Windows Server 2008 Bible

Shapiro
ffirs.tex
V2 - 06/13/2008
Jeffrey R. Shapiro
Wiley Publishing, Inc.
Windows Server® 2008 Bible
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-17069-4
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted
under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600.
Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing,
Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at
http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or
warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained
herein may not be suitable for every situation. This work is sold with the understanding that the publisher
is not engaged in rendering legal, accounting, or other professional services. If professional assistance is
required, the services of a competent professional person should be sought. Neither the publisher nor the
author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to
in this work as a citation and/or a potential source of further information does not mean that the author
or the publisher endorses the information the organization or Website may provide or recommendations it
may make. Further, readers should be aware that Internet Websites listed in this work may have changed
or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact
our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or
fax (317) 572-4002.
Library of Congress Cataloging-in-Publication Data is available from the publisher.
Trademarks: Wiley, the Wiley logo, and related trade dress are trademarks or registered trademarks of
John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be
used without written permission. All other trademarks are the property of their respective owners. Wiley
Publishing, Inc., is not associated with any product or vendor mentioned in this book.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may
not be available in electronic books.
About the Author
Jeffrey R. Shapiro (Orlando and Miami, Florida) has worked in Information Technology for
nearly 20 years. He has published more than 18 books on IT, network administration, and
software development, and has written for numerous publications over the years. He also
regularly speaks at events, and frequently participates in training courses on Microsoft systems.
In 2003, he was selected to lead Broward County’s NetWare to Windows Server 2003 migration
project. Over the course of many years, Jeffrey authored several newsletters, which included
the Java Developers newsletter for Network News magazine, Online Business Today (Home Page
Press), and was a contributor to Server Pipeline newsletter. He was also a contributor to Computer
Telephony Magazine for several years.
Jeffrey has specialized in Microsoft technologies since 1989. From 1992 to 1998 he was CTO
for a leading software development company specializing in telephony solutions for business
and was credited with developing one of the first Windows LAN-based computer telephony
platforms.
In early 2003 he was selected to lead Broward County’s (Florida) NetWare to Windows Server
2003 migration project. The mandate was to replace NDS with Active Directory to support more
than 80 agencies and to architect three mission-critical high-performance data centers supporting about 6,000 users serving one of the largest population centers in the USA. One of his key
missions for Broward County was to consolidate from hundreds of NetWare Servers to about
50 high-performance Windows Server 2003 Servers. He was also tasked to architect the county’s
SQL Server 2003 data tier comprising multiple data centers.
He is a highly effective engineer with a distinguished career leading all facets of software
development, systems implementation, migration, analysis, network administration, systems
architecture and design, deployment, and support. He has consulted for a large number of
corporations of various sizes from small insurance agencies and motels to the likes of IBM,
Disney, Gartner, ProSource, AmeriServe, Sun International, Microsoft, Old Mutual, Universal
Property, KLM Airlines, Philips, State of Idaho, and more.
Besides various ongoing consulting projects, Jeffrey has his hands full authoring a number of
highly specific deployment, operations and maintenance manuals, reports, and training material
covering Microsoft infrastructure and software engineering technologies. He can be contacted at
his company, Jacaranda Communications, Inc. at www.misiq.com.
Credits
Acquisitions Editor
Katie Mohr
Production Manager
Tim Tate
Senior Development Editor
Tom Dinse
Vice President and Executive Group Publisher
Richard Swadley
Technical Editors
Doug Holland, Andrew Edney
Production Editor
Angela Smith
Vice President and Executive Publisher
Joseph B. Wikert
Project Coordinator, Cover
Lynsey Stanford
Copy Editor
Kim Cofer
Proofreader
Publication Services, Inc.
Editorial Manager
Mary Beth Wakefield
Indexer
Jack Lewis
Acknowledgments
God knows how hard writing a book is . . . and then to get it published. I am thankful for the
team that has helped me bring this baby into the world.
I would first like to thank my agent, Carole McClendon, for her effort over the past few years
in bringing me together with the team at Wiley Publishing. Special honors also go to the Wiley
Publishing editorial team. In particular, I would like to “flag” my development editor, Tom
Dinse, who did an outstanding job of bringing together the pieces of the puzzle.
The technical editor “Oscar” goes to Doug Holland and Andrew Edney, not only for reading
my lines, but for reading in between them as well. In addition, I would no doubt have gotten
no farther than this acknowledgments page without the expert cyber-pencil of copy editor Kim
Cofer.
