on the print server redirects all
documents sent to that printer; you cannot redirect individual documents. To redirect the printer,
click Add Port, and on the Printer Ports dialog box, select Local Port, and then click New Port.
In the Port Name dialog box that appears, enter the UNC or URL path to the other printer, and
then click OK.
Advanced Tab
The Advanced tab enables you to control the availability of the printer and configure drivers and
spool settings. Available settings on this tab are shown in Figure -11 and described in Table -3.

Figure -11. The Advanced tab of the printer's Properties dialog box enables you to control
availability, priority, and spooler settings.
Table -3. Configurable Advanced Printer Properties

Always available / Available from: Enables you to specify the hours of the day when the printer is
available. For example, you can configure a printer that accepts large jobs to print only between
6 p.m. and 8 a.m. so that shorter jobs can be printed rapidly. Jobs submitted outside the available
hours are kept in the print queue until the available time.
Priority: Enables you to assign a numerical priority to the printer. This priority ranges from 1 to
99, with higher numbers receiving higher priority. The default priority is 1. For example, you can
assign a printer for managers a priority of 99 so that their print jobs are completed before those of
other employees.
Spool print documents so program finishes printing faster: Enables spooling of print documents.
Select from the following:
  Start printing after last page is spooled: Prevents documents from printing until completely
  spooled. Prevents delays when the print device prints pages faster than the rate at which they
  are provided.
  Start printing immediately: The default option; causes documents to be printed as rapidly as
  possible.
Print directly to the printer: Sends documents to the print device without first writing them to the
print server's hard disk drive. Recommended only for non-shared printers.
Hold mismatched documents: The spooler holds documents that do not match the available form
until this form is loaded. Other documents that match the form can print.
Print spooled documents first: Documents are printed in the order that they finish spooling, rather
than in the order that they start spooling. Use this option if you selected the Start printing
immediately option.
Keep printed documents: Retains printed jobs in the print spooler. Enables a user to resubmit a
document from the print queue rather than from an application.
Enable advanced printing features: Turns on metafile spooling and presents additional options like
page order and pages per sheet. This is selected by default and should be turned off only if printer
compatibility problems arise.
Printing Defaults command button: Selects the default orientation and order of pages being printed.
Users can modify this from most applications if desired. Additional print device-specific settings
may be present.
Print Processor command button: Specifies the available print processor, which processes a
document into the appropriate print job.
Separator Page command button: Enables you to specify a separator page file, which is printed at
the start of a print job to identify the print job and the user who submitted it. This is useful for
identifying printed output when many users access a single print device.

Security Tab and Printer Permissions
Just as you can assign permissions to files and folders as you learned in Chapter 9, you can
assign permissions to printers. Printers have access control lists (ACLs) that you can modify in
the same manner. Use the following steps to configure a printer's permissions from the Security
tab of its Properties dialog box:
1. Select the Security tab of the printer's Properties dialog box, as shown in Figure -12.

Figure -12. The Security tab of the printer's Properties dialog box enables you to
configure printer permissions.
2. If you need to add users or groups to the ACL, click Add to open the Select Users,
Computers, or Groups dialog box.
3. In this dialog box, click Advanced, and then click Find now to locate the required users
or groups. You may also use the fields in the Common Queries area of the dialog box to
narrow the search for the appropriate object.
4. Select one or more users or groups in the list, and then click OK. This returns you to the
Security tab of the printer's Properties dialog box.
5. Select the permissions you want to allow or deny from the available list. Table -4
describes the available permissions.
6. If you need to assign special permissions or check the effective permissions granted to a
specific user, click Advanced. The options available are similar to those discussed in
Chapter 9 for files and folders.
7. When you finish, click OK or Apply to apply your settings.
Table -4. Windows Server 2008 Printer Permissions

Print: Enables users to connect to the printer to print documents and control settings for their own
documents only. Users can pause, delete, and restart their own jobs only.
Manage this printer: Enables users to assign forms to paper trays and set a separator page. Users
can also pause, resume, and purge the printer, change printer properties and permissions, and even
delete the printer itself. Also enables users to perform the tasks associated with the Manage
Documents permission.
Manage documents: Enables users to pause, resume, restart, and delete all documents. Users can
also set the notification level for completed print jobs and set priority and scheduling properties
for documents to be printed.
Special permissions: Similar to the NTFS security permissions discussed in Chapter 9, the three
default printer permissions are made up of granular permissions. Click Advanced to bring up the
Advanced Security Settings dialog box, from which you can configure these permissions, if required.
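The following PowerShell script is an added example (not from the original text) that reads each
printer's ACL through the Win32_Printer WMI class and reports, in terms of the three default
permissions in Table -4, which trustees hold which rights. It flags Allow entries that grant Manage
this printer to broad groups such as Everyone or Authenticated Users, because anyone holding that
permission can change the printer's permissions or delete the printer. The access-mask bit values are
the winspool.h constants; the list of groups treated as broad is an assumption you should adjust to
your own domain.

```powershell
# Added example, not from the original text: list every printer's DACL on this
# server and flag broad grants of Manage this printer. Run elevated on the print
# server (Windows Server 2008 R2, PowerShell 2.0 is enough).
# Access-mask bits are the winspool.h constants behind the three default permissions.
$PRINTER_ACCESS_ADMINISTER = 0x4    # part of 'Manage this printer'
$PRINTER_ACCESS_USE        = 0x8    # 'Print'
$JOB_ACCESS_ADMINISTER     = 0x10   # 'Manage documents' (carried by inherit-only ACEs)
$INHERIT_ONLY_ACE          = 0x8    # AceFlags bit: ACE applies to print jobs, not the printer

# Assumption: the groups you consider too broad to hold Manage this printer.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'ANONYMOUS LOGON')

function Get-PrinterAceReport {
    param([string]$PrinterName)     # omit to report on every printer

    if ($PrinterName) { $printers = Get-WmiObject Win32_Printer -Filter "Name='$PrinterName'" }
    else              { $printers = Get-WmiObject Win32_Printer }

    foreach ($printer in $printers) {
        $result = $printer.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning ("Cannot read DACL of {0} (return code {1})" -f $printer.Name, $result.ReturnValue)
            continue
        }
        foreach ($ace in $result.Descriptor.DACL) {
            $mask        = [int64]$ace.AccessMask
            $inheritOnly = (($ace.AceFlags -band $INHERIT_ONLY_ACE) -ne 0)
            # Map the raw mask back onto the names shown on the Security tab.
            if ($inheritOnly -and (($mask -band $JOB_ACCESS_ADMINISTER) -ne 0)) { $right = 'Manage documents' }
            elseif (($mask -band $PRINTER_ACCESS_ADMINISTER) -ne 0)              { $right = 'Manage this printer' }
            elseif (($mask -band $PRINTER_ACCESS_USE) -ne 0)                     { $right = 'Print' }
            else                                                                  { $right = 'Special' }

            $type    = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            $trustee = if ($ace.Trustee.Domain) { '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name } else { $ace.Trustee.Name }
            $finding = ''
            if ($type -eq 'Allow' -and $right -eq 'Manage this printer' -and ($BroadPrincipals -contains $ace.Trustee.Name)) {
                $finding = 'REVIEW: broad group can manage this printer'
            }
            New-Object PSObject -Property @{
                Printer = $printer.Name; Trustee = $trustee; Type = $type
                Right   = $right; Mask = ('0x{0:X}' -f $mask); Finding = $finding
            }
        }
    }
}

Get-PrinterAceReport | Sort-Object Printer, Trustee |
    Format-Table Printer, Trustee, Type, Right, Mask, Finding -AutoSize
```

Administrators normally appear twice per printer, once with Manage this printer and once with an
inherit-only Manage documents entry; that is the expected shape of a default ACL, and a single
printer with an extra Allow row for a broad group is what the Finding column is meant to surface.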

3.6 Discuss Disk Management Tools & Tasks
As you begin managing the disks and storage for your Windows Server 2008 R2 server, you need a
firm handle on the basic terminology. Before you start creating and working with the drives on your
server, make sure you understand the terms used for disk storage, summarized in Table 1.

Table 1. Basic Disk Management Terminology

Basic disk: These are the default disk types in a Windows environment and have been around since
MS-DOS.
Dynamic disk: Dynamic disks are used to create volumes that will span multiple hard drives. These
drives can also be used for simple volumes.
Foreign disk: You will see a Foreign Disk option when you take a dynamic disk from one server and
place it in another server.
Partitions: These define how you break up your physical drives. Partitions can be primary
partitions, extended partitions, or logical drives.
Simple volume: This is the most basic type of volume and can be created and used only on one
physical disk.
Spanned volume: Spanned volumes combine two or more physical disks and allow you to create a
volume larger than a single physical disk on your system. The disks in a spanned volume need to be
dynamic disks.
Striped volume: Striped volumes combine two or more physical disks. The data stored on these
volumes is striped, which means when data is written to the drives, it is written alternately in
equal amounts across both physical drives. Striped volumes are faster than spanned or mirrored
volumes; however, they do not provide any redundancy. The disks in a striped volume need to be
dynamic disks. This is also known as RAID 0.
Mirrored volume: Mirrored volumes combine two disks that are duplicates of each other. This
provides you with an identical copy of data stored on two different disks and therefore some
protection against data loss. This is also known as RAID 1.
RAID: RAID stands for Redundant Array of Independent (or Inexpensive) Disks. RAID drives are
broken into different levels, and with the exception of RAID 0, all levels of RAID offer data
protection and redundancy from a failed drive or volume.
Master boot record (MBR): The MBR is part of the hard drive system used by the BIOS. The MBR is
used to store all the initial boot-processing information for performing the initial boot sequence
of the operating system. The MBR has been around for a long time and is primarily used for smaller
hard drives and is not recommended if your drive is larger than 2TB.
GUID partition table (GPT): The GPT, like the MBR, is another system used by the BIOS to load the
initial boot sequence of the hard drive. The GPT is a newer form of the MBR but utilizes the
extensible firmware interface for working with the drives. GPT drives can have more than four
partitions and are designed to work with large and small drives, particularly drives larger than
2TB. However, GPT drives are not recognized by all previous versions of Windows.

2. Work with Your Storage


You'll now learn how to work with your disks and create partitions. Although these may not be
day-to-day activities, this will create the foundation for storing data on your server. To begin
working with your storage on your Windows Server 2008 R2 server, you'll need to open the Disk
Management utility for your server. This utility will work with your locally connected hard
drives; however, USB- and FireWire-connected drives are not supported by the Disk
Management utility.
1. Open Server Manager by selecting Start => Administrative Tools => Server Manager.
2. In the Server Manager tree, click Storage.
3. In Storage, click Disk Management, and you will see a screen similar to Figure 1.

Figure 1. Disk Management utility


2.1. Convert a Basic Disk to a Dynamic Disk

In the Disk Management tool, you will see your volumes and disks listed on your server. When
you first put your physical disks on the system, they will most likely be basic disks. You can
choose to leave them as basic or convert them to dynamic. You will want to convert these disks
to dynamic disks when you need to create spanned and striped volumes. It is recommended that
you convert these disks prior to creating partitions or placing any data on the volumes.
To convert a disk to dynamic, follow these steps:
1. Open Server Manager by selecting Start => Administrative Tools => Server Manager.
2. In the Server Manager tree, click Storage.
3. In Storage, click Disk Management.
4. Right-click the disk you want to convert.
5. Select Convert To Dynamic Disk.
6. Select the disk or disks in the bottom window of the middle pane you want to convert,
and click OK.
2.2. Import a Foreign Disk
When you move a dynamic disk from one server to another server, the drive will be labeled as
Foreign. You can see an example of a foreign disk in Figure 2.

Figure 2. Foreign disk


Before you can use the drive, you need to import it:
1. Open Server Manager by selecting Start => Administrative Tools => Server Manager.
2. In the Server Manager tree, click Storage.

3. In Storage, click Disk Management.


4. Right-click the disk in the bottom window of the middle pane you want to import.
5. Select Import Foreign Disks.
6. On the Import Disk screen, select the disks you want to import, and click OK.
7. In the Foreign Disk Volumes dialog box, you will see what volumes currently exist on the
drive, as shown in Figure 3. Review the volumes, and click OK.

Figure 3. Foreign volumes

You may see a warning about some of your volumes losing data, as shown here. This
typically occurs when you import disks and volumes that were part of a RAID volume. If
you have reviewed the message about the volumes that will lose data and are ready to
import, click Yes.

2.3. Create Simple Volumes


Before you can use your disks for storage, you will generally need to create volumes on the
drives for use within your server. Creating simple volumes is fairly straightforward:
1. Open Server Manager by selecting Start => Administrative Tools => Server Manager.
2. In the Server Manager tree, click Storage.
3. In Storage, click Disk Management.

4. Right-click the unallocated space in the bottom window of the middle pane you want to
create the volume on.
5. Click New Simple Volume.
6. On the Welcome screen, review the message, and click Next.
7. Select the size you want to make the volume, and click Next.
8. Select how you want to mount the volume. You can choose to mount to a drive letter,
mount to a folder on an existing drive, or not assign any mount point. After you make
your selection, click Next.
9. Next, you can select how to format the drive. After you make your selection, click Next.
You will see a screen similar to Figure 4.
10. Review the summary screen, and click Finish.

Figure 4. Format partition options


2.4. Create Spanned and Striped Volumes
Creating spanned and striped volumes is similar to creating simple volumes. These types of
volumes require your disks to be dynamic disks, and they require two or more drives to create. The
ability to create these types of volumes is determined by the number of drives and the amount of
unallocated space you have available on your Windows Server 2008 R2 server. When you right-click
the unallocated space and see the options grayed out, as shown in Figure 5, you do not have the
disks or unallocated space needed to create the volumes.

Figure 5. Grayed-out options


Creating a spanned volume is similar to creating a simple volume:
1. Open Server Manager by selecting Start => Administrative Tools => Server Manager.
2. In the Server Manager tree, click Storage.
3. In Storage, click Disk Management.
4. Right-click the unallocated space in the bottom window of the middle pane you want to
create the volume on.
5. Click New Spanned Volume.
6. On the Welcome screen, review the message, and click Next.
7. On the Select Disks screen, as shown in Figure 6, select the disks you want to use for the
volume, and click Add to place them in the Selected section.

Figure 6. Selecting disks


8. Select the size you want to make the volume, and click Next.
9. Select how you want to mount the volume. You can choose to mount to a drive letter, mount
to a folder on an existing drive, or not assign any mount point. After you make your
selection, click Next.

10. Next, you can select how to format the drive. After you make your selection, click Next.
11. Review the summary screen, and click Finish.
12. You will see a warning dialog box, as shown in Figure 7, if the drives need to be
converted to dynamic drives for spanned volumes. After you review the warning, click
Yes.

Figure 7. Dynamic disk conversion warning


Creating a striped volume is similar to creating spanned volumes. It is important for you to
understand that striping helps improve the performance of your hard drive. However, it does
have one risk. If you lose one hard drive from the striped volume, you will lose all the data
across the entire volume.
1. Open Server Manager by selecting Start => Administrative Tools => Server Manager.
2. In the Server Manager tree, click Storage.
3. In Storage, click Disk Management.
4. Right-click the unallocated space in the bottom window of the middle pane you want to
create the volume on.
5. Click New Striped Volume.
6. On the Welcome screen, review the message, and click Next.
7. On the Select Disks screen, select the disks you want to use for the striped volume, and
click Add to place them in the selected option.
8. Select the size you want to make the volume, and click Next.
9. Select how you want to mount the volume. You can choose to mount to a drive letter, mount
to a folder on an existing drive, or not assign any mount point. After you make your
selection, click Next.
10. Next, you can select how to format the drive. After you make your selection, click Next.

11. Review the summary screen, and click Finish.


12. You will see a warning dialog box, as shown in Figure 7, if the drives need to be
converted to dynamic drives for striped volumes. After you review the warning, click
Yes.
NOTE
When you create a striped volume, it will make the partitions on all disks the same size.

Figure 8. Striped volume
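The following PowerShell script is an added example, not part of the original text: it repeats the
striped-volume procedure above (convert to dynamic, select two disks, format, assign a letter) as a
diskpart script, with a check beforehand that neither disk still holds partitions, because convert
dynamic and create volume are destructive. The disk numbers 1 and 2, the drive letter E:, and the
label DATA are assumptions; the same script creates a spanned volume if you replace stripe with
spanned (diskpart's own keyword for that volume type).

```powershell
# Added example, not from the original text: repeat the New Striped Volume wizard
# (steps 4 to 12 above) with a diskpart script, guarded by a check that the chosen
# disks carry no partitions, because convert dynamic and create volume are destructive.
# Assumptions (not from the page): disks 1 and 2 are the two empty disks, and the
# drive letter E: and label DATA are constructed.
$DiskNumbers = 1, 2
$DriveLetter = 'E'
$Label       = 'DATA'

# Preflight: Win32_DiskDrive.Partitions is the partition count; refuse a non-empty disk.
foreach ($n in $DiskNumbers) {
    $disk = Get-WmiObject Win32_DiskDrive -Filter "Index=$n"
    if (-not $disk) { throw "Disk $n not found" }
    if ($disk.Partitions -gt 0) {
        throw "Disk $n still has $($disk.Partitions) partition(s); refusing to convert it"
    }
}
if (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${DriveLetter}:'") {
    throw "Drive letter ${DriveLetter}: is already in use"
}

# diskpart script. 'convert dynamic noerr' tolerates a disk that is already dynamic;
# 'create volume stripe' takes equal space from each disk, so the partitions end up
# the same size (the NOTE above); focus moves to the new volume, so format and
# assign apply to it.
$diskList = $DiskNumbers -join ','
$script = @"
select disk $($DiskNumbers[0])
convert dynamic noerr
select disk $($DiskNumbers[1])
convert dynamic noerr
create volume stripe disk=$diskList
format fs=ntfs label="$Label" quick
assign letter=$DriveLetter
list volume
"@
$scriptPath = Join-Path $env:TEMP 'new-stripe.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
& diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Verify: an NTFS volume on the requested letter, roughly twice the size of one disk.
Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${DriveLetter}:'" |
    Select-Object DeviceID, VolumeName, FileSystem,
                  @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
```

Keep the partition check even when you are sure the disks are empty: a striped volume has no
redundancy, and the same script run against the wrong disk number destroys whatever that disk held.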


Using Check Disk to Scan For and Fix File System Errors
The Check Disk tool can be used either to scan for and report errors on a file system, or to locate
and fix errors. The graphical form of Check Disk can be invoked either from within Windows
Explorer or the Disk Management tool. In either case, invoke the tool by right clicking on the
drive in question, selecting Properties, clicking the Tools tab and pressing the Check Now...
button. Once invoked, the initial Check Disk dialog will appear providing two options as
illustrated below:

If neither option is selected when the Start button is pressed, Check Disk will only report
errors, not attempt to fix them. For Check Disk to repair errors and recover bad sectors during
the scan, the Automatically fix file system errors and Scan for and attempt recovery of bad
sectors toggles must be selected, respectively.
If the disk drive contains open files, Check Disk will be unable to fix errors located during the
scan and will display a dialog warning you of this fact. This warning dialog will also provide the
option to have the check run on the next system reboot (before any files are opened). This marks

the disk as dirty forcing Check Disk execution at system startup. This setting may also be
specified from the command prompt as follows:
fsutil dirty set e:
Volume - e: is now marked dirty
The current setting for a volume may be checked at any time using fsutil dirty query:
fsutil dirty query e:
Volume - e: is Dirty
Running Check Disk from the Command-prompt
The Check Disk process may also be initiated from the command prompt using the chkdsk
command combined with the designator of the drive on which the scan is to be performed. In
addition to performing the same functions as the graphical version of Check Disk, the command
prompt version also provides more detailed disk analysis and repair reports.
The chkdsk utility accepts a number of command line options which govern the tasks performed
during execution. These options are outlined in the following table:
/F: Analyze the disk and fix any errors detected.
/B: Reevaluate clusters marked as bad on the volume.
/C: Do not check for cycles (a situation where a directory points to itself) within the folder
structure. NTFS only.
/I: Perform a minimum check of indexes. NTFS only.
/L[:Size]: Change the size of the transaction log file to Size KB (the default size is 4096 KB).
NTFS only.
/R: Analyze the disk and fix any errors, check for bad sectors and mark them as bad.
/V: List the full path of every file on the volume on FAT/FAT32. Displays messages related to
fixing errors on NTFS volumes.
/X: Force the volume to dismount if currently mounted.

To perform a disk analysis without correcting any errors, simply enter chkdsk at a command
prompt together with the drive designator of the drive to be analyzed. The following output is the
result of running chkdsk on an NTFS volume:
C:\Windows\system32>chkdsk e:
The type of the file system is NTFS.

Volume label is New Volume.


WARNING! F parameter not specified.
Running CHKDSK in read-only mode.
CHKDSK is verifying files (stage 1 of 3)...
64 file records processed.
File verification completed.
0 large file records processed.
0 bad file records processed.
0 EA records processed.
0 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 3)...
90 index entries processed.
Index verification completed.
0 unindexed files processed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
64 security descriptors processed.
Security descriptor verification completed.
data files processed.
Windows has checked the file system and found no problems.
8385535 KB total disk space.
328864 KB in 9 files.
16 KB in 15 indexes.
0 KB in bad sectors.
44715 KB in use by the system.
43984 KB occupied by the log file.
8011940 KB available on disk.
4096 bytes in each allocation unit.
2096383 total allocation units on disk.
2002985 allocation units available on disk.
To perform error fixing, run chkdsk with the /F option. Alternatively the /R option will perform
the same error fixing as /F but will also check for bad sectors. The /X option performs the same
error corrections as /F but also dismounts the volume before doing so.
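The following PowerShell function is an added example, not part of the original text: it combines
the fsutil dirty query and read-only chkdsk runs shown above into one volume health check that can
be logged or scheduled, turning chkdsk's exit code and the summary lines of its report into an
object. The exit codes are the ones documented for chkdsk (0 no errors, 1 errors found and fixed,
2 disk cleanup performed or skipped, 3 errors found but not fixed, for example because /F was not
given). The drive letter E: is an assumption, and the function runs no repair: it never passes /F,
so it is safe on a volume with open files.

```powershell
# Added example, not from the original text: read-only volume health check built on
# 'fsutil dirty query' and a read-only 'chkdsk' run. Assumptions (not from the page):
# E: is a constructed drive letter; run from an elevated prompt.
function Test-VolumeHealth {
    param([Parameter(Mandatory = $true)][string]$Drive)   # e.g. 'E:'

    # 1. Dirty bit: set after an unclean shutdown or by 'fsutil dirty set'; a dirty
    #    volume is checked at the next boot. Output is 'is Dirty' or 'is NOT Dirty'.
    $dirtyText = & fsutil.exe dirty query $Drive 2>&1 | Out-String
    $isDirty   = ($dirtyText -match '\bis Dirty\b')

    # 2. Read-only pass: no /F, so nothing is changed and open files are not a problem.
    $output = & chkdsk.exe $Drive 2>&1 | Out-String
    $code   = $LASTEXITCODE

    # 3. Pull the KB totals from the report lines, e.g. '   0 KB in bad sectors.'
    $kb = @{}
    foreach ($line in ($output -split "`r?`n")) {
        if ($line -match '^\s*(\d+)\s+KB\s+(total disk space|in bad sectors|available on disk)') {
            $kb[$matches[2]] = [int64]$matches[1]
        }
    }

    New-Object PSObject -Property @{
        Drive          = $Drive
        DirtyBit       = $isDirty
        ChkdskExitCode = $code
        NoProblems     = ($output -match 'found no problems')
        TotalKB        = $kb['total disk space']
        FreeKB         = $kb['available on disk']
        BadSectorKB    = $kb['in bad sectors']
        # Repair (chkdsk /F or /R, or a scheduled boot-time check) is warranted when the
        # volume is dirty, chkdsk reports unfixed errors, or bad sectors are in use.
        NeedsRepair    = ($isDirty -or ($code -eq 3) -or ($kb['in bad sectors'] -gt 0))
    }
}

Test-VolumeHealth -Drive 'E:' | Format-List
```

Because the function only reads, it can run on a schedule; act on NeedsRepair by running chkdsk
with /F or /R in a maintenance window, or by marking the volume dirty so the check happens at the
next boot, as described above.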
Defragmenting Disks with Disk Defragmenter
Disk fragmentation occurs over time as files written to clusters spread over a wide area of a
disk volume. This is the inevitable side effect of files being created and deleted over time and
can ultimately result in degraded disk read/write performance. As such, it is considered good
practice to regularly monitor and, when necessary, defragment disk volumes.

One method for performing this task is to use the Disk Defragmenter tool which is accessed by
right clicking on a disk volume in Windows Explorer or the Disk Management interface in
Computer Management and selecting Properties. In the properties dialog, select the Tools tab and
click on Defragment Now.... This will display the initial screen of the Disk Defragmenter as
illustrated in the following figure:

The tool will perform a scan of the selected volume and report whether a defragmentation is
recommended (and in the above example it is recommended). Click on Defragment now... to
initiate the defragmentation process. This will cause the drive selection dialog to appear. Select
one or more disks to defragment from this dialog followed by OK to trigger the defragmentation
process. As each selected drive is defragmented the progress will be displayed together with a
button providing the option to cancel the process.
Automated Disk Defragmentation
Windows Server 2008 also provides the option to automatically defragment disk drives as a
background task. This is scheduled in the Disk Defragmenter tool which can be accessed either
from within Windows Explorer or Disk Management as outlined above. Once invoked,
automated disk defragmentation is configured by setting the Run on a schedule (recommended)
toggle:

By default, automated defragmentation occurs at 1am every Wednesday. Once selected, the
schedule may be configured by clicking on the Modify schedule... button where the frequency
(daily, weekly, monthly), day and time may be specified:

To specify the volumes to be automatically defragmented, click on Modify volumes... and make
the required volume selections.

Defragmenting Disks from the Command-line

Disk fragmentation may be analyzed and repaired from the command prompt using the defrag
command. This command supports a number of command-line options as described in the
following table:
Option  Description
-A      Perform an analysis of the specified volume.
-C      Defragment all disks.
-F      Force defragmentation of a volume even when low on space.
-R      Perform a partial defragmentation, consolidating fragments smaller than 64 MB (default).
-V      Set verbose mode for detailed output during analysis and/or defragmentation.
-W      Perform a full defragmentation, consolidating all fragments regardless of fragment size.

A more detailed report can be obtained using the -A option in conjunction with -V, for example:
C:\Windows\system32>defrag e: -a -v
Windows Disk Defragmenter
Copyright (c) 2006 Microsoft Corp.
Analysis report for volume E: New Volume

    Volume size                   = 8.00 GB
    Cluster size                  = 4 KB
    Used space                    = 65 MB
    Free space                    = 7.93 GB
    Percent free space            = 99 %

File fragmentation
    Percent file fragmentation    = 0 %
    Total movable files           = 14
    Average file size             = 4 MB
    Total fragmented files        = 1
    Total excess fragments        = 1
    Average fragments per file    = 1.12
    Total unmovable files         = 4

Free space fragmentation
    Free space                    = 7.93 GB
    Total free space extent       = 4
    Average free space per extent = 1.98 GB
    Largest free space extent     = 4.00 GB

Folder fragmentation
    Total folders                 = 7
    Fragmented folders            = 1
    Excess folder fragments       = 0

Master File Table (MFT) fragmentation
    Total MFT size                = 64 KB
    MFT record count              = 34
    Percent MFT in use            = 53
    Total MFT fragments           = 2

Note: On NTFS volumes, file fragments larger than 64MB are not included in the
fragmentation statistics
You do not need to defragment this volume.
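The two command-line checks above (chkdsk without /F, and defrag -a -v) are the pieces an administrator would combine into a scheduled, read-only health sweep. The PowerShell script below is an added example and not part of the original notes: it enumerates every fixed NTFS volume, maps the chkdsk exit code to a verdict, parses the "Percent file fragmentation" line out of the analysis report (the alternative "Total fragmented space" label is an assumption about the report format of Windows Server 2008 R2, whose defrag documents the same switches as /A and /V), and flags volumes above an assumed 10% threshold. Nothing is modified: no /F is passed and no defragmentation is started.

```powershell
# Added example (not from the original notes): read-only health sweep of every
# fixed NTFS volume. chkdsk runs WITHOUT /F, so nothing is changed on disk, and
# the defrag analysis report is parsed so only volumes above a threshold are
# flagged. The 10% threshold is an assumed policy value.
param(
    [int]$FragmentationThreshold = 10   # percent, assumed policy value
)

function Get-ChkdskVerdict {
    # Read-only chkdsk exit codes: 0 = no problems, 2 = cleanup performed or
    # skipped because /F was not given, 3 = errors found and NOT fixed (no /F).
    param([string]$Drive)
    $null = & chkdsk.exe $Drive 2>&1      # text discarded; the exit code is the verdict
    switch ($LASTEXITCODE) {
        0       { 'Clean' }
        2       { 'CleanupPending' }
        3       { 'ErrorsFound-NotFixed' }
        default { "Unknown($LASTEXITCODE)" }
    }
}

function Get-FragmentationPercent {
    # Runs the analysis-only report (-a -v, as in the notes) and pulls the
    # percentage line out of it. "Total fragmented space" is the assumed label
    # of the Windows Server 2008 R2 report; 2008 prints
    # "Percent file fragmentation" as shown in the notes.
    param([string]$Drive)
    $report = & defrag.exe $Drive -a -v 2>&1 | Out-String
    if ($report -match '(?:Percent file fragmentation|Total fragmented space)\s*=\s*(\d+)\s*%') {
        return [int]$Matches[1]
    }
    return $null                          # report did not contain the expected line
}

function Get-VolumeHealthReport {
    param([int]$Threshold = $FragmentationThreshold)
    # DriveType 3 = local fixed disk; limited to NTFS as the notes recommend.
    $volumes = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3 AND FileSystem='NTFS'"
    foreach ($v in $volumes) {
        $fragment = Get-FragmentationPercent -Drive $v.DeviceID
        New-Object PSObject -Property @{
            Volume        = $v.DeviceID
            Label         = $v.VolumeName
            FreeGB        = [math]::Round($v.FreeSpace / 1GB, 2)
            Chkdsk        = Get-ChkdskVerdict -Drive $v.DeviceID
            FragmentPct   = $fragment
            DefragAdvised = ($fragment -ne $null -and $fragment -ge $Threshold)
        }
    }
}

Get-VolumeHealthReport |
    Format-Table Volume, Label, FreeGB, Chkdsk, FragmentPct, DefragAdvised -AutoSize
```

Run it from an elevated prompt. A verdict of ErrorsFound-NotFixed is the cue to schedule chkdsk /F (or /R when a bad-sector scan is wanted) in a maintenance window; on the boot volume a read-only chkdsk can report inconsistencies that are only a consequence of the volume being in use, so confirm with a second run before acting on it.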

3.7 Describe File Systems and User Management.


Windows Server 2008 R2 provides many services that can be leveraged to deploy a highly
reliable, manageable, and fault-tolerant file system infrastructure.
Windows Volume and Partition Formats
When a new disk is added to a Windows Server 2008 R2 system, it must be configured by
choosing what type of disk, type of volume, and volume format type will be used. To introduce
some of the file system services available in Windows Server 2008 R2, you must understand a
disk's volume partition format types. Windows Server 2008 R2 enables administrators to format
Windows disk volumes by choosing either the file allocation table (FAT) format, FAT32 format,
or NT File System (NTFS) format. FAT-formatted partitions are legacy-type partitions used by
older operating systems and floppy disk drives and are limited to 2GB in size. FAT32 is an
enhanced version of FAT that can accommodate partitions up to 2TB and is more resilient to disk
corruption. Data stored on FAT or FAT32 partitions is not secure, and these formats do not provide many
features. NTFS-formatted partitions have been available since Windows NT 3.51 and provide
administrators with the ability to secure files and folders, as well as the ability to leverage many
of the services provided with Windows Server 2008 R2.
NTFS-Formatted Partition Features
NTFS enables many features that can be leveraged to provide a highly reliable, scalable, secure,
and manageable file system. Base features of NTFS-formatted partitions include support for
large volumes, configuring permissions or restricting access to sets of data, compressing or
encrypting data, configuring per-user storage quotas on entire partitions and/or specific folders,
and file classification tagging. Several Windows services require NTFS volumes; as a best
practice, we recommend that all partitions created on Windows Server 2008 R2 systems are
formatted using NT File System (NTFS).

File System Quotas


File system quotas enable administrators to configure storage thresholds on particular sets of data
stored on server NTFS volumes. This can be handy in preventing users from inadvertently filling
up a server drive or taking up more space than is designated for them. Also, quotas can be used
in hosting scenarios where a single storage system is shared between departments or
organizations and storage space is allocated based on subscription or company standards.
The Windows Server 2008 R2 file system quota service provides more functionality than was
included in versions older than Windows Server 2008. Introduced in Windows 2000 Server as an
included service, quotas could be enabled and managed at the volume level only. This did not
provide granular control; furthermore, because it was at the volume level, to deploy a functional
quota-managed file system, administrators were required to create several volumes with different
quota settings. Windows Server 2003 also included the volume-managed quota system, and one
limitation of this system was the fact that data size was not calculated in real
time. This resulted in users exceeding their quota threshold after a large copy was completed.
Windows Server 2008 and Windows Server 2008 R2 include the volume-level quota
management feature but can also be configured to enable and/or enforce quotas at the folder
level on any particular NTFS volume using the File Server Resource Manager service. Included
with this service is the ability to screen out certain file types, as well as real-time calculation of
file copies to stop operations that would exceed quota thresholds. Reporting and notifications
regarding quotas can also be configured to inform end users and administrators at scheduled
intervals, when nearing a quota threshold, or when the threshold is actually reached.
Data Compression
NTFS volumes support data compression, and administrators can enable this functionality at the
volume level, allowing users to compress data at the folder and file level. Data compression
reduces the required storage space for data. Data compression, however, does have some
limitations, as follows:
Additional load is placed on the system during read, write, and compression and
decompression operations.
Compressed data cannot be encrypted.
Data Encryption
NTFS volumes support the ability for users and administrators to encrypt the entire volume, a
folder, or a single file. This provides a higher level of security for data. If the disk, workstation,
or server the encrypted data is stored on is stolen or lost, the encrypted data cannot be accessed.
Enabling, supporting, and using data encryption on Windows volumes and Active Directory
domains needs to be considered carefully as there are administrative functions and basic user
issues that can cause the inability to access previously encrypted data.
File Screening
File screening enables administrators to define the types of files that can be saved within a
Windows volume and folder. With a file screen template enabled, all file write or save operations
are intercepted and screened and only files that pass the file screen policy are allowed to be
saved to that particular volume or folder. The one implication with the file screening
functionality is that if a new file screening template is applied to an existing volume, files that
would normally not be allowed on the volume would not be removed if they are already stored
on it.
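The folder-level quota and the file screen described in these two subsections are configured through the File Server Resource Manager console, but the same role service installs two command-line tools, dirquota.exe and filescrn.exe, that let the work be scripted and verified. The PowerShell script below is an added example and not part of the original notes or of FSRM's own documentation: the folder path, the 500MB limit and the "Audio and Video Files" file group (one of the groups FSRM creates by default) are assumed values, the switch names follow the FSRM command-line reference, and the final step checks that the active screen really refuses a write rather than assuming it does.

```powershell
# Added example (not from the original notes): FSRM folder quota + active file
# screen via the dirquota.exe / filescrn.exe tools that the File Server Resource
# Manager role service installs, followed by a check that the screen enforces.
# Path, limit and file group are assumed values.
param(
    [string]$Path      = 'D:\Shares\Users',         # assumed share root
    [string]$Limit     = '500MB',                   # assumed hard limit per folder
    [string]$FileGroup = 'Audio and Video Files'    # a file group FSRM defines by default
)

function Assert-FsrmTools {
    foreach ($tool in 'dirquota.exe', 'filescrn.exe') {
        if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
            throw "$tool not found: install the File Server Resource Manager role service first."
        }
    }
}

function Invoke-Fsrm {
    # Runs one FSRM tool and turns a non-zero exit code into a terminating error.
    param([string]$Tool, [string[]]$Arguments)
    $output = & $Tool $Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "$Tool $($Arguments -join ' ') failed: $output" }
    return $output
}

function Set-FolderQuota {
    # A hard quota refuses, in real time, any write that would cross the limit;
    # this is the behaviour the notes contrast with the old volume-level quotas.
    param([string]$Folder, [string]$HardLimit)
    $existing = & dirquota.exe quota list "/path:$Folder" 2>&1 | Out-String
    $verb = if ($existing -match [regex]::Escape($Folder)) { 'modify' } else { 'add' }
    Invoke-Fsrm 'dirquota.exe' @('quota', $verb, "/path:$Folder", "/limit:$HardLimit", '/type:hard') | Out-Null
}

function Set-FolderScreen {
    # Active = saves are refused; Passive would only log/notify, which is the
    # mode to use while discovering what users already store before enforcing.
    param([string]$Folder, [string]$Group)
    $existing = & filescrn.exe screen list "/path:$Folder" 2>&1 | Out-String
    $verb = if ($existing -match [regex]::Escape($Folder)) { 'modify' } else { 'add' }
    Invoke-Fsrm 'filescrn.exe' @('screen', $verb, "/path:$Folder", '/type:active', "/add-filegroup:$Group") | Out-Null
}

function Test-ScreenBlocksWrite {
    # The screen is only worth anything if a blocked type really cannot be
    # created. Returns $true when the write is refused.
    param([string]$Folder)
    $probe = Join-Path $Folder 'screen-probe.mp3'
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force           # screen did NOT block: clean up
        return $false
    } catch {
        return $true                              # access denied by the file screen
    }
}

Assert-FsrmTools
Set-FolderQuota  -Folder $Path -HardLimit $Limit
Set-FolderScreen -Folder $Path -Group $FileGroup
if (Test-ScreenBlocksWrite -Folder $Path) {
    "File screen on $Path is enforcing; quota $Limit (hard) applied."
} else {
    Write-Warning "File screen on $Path did not refuse a .mp3 write: check the file group and screen type."
}
```

As the notes point out, applying the screen does not remove files of the blocked type that are already on the volume; a Files by File Group storage report (see File System Monitoring and Reporting below) is the way to find those before deciding what to do with them.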
File Classification Infrastructure
Windows Server 2008 R2 includes a new feature called the File Classification Infrastructure
(FCI). The FCI enables administrators to create classification policies that can be used to identify
files and tag or classify files according to properties and policies defined by the file server
administrators. FCI can be managed by using the File Server Resource Manager console and
allows for file server administrators to identify files and classify these files by setting specific
FCI property values to these files based on the folder they are stored in and/or based on the
content stored within the file itself. When a file is classified by FCI, if the file is a Microsoft
Office file, the FCI information is stored within the file itself and follows the file wherever it is
copied or moved to. If the file is a different type of file, the FCI information is stored within the
NTFS volume itself, but the FCI information follows the file to any location it is copied or
moved to, provided that the destination is an NTFS volume hosted on a Windows Server 2008
R2 system.
Volume Shadow Copy Service (VSS)
Windows Server 2003 introduced a file system service called the Volume Shadow Copy Service
(VSS). The VSS enables administrators and third-party independent software vendors to take
snapshots of the file system to allow for faster backups and, in some cases, point-in-time
recovery without the need to access backup media. VSS copies of a volume can also be mounted
and accessed just like another Windows volume if that should become necessary.
Shadow Copies of Shared Folders
Volume shadow copies of shared folders can be enabled on Windows volumes to allow
administrators and end users to recover data deleted from a network share without having to
restore from backup. The shadow copy runs on a scheduled basis and takes a snapshot copy of
the data currently stored in the volume. In previous versions of Windows prior to Windows
Server 2003, if a user mistakenly deleted data in a network shared folder, it was immediately
deleted from the server and the data had to be restored from backup. A Windows Server 2003,
Windows Server 2008, or Windows Server 2008 R2 NTFS volume that has shadow copies
enabled allows a user with the correct permissions to restore deleted or overwritten data from a
previously stored shadow copy backup. It is important to note that shadow copies are stored on
local volumes and if the volume hosting the shadow copy becomes inaccessible or corrupted, so
does the shadow copy. Shadow copies are not a replacement for backups and should not be
considered a disaster recovery tool.
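Shadow Copies of Shared Folders are normally switched on from the Shadow Copies tab of a volume, which also creates the scheduled task that takes the snapshots. The PowerShell script below is an added example and not part of the original notes: it does the same with vssadmin.exe and the Win32_ShadowCopy WMI class (the "ClientAccessible" context is what marks a snapshot as a Shadow Copy of Shared Folders), and then shows where the shadow storage actually sits, which is the caveat the paragraph above ends on. The drive letters and the 10% storage cap are assumed values.

```powershell
# Added example (not from the original notes): turn on Shadow Copies of Shared
# Folders for a volume, take one snapshot now, and show where it is stored.
# Drive letters and the storage cap are assumed values.
param(
    [string]$Volume     = 'E:',     # volume that hosts the shares (assumed)
    [string]$DiffVolume = 'E:',     # volume that holds the shadow storage (assumed)
    [string]$MaxSize    = '10%'     # cap on the shadow storage area (assumed)
)

function Enable-ShadowStorage {
    # vssadmin refuses to "add" storage that already exists, so resize instead.
    param([string]$For, [string]$On, [string]$Max)
    $current = & vssadmin.exe list shadowstorage "/for=$For" 2>&1 | Out-String
    $verb = if ($current -match 'Shadow Copy Storage volume') { 'resize' } else { 'add' }
    & vssadmin.exe $verb shadowstorage "/for=$For" "/on=$On" "/maxsize=$Max" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "vssadmin $verb shadowstorage failed with exit code $LASTEXITCODE" }
}

function New-SharedFolderShadow {
    # Context "ClientAccessible" marks the snapshot as a Shadow Copy of Shared
    # Folders, i.e. what the Previous Versions tab on clients enumerates.
    param([string]$For)
    $class  = [wmiclass]'root\cimv2:Win32_ShadowCopy'
    $result = $class.Create("$For\", 'ClientAccessible')
    if ($result.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create returned $($result.ReturnValue)" }
    return $result.ShadowID
}

function Get-ShadowInventory {
    # Lists the snapshots of one volume. Win32_ShadowCopy names volumes by GUID
    # path, so the drive letter is resolved through Win32_Volume first.
    param([string]$For)
    $vol = Get-WmiObject Win32_Volume -Filter "DriveLetter='$For'"
    Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Select-Object ID, ClientAccessible,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.InstallDate) } }
}

Enable-ShadowStorage -For $Volume -On $DiffVolume -Max $MaxSize
$id = New-SharedFolderShadow -For $Volume
"Created shadow copy $id of $Volume"
Get-ShadowInventory -For $Volume | Format-Table -AutoSize
# The notes' caveat made visible: if the storage volume reported below is the
# data volume itself, losing that disk loses every snapshot with it.
& vssadmin.exe list shadowstorage "/for=$Volume"
```

Running the snapshot step on a schedule (Task Scheduler, twice a day is what the GUI defaults to) gives the same result as enabling the feature from the Shadow Copies tab; keeping the diff area on a separate disk reduces the I/O impact but, as the notes say, still does not make shadow copies a substitute for backups.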
Volume Shadow Copy Service Backup
The Volume Shadow Copy Service in Windows Server 2008 R2 also provides the ability for
Windows Backup and third-party software vendors to utilize this technology to improve backup
performance and integrity. A VSS-compatible backup program can call on the Volume Shadow
Copy Service to create a shadow copy of a particular volume or database, and then the backup
can be created using that shadow copy. A benefit of utilizing VSS-aware backups is that the
reliability and performance of the backup is increased as the backup window will be shorter and
the load on the system disk will be reduced during the backup.
Remote Storage Service (RSS)
The Remote Storage Service was included with Windows 2000 Server and Windows Server
2003. The Remote Storage Service enables administrators to migrate or archive data to lower-cost,
slower disks or tape media to reduce the required storage space on file servers.
This service, however, has been discontinued in Windows Server 2008 and is not included in
Windows Server 2008 R2 either. Many organizations that required this sort of functionality have
turned to third-party vendors to provide this type of hierarchical storage management. However,
the New File Management Tasks node within the File Server Resource Manager console
provides a function that allows administrators to schedule processes that will report on files that
might be candidates for moving to alternate storage through a function called file expiration. This
can be configured to notify both administrators and end-user file owners of upcoming files that
will be expired and moved to alternate volumes. One main difference, however, is that file
expiration does not leave a link in the original file location as the Remote Storage Service
previously did.
Distributed File System (DFS)
As the file services needs of an organization change, it can be a challenging task for
administrators to design a migration plan to support the new requirements. In many cases when
file servers need additional space or need to be replaced, extensive migration time frames,
scheduled outages, and, sometimes, heavy user impact results.
In an effort to create highly available file services that reduce end-user impact and simplify file
server management, Windows Server 2008 R2 includes the Distributed File System (DFS)
service. DFS provides access to file data from a single namespace that can be used to represent a
single server or a number of servers that store different sets or replicated sets of the same data.
For example, when using DFS in an Active Directory domain, a DFS namespace named
\\companyabc.com\UserShares could redirect users to \\Server10\UserShares or to a replicated
copy of the data stored at \\Server20\UserShares.
Users and administrators both can benefit from DFS because they only need to remember a
single server or domain name to locate all the necessary file shares.
Distributed File System Replication (DFSR)
With the release of Windows 2003 R2 and continuing with Windows Server 2008 and Windows
Server 2008 R2, DFS has now been upgraded. In previous versions, DFS Replication was
performed by the File Replication Service (FRS). Starting with Windows Server 2003 R2, DFS
Replication is now performed by the Distributed File System Replication service, or DFSR.
DFSR uses the Remote Differential Compression (RDC) protocol to replicate data. The RDC
protocol improves upon FRS with better replication stability, more granular administrative
control, and additional replication and access options. Also, starting with Windows Server 2008
R2, RDC improves replication by only replicating the portions of files that have changed, as
opposed to replicating the entire file, and replication can now be secured in transmission.

File System Management Tools


Windows Server 2008 R2 provides several tools administrators can leverage to manage Windows
Server 2008 R2 file servers. Administrators can install these tools on Windows Server 2008 R2
systems by adding the File Services tools feature to the system. The File Services tools can be
added by invoking the Add Features applet located in Server Manager. The tools are located in
the Add Features, Remote Server Administration Tools, Role Administration Tools hierarchy.
The File Services tools installed in this group include the following:

Distributed File System tools


File Server Resource Manager tools

Services for Network File System tools

File System Monitoring and Reporting


Windows Server 2008 R2 includes the ability for administrators to enable automated monitoring
and reporting of the file system. This includes reporting on storage and quota usage, file
screening, file group by types as well as owners, and file properties. Also, new to Windows
Server 2008 R2 is the ability to produce reports on file classification and file expiration file
management tasks.
3.8 Implementing Files and Folder NTFS & Share Permissions.
One of the key advantages offered by NTFS over the older FAT file system type is the concept of
file and folder permissions and ownership. Through careful implementation and management,
file and folder permissions on NTFS based file systems significantly increase the security of
data stored on a Windows Server system. In addition, file and folder permissions augment the
share permissions discussed in previous chapters to provide finer grained control over access to
shared files and folders.
Ownership of Files and Folders
The owner of a file or folder is the user who has complete control over that file or folder, in
terms of being able to grant access to the resource and to allow other users to take over the
ownership of the file or folder. This is often, but not always, the creator of the file or folder, and
is governed by the location in which the file or folder is first created. Typically, the creator of the
file or folder is, by default, initially designated as the owner. Ownership of a file or folder may
be taken by an administrator, any user with Take ownership permission on the object in question,
or any user with the right to Restore Files and Directories, which by default includes members of
the Backup Operators group.
Taking and Transferring Windows Server 2008 File and Folder Ownership
Ownership may be taken, when permitted, using the properties dialog of the file or folder in
question. This can be accessed by right clicking on the file or folder in Windows Explorer,
selecting Properties from the menu and then clicking on the Security tab. On the Security page of
the properties dialog, click on the Advanced button to access the Advanced Security Settings
dialog and then select the Ownership tab to display the following dialog:

As illustrated in the preceding figure, the file's current owner is bill and the option is available
for user nas to take over ownership of the file. To take ownership, click on the Edit button to
display the following dialog box where ownership may be changed:

To take ownership, select your user name from the list and click on Apply. To transfer ownership
to a different user, either select the name from the list, or search for the user by clicking on the
Other users or groups... button. Select the required user and click on Apply to commit the
transfer.
File and Folder Permission Inheritance
Another part of understanding file and folder permissions involves the concept of inheritance.
When a file or sub-folder is created in an existing folder (referred to as the parent folder) it
inherits, by default, all of the permissions of the parent folder. Similarly, when the permissions
on a parent folder are changed, those changes are automatically inherited by all child files and
folders contained within that parent folder.
To turn off inheritance for a child file or folder, right click the object in Windows Explorer, select
Properties and then click on the Security tab of the properties dialog. On the Security properties
panel, click on the Advanced button to display the Advanced Security Settings dialog, followed by
Edit... to display the editable permission settings. In this dialog, clear the check box next to
Include inheritable permissions from parent object. Once cleared, a warning dialog will
appear providing the choice to retain the current inherited permissions, or to remove any
inherited permissions, keeping only permissions which have been explicitly set on the selected
object:

Occasionally, the converse situation exists, whereby a parent folder contains files and folders
which have explicitly set permissions, rather than just the inherited permissions from the parent
folder. In order to reset a folder and its children such that it only has inherited permissions,
display the Security tab of the Properties dialog as outlined above, click on Advanced... and then
Edit... and set the check box next to Replace all existing inheritable permissions on all
descendants with inheritable permissions from this object. A dialog will subsequently appear
warning that any explicitly defined permissions on all descendant files and folders will be
removed and replaced by inheritable permissions. Click Yes to commit the change.
Basic File and Folder Permissions
NTFS provides two levels of file and folder permissions which can be used to control user and
group access. These are basic permissions and special permissions. In essence, basic permissions
are nothing more than pre-configured sets of special permissions. This section will look at basic
permissions and the next will focus on special permissions and how they are used to create basic
permissions.
The current basic permissions for a file or folder may be viewed by right clicking on the object in
Windows Explorer, selecting Properties and then choosing the Security tab. At the top of the
security properties panel is a list of users and groups for which permissions have been configured
on the selected file or folder. Selecting a group or user from the list causes the basic permissions
for that user to be displayed in the lower half of the dialog. Any permissions which are grayed
out in the permission list are inherited from the parent folder. The basic permission settings
available differ slightly between files and folders. The following table lists the basic folder
permissions supported by Windows Server 2008 on NTFS volumes:
Permission            Description
Full Control          Permission to read, write, change and delete files and sub-folders.
Modify                Permission to read and write to files in the folder, and to delete the current folder.
List Folder Contents  Permission to obtain a listing of files and folders and to execute files.
Read and Execute      Permission to list files and folders and to execute files.
Write                 Permission to create new files and folders within the selected folder.
Read                  Permission to list files and folders.

The following table outlines the basic file permissions:

Permission        Description
Full Control      Permission to read, write, change and delete the file.
Modify            Permission to read, write to and delete the file.
Read and Execute  Permission to view file contents and execute the file.
Write             Permission to write to the file.
Read              Permission to view the file's contents.

To change the basic permissions on a file or folder, access the Security panel of the properties
dialog as outlined above and click Edit to display an editable version of the current settings. To
change permissions for users or groups already configured, simply select the desired user or
group from the list and change the settings in the permissions list as required (keeping in mind
that any grayed out permissions are inherited from the parent folder). Click Apply to commit the
changes. To configure permissions for users or groups not already listed, click on the Edit...
button on the Security properties panel and click on Add.... Enter the names of users or groups
separated by semi-colons (;) in the Select Users or Groups dialog box and then click on Check
Names to verify that the names exist. Click on OK to confirm the user or group and return to the
editing dialog. With the new user or group selected, configure the desired permissions and then
click Apply when completed.
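The ownership, inheritance and basic-permission changes walked through above in the Security tab can all be made with Get-Acl and Set-Acl together with the .NET System.Security.AccessControl types, which is how they are scripted across many folders. The PowerShell script below is an added example and not part of the original notes; the folder path, the group being granted Modify and the new owner are assumed names, and the functions correspond one to one with the GUI steps (take or transfer ownership, stop inheriting, replace descendants' permissions, grant a basic permission).

```powershell
# Added example (not from the original notes): ownership, inheritance and basic
# permissions on a folder with Get-Acl/Set-Acl instead of the Security tab.
# Folder path and account names are assumed values.
param(
    [string]$Folder   = 'D:\Shares\Projects',      # assumed
    [string]$Grantee  = 'COMPANYABC\ProjectTeam',  # assumed group
    [string]$NewOwner = 'COMPANYABC\bill'          # assumed user
)

function Show-FolderAcl {
    # IsInherited = $true is what the GUI shows as a greyed-out entry.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    "Owner: $($acl.Owner)"
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize |
        Out-String
}

function Set-FolderOwner {
    # Taking ownership yourself needs the Take ownership permission; handing it
    # to someone else needs the Restore Files and Directories right, as the notes
    # say, and Set-Acl does not enable that privilege: use icacls /setowner then.
    param([string]$Path, [string]$Owner)
    $acl = Get-Acl -Path $Path
    $acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
    Set-Acl -Path $Path -AclObject $acl
}

function Disable-Inheritance {
    # SetAccessRuleProtection($true, $true) blocks inheritance and keeps the
    # inherited entries as explicit ones (the GUI's "Copy" choice);
    # ($true, $false) drops them (the "Remove" choice), leaving only explicit ACEs.
    param([string]$Path, [bool]$KeepInheritedAsExplicit = $true)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $KeepInheritedAsExplicit)
    Set-Acl -Path $Path -AclObject $acl
}

function Reset-DescendantsToInherited {
    # Equivalent of "Replace all existing inheritable permissions on all
    # descendants": every child gets inheritance back and loses explicit entries.
    param([string]$Path)
    foreach ($child in Get-ChildItem -Path $Path -Recurse -Force) {
        $acl = Get-Acl -Path $child.FullName
        $acl.SetAccessRuleProtection($false, $false)
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            $null = $acl.RemoveAccessRule($ace)
        }
        Set-Acl -Path $child.FullName -AclObject $acl
    }
}

function Grant-BasicPermission {
    # "Modify" is the basic permission from the table above; ContainerInherit +
    # ObjectInherit make it apply to this folder, subfolders and files.
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Disable-Inheritance   -Path $Folder -KeepInheritedAsExplicit $true
Grant-BasicPermission -Path $Folder -Identity $Grantee -Rights Modify
Set-FolderOwner       -Path $Folder -Owner $NewOwner
Show-FolderAcl        -Path $Folder
```

Disable-Inheritance with the "Remove" variant is the one to be careful with: a folder whose only entries were inherited ends up with an empty DACL, which denies everyone except the owner, so run Show-FolderAcl afterwards and confirm the intended explicit entries are present before handing the folder back to users.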
Special File and Folder Permissions
As mentioned previously, basic file and folder permissions are really just pre-packaged
collections of special permissions. Special permissions provide a much more fine grained
approach to defining permissions on files and folders than is offered by basic permissions. The
current special permissions configured on a file or folder can be viewed and modified by right
clicking on the object in Windows Explorer, selecting Properties, clicking on the Security tab of
the properties dialog and pressing the Advanced button. This will display the Permissions page of
the Advanced Security Settings dialog which contains a list of users and groups for which
permissions have been defined. Click on Edit to access the editable view of the permissions.
Select a user or group from the list and click on the Edit... once again to display the Permission
Entry for the selected user or group for this file or folder. This dialog will appear as illustrated in
the following figure:

To change the special permissions simply make the appropriate selections in the list (keeping in
mind that any grayed out permissions are inherited). To add special permissions for a user or
group not currently listed in the Advanced Security Settings page, click on the Add... button and
use the Select Users and Groups dialog to add new users or groups to the permission entries list.
Windows Server 2008 (or to be more exact, NTFS) provides 14 special permission options, each
of which may be allowed or denied. The following table lists each of these settings and describes
the option in more detail:
Permission                      Description
Traverse folder / execute file  Allows access to a folder regardless of whether access is provided to data in the folder. Allows execution of a file.
List folder / read data         The List folder option provides permission to view file and folder names. Read data allows the contents of files to be viewed.
Read attributes                 Allows read-only access to the basic attributes of a file or folder.
Read extended attributes        Allows read-only access to the extended attributes of a file.
Create files / write data       The Create files option allows the creation or placement (via move or copy) of files in a folder. Write data allows data in a file to be overwritten (does not permit appending of data).
Create folders / append data    The Create folders option allows creation of sub-folders in the current folder. Append data allows data to be appended to an existing file (the file may not be overwritten).
Write attributes                Allows the basic attributes of a file or folder to be changed.
Write extended attributes       Allows the extended attributes of a file to be changed.
Delete subfolders and files     Provides permission to delete any files or sub-folders contained in a folder.
Delete                          Allows a file or folder to be deleted. When deleting a folder, the user or group must have permission to delete any sub-folders or files contained therein.
Read permissions                Provides read access to both the basic and special permissions of files and folders.
Change permissions              Allows the basic and special permissions of a file or folder to be changed.
Take ownership                  Allows a user to take ownership of a file or folder.

Effective File and Folder Permissions


With all the different permission options provided by NTFS on Windows Server 2008, it can be
difficult to determine how permissions may accumulate to affect a particular user or group for
any given file or folder. In order to make this task a little easier, Windows provides a feature
known as Effective Permissions which will list the cumulative permissions for a user or group.
To access this feature, right click on the required file or folder in Windows Explorer, select
Properties and then select the Security tab in the resulting properties dialog. Within the security
panel, click on Advanced and select the Effective Permissions tab in the Advanced Security
Settings dialog. The next step is to specify the user or group for which the effective permissions
are to be calculated. To achieve this, click on the Select button and use the Select User or Group
dialog to specify or search for a particular user or group and then click on OK. The effective
permissions for the chosen user or group will subsequently be displayed, as illustrated below:
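The Effective Permissions tab performs the accumulation described above for any user or group. The PowerShell script below is an added example and not part of the original notes: it performs the same calculation for the current user by walking the DACL in canonical order (explicit entries before inherited ones, deny before allow within each), letting the first ACE that mentions a right decide it, skipping inherit-only entries that apply to children rather than to the object itself, and reporting the result with the special-permission names from the table above. The file path is an assumed value; share permissions are not considered, exactly as in the GUI, and only the current token can be evaluated this way because group membership is read from it rather than looked up in the directory.

```powershell
# Added example (not from the original notes): effective NTFS permissions of the
# CURRENT user on one object, computed the way the Effective Permissions tab
# does it: walk the DACL in canonical order, first ACE mentioning a right wins.
# Share permissions are ignored, as in the GUI. Path is an assumed value.
param([string]$Path = 'D:\Shares\Projects\plan.docx')   # assumed

# The special permissions from the table above, paired with the enum flag that
# carries them in System.Security.AccessControl.FileSystemRights.
$SpecialPermissions = @(
    @('ExecuteFile',                  'Traverse folder / execute file'),
    @('ReadData',                     'List folder / read data'),
    @('ReadAttributes',               'Read attributes'),
    @('ReadExtendedAttributes',       'Read extended attributes'),
    @('WriteData',                    'Create files / write data'),
    @('AppendData',                   'Create folders / append data'),
    @('WriteAttributes',              'Write attributes'),
    @('WriteExtendedAttributes',      'Write extended attributes'),
    @('DeleteSubdirectoriesAndFiles', 'Delete subfolders and files'),
    @('Delete',                       'Delete'),
    @('ReadPermissions',              'Read permissions'),
    @('ChangePermissions',            'Change permissions'),
    @('TakeOwnership',                'Take ownership')
)

function Get-EffectiveRightsMask {
    # Returns the bitmask of FileSystemRights the current token ends up with.
    param([string]$Target)
    $acl = Get-Acl -Path $Target
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # ACE matching is against every SID in the token: the user plus all groups,
    # including the well-known ones (Everyone, Authenticated Users, ...).
    $tokenSids = @($me.User) + @($me.Groups)

    $allowed = 0
    $denied  = 0
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    # GetAccessRules(explicit, inherited, SID) yields explicit entries before
    # inherited ones, deny before allow inside each group: canonical order.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }   # applies to children only
        if ($tokenSids -notcontains $ace.IdentityReference) { continue }
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            $denied  = $denied  -bor ($bits -band -bnot $allowed)   # earlier allow already won those bits
        } else {
            $allowed = $allowed -bor ($bits -band -bnot $denied)    # earlier deny already won those bits
        }
    }
    # The owner always holds Read permissions and Change permissions, ACEs or not.
    if ($acl.Owner -eq $me.Name) {
        $allowed = $allowed -bor [int][System.Security.AccessControl.FileSystemRights]'ReadPermissions, ChangePermissions'
    }
    return $allowed
}

function Get-EffectivePermissions {
    # One row per special permission, like the Effective Permissions tab.
    param([string]$Target)
    $mask = Get-EffectiveRightsMask -Target $Target
    foreach ($pair in $SpecialPermissions) {
        $bit = [int][System.Security.AccessControl.FileSystemRights]$pair[0]
        New-Object PSObject -Property @{
            Permission = $pair[1]
            Allowed    = (($mask -band $bit) -eq $bit)
        }
    }
}

Get-EffectivePermissions -Target $Path | Format-Table Permission, Allowed -AutoSize
```

To evaluate another account, run the script in that account's context (for example under runas), since the token, not a directory query, supplies the group list; the GUI tab resolves membership itself but, like this script, reports NTFS rights only, so share permissions on the path still have to be checked separately.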

3.9 Explain Managing Servers Remotely Using Terminal Services (Remote Desktop).
Windows Server 2008 is, as the name suggests, a server operating system. In the real world this
means that systems running Windows Server 2008 will most likely be located in large rack
systems in a server room. As such, it is highly unlikely that system administrators are going to
want to have to physically visit each of these servers to perform routine administrative tasks such
as system configuration and monitoring. A far preferable scenario involves these administrators
remotely logging into the servers from their own desktop systems to perform administrative
tasks. Fortunately, Windows Server 2008 provides precisely this functionality through Remote
Desktop and the remote administration features of the Microsoft Management Console (MMC).

What is Remote Desktop?


Remote Desktop allows the graphical interface of a remote Windows system to be displayed over
a network onto a local system. In addition, keyboard and mouse events on the local system are
transmitted to the remote system enabling the local user to perform tasks on the remote system as
if they were physically sitting at the remote system. Conversely, resources (such as printers and
disk drives) on the local system can be made available to the remote system for the duration of
the connection. This remote control can be established in a number of ways, including over wide
area networks (WAN), local area networks (LAN) or over the internet.
In the case of Windows Server 2008, this service is provided by Terminal Services running on the
remote systems and the Remote Desktop Connection (RDC) client on the local system.
Terminal Services run in two different modes, Administration and Virtual Session. Remote
Desktop for Administration provides full administration functionality to the remote administrator
(including access to the console session and visibility of notification messages). Remote Desktop
for Administration is the equivalent to working directly at the remote system's console. In virtual
session mode the user is subject to some limitations such as the ability to install applications and
view console notification messages.
Windows Server 2008 imposes some administrator logon restrictions. Specifically, a maximum
of two administrators may be logged on at any one time, either two logged on remotely, or one
local and one remote administrator. This assumes, however, that different accounts are being
used to log on. In other words, the same user may not log on locally and remotely
simultaneously.
Enabling Remote Desktop Administration on the Remote Server
As mentioned previously, remote desktop functionality on the server is provided by Terminal
Services. It is important to note, however, that Terminal Services do not have to be explicitly
enabled on the server in order to support Remote Desktop Administration. In fact, all that needs
to be done is to enable Remote Desktop Administration. This is configured by opening the
Control Panel from the Start menu and selecting the System icon (if the Control Panel is in
Control Panel Home mode this is located under System and Maintenance). In the Task section in
the top left hand corner of the System page select Remote settings to display the following
properties window:

The Remote properties dialog provides a number of options. The default setting is to disallow
remote connections to the computer system. The second option allows remote desktop
connections from any version of the Remote Desktop client. The third, and most secure option,
will only allow connections from Remote Desktop clients with Network Level Authentication
support. This typically will only allow access to systems providing secure network authentication
such as Windows Vista and Windows Server 2008.
If the Windows Firewall is active, the act of enabling Remote Desktop administration also results
in the creation of a firewall exception allowing Remote Desktop Protocol (RDP) traffic to pass
through on TCP port 3389.
This default port can be changed by editing the PortNumber value under the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp.
The easiest way to locate this registry value is to execute regedit from the Run window or a
command prompt, select Edit -> Find and enter RDP-tcp.
Controlling Remote Desktop Access
The default configuration for Remote Desktop is to allow all members of the Administrators
group to connect remotely. Active Directory also contains a Remote Desktop Users group to
which users may be added to provide Remote Desktop access privileges. To provide users with
remote desktop access, open the Control Panel -> System and Maintenance -> System ->
Remote settings and click on the Select Users button to invoke the Remote Desktop Users dialog
illustrated in the following figure:

Note that users with administrative privileges do not need to be added to this list; by default they
already have Remote Desktop access. To add additional users click on the Add... button to
display the Select Users dialog. Enter the name of the user in the text box entitled Enter object
names to select and click on Check names to list names that match the name entered. Select the
appropriate name from the list. The following example shows user Bill on server winserver-2:

Click on OK to apply the change. The new user will now appear in the list of users with Remote
Desktop access on the Remote Users screen. Click OK to close this screen and click on Apply in
the System Settings screen. The specified user will now have remote desktop access to the
system.
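The Remote settings dialog and the Remote Desktop Users list described above are backed by a handful of registry values and one local group, so the configuration can be audited without clicking through the GUI. The following is an added example, not part of the original text: it reads the Terminal Server registry settings (the PortNumber path is the one given above; fDenyTSConnections and UserAuthentication are the values behind the three radio buttons) and the local group, then reports what a reviewer would want flagged. Run it in an elevated PowerShell prompt on the server.

```powershell
# Added example (not from the original text): audit Remote Desktop settings directly.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$Name } else { return $null }
}

function Get-RemoteDesktopUsers {
    # Parse "net localgroup": members follow the dashed separator line and end at
    # the completion message. Administrators never appear here because they have
    # Remote Desktop access implicitly.
    $members = @()
    $inList  = $false
    foreach ($line in (net localgroup 'Remote Desktop Users')) {
        if ($line -match '^-{5,}$') { $inList = $true; continue }
        if ($inList -and $line.Trim() -and $line -notmatch '^The command completed') {
            $members += $line.Trim()
        }
    }
    return $members
}

function Get-RdpConfigReport {
    # fDenyTSConnections: 1 = "Don't allow connections" (the default), 0 = allowed
    $deny = Get-RegistryDword $tsKey  'fDenyTSConnections'
    # UserAuthentication: 1 = only clients with Network Level Authentication
    $nla  = Get-RegistryDword $rdpKey 'UserAuthentication'
    # PortNumber: 3389 unless changed as the text describes
    $port = Get-RegistryDword $rdpKey 'PortNumber'

    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
        ListeningPort        = $(if ($port) { $port } else { 3389 })
        RemoteDesktopUsers   = @(Get-RemoteDesktopUsers)
    }
}

function Get-RdpFindings {
    param($Report)
    $findings = @()
    if (-not $Report.RemoteDesktopEnabled) {
        return @('Remote Desktop is disabled; nothing further to check.')
    }
    if (-not $Report.NlaRequired) {
        $findings += 'Clients without Network Level Authentication are accepted; select the NLA-only option in Remote settings.'
    }
    if ($Report.ListeningPort -ne 3389) {
        # The exception created when Remote Desktop is enabled covers TCP 3389 only.
        $findings += "RDP listens on port $($Report.ListeningPort); review the firewall rule for that port."
    }
    foreach ($user in $Report.RemoteDesktopUsers) {
        $findings += "Non-administrator with Remote Desktop access: $user (confirm this is intended)."
    }
    if ($findings.Count -eq 0) { $findings += 'No findings.' }
    return $findings
}

$report = Get-RdpConfigReport
$report | Format-List
Get-RdpFindings $report
```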
Remote Desktop Group Policy
A vast array of configuration options for Terminal Services is available through the Group Policy
settings. To access these values start the Group Policy Object Editor (open the Start menu and
enter gpedit.msc into the Search box).
In the Group Policy Object Editor navigate to Computer Configuration\Administrative
Templates\Windows Components\Terminal Services or User Configuration\Administrative
Templates\Windows Components\Terminal Services to access the range of policy settings
available.
Policy options include, amongst other options, items such as control over resource redirection
(printers, audio etc), setting session time limits and security settings. A complete overview of all
the settings is beyond the scope of this book but almost without exception the various settings are
largely self-explanatory.
Starting the Remote Desktop Client
With the appropriate configuration tasks completed on the remote system the next step is to
launch the Remote Desktop Client on the local system. The client can be run in either
administration mode which provides full integration with the console of the remote server, or
virtual session mode which provides some administrative privileges but does not provide console
access or allow applications to be installed.
To invoke the Remote Desktop Client in virtual session mode either select Start -> All Programs
-> Accessories -> Remote Desktop Connection or enter the following in the Run dialog or at a
command prompt:

mstsc
To start the Remote Desktop Client in administrator mode run the following command:
mstsc /admin
In either case the following initial screen will appear requesting details of the computer to which the
client is to connect:

This can either be an IP address or a computer name. If previous connections have been
established the User name field will be populated with the user name used in the preceding
session. If you need to log in as a different user this option will be provided on the next screen
which appears after the Connect button is pressed:

In this screen enter the password for the selected user (note that remote desktop access is only
available for user accounts which are password protected). If a user other than the one displayed
is required, simply click on the Use another account link and enter the necessary details. Click
on OK to establish the connection. After a short delay the remote desktop will appear on the local
computer screen.
Remote Desktop Client Configuration Options
The Options>> button displayed on the initial screen of the Remote Desktop Client provides six
tabs, each containing a range of configuration options:
General - Allows login credentials to be configured and session information to be saved.
Display - Configures the resolution and color settings to be used when displaying the
remote desktop on the local system.
Local Resources - Specifies which local resources (sound, disk drives, printers etc) are to
be made accessible to the remote system during the Remote Desktop session. This page
also provides options to control the situations under which special key combinations such
as Ctrl-Alt-Del are interpreted by the local or remote systems.
Programs - Allows specified programs to be automatically invoked each time a remote
session is established.
Experience - Controls which desktop features are enabled or disabled for the Remote
Desktop session. For example, over a slow dial-up connection it is unwise to have the
desktop background displayed and font smoothing enabled. Either select the connection
type and speed to see recommended settings, or use Custom to configure your own
settings. This particular screen also provides the option to have the connection
automatically re-established in the event that a session is dropped.
Advanced - Enables and disables remote server verification. This ensures that the remote
server to which you are connected is indeed the server you wanted. Also available are TS
Gateway settings. By default the Remote Desktop Client is configured to automatically
detect TS Gateway settings.

Remote Session Tracking
With Remote Desktop access implemented it is often useful to find out at times who is logged
into a system. This can be achieved using the quser command-line tool. To obtain details of
logged in users on a local system simply run quser at a command prompt or in a Run dialog:
C:\Users\Administrator> quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                            1  Disc         3:18  7/11/2008 12:36 PM
 bill                  rdp-tcp#0          2  Active          .  7/14/2008 9:11 AM
 nas                   console            3  Active       none  7/11/2008 12:58 PM
To obtain information for a remote system simply run quser with the /server:<hostname>
command-line option. For example:
C:\Users\Administrator> quser /server:winserver-2
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                            1  Disc         3:22  7/11/2008 12:36 PM
 bill                  rdp-tcp#0          2  Active          .  7/14/2008 9:11 AM
 nas                   console            3  Active       none  7/11/2008 12:58 PM
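The quser listing is fixed-width text, and its SESSIONNAME column is empty for disconnected sessions, which trips up a naive whitespace split. As an added example, not part of the original text, the parser below turns the listing shown above (embedded here as sample input so it runs without a server) into objects and flags disconnected and RDP sessions; swap the sample for (quser) or (quser /server:<hostname>) on a live system.

```powershell
# Added example (not from the original text): parse quser output and flag sessions.
# Sample input: the listing shown in the text, with ">" marking the caller's own session.
$sampleQuser = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                            1  Disc         3:18  7/11/2008 12:36 PM
 bill                  rdp-tcp#0          2  Active          .  7/14/2008 9:11 AM
>nas                   console            3  Active       none  7/11/2008 12:58 PM
'@ -split "`r?`n"

function ConvertFrom-Quser {
    param([string[]]$Lines)
    # SESSIONNAME is blank for disconnected sessions (the administrator row above),
    # so the optional group lets the ID column follow the user name directly.
    $pattern = '^\s*(>?)(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$'
    foreach ($line in $Lines) {
        if (-not $line.Trim() -or $line -match '^\s*USERNAME') { continue }
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        New-Object PSObject -Property @{
            Current     = ($m.Groups[1].Value -eq '>')
            UserName    = $m.Groups[2].Value
            SessionName = $m.Groups[3].Value          # "" when disconnected
            Id          = [int]$m.Groups[4].Value
            State       = $m.Groups[5].Value
            IdleTime    = $m.Groups[6].Value
            LogonTime   = $m.Groups[7].Value
            IsRemote    = ($m.Groups[3].Value -like 'rdp-tcp#*')
        }
    }
}

function Get-SessionFindings {
    param($Sessions)
    $findings = @()
    foreach ($s in $Sessions) {
        if ($s.State -eq 'Disc') {
            # A disconnected session keeps running and still counts as a logon,
            # so it occupies one of the two administrator slots described earlier.
            $findings += "Session $($s.Id) for $($s.UserName) is disconnected (idle $($s.IdleTime)); log it off if no longer needed."
        }
        if ($s.IsRemote) {
            $findings += "Session $($s.Id) for $($s.UserName) is an RDP session ($($s.SessionName)) since $($s.LogonTime)."
        }
    }
    return $findings
}

$sessions = @(ConvertFrom-Quser $sampleQuser)
$sessions | Format-Table Id, UserName, SessionName, State, IdleTime, LogonTime, IsRemote -AutoSize
Get-SessionFindings $sessions
```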
Logging out from a Remote Desktop Session
When the Remote Desktop Client is exited by pressing the 'X' on the control panel the remote
session continues to run on the server even though no client is connected. Next time the user
connects the desktop session will appear exactly as it was left before.
To end the session select Start in the remote desktop session, click on the right arrow button in
the bottom right hand corner of the menu and select Log Off. This will close down the remote
desktop session and close the remote desktop client.
Running Multiple Remote Desktops
Multiple concurrent remote desktops can be run and managed within a single window using the
MMC Remote Desktops snap-in. This may either be snapped into the MMC or launched from the
command-line or a Run dialog by typing:
tsmmc.msc

Once launched, right click on the Remote desktops item in the tree in the left hand panel and
select Add a new connection from the menu. Once selected the Add New Connection dialog will
appear as follows:

In this dialog enter the IP address or computer name of the remote system together with the User
name and the name to be assigned to this connection (this is essentially the name by which this
connection will be listed and administered inside the Remote Desktops snap-in). For an
administrative session (as opposed to a virtual session) set the Connect with /admin box. Click
OK to add the session to the snap-in. Once added, the session will appear in the left hand panel
under Remote Desktops. Repeat these steps to add connections to any additional remote systems
required.
To establish a remote desktop connection, right click on the name of the session from the left
hand panel and select Connect from the menu. The remote session will appear in the window. To
start another session simply right click on the session name and once again select Connect. To
switch between sessions simply click on the name of the session in the left hand panel and the
corresponding desktop will be displayed. The following figure illustrates two sessions running in
Remote Desktops:

To change configuration options for each session right click on the desired session in the left
hand panel and select Properties. This panel has a number of tabs which enable credentials,
screen size and program start properties to be defined.

3.10 Describe Remote Access and VPN Overview, Configuring & Implementing Remote
Access Server.
Remote Desktop lets users control their desktop computer remotely. It's a simple concept
that, properly implemented, can have a dramatic impact on your organization's
productivity, since staff can work from home even if they don't have a mobile
computer.
Until Microsoft Windows Server 2008, the network connection itself has been the biggest
challenge. Your private network probably uses private Internet Protocol addresses, which
prevent users from connecting directly to their desktop computers from the Internet. Even
if you offered users a virtual private network connection, many firewalls block VPNs.
To work around these limits, Windows Server 2008 introduces the Terminal Services (TS)
Gateway role, which acts as a proxy server between the Internet and your internal
network. As illustrated, the Remote Desktop client uses encrypted Hypertext Transfer
Protocol over Secure Sockets Layer to communicate with the TS Gateway. Because
HTTPS is primarily used to browse the Web, almost all firewalls allow it. The TS Gateway
authenticates the user (via either a password or a smart card), verifies that the user is
authorized to connect to the destination computer and then uses Remote Desktop Protocol
(RDP) to complete the connection on your private network.

Note: Throughout this article, the computer being controlled will be referred to as a
Remote Desktop server. The Remote Desktop server could be any Windows XP, Windows
Server 2003, Windows Vista or Windows Server 2008 computer with Remote Desktop
enabled. It could also be any version of Terminal Server.
Planning Your Terminal Services Gateway SSL Certificate
Because clients use HTTPS to connect to the TS Gateway, the TS Gateway will need an
SSL certificate just like an electronic-commerce Web server. To simplify the
configuration of the Remote Desktop clients, purchase an SSL certificate from one of the
many public certificate authorities (CAs) that Windows trusts by default (a search for ssl
certificate will turn up several available for less than $20 per year). When configuring the
SSL certificate, specify the full host name that clients will use to connect to the TS
Gateway from the Internet. If the host name doesn't match what the users enter in the
Remote Desktop Client, the server authentication will fail. Although you can use a
temporary or internal SSL certificate for testing purposes, client computers must trust the
certificate's CA. Because many remote access scenarios involve computers that aren't
members of your Active Directory domain (such as home computers), only SSL
certificates issued by trusted public CAs will work by default.

Note: For testing purposes, the Add Roles Wizard can generate a temporary SSL
certificate for you. You will need to import the root CA certificate it generates into any
client computers, clicking the Certificates button on the Content tab of the Internet
Options dialog box, and then importing the certificate into the list of Trusted Root
Certification Authorities.
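Both conditions the text sets for the gateway certificate (the chain must end in a CA the client trusts, and the name must match what users type) can be verified from a client before the RDP file is distributed. This is an added example, not part of the original text; it performs a TLS handshake with the gateway, then evaluates trust and name match explicitly. The gateway name in the usage line is an assumption.

```powershell
# Added example (not from the original text): check the TS Gateway certificate from a client.
function Test-TsGatewayCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$GatewayName,
        [int]$Port = 443
    )
    # Accept whatever the gateway presents during the handshake so the certificate
    # can be examined; trust is evaluated explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($GatewayName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($GatewayName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }

    # (a) Does the chain end in a root this machine trusts? A temporary certificate
    # from the Add Roles Wizard fails here until its root CA is imported.
    $x509Chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainTrusted = $x509Chain.Build($cert)
    $chainStatus  = @($x509Chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # (b) Names the certificate is valid for: the subject CN plus any DNS entries in
    # the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    # -like is case-insensitive and handles wildcard certificates such as *.example.com
    $nameMatches = [bool]($names | Where-Object { $GatewayName -like $_ })

    New-Object PSObject -Property @{
        GatewayName       = $GatewayName
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotAfter          = $cert.NotAfter
        Names             = $names
        NameMatches       = $nameMatches
        ChainTrusted      = $chainTrusted
        ChainStatus       = $chainStatus
        ClientWillConnect = ($chainTrusted -and $nameMatches -and ($cert.NotAfter -gt (Get-Date)))
    }
}

# Usage with an assumed gateway name:
# Test-TsGatewayCertificate -GatewayName 'tsgateway.example.com' | Format-List
```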
Configuring the Terminal Services Gateway
To add the Terminal Services Role to Windows Server 2008, follow these steps:
1. Log on to your Windows Server 2008 computer as an administrator. Click Start, and then click
Server Manager.
2. Right-click Roles, and then click Add Roles. The Add Roles Wizard appears.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select Terminal Services. Then, click Next.
5. On the Terminal Services page, click Next.
6. On the Role Services page, select TS Gateway. When prompted, click Add Required Role
Services. Then, click Next.
7. On the Server Authentication Certificate page, select an SSL certificate, and then click Next.
8. On the Authorization Policies page, click Now, and then click Next.
9. On the TS Gateway User Groups page, click Add to select the user groups that can connect
through the terminal server gateway. Typically, you should create an Active Directory security
group for Remote Desktop users connecting from the Internet, and add all authorized users to
that group. Then, click Next.
10. On the TS CAP page, enter a name for the Terminal Services Connection Authorization Policy,
and choose whether to allow authentication using passwords, smart cards or both. Click Next.
11. On the TS RAP page, enter a name for the Terminal Services Resource Authorization Policy.
Then, choose whether to allow remote clients to connect to all computers on your internal
network or just computers in a specific domain group. For best results, create an Active
Directory security group, and add the computer accounts for all authorized Remote Desktop
servers to that group. Click Next.
Note: The CAP defines who can connect to the TS Gateway, while the RAP defines which
computers they can use the gateway to access. Both must be defined for a user to establish a
connection.
12. Complete any other wizard pages that appear for dependent roles by accepting the default
settings, and then click Install on the Confirmation page.
13. After the installation is complete, click Close, and then click Yes to restart the computer if
required.
14. After the computer restarts, log back on and click Close in the Resume Installation Wizard.
Later, you can use the Server Manager console to modify the CAPs or RAPs by clicking
the roles\terminal services\ts gateway manager\computer_name\policies node.

If necessary, configure your firewall to allow incoming HTTPS connections to your TS
Gateway on TCP port 443. Additionally, the TS Gateway must be able to communicate to
Remote Desktop servers using TCP port 3389.
Configuring the Remote Desktop Client
You must configure the Remote Desktop Client with the IP address of the TS gateway
before connecting to a Remote Desktop server on your internal network. To configure the
Remote Desktop Client, follow these steps:
1. If the client computer is running Windows XP with Service Pack 1 or Windows Server 2003
with Service Pack 1 or 2, install the Terminal Services Client 6.0. You can download the
software at support.microsoft.com/kb/925876. Windows Vista and Server 2008 have the client
built in. Older versions of Windows cannot use the updated Terminal Services Client and thus
cannot connect through a TS Gateway.
2. Open Remote Desktop Connection from the Start menu.
3. If necessary, click the Options button to display the Remote Desktop Connection settings.
4. On the General tab, type the Remote Desktop server's name or IP address (not the TS
Gateway), even if the IP address is private and not directly reachable.
5. Click the Advanced tab, and then click the Settings button.
6. On the Gateway Server Settings dialog box, click Use these TS Gateway server settings. Then,
type the server name (it must exactly match the name in the server's SSL certificate) and select
a logon method. Click OK to save the settings.
7. After customizing any other settings, click the General tab, and click Save As to save the
settings to an RDP file. Because the RDP file includes the TS Gateway settings, you can
distribute it to any computer with the Remote Desktop Client version 6.0 or later.
To connect to the server, open the RDP file, and click Connect. If prompted, provide
credentials for both the TS Gateway and the Remote Desktop server. In a few seconds, you
should have complete control over the Remote Desktop server.
Note: The Remote Desktop Client 6.1, included with Windows Server 2008 and currently
in beta testing for other operating systems, can be configured to send the same credentials
to both the TS Gateway and the Remote Desktop server. This requires prompting the user
only once.
If your employees have computers at home and broadband Internet connections, you can
allow them to use Remote Desktop to control their desktop computers at work. Instantly,
the users gain access to their files, applications, printers and other network resources on
your internal network as if they were sitting at their desks. There's no fussing with
firewalls or VPNs either; all users need to do is double-click an RDP file you provide.
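The RDP file saved in step 7 is a plain text file of name:type:value lines, so it can be generated rather than clicked together, which keeps the gateway name and the server-authentication setting consistent across every copy you hand out. The following is an added example, not part of the original text; the setting names are the standard RDP file settings that Remote Desktop Connection writes, and the host names in the usage line are assumptions.

```powershell
# Added example (not from the original text): generate an .rdp file with TS Gateway settings.
function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory=$true)][string]$RemoteDesktopServer, # internal name, as entered in step 4
        [Parameter(Mandatory=$true)][string]$GatewayName,         # must equal the name in the gateway's SSL certificate
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$SmartCard
    )
    $settings = @(
        "full address:s:$RemoteDesktopServer"
        "gatewayhostname:s:$GatewayName"
        # 1 = use these explicit gateway settings rather than the auto-detected profile
        "gatewayprofileusagemethod:i:1"
        # 1 = always connect through the gateway (step 6's "Use these TS Gateway server settings")
        "gatewayusagemethod:i:1"
        # logon method: 0 = password (NTLM), 1 = smart card
        "gatewaycredentialssource:i:$(if ($SmartCard) { 1 } else { 0 })"
        # Server authentication (Advanced tab): 2 = do not connect if the server cannot be
        # verified. The weak choice is 0, which connects without warning on a name or CA mismatch.
        "authentication level:i:2"
        # Ask for credentials once and reuse them for gateway and server (client 6.1 and later)
        "promptcredentialonce:i:1"
    )
    # Remote Desktop Connection writes .rdp files as UTF-16LE
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    return $settings
}

# Usage with assumed names:
# New-GatewayRdpFile -RemoteDesktopServer 'desktop1.corp.local' -GatewayName 'tsgateway.example.com' -Path "$env:USERPROFILE\Desktop\work.rdp"
```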

3.11 Implementing & Configuring VPN.


1. Install the role Network Policy and Access Services with the Server Manager.
2. Select the role service Routing and Remote Access Services.
3. Configure and enable Routing and Remote Access in the Server Manager.
4. Choose Custom Configuration if you just have one network interface in the server.
5. Choose VPN access.
6. Finish and click Next.
7. Allow access for users (Network Access Permission). You can set that in the Dial-In tab of the
user account's properties.
8. Open ports in your firewall:
For PPTP: 1723 TCP, 47 GRE
For L2TP over IPSEC: 1701 TCP, 500 UDP
For SSTP: 443 TCP

Optional: If you don't have a DHCP server in your local network you have to add a static
address pool. This can be the case if you have a stand-alone server hosted by your provider.
1. Right click on Routing and Remote Access and open Properties.
2. Click on the IPv4 tab and check Static address pool.
3. Add a static address pool of private IP addresses.
4. Add a secondary IP address to the server network interface which is in the same subnet as
this pool.

3.12 Implementing & Configuring Active Directory Services Forest.


Since Windows 2000, Active Directory has been the driving force behind Microsoft Server
Networking Services.
Active Directory provides the structure to centralize the network and store information about
network resources across the entire domain. Active Directory uses Domain Controllers to keep this
centralized storage available to network users. In this scenario we are going to install Active
Directory fresh with a brand new Domain Controller after a fresh install of Windows Server 2008.
Requirements for Active Directory Domain Services
Install Windows Server 2008
Configure TCP/IP and DNS networking configurations
The disk drives that store SYSVOL must be on a local drive formatted with NTFS
Active Directory requires DNS to be installed in the network. If it is not already installed you
can specify that a DNS server be installed during the Active Directory Domain Services
installation.
How to Install Active Directory Domain Services via Server Manager
1. Start Server Manager.
2. Select Roles in the left pane, then click on Add Roles in the center console.

3. Depending on whether you checked off to skip the Before You Begin page while installing
another service, you will now see warning pages telling you to make sure you have strong security,
static IP, and latest patches before adding roles to your server.

If you get this page, then just click Next.

4. In the Select Server Roles window we are going to place a check next to Active Directory
Domain Services and click Next.

5. The information page on Active Directory Domain Services will give the following warnings,
which after reading, you should click Next:
Install a minimum of two Domain Controllers to provide redundancy against server outage
(with only one, an outage would prevent users from logging in)
AD DS requires DNS; if it is not installed you will be prompted for it
After installing AD DS you must run dcpromo.exe to upgrade to a fully functional domain
controller
Installing AD DS will also install the DFS Namespaces, DFS Replication, and File Replication
services which are required by Directory Services

6. The Confirm Installation Selections screen will show you some information messages and warn
that the server may need to be restarted after installation. Review the information and then
click Next.

7. The Installation Results screen will hopefully show Installation Succeeded, and an additional
warning about running dcpromo.exe (I think they really want us to run dcpromo).
After you review the results, click Close.

8. After the Installation Wizard closes you will see that server manager is showing that Active
Directory Domain Services is still not running. This is because we have not run dcpromo yet.

9. Click on the Start button, type dcpromo.exe in the search box and either hit Enter or click on the
search result.

10. The Active Directory Domain Services Installation Wizard will now start. There are links to
more information if you want to learn a bit more; otherwise go ahead and click Use advanced mode
installation and then click Next.

11. The next screen warns about some operating system compatibility with some older clients.

12. Next is the Choose Deployment Configuration screen and you can choose to add a domain to
an existing forest or create a forest from scratch. Choose Create a new domain in a new forest and
click Next.

13. The Name the Forest Root Domain wants you to name the root domain of the forest you are
creating.
For the purposes of this test we will create ADExample.com. After typing that go ahead and
click Next.

14. The wizard will test to see if that name has been used, after a few seconds you will then be asked
for the NetBios name for the domain. In this case I will leave the default in place of ADEXAMPLE,
and then click Next.

15. The next screen is the Set Forest Functional Level that allows you to choose the function level
of the forest.
Since this is a fresh install and a new forest with no additional prior version domains to worry about I
am going to select Windows Server 2008. If you did have other domain controllers at earlier versions
or had a need to have Windows 2000 or 2003 domain controllers (because of Exchange for example),
then you should select the appropriate function level.
Select Windows Server 2008 and then click Next.

16. Now we come to the Additional Domain Controller Options where you can select to install a
DNS server, which is recommended on the first domain controller.
If this was not the first domain controller you would have the options of installing Global
Catalog and/or setting this as a Read-only Domain Controller. Since it is the first domain
controller, Global Catalog is mandatory, and an RODC is not an available option.
Let's install the DNS Server by placing a check next to it and clicking Next.

17. You will get a warning that a delegation for this DNS server cannot be created, but since
this is the first DNS server you can just click Yes and ignore this warning.

18. Next you can choose to place the files that are necessary for Active Directory, including
the Database, Log Files, and SYSVOL.
It is recommended to place the log files and database on a separate volume for performance and
recoverability. You can just leave the defaults though and click Next.

19. Now choose a password for Directory Services Restore Mode that is different than the domain
password. Type your password and confirm it before hitting Next.
Note: You should use a STRONG password for this and will be warned if it doesn't meet
criteria.

20. Next you will see a summary of all the options you have gone through in the wizard.
If you plan on creating more domain controllers with the same settings hit the Export settings
button to save off a txt copy of the settings to use in an answer file for a scripted install. After
exporting and reviewing settings click on Next.

21. Now the installation will start including the DNS server option if selected. You will notice a box
to Reboot on completion that you can check to reboot as soon as everything is installed (a reboot is
required; you can do it manually or use this function to do it automatically).
NOTE: This can be from a few minutes to several hours depending on different factors.
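The settings exported in step 20 are consumed by dcpromo as an unattend file, and the same file can be written by hand. As an added example, not part of the original text, the function below produces an answer file with the choices made in this walkthrough (new forest ADExample.com, NetBIOS name ADEXAMPLE, Windows Server 2008 functional level as in step 15, DNS installed without a delegation as in steps 16 and 17, default paths as in step 18) for repeating the build unattended, for example in a lab. The keys are the [DCInstall] settings dcpromo reads; the output path is an assumption.

```powershell
# Added example (not from the original text): write a dcpromo answer file for this walkthrough.
function New-DcpromoAnswerFile {
    param(
        [Parameter(Mandatory=$true)][string]$DsrmPassword,   # Directory Services Restore Mode password (step 19)
        [string]$Path        = 'C:\dcpromo-newforest.txt',   # assumed location
        [string]$DomainName  = 'ADExample.com',
        [string]$NetbiosName = 'ADEXAMPLE'
    )
    # ForestLevel / DomainLevel 3 = Windows Server 2008 (step 15)
    $content = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainName
DomainNetbiosName=$NetbiosName
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
CreateDNSDelegation=No
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=Yes
"@
    Set-Content -Path $Path -Value $content -Encoding ASCII
    return $Path
}

# The file carries the DSRM password in clear text: create it immediately before
# promotion and delete it afterwards. Promotion then runs as:
#   $answer = New-DcpromoAnswerFile -DsrmPassword (Read-Host 'DSRM password')
#   dcpromo /unattend:$answer
```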

Confirming Active Directory Domain Services Install


When you reboot you will be asked to log in to the domain, and you will be able to open Active Directory
Users and Computers from the Administrative Tools menu. When you do you will see the
domain ADExample.com and be able to manage the domain.

You have now successfully installed Active Directory Domain Services and the first Domain
Controller.

3.13 Implementing Server Roles, Restoring Active Directory.


Scenario: Have you ever accidentally deleted a user account or an OU in Active Directory and
wished you could restore it?
I recently had a client call me after they installed updates and rebooted their server. They noticed
after the reboot that there was a message that said "Active Directory is rebuilding indices. Please
wait".
Their Active Directory database had become corrupted from the updates. So what do you do? How
can you restore AD?
How to back up AD in Windows Server 2008 and how to restore it:
what you need to do to get your Server 2008 ready for backup
how to back up Active Directory on Server 2008
how to perform an Authoritative Restore of Active Directory
how to perform Active Directory Snapshots
Prerequisites: Getting Server 2008 Ready for Backup
Before you can backup Server 2008 you need to install the backup features from the Server Manager.
1. To install the backup features click Start -> Server Manager.

2. Next click Features -> Add Features.

3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools

4. Click Next, then click Install

Backing up Server 2008 Active Directory


Now that we have the backup features installed we need to back up Active Directory. You could do a
complete server backup, but what if you need to do an authoritative restore of Active Directory?
As you'll notice in Server 2008, there isn't an option to backup the System State data through the
normal backup utility.

So what do we do? We need to go "command line" to backup Active Directory.


1. Open up your command prompt by clicking Start and type "cmd" and hit enter.
2. In your command prompt type "wbadmin start systemstatebackup -backuptarget:e:" and press
enter.
Note: You can use a different backup target of your choosing
3. Type "y" and press enter to start the backup process.

When the backup is finished running you should get a message that the backup completed
successfully. If it did not complete properly you will need to troubleshoot.

Now you have a system state backup of your 2008 Server!


Authoritative Restore of Active Directory
So now what if you accidentally delete an OU, group, or a user account and it's already replicated to
your other servers? We will need to perform an authoritative restore of the Active Directory object
you accidentally deleted.
1. To do this you will need to boot into DSRM (Directory Services Restore Mode) by restarting your
server and pressing F8 during the restart.
2. Choose Directory Services Restore Mode from the Advanced Boot menu.

3. Login to your server with your DSRM password you created during Active Directory installation.
4. Once you're logged into your server and in DSRM safe mode, open a command prompt by
clicking Start, type "cmd", and press enter.
5. To make sure you restore the correct backup it's a good idea to use the "wbadmin get versions"
command and write down the version you need to use.

6. Now we need to perform a non-authoritative restore of Active Directory by typing "wbadmin
start systemstaterecovery -version:04/14/2009-02:39".
Note: The version of backup will vary depending on your situation. Type "y" and press enter to start
the non-authoritative restore.
7. Go grab some coffee and take a break while the restore completes.

8. You can mark the SYSVOL as authoritative by adding the -authsysvol switch to the end of the
wbadmin command.

9. But if you want to restore a specific Active Directory object then you can use the ever
familiar ntdsutil.
For this example we are going to restore a user account with a distinguished name of CN=Test
User,CN=Users,DC=home,DC=local. So the commands would be:
ntdsutil
activate instance ntds
authoritative restore
restore object "cn=Test User,cn=Users,dc=home,dc=local"
Note: The quotes are required

10. Reboot your server into normal mode and you're finished. The object will be marked as
authoritative and replicate to the rest of your domain.
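Step 5 has you copy the version identifier out of "wbadmin get versions" by hand, which is error-prone when several backups exist and only some of them include System State. As an added example, not part of the original text, the script below parses that listing, keeps only versions that can recover System State, and picks the latest one to build the step 6 command. The listing is constructed in the shape wbadmin prints; replace it with (wbadmin get versions) on the server.

```powershell
# Added example (not from the original text): select the right backup version for systemstaterecovery.
# Constructed sample in the layout "wbadmin get versions" prints (one block per backup).
$sampleVersions = @'
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Backup time: 4/13/2009 11:02 PM
Backup target: Fixed Disk labeled E:
Version identifier: 04/13/2009-23:02
Can recover: Volume(s), File(s)

Backup time: 4/14/2009 2:39 AM
Backup target: Fixed Disk labeled E:
Version identifier: 04/14/2009-02:39
Can recover: System State
'@ -split "`r?`n"

function ConvertFrom-WbadminVersions {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^Backup time:\s*(.+)$'        { $current = @{ BackupTime = $Matches[1].Trim() } }
            '^Backup target:\s*(.+)$'      { if ($current) { $current.Target = $Matches[1].Trim() } }
            '^Version identifier:\s*(\S+)' { if ($current) { $current.Version = $Matches[1] } }
            '^Can recover:\s*(.+)$'        {
                # "Can recover" is the last line of a block; emit the record here.
                if ($current) {
                    $current.CanRecover = @($Matches[1] -split ',\s*')
                    New-Object PSObject -Property $current
                    $current = $null
                }
            }
        }
    }
}

function Get-LatestSystemStateVersion {
    param([string[]]$Lines)
    # Only a backup that includes System State can be used for systemstaterecovery;
    # the identifier is MM/dd/yyyy-HH:mm, so sort by the parsed time, not the string.
    ConvertFrom-WbadminVersions $Lines |
        Where-Object { $_.CanRecover -contains 'System State' } |
        Sort-Object { [datetime]::ParseExact($_.Version, 'MM/dd/yyyy-HH:mm', $null) } |
        Select-Object -Last 1
}

$latest = Get-LatestSystemStateVersion $sampleVersions
if ($latest) {
    "wbadmin start systemstaterecovery -version:$($latest.Version)"
} else {
    'No backup containing System State was found.'
}
```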
Using Active Directory Snapshots
There is a really cool new feature in Windows Server 2008 called Active Directory Snapshots.
Volume Shadow Copy Service now allows us to take a snapshot of Active Directory as a type of
backup. They are very quick to create and serve as another line of defense for your backup strategy.

With your server booted into normal mode open a command prompt by clicking Start, type "cmd",
and press enter.
We are going to use the ntdsutil again for creating the Active Directory snapshots. The commands
are:
ntdsutil
snapshot
activate instance ntds
create
quit
quit

So now that you have a snapshot of AD, how do you access the data? First we need to mount the
snapshot using ntdsutil. The commands are:
ntdsutil
snapshot
list all
mount 1 -- (Note: You should mount the correct snapshot you need; for this example there is only 1.)
quit
quit

Your snapshot is mounted, but how do you access the data? We need to use the dsamain command to
accomplish this, and select an LDAP port for it to listen on. The command is as follows:
dsamain -dbpath c:\$SNAP_200905141444_VOLUMEC$\WINDOWS\NTDS\ntds.dit -ldapport 10001
The result should look like this:

Now we need to go to Start, Administrative Tools, then Active Directory Users and Computers.
Right click Active Directory Users and Computers and select Change Domain Controller.

In the area that says < Type a Directory Server name [:port] here > enter the name of your server
and the LDAP port you used when running the dsamain command. For my example it would
be: WIN-V22UWGW0LU8.HOME.LOCAL:10001

Now you can browse the snapshot of Active Directory without affecting anything else negatively.

3.14 Implementing Local and Domain Security policies


Security is a primary concern for all Windows administrators. Windows Server 2008 R2 includes
numerous settings that affect the services that are running, the ports that are open, the network packets
that are allowed into or out of the system, the rights and permissions of users, and the activities that are
audited. You can manage an enormous number of settings, and, unfortunately, there is no magic formula
that applies the perfect security configuration to a server. The appropriate security configuration for a
server depends on the roles that server plays, the mix of operating systems in the environment, and the
security policies of the organization, which themselves depend on compliance regulations enforced from
outside the organization.
Therefore, you must work to determine and configure the security settings that are required for servers in
your organization, and you must be prepared to manage those settings in a way that centralizes and
optimizes security configuration. Windows Server 2008 R2 provides several mechanisms with which to
configure security settings on one or more systems. In this lesson, you discover these mechanisms and
their interactions.
1. What Is Security Policy Management?
Security policy management involves designing, deploying, managing, analyzing, and revising security
settings for one or more configurations of Windows systems. There are likely to be several system
configurations in a typical enterprise: desktops and laptops, servers, and domain controllers. Most
enterprises define even more configurations, for example by delineating various types or roles of
servers.
The first words are important: Security Policy. Before you even touch the technology, you need to
understand what your enterprise security policy requires; if you do not yet have a written security policy,
begin by creating one. After you know where you are heading, you are ready to start the journey.
Your security policy, and the requirements it contains, probably require multiple customizations to the
default, out-of-box security configuration of Windows client and server operating systems. To manage
security configuration, you need to:

- Create a security policy for a new application or server role not included in Server Manager.
- Use security policy management tools to apply security policy settings that are unique to your
  environment.
- Analyze server security settings to ensure that the security policy applied to a server is
  appropriate for the server role.
- Update a server security policy when the server configuration is modified.

This lesson covers the tools, concepts, and processes required to perform these tasks. The tools used in
this lesson include:

- Local Group Policy
- Security Configuration Wizard
- Security Templates snap-in
- Security Configuration And Analysis snap-in
- Domain Group Policy

2. Configuring the Local Security Policy


Each server running Windows Server 2008 R2 maintains a collection of security settings that can be
managed by using the local GPO. You can configure the local GPO by using the Group Policy Object
Editor snap-in or the Local Security Policy console. The available policy setting categories are shown in
Figure 1.

Figure 1. The security settings available in the local GPO


This lesson focuses on the mechanisms with which to configure and manage security settings, rather than
on the details of the settings themselves. Many of the settings, including account policies, audit policy,
and user rights assignment, are discussed elsewhere in this training kit.
Because domain controllers (DCs) do not have local user accounts (only domain accounts), the policies in
the Account Policies container of the local GPO on DCs cannot be configured. Instead, account policies
for the domain should be configured as part of a domain-linked GPO such as the Default Domain Policy
GPO.
The settings found in the local Security Settings policies are a subset of the policies that can be
configured using domain-based Group Policy, shown in Figure 2. The Default Domain Controllers Policy
GPO is created when the first domain controller is promoted for a new domain. It is linked to the Domain
Controllers OU and should be used to manage baseline security settings for all DCs in the domain so that
DCs are consistently configured.

Figure 2. Security settings in a domain-based GPO


3. Managing Security Configuration with Security Templates
The second mechanism for managing security configuration is the security template. A security template
is a collection of configuration settings stored as a text file with the .inf extension. As you can see in
Figure 3, a security template contains settings that are a subset of the settings available in a domain-based GPO but a somewhat different subset than those managed by the local GPO. The tools used to
manage security templates present settings in an interface that allows you to save your security
configurations as files and deploy them when and where they are needed. You can also use a security
template to analyze the compliance of a computer's current configuration against the desired
configuration.

Figure 3. Security settings in a security template


Storing security configuration in security templates offers several advantages. For example, because the
templates are plaintext files, you can work with them manually as with any text file, cutting and pasting
sections as needed. Further, templates make it easy to store security configurations of various types so
that you can easily apply different levels of security to computers performing different roles.
Security templates allow you to configure any of the following types of policies and settings:

- Account Policies: Specify password restrictions, account lockout policies, and Kerberos policies.
- Local Policies: Configure audit policies, user rights assignments, and security options policies.
- Event Log Policies: Configure maximum event log sizes and rollover policies.
- Restricted Groups: Specify the users permitted to be members of specific groups.
- System Services: Specify the startup types and permissions for system services.
- Registry Permissions: Set access control permissions for specific registry keys.
- File System Permissions: Specify access control permissions for NTFS files and folders.

You can deploy security templates in a variety of ways: by using Active Directory Group Policy Objects,
the Security Configuration And Analysis snap-in, or Secedit.exe. When you associate a security template
with an Active Directory Group Policy object, the settings in the template become part of the GPO. You
can also apply a security template directly to a computer, in which case the settings in the template
become part of the computer's local policies. This lesson discusses each of these options. Remember to
test security changes before deploying them in a production environment.
Using the Security Templates Snap-in
To work with security templates, you use the Security Templates snap-in. Windows Server 2008 R2 does
not include a console with the Security Templates snap-in, so you have to create one yourself using the
MMC Add/Remove Snap-in menu command. The snap-in creates a folder called Security and a subfolder
called Templates in your Documents folder, and the resulting Documents\Security\Templates folder
becomes the template search path, where you can store one or more security templates.
To create a new security template, right-click the node that represents your template search path
(C:\Users\Administrator\Documents\Security\Templates, for example) and then click New Template.
Settings are configured in the template in the same way that settings are configured in a GPO. The
Security Templates snap-in configures settings in a security template. It is just an editor; it does not play
any role in actually applying those settings to a system. Configure security settings in a template by using
the Security Templates snap-in. Although the template itself is a text file, the syntax can be confusing.
Using the snap-in ensures that settings are changed using the proper syntax.
The exception to this rule is adding registry settings that are not already listed in the Local
Policies\Security Options portion of the template. As new security settings become known, if they can be
configured using a registry key, you can add them to a security template. To do so, you add them to the
Registry Values section of the template.

Note
SAVE YOUR SETTINGS
Be sure to save your changes to a security template by right-clicking the template and clicking Save.
When you install a server or promote it to a domain controller, a default security template is applied by
Windows. You can find that template in the %SystemRoot%\Security\Templates folder. On a domain
controller, the template is called DC security.inf. You should not modify this template directly, but you can
copy it to your template search path and modify the copy.
Note
SECURITY TEMPLATES IN DIFFERENT VERSIONS OF WINDOWS
In previous versions of Windows, several security templates were available to modify and apply to a
computer. The role-based configuration of Windows Server 2008 and later and the improved Security
Configuration Manager have made these templates unnecessary.
Deploying Security Templates by Using Group Policy Objects
Creating and modifying security templates does not improve security until you apply those templates. To
configure several computers in a single operation, you can import a security template into the Group
Policy Object for a domain, site, or organizational unit object in Active Directory.
To import a security template into a GPO, right-click the Security Settings node and click Import Policy. In
the Import Policy From dialog box, if you select the Clear This Database Before Importing check box, all
security settings in the GPO will be erased prior to importing the template settings, so the GPO's security
settings will match the template's settings.
If you leave the Clear This Database Before Importing check box cleared, the GPO's security policy
settings will remain and the template's settings will be imported. Any settings defined in the GPO that are
also defined in the template will be replaced with the template's setting.
Security Configuration And Analysis Tool
You can use the Security Configuration And Analysis snap-in to apply a security template to a computer
interactively. The snap-in also provides the ability to analyze the current system security configuration and
compare it to a baseline saved as a security template. This helps you quickly determine whether
someone has changed a computer's security settings and whether the system conforms to your
organization's security policies.
As with the Security Templates snap-in, Windows Server 2008 R2 does not include a console with the
Security Configuration And Analysis snap-in, so you must add the snap-in to a console yourself.
To use the Security Configuration And Analysis snap-in, you must first create a database that will contain
a collection of security settings. The database is the interface between the actual security settings on the
computer and the settings stored in your security templates.
To create a database (or open an existing one), right-click the Security Configuration And Analysis node in
the console tree. You can then import one or more security templates. If you import more than one
template, you must decide whether to clear the database. If the database is cleared, only the settings in
the new template will be part of the database. If the database is not cleared, additional template settings
that are defined will override settings from previously imported templates. If settings in newly imported
templates are not defined, the settings in the database from previously imported templates will remain.
To summarize, the Security Configuration And Analysis snap-in creates a database of security settings
composed of imported security template settings. The settings in the database can be applied to the
computer or used to analyze the computer's compliance and discrepancies with the desired state.
Warning
IMPORTANT: DATABASE SETTINGS VS. THE COMPUTER'S SETTINGS
Settings in a database do not modify the computer's settings or the settings in a template until that
database is either used to configure the computer or exported to a template.
Applying Database Settings to a Computer
After you have imported one or more templates to create the database, you can apply the database
settings to the computer.
To apply a database, right-click Security Configuration And Analysis and click Configure Computer Now.
You are prompted for a path to an error log that will be generated during the application of settings. After
applying the settings, examine the error log for any problems.
Analyzing the Security Configuration of a Computer
Before applying the database settings to a computer, you might want to analyze the computer's current
configuration to identify discrepancies.
To analyze the security configuration of a computer, right-click Security Configuration And Analysis and
click Analyze Computer Now. The system prompts you for the location of its error log file and then
proceeds to compare the computer's current settings to the settings in the database. After the analysis is
complete, the console produces a report such as the one shown in Figure 4.

Figure 4. The Security Configuration And Analysis snap-in displays an analysis of the computer's
configuration.
Unlike the display of policy settings in the Group Policy Management Editor, Group Policy Object Editor,
Local Security Policy, or Security Templates snap-ins, the report shows for each policy the setting defined
in the database (which was derived from the templates you imported) and the computer's current setting.
The two settings are compared, and the comparison result is displayed as a flag on the policy name. For
example, in Figure 4, the Allow Log On Locally policy setting shows a discrepancy between the database
setting and the computer setting. The meanings of the flags are as follows:

- X in a red circle: Indicates that the policy is defined both in the database and on the computer but
  that the configured values do not match.
- Green check mark in a white circle: Indicates that the policy is defined both in the database and
  on the computer and that the configured values do match.
- Question mark in a white circle: Indicates that the policy is not defined in the database and,
  therefore, was not analyzed, or that the user running the analysis did not have the permissions
  needed to access the policy on the computer.
- Exclamation point in a white circle: Indicates that the policy is defined in the database but does
  not exist on the computer.
- No flag: Indicates that the policy is not defined in the database or on the computer.

Correcting Security Setting Discrepancies


As you examine the elements of the database and compare its settings with those of the computer, you
might find discrepancies and want to make changes to the computer's configuration or to the database to
bring the two settings into alignment. You can double-click any policy setting to display its Properties
dialog box and modify its value in the database.
Caution
APPLYING OR EXPORTING DATABASE CHANGES
Modifying a policy value in the Security Configuration And Analysis snap-in changes the database value
only, not the actual computer setting. For the changes you make to take effect on the computer, you must
either apply the database settings to the computer by using the Configure Computer Now menu
command or export the database to a new template and apply it to the computer, using a GPO or the
Secedit.exe command .
Alternately, you can modify the computer's security settings directly by using the Local Security Policy
console, by modifying the appropriate Group Policy object, or by manually manipulating file system or
registry permissions. After making such changes, return to the Security Configuration And Analysis snap-in
and click the Analyze Computer Now command to refresh the comparison of the database and the
computer's settings.
Creating a Security Template
You can create a new security template from the database. To do so, right-click Security Configuration
And Analysis and click Export Template. The template contains the settings in the database that have
been imported from one or more security templates and that you have modified to reflect the current
settings of the analyzed computer.
Warning
IMPORTANT EXPORTING THE DATABASE TO A TEMPLATE
The Export Template feature creates a new template from the current database settings at the time that
you execute the command, not from the computer's current settings.
Secedit.exe
Secedit.exe is a command-line utility that can perform the same functions as the Security Configuration
And Analysis snap-in. The advantage of Secedit.exe is that you can call it from scripts and batch files,
which allows you to automate your security template deployments. Another big advantage of Secedit.exe
is that you can use it to apply only part of a security template to a computer, something you cannot do
with the Security Configuration And Analysis snap-in or Group Policy Objects. For example, if you want to
apply the file system permissions from a template but leave all the other settings alone, Secedit.exe is
the only way to do so.
To use Secedit.exe, you run the program from Command Prompt with one of the following six main
parameters, plus additional parameters for each function:

- /Configure: Applies all or part of a security database to the local computer. You can also configure
  the program to import a security template into the specified database before applying the
  database settings to the computer.
- /Analyze: Compares the computer's current security settings with those in a security database.
  You can configure the program to import a security template into the database before performing
  the analysis. The program stores the results of the analysis in the database itself, which you can
  view later, using the Security Configuration And Analysis snap-in.
- /Import: Imports all or part of a security template into a specific security database.
- /Export: Exports all or part of the settings from a security database to a new security template.
- /Validate: Verifies that a security template is using the correct internal syntax.
- /Generaterollback: Creates a security template that you can use to restore a system to its original
  configuration after applying another template.

For example, to configure the machine by using a template called BaselineSecurity, use the following
command:
secedit /configure /db BaselineSecurity.sdb /cfg BaselineSecurity.inf /log BaselineSecurity.log
To create a rollback template for the BaselineSecurity template, use the following command:
secedit /generaterollback /cfg BaselineSecurity.inf /rbk BaselineSecurityRollback.inf /log BaselineSecurityRollback.log
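The following PowerShell script is an added example and is not part of the training kit. It ties together the template syntax from the Security Templates section, the analyze-then-configure workflow of the Security Configuration And Analysis snap-in, and the Secedit.exe commands shown above: it writes a constructed baseline template, validates it, analyzes the local computer against it, and applies only selected areas after first generating a rollback template. The template values, the file names, and the assumption that the analysis log marks differing settings with the word Mismatch are mine, not the training kit's; check them on your build before relying on the drift report.

```powershell
# Added example (not code from the training kit): wrap Secedit.exe in a few
# PowerShell functions that build a baseline template, validate it, analyze
# the local computer against it and apply only selected areas.
# Assumptions: the file names, the constructed baseline values, and that the
# secedit analysis log marks differing settings with the word "Mismatch".
# Run from an elevated PowerShell prompt on Windows Server 2008 R2.

$TemplateDir = Join-Path $env:USERPROFILE 'Documents\Security\Templates'  # the snap-in's search path
$Template    = Join-Path $TemplateDir 'BaselineSecurity.inf'
$Database    = Join-Path $TemplateDir 'BaselineSecurity.sdb'
$Log         = Join-Path $TemplateDir 'BaselineSecurity.log'
$Rollback    = Join-Path $TemplateDir 'BaselineSecurityRollback.inf'

function New-BaselineTemplate {
    # Writes a constructed baseline. Section and key names are the ones the
    # Security Templates snap-in itself produces; the values are sample
    # settings, not a recommendation for any particular server role.
    # Registry Values use the form Path=Type,Data (type 4 = REG_DWORD, 1 = REG_SZ).
    New-Item -ItemType Directory -Path $TemplateDir -Force | Out-Null
    $inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@
    # The [Unicode] section promises a Unicode file, so write it that way.
    Set-Content -Path $Template -Value $inf -Encoding Unicode
    # Syntax check before the template touches any database or computer
    # (assumption: a non-zero exit code means the template is malformed).
    secedit /validate $Template
    if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $Template" }
}

function Test-BaselineCompliance {
    # Analyze only: nothing on the computer changes. A fresh database and log
    # keep settings and results from earlier runs from masking this one.
    Remove-Item $Database, $Log -ErrorAction SilentlyContinue
    secedit /analyze /db $Database /cfg $Template /log $Log /quiet
    # Return the differing settings so a script can alert or fail on drift.
    Get-Content $Log | Where-Object { $_ -match 'Mismatch' } | ForEach-Object { $_.Trim() }
}

function Invoke-BaselineConfigure {
    param([string[]] $Areas = @('SECURITYPOLICY', 'USER_RIGHTS'))
    # Capture a rollback template first, then apply only the requested areas.
    # Valid area names: SECURITYPOLICY, GROUP_MGMT, USER_RIGHTS, REGKEYS,
    # FILESTORE, SERVICES. Group Policy cannot apply a template partially.
    secedit /generaterollback /cfg $Template /rbk $Rollback /log $Log
    secedit /configure /db $Database /cfg $Template /overwrite /areas $Areas /log $Log /quiet
    # To undo:  secedit /configure /db $Database /cfg $Rollback /log $Log
}

New-BaselineTemplate
$drift = @(Test-BaselineCompliance)
if ($drift.Count -eq 0) { 'Computer matches the baseline.' } else { $drift }
# Invoke-BaselineConfigure    # uncomment once the drift report has been reviewed
```

Because domain controllers take account policies from the domain-linked GPO, the [System Access] values in this template analyze and apply meaningfully only on member servers; on a DC, compare those values against the Default Domain Policy GPO instead. The other sections (audit policy, user rights, registry values) work the same way on both.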

3.15 Explain briefly about Group policy Architecture

3.16 Implementing Group Policy: Configuring User environment by using Group policy

3.16 Deploying software through Group Policy


Imagine for a minute that your boss came in one day, gave you a Foxit DVD and
said that everyone in your organization needs to get the PDF software that's on this
DVD installed today.

You think, well that's great but are you sure you want all 500 people to get the software today?
That's almost impossible, isn't it? There isn't enough time for you to walk around with the DVD
and install it 500 times.
Sure there is! But you won't be walking around with the DVD in your hand, that's for sure.
The solution I'm going to show you today is quite simple, and much less time-consuming.
You are going to copy that software on a Shared Folder on your network. Then, you're going to
create a Group Policy Object, aka GPO, (aren't you happy you installed Active Directory?) that
will take that software and install it on everyone's machines.
Easy, huh? Of course it is and it is not going to take you days, I promise.
What You Need Before Installing Software Using GPOs

There are 3 things you will need in order to have a successful Software Installation GPO:
1. The most important thing you will need is a Microsoft installer file, called .msi
-- you cannot use the .exe file that is on the DVD.

You will need to get a packaging utility to turn that .exe file into an .msi file. Many of them are
available for instant download from the internet.
There are a few that will cost money but there are also free downloads. Here is an example from
each:

MSI Studio (30 day free trial):

http://www.scriptlogic.com/products/msi-studio/

EXE-to-MSI: http://juice.altiris.com/download/1355/exe-to-msi

2. The second thing you will need to create is a Shared Folder on your network for the software
to live in. You need to make sure that every computer has at least "read" access to that folder and
its contents.
3. And the last thing you will need is the new Group Policy Object linked to the appropriate
Organization Unit.
How to Install Software Using GPOs

Assuming that you already have the .msi file ready, let's start with creating a shared folder on our
network.
1. Browse to the location on your network, right-click and select New, then Folder.

2. Name the folder -- in this example we are going to call it "Software".


3. Select that folder and then click on the Share button on the menu toolbar.

4. Like I mentioned above, every machine needs to have at least read access to this folder. To do
this type in Everyone and hit enter, or click on the Add button.

5. Make sure the Permission Level says Reader and then click the Share button.

6. Remember or write down the location of this shared folder. In our example the location is
\\NY-MEM1-2K8\Software

7. Double click on the Shared Folder you just created and once again perform the steps to create
a new folder.
This time name the folder with a name specific to the software you are about to install. We are
going to call it "Foxit".

8. Double click on the new folder ("Foxit") and copy and paste the .msi file for the software you
want to install. Our .msi is called FoxitReader23.

9. Now it is time to switch to your domain controller.


We are going to switch to our DC1 server. Once there, go ahead and open up Server Manager.

10. Now you need to point to the Organizational Unit where the new Group Policy Object will
reside.
To start off, go ahead and expand Features, then Group Policy Management, and then your
Forest. In our example it is the Globomantics.com forest.
11. Then expand Domains and then the domain in which you want to create the GPO.
12. Once you are in the correct domain, expand the Organizational Unit. In our example, we are
expanding NewYorkOU.
13. Since we want the software to be installed on every single computer, we are going to create
the Group Policy Object in our NYComputers Organization Unit.
Go ahead and click on that OU.

14. To create a new GPO, right-click on the appropriate Organization Unit and select Create a
GPO in this domain, and Link it here...

15. Name your new GPO and hit OK.

16. To make sure the new GPO was created, go ahead and expand the Group Policy Objects.
You should see your GPO listed there. That GPO is now being linked to our NYComputers OU.

17. Select and then right click on the GPO under the Organization Unit. Then select Edit.

18. That should open a Group Policy Management Editor.


19. Go ahead and expand Computer Configuration, then Policies, and then Software Settings.
20. Next click on and select Software Installation.

21. Right click on the right side of the Software Installation, select New and then click on
Package.

22. Browse to the location where your software .msi file exists.
In our example it is \\NY-MEM1-2K8\Software\Foxit. Once you have located it, double
click on the file or select it and then click on the Open button.

23. Select Assigned and click OK.

Testing

Before you actually go and test this on one of your client machines, do not forget to run a GPO
Update. To do so, open up your command prompt on your Domain Controller and type in
gpupdate /force.

Once the update has run through, you can go to one of your clients and restart the machine. Keep in
mind that in order for the software to be installed on a computer, you will need to do a hard
reboot.
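As an added example that is not part of the walkthrough, the preparation steps above can be scripted in PowerShell, split by the machine each part runs on. Server, share, folder, package, forest, and OU names are the walkthrough's own; the local path behind the share, the GPO name, and the OU distinguished name are assumptions.

```powershell
# Added example (not code from the walkthrough): script the share, the GPO
# and the link, and confirm the result on a client.
# Assumptions: C:\Software as the local path behind \\NY-MEM1-2K8\Software,
# the GPO name, and the distinguished name of the NYComputers OU.
# Requires an elevated prompt; the GroupPolicy module ships with Windows
# Server 2008 R2 when the Group Policy Management feature is installed.

$ShareRoot  = 'C:\Software'                                          # assumed
$PackageUnc = '\\NY-MEM1-2K8\Software\Foxit\FoxitReader23.msi'
$TargetOu   = 'OU=NYComputers,OU=NewYorkOU,DC=Globomantics,DC=com'   # assumed DN
$GpoName    = 'Deploy Foxit Reader'                                  # assumed

function Initialize-PackageShare {
    # Run on NY-MEM1-2K8 (steps 1 to 8). Computers fetch the package at startup
    # under their machine account, so NTFS and share permissions must both
    # allow read. The walkthrough grants Everyone Reader; "Domain Computers"
    # is a tighter grant when the share holds nothing but deployment packages.
    New-Item -ItemType Directory -Path (Join-Path $ShareRoot 'Foxit') -Force | Out-Null
    icacls $ShareRoot /grant 'Everyone:(OI)(CI)RX' | Out-Null
    # The comma must be quoted, or PowerShell splits the argument into an array.
    net share "Software=$ShareRoot" '/GRANT:Everyone,READ'
    # Copy FoxitReader23.msi into C:\Software\Foxit before continuing.
}

function Test-PackagePath {
    # Run on the DC before creating the GPO: Software Installation needs an
    # .msi that is reachable over the network, not the setup .exe from the DVD.
    if ([IO.Path]::GetExtension($PackageUnc) -ne '.msi') {
        throw "Not a Windows Installer package: $PackageUnc"
    }
    if (-not (Test-Path $PackageUnc)) {
        throw "Package not reachable over the network: $PackageUnc"
    }
    $true
}

function New-DeploymentGpo {
    # Run on DC1 (steps 9 to 16). Creates the GPO and links it to the OU.
    # The Software Installation package itself (steps 17 to 23) still has to
    # be added in the Group Policy Management Editor; no cmdlet does that.
    Import-Module GroupPolicy
    $gpo = New-GPO -Name $GpoName -Comment "Assigned package: $PackageUnc"
    New-GPLink -Name $gpo.DisplayName -Target $TargetOu -LinkEnabled Yes | Out-Null
    # A saved report documents what was deployed, where, and when.
    Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")
    $gpo
}

function Test-PackageInstalled {
    # Run on a client after the reboot. gpresult shows whether the GPO was
    # applied at all; the Uninstall key confirms the package actually installed.
    gpresult /r /scope computer | Select-String $GpoName
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'Foxit*' } |
        Select-Object DisplayName, DisplayVersion
}
```

Run Initialize-PackageShare on the file server, then Test-PackagePath and New-DeploymentGpo on the domain controller, and finish the package assignment in the Group Policy Management Editor as in steps 17 to 23. After the client's reboot, Test-PackageInstalled tells you whether the GPO reached the machine and whether the .msi was installed, which is the check you want before rolling the link out to a larger OU.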