For every hour spent writing these words, at least ten were spent testing and toying with Windows Server 2008. How do you get this far? Simple — you gather around you a team of dedicated professionals who help you build a killer lab and then help you test everything from the
logon screen to the shutdown command.
The “home” team always gets the last mention, but without their support, input, and love, the
soul in this work would not have taken flight. Special thanks to Kim and Kevin Shapiro.
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Part I Windows Server 2008, Core, Configuration, Networking, and Communication Services
Chapter 1: Installing Windows Server 2008 ....................................................................................3
Chapter 2: Configuring Windows Server 2008 ..............................................................................37
Chapter 3: Networking Windows Server 2008 ..............................................................................97
Chapter 4: DHCP ..........................................................................................................................149
Chapter 5: Windows Name Services ............................................................................................177
Chapter 6: Routing and Remote Access ....................................................................................... 227
Chapter 7: Backup and Restore ....................................................................................................287
Chapter 8: Disaster Recovery ........................................................................................................323
Chapter 9: The Registry ................................................................................................................335
Chapter 10: Auditing Windows Server 2008 ...............................................................................351
Chapter 11: .NET Framework Services ........................................................................................361
Part II File, Print, and Storage Services
Chapter 12: Print Services ............................................................................................................ 371
Chapter 13: Storage Management .................................................................................................411
Chapter 14: Windows Server 2008 File Systems .........................................................................447
Chapter 15: Sharing and Securing Files and Folders .................................................................. 487
Part III Security and Active Directory
Chapter 16: Windows Server 2008 Security ................................................................................551
Chapter 17: Windows 2008 and Active Directory .......................................................................597
Chapter 18: Planning for Active Directory ...................................................................................633
Chapter 19: Organizing a Logical Domain Structure ...................................................................657
Chapter 20: Active Directory Physical Architecture .....................................................................697
Chapter 21: Active Directory Installation and Deployment .........................................................745
Chapter 22: Active Directory Management .................................................................................. 777
Part IV Change Control and Workplace Management
Chapter 23: Managing Users and Groups ....................................................................................809
Chapter 24: Change Control, Group Policy, and Workspace Management ............................... 859
Chapter 25: Service Level ............................................................................................................. 913
Index ..............................................................................................................................................939
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Part I Windows Server 2008, Core, Configuration, Networking, and Communication Services
Chapter 1: Installing Windows Server 2008 . . . . . . . . . . . . . . . . . 3
It’s All About the Core .........................................................................................................3
What Is Server Core? .................................................................................................... 4
Installation and Configuration Strategy ...........................................................................5
Getting psyched up about installing .............................................................................5
Server recipes .................................................................................................................6
Overview of Hardware .......................................................................................................10
Hardware compatibility ...............................................................................................10
Installing Windows Server 2008 ..................................................................................... 11
Partitioning hard-disk drives ...................................................................................... 12
Performing a Server Core install .................................................................................14
Performing an unattended Server Core install ............................................................14
Performing a basic install ............................................................................................15
Installing from the network ........................................................................................18
Roles, Features, and Applications ...................................................................................19
Standalone servers .......................................................................................................19
Member servers ...........................................................................................................20
Role servers ..................................................................................................................21
Windows Server 2008 as a domain controller ...........................................................23
Windows Server 2008 as a Communications Server and Microsoft Exchange .......27
Internet Information Services integration ...................................................................27
Active Directory integration ........................................................................................27
Distributed services .....................................................................................................28
Security ........................................................................................................................28
Single-seat and policy-based administration .............................................................. 28
SMTP message routing ................................................................................................28
Internet mail content ...................................................................................................29
System Monitoring Using Windows Management Instrumentation ..........................29
Windows Server 2008 for Database Services with SQL Server ................................. 30
Windows Server 2008 for IIS and ASP.NET ................................................................. 31
Windows Server 2008 for Application Services ............................................................31
Windows Server 2008 for Resolutions Services ............................................................33
DNS ............................................................................................................................. 33
DHCP ...........................................................................................................................34
WINS ........................................................................................................................... 34
Summary ..............................................................................................................................35
Chapter 2: Configuring Windows Server 2008 . . . . . . . . . . . . . . . 37
Using the Microsoft Management Console .....................................................................37
Understanding the function of the MMC ...................................................................37
Opening the MMC ......................................................................................................40
Using snap-ins .............................................................................................................41
Getting to know taskpads ...........................................................................................43
Other add-in tools .......................................................................................................45
Customizing MMC to suit your needs ....................................................................... 46
Control Panel versus MMC .........................................................................................47
Windows Firewall Changes for MMC Tools ..................................................................48
Getting to Know the MMC Tools .....................................................................................49
Certification Authority ................................................................................................ 49
Failover Cluster Management ..................................................................................... 49
Component Services ....................................................................................................50
Computer Management ...............................................................................................51
Event Viewer ............................................................................................................... 52
Reliability and Performance ........................................................................................52
Shared Folders .............................................................................................................52
Using Event Viewer .....................................................................................................64
Server extensions .........................................................................................................70
Using the Security Configuration Wizard ......................................................................70
Working with Data Sources (ODBC) ..............................................................................75
Defining DSNs .............................................................................................................76
Viewing driver information .........................................................................................80
Tracing .........................................................................................................................80
Connection Pooling .....................................................................................................81
Understanding Control Panel Applets ............................................................................81
Ease of Access applet .................................................................................................. 81
Add Hardware applet ..................................................................................................81
Default Programs applet ..............................................................................................82
Administrative Tools applet ........................................................................................83
Windows Update .........................................................................................................83
Date and Time applet ..................................................................................................83
Display object . . . Personalization ............................................................................. 85
Folder Options applet .................................................................................................85
Internet Options applet ...............................................................................................85
Network and Sharing Center applet ...........................................................................86
Power Options applet ..................................................................................................86
Printers Control Panel applet ......................................................................................86
System applet .............................................................................................................. 87
Windows PowerShell .........................................................................................................94
Summary ..............................................................................................................................95
Chapter 3: Networking Windows Server 2008 . . . . . . . . . . . . . . . 97
TCP/IP on Windows Server 2008 ....................................................................................97
TCP/IP Basics (IPv4) ......................................................................................................... 98
IP addressing ...............................................................................................................99
Subnetting ..................................................................................................................101
Classless Interdomain Routing notation ...................................................................103
Obtaining IP addresses ..............................................................................................104
Gateways and routing ............................................................................................... 104
Dynamic Host Configuration Protocol (DHCP) .......................................................106
Domains and name resolution ..................................................................................106
Preparing for installation ...........................................................................................108
Setting Up TCP/IP ............................................................................................................108
Configuring TCP/IP ...................................................................................................109
Understanding and Using IPv6 ......................................................................................115
IPv6 terms and concepts ...........................................................................................115
Using IPv6 in Windows Server 2008 .......................................................................119
Troubleshooting TCP/IP ..................................................................................................122
Common troubleshooting concepts ..........................................................................122
ping ............................................................................................................................123
ipconfig ......................................................................................................................126
netstat ........................................................................................................................ 126
hostname ................................................................................................................... 128
tracert .........................................................................................................................129
arp ..............................................................................................................................130
route .......................................................................................................................... 131
nbtstat ........................................................................................................................132
Legacy protocols ........................................................................................................133
NetBEUI .....................................................................................................................133
IPX/SPX ......................................................................................................................134
DLC ............................................................................................................................134
SNMP ..................................................................................................................................135
Understanding how SNMP works ............................................................................135
Installing and configuring SNMP ..............................................................................136
Windows Firewall Configuration and Management .................................................. 140
Overview of Windows Firewall changes ..................................................................140
Configuring Windows Firewall .................................................................................141
Managing Windows Firewall with Group Policy .....................................................145
Managing Windows Firewall from a console ...........................................................145
Windows Firewall with Advanced Security ............................................................. 146
Summary ............................................................................................................................147
Chapter 4: DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Overview of DHCP ...........................................................................................................149
The Windows Server DHCP Service ..............................................................................150
Support for dynamic DNS ........................................................................................150
Vendor and user classes ............................................................................................152
Multicast address allocation ......................................................................................152
Unauthorized DHCP server detection ......................................................................152
Automatic client configuration ................................................................................. 153
Monitoring and reporting ......................................................................................... 153
Installing and Configuring the DHCP Server ..............................................................153
Installing DHCP ........................................................................................................ 153
Using the DHCP console .......................................................................................... 154
Creating scopes ......................................................................................................... 154
Setting general scope options ................................................................................... 156
Configuring global DHCP options ............................................................................159
Creating reservations .................................................................................................159
Setting global scope properties .................................................................................160
Activating and deactivating a scope ..........................................................................161
Authorizing the server ...............................................................................................161
Defining and Implementing User and Vendor Classes ..............................................162
Vendor classes ...........................................................................................................162
User classes ................................................................................................................164
Configuring a client to use class IDs ........................................................................165
Creating and Using Superscopes ...................................................................................166
Creating a superscope ...............................................................................................167
Activating and deactivating a superscope .................................................................168
Removing scopes from a superscope ........................................................................168
Deleting superscopes .................................................................................................168
Creating Multicast Scopes .............................................................................................. 168
Configuring Global DHCP Server Properties .............................................................. 169
Managing the DHCP Database ...................................................................................... 172
Backing up and restoring the DHCP database .........................................................172
Moving the DHCP database to another server .........................................................173
Configuring Windows DHCP Clients ............................................................................174
Configuring DNS options for DHCP ........................................................................174
Network Access Protection .............................................................................................175
Summary ............................................................................................................................176
Chapter 5: Windows Name Services . . . . . . . . . . . . . . . . . . . 177
Overview of the Domain Name Service ........................................................................177
Understanding domain names ..................................................................................178
Today’s DNS system ..................................................................................................180
Resolvers, name servers, and forward lookup ..........................................................181
Domain records and zone files .................................................................................183
Reverse lookup ..........................................................................................................186
Delegation ..................................................................................................................188
Caching, forwarders, and slaves ............................................................................... 189
Recursion, iteration, and referrals .............................................................................190
Microsoft Domain Name Services ................................................................................. 192
Installing DNS ...........................................................................................................192
Overview of the DNS console ...................................................................................192
Creating forward-lookup zones ................................................................................ 193
Creating reverse-lookup zones ..................................................................................194
Creating resource records .........................................................................................194
Configuring zone properties .....................................................................................197
Managing DNS Server Options and Behavior .............................................................200
Configuring multiple addresses on a DNS server ....................................................200
Using a forwarder ......................................................................................................200
Configuring advanced settings ..................................................................................201
Setting root hints .......................................................................................................203
Configuring logging ...................................................................................................204
Monitoring and testing ..............................................................................................205
Applying security ...................................................................................................... 206
Managing the server and cache ................................................................................ 207
Configuring Subdomains and Delegation .................................................................... 207
Setting up subdomains ..............................................................................................208
Delegating a subdomain ............................................................................................208
DNS and Active Directory .............................................................................................. 209
Dynamic DNS ................................................................................................................... 210
Configuring DDNS ....................................................................................................210
Configuring scavenging .............................................................................................211
Windows Internet Name Service (WINS) ....................................................................213
How WINS Works ........................................................................................................... 214
WINS registration ......................................................................................................215
Mapping renewal .......................................................................................................216
WINS Forever ................................................................................................................... 216
Persistent connections ...............................................................................................217
Manual tombstoning ................................................................................................. 217
WINS Installation and Configuration ..........................................................................218
Installing WINS .........................................................................................................218
Configuring WINS .................................................................................................... 218
Configuring Windows Clients for DNS and WINS ....................................................220
Using Hosts and LMHOSTS Files for Name Resolution ............................................223
Using a Hosts file for name resolution .....................................................................224
Using the LMHOSTS file for name resolution .........................................................224
Summary ............................................................................................................................226
Chapter 6: Routing and Remote Access . . . . . . . . . . . . . . . . . . 227
Windows Server 2008 RAS and Telephony Services ................................................. 227
Overview of Windows Server 2008 RRAS ............................................................... 228
New features of Windows Server 2008 RRAS ..........................................................230
The Routing and Remote Access management console ...........................................232
RAS Connection Types and Protocols ..........................................................................233
Point-to-Point Protocol ............................................................................................. 233
Point-to-Point Multilink Protocol and BAP ..............................................................233
Point-to-Point Tunneling Protocol ............................................................................234
Layer Two Tunneling Protocol .................................................................................235
Transport protocols ...................................................................................................235
Enabling and Configuring RRAS ................................................................................... 235
IP Routing ..........................................................................................................................236
IP routing overview ...................................................................................................236
Routing with RRAS ....................................................................................................239
Configuring a basic router ........................................................................................240
Dynamic routing ....................................................................................................... 245
Adding and configuring RIP .....................................................................................245
DHCP relay agent ......................................................................................................248
IGMP — multicast forwarding ................................................................................. 250
Network address translation .....................................................................................252
Configuring NAT .......................................................................................................253
Configuring Services and Ports ......................................................................................255
Configuring RAS for Inbound Connections .................................................................257
Enabling RRAS .......................................................................................................... 257
Configuring modems and ports ................................................................................259
Configuring protocols ...............................................................................................260
Configuring authentication .......................................................................................263
Disabling routing (Remote Access Server only) .......................................................268
RRAS logging and accounting ...................................................................................268
Configuring a VPN Server ...............................................................................................270
Configuring VPN ports ............................................................................................. 271
Enabling L2TP for VPN ............................................................................................ 272
Using Multilink and BAP ................................................................................................273
Policy Server ..................................................................................................................... 274
Creating a new policy ...............................................................................................275
Prioritizing policies ....................................................................................................278
Using RADIUS .................................................................................................................. 279
Configuring RADIUS .................................................................................................280
Configuring accounting .............................................................................................280
Configuring Outgoing Dial-Up Networking Connections ..........................................280
Creating a connection ...............................................................................................281
Configuring connection properties ...........................................................................281
Configuring dial-up networking to connect to the Internet ....................................284
Summary ............................................................................................................................285
Chapter 7: Backup and Restore . . . . . . . . . . . . . . . . . . . . . . 287
Why Back Up Data? ........................................................................................................ 288
What to Back Up ............................................................................................................. 288
Understanding Backup ....................................................................................................289
Understanding archive bits .......................................................................................289
What is a backup? .................................................................................................... 289
What is a restore? .................................................................................................... 290
Understanding how a backup works ........................................................................291
Removable Storage and Media Pools ............................................................................291
The Removable Storage Service ................................................................................291
The Removable Storage database ..............................................................................293
Physical locations ......................................................................................................293
Media pools ...............................................................................................................295
Work Queue and Operator Requests .......................................................................297
Practicing scratch and save .......................................................................................298
Establishing Quality of Support Baselines for Data Backup/Restore .....................299
Establishing Quality of Capture ....................................................................................303
Best backup time of the day .....................................................................................304
Length of backup ......................................................................................................304
Backup of servers and workstations .........................................................................305
The open files dilemma .............................................................................................306
Backup Procedure ............................................................................................................309
Performing a Backup .......................................................................................................310
Creating a media pool ...............................................................................................310
Understanding rights and permissions .....................................................................310
Understanding source and destination .....................................................................312
Setting up schedules ................................................................................................. 313
Rotation Schemes .............................................................................................................313
Restoring Data ..................................................................................................................315
Tape Location ...................................................................................................................317
Backup Bandwidth .......................................................................................................... 317
Working with Shadow Copies ....................................................................................... 318
Summary ............................................................................................................................321
Chapter 8: Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . 323
Disaster Recovery Planning ............................................................................................323
Policy and protocol ...................................................................................................323
Documentation ..........................................................................................................324
Disaster recovery training and action planning ........................................................325
Identifying Resources ...................................................................................................... 326
Developing Response Plans ............................................................................................ 326
Testing Response Plans ...................................................................................................327
Mock Disaster Programs .................................................................................................328
Understanding fault tolerance ...................................................................................328
Identifying the Weak Links ............................................................................................330
Recovery from Backup .................................................................................................... 331
Recovery of base operating systems ..........................................................................331
Recovery of configuration .........................................................................................332
Mirrored Services, Data, and Hardware ...................................................................... 332
Recovery of Key Services .................................................................................................332
Active Directory .........................................................................................................332
DNS ........................................................................................................................... 333
Registry ......................................................................................................................333
Crash Analysis ..................................................................................................................333
Summary ............................................................................................................................334
Chapter 9: The Registry . . . . . . . . . . . . . . . . . . . . . . . . . . 335
The Purpose of the Registry ...........................................................................................335
The Registry Structure .................................................................................................... 337
Registry hive files ...................................................................................................... 340
Keys and values .........................................................................................................342
The Registry Editor ..........................................................................................................342
Regedit.exe .................................................................................................................343
Modifying the registry ...............................................................................................343
Importing and exporting keys ..................................................................................344
Editing a remote registry ...........................................................................................346
Loading and unloading hives ....................................................................................346
Securing the Registry .......................................................................................................346
Preventing access to the registry ...............................................................................347
Applying permissions to registry keys ......................................................................347
Auditing registry access .............................................................................................347
Securing remote registry access ................................................................................350
Summary ............................................................................................................................350
Chapter 10: Auditing Windows Server 2008 . . . . . . . . . . . . . . . 351
Auditing Overview ............................................................................................................351
Configuring Auditing .......................................................................................................352
Enabling audit policies ..............................................................................................353
Auditing object access ...............................................................................................354
Examining the Audit Reports .........................................................................................356
Using the Event Viewer .............................................................................................356
Using other tools .......................................................................................................357
Strategies for Auditing .................................................................................................... 358
Leaving auditing off ...................................................................................................358
Turning all auditing on .............................................................................................358
Auditing problem users .............................................................................................359
Auditing administrators .............................................................................................359
Auditing critical files and folders ..............................................................................359
Summary ............................................................................................................................359
Chapter 11: .NET Framework Services . . . . . . . . . . . . . . . . . . 361
Introduction to the .NET Framework ...........................................................................362
64-bit platform support ............................................................................................363
Access control list ......................................................................................................363
ADO.NET and LINQ ...............................................................................................363
Asynchronous processing ..........................................................................................363
Understanding the .NET Initiative ................................................................................364
The Common Language Runtime .............................................................................364
Common Type System ..............................................................................................365
.NET security .............................................................................................................366
Application domains ................................................................................................. 366
Garbage collection .....................................................................................................367
.NET vs. the JVM ......................................................................................................367
Configuring the Global Assembly Cache ..................................................................368
Summary ............................................................................................................................368
Part II File, Print, and Storage Services
Chapter 12: Print Services . . . . . . . . . . . . . . . . . . . . . . . . 371
Print Services ....................................................................................................................372
Understanding Windows Server Printer Services .......................................................372
Printer services: the logical environment ................................................................. 373
Printer services: the physical environment ...............................................................382
Print Services Strategy .................................................................................................... 384
Printer taxonomy .......................................................................................................384
Creating print groups ................................................................................................385
Creating a print network .......................................................................................... 386
Keeping drivers current ............................................................................................ 386
Installing and Setting Up Printers ................................................................................ 387
Installing the local printer .........................................................................................387
Publishing Printers .......................................................................................................... 391
Locating printers ....................................................................................................... 391
Hiding printers ..........................................................................................................393
Printer pools ..............................................................................................................393
Loading printer ports ................................................................................................394
Printer Administration ....................................................................................................396
Printer management ..................................................................................................397
Job management ........................................................................................................400
Advanced spool options ............................................................................................401
Access control ............................................................................................................403
Troubleshooting ................................................................................................................405
Server-side print problems ........................................................................................406
Client-side print problems ........................................................................................408
Enabling bi-directional printing ................................................................................408
Auditing Printer Usage and Management ....................................................................409
Summary ............................................................................................................................409
Chapter 13: Storage Management . . . . . . . . . . . . . . . . . . . . 411
Overview of Storage .........................................................................................................411
Storage Management ........................................................................................................412
Performance and capacity .........................................................................................412
High availability ........................................................................................................ 415
Recoverability ............................................................................................................415
Issues with legacy systems ........................................................................................416
Disk Management .............................................................................................................416
Partition Styles .................................................................................................................418
MBR disks ..................................................................................................................418
GPT disks ..................................................................................................................418
Removable Storage ...........................................................................................................419
Remote Storage and HSM ...............................................................................................419
The Disk Management Snap-in ......................................................................................420
Basic Storage .....................................................................................................................421
Primary partitions ......................................................................................................421
Extended partitions ...................................................................................................421
Basic volumes ............................................................................................................422
Dynamic Volumes and Fault Tolerance .......................................................................422
Dynamic disks ...........................................................................................................422
RAID-1: Disk mirroring ............................................................................................425
RAID-5: Fault-tolerant striping with parity ..............................................................425
Hardware RAID ................................................................................................................427
Dynamic Storage Management .......................................................................................427
Converting basic disks to dynamic ...........................................................................428
Creating simple volumes ...........................................................................................430
Extending simple volumes and spanned volumes ...................................................431
Creating and managing RAID-0 volumes (striping) .................................................432
Creating and managing RAID-1 volumes .................................................................433
Creating and managing RAID-5 volumes .................................................................434
Importing disks .........................................................................................................435
Managing Storage with Disk Quotas ............................................................................435
Why you need disk quotas .......................................................................................435
Setting disk quotas ....................................................................................................438
Common-sense disk quota management ..................................................................440
Troubleshooting ................................................................................................................441
Disk and volume states .............................................................................................441
Fixing RAID redundancy failures ............................................................................. 443
Storage Explorer ...............................................................................................................444
Summary ............................................................................................................................445
Chapter 14: Windows Server 2008 File Systems . . . . . . . . . . . . . 447
An Overview of Disk Structure ......................................................................................447
FAT16 and FAT32 ............................................................................................................449
NTFS ...................................................................................................................................452
NTFS structure ..........................................................................................................453
Disk quotas ................................................................................................................457
Reparse points ...........................................................................................................457
Encrypting File System ............................................................................................. 458
Hierarchical Storage Management ............................................................................ 458
Directory junctions ....................................................................................................458
Mounted volumes ......................................................................................................459
Transactional NTFS ...................................................................................................459
Choosing a File System ...................................................................................................460
Optimizing Storage Capacity ......................................................................................... 461
Optimizing cluster size ............................................................................................. 461
Defragmenting volumes ............................................................................................ 463
Using disk compression in NTFS .............................................................................463
Managing the Distributed File System ......................................................................... 464
DFS structure and terminology ................................................................................ 465
Domain-based DFS namespaces vs. standalone DFS namespaces ..........................467
Client support ........................................................................................................... 468
Replication with FRS ................................................................................................468
Replication with DFS-R .............................................................................................469
Client-side caching ....................................................................................................470
Working with the DFS Management console .......................................................... 470
Working with Mounted Volumes .................................................................................. 475
Mounting a volume ...................................................................................................477
Unmounting a volume ..............................................................................................478
Services for Network File System ..................................................................................478
NFS overview ............................................................................................................480
Summary ............................................................................................................................485
Chapter 15: Sharing and Securing Files and Folders . . . . . . . . . . . 487
Sharing and Securing Your Data ...................................................................................488
Ownership ......................................................................................................................... 489
Configuring the File Server Role ....................................................................................490
File Server Resource Management console ...............................................................492
Publishing Shares in Active Directory ..........................................................................496
Creating a Share ...............................................................................................................496
Sharing a local folder ................................................................................................496
Establishing shares by using the Share and Storage Management console .............498
xxi
Page xxi
Shapiro
ftoc.tex
V1 - 06/13/2008
1:19pm
Contents
Share Attributes ............................................................................................................... 504
Deny .......................................................................................................................... 506
Accumulation of share permissions ..........................................................................506
Moving or copying folders ........................................................................................506
Intradomain shares ....................................................................................................507
Who can share folders ..............................................................................................507
Hidden shares ............................................................................................................507
Connecting to shares .................................................................................................508
Connecting users to published shares ......................................................................509
Mapping out the DFS namespace for users ............................................................. 510
Administrative Shares ..................................................................................................... 514
Commonsense Strategies for Sharing Folders .............................................................515
Restricting shares .......................................................................................................516
Setting up application sharepoints ........................................................................... 516
Setting up data sharepoints .......................................................................................517
Offline Access (Caching) .................................................................................................517
Offline attributes ....................................................................................................... 519
Synchronizing cached resources ...............................................................................519
Securing Files and Folders by Using Permissions ......................................................520
Permission Types ............................................................................................................. 521
Permissions Attributes .................................................................................................... 524
Inheritance ........................................................................................................................ 525
Taking Ownership ............................................................................................................526
Copying and Moving ........................................................................................................527
Strategies for Managing Permissions ............................................................................527
Securing Files by Using the Encrypting File System ..................................................529
How EFS works .........................................................................................................530
Recoverability and the encryption recovery policy ..................................................532
Using EFS ..................................................................................................................533
Copying, moving, or renaming encrypted files ........................................................536
Accessing encrypted data remotely ...........................................................................537
Sharing encrypted data ............................................................................................. 537
Encrypting files for multiple users ........................................................................... 541
Backing up and recovering encrypted data ..............................................................543
Configuring and using a recovery policy .................................................................543
Summary ............................................................................................................................547
Part III Security and Active Directory
Chapter 16: Windows Server 2008 Security . . . . . . . . . . . . . . . 551
An Overview of Windows Server 2008 Security .........................................................551
The need for security ................................................................................................552
Data input ..................................................................................................................553
Data transport ............................................................................................................553
Why the threat exists ................................................................................................553
Rising to the Security Challenge ....................................................................................556
Security Enhancements in Server Roles ....................................................................... 556
Active Directory Domain Controller role service .....................................................557
The DHCP Server Role ..............................................................................................558
The DNS Server Role ................................................................................................558
Understanding Encryption Basics .................................................................................559
Getting to Know Cryptography ..................................................................................... 559
Cryptography Next Generation .................................................................................560
Keys ........................................................................................................................... 561
Private keys ................................................................................................................561
Public keys ................................................................................................................ 562
Session keys ...............................................................................................................562
Key certificates ...........................................................................................................562
Digital signatures .......................................................................................................563
Understanding Kerberos ................................................................................................. 563
Kerberos and the Single Sign-On initiative ..............................................................565
Psst...this is how Kerberos works .............................................................................565
Time authentication .................................................................................................. 566
Key distribution .........................................................................................................566
Session tickets ........................................................................................................... 567
Kerberos and trusts ...................................................................................................568
Locating KDCs ...........................................................................................................568
Getting to Know IPSec ....................................................................................................569
SSL/TLS ..............................................................................................................................571
Understanding Active Directory Certificate Services .................................................571
Public Key Infrastructure ..........................................................................................572
Digital certificates ......................................................................................................572
Creating the PKI with Active Directory Certificate Services .......................................573
Support for Legacy NTLM ..............................................................................................573
Smart Cards ......................................................................................................................574
Domains .............................................................................................................................574
Logon and Authentication .............................................................................................. 575
Windows Server 2008 logon ....................................................................................575
Bi-factorial and mono-factorial authentication .........................................................575
Trusts .................................................................................................................................576
Access Control ..................................................................................................................579
Auditing ............................................................................................................................. 579
Security Planning ............................................................................................................. 580
Firewalls ............................................................................................................................ 580
Active Directory Security Policy ....................................................................................580
Secure Sockets ..................................................................................................................581
Firewalls, Proxies, and Bastions ................................................................................... 582
Introduction to the Public Key Infrastructure ............................................................582
Setting up and Configuring Active Directory Certificate Services ...........................583
Understanding Active Directory Certificate Services .................................................584
Setting Up and Configuring a Certificate Authority ..................................................584
Deploying a PKI ............................................................................................................... 585
Trust model ...............................................................................................................586
Summary ............................................................................................................................595
Chapter 17: Windows 2008 and Active Directory . . . . . . . . . . . . 597
The Omniscient Active Directory .................................................................................. 598
Why do we need directories? ...................................................................................599
What Is Active Directory? .........................................................................................602
The grandfather of the modern directory: The X.500 specification ........................602
The father of the modern directory: LDAP ..............................................................605
After X.500 ................................................................................................................607
The open Active Directory ........................................................................................607
How the registry fits in .............................................................................................608
The Elements of Active Directory ..................................................................................610
Namespaces and naming schemes ............................................................................610
Active Directory and the Internet .............................................................................611
Active Directory everywhere .....................................................................................611
Inside Active Directory ....................................................................................................612
If it walks like a duck... ............................................................................................612
The Active Directory database structure ...................................................................615
Active Directory objects ............................................................................................616
Active Directory schema ........................................................................................... 618
Object attributes ........................................................................................................618
Walking the Active Directory ................................................................................... 618
Naming conventions ................................................................................................. 620
Domain objects ..........................................................................................................621
Organizational units ..................................................................................................623
Trees .......................................................................................................................... 624
Forests ........................................................................................................................624
Trusts .........................................................................................................................625
The global catalog .....................................................................................................626
My Active Directory ....................................................................................................627
Bridging the Divide: Legacy Windows and Windows Server 2008 ......................... 628
Single point of access and administration ................................................................630
Domains and more domains .....................................................................................631
Intra-domain trust relationships ...............................................................................631
Access control lists and access tokens ......................................................................632
Summary ............................................................................................................................632
Chapter 18: Planning for Active Directory . . . . . . . . . . . . . . . . 633
Active Directory Overview .............................................................................................. 633
Basic Design Principles ...................................................................................................634
Active Directory Structure ..............................................................................................634
A domain plan ...........................................................................................................634
Site topology ..............................................................................................................636
A forest plan ..............................................................................................................638
A trust plan ............................................................................................................... 639
An organizational unit plan ......................................................................................640
Planning for the Active Directory Enterprise ..............................................................640
Naming strategy plan ................................................................................................640
Domain and organizational units plan .....................................................................642
Branch office plan ..................................................................................................... 643
Administration Planning .................................................................................................647
Delegating administration .........................................................................................647
Delegating forests, trees, and organizational units ...................................................648
Implementing object security ....................................................................................648
Administrative roles .................................................................................................. 649
Migration Planning .......................................................................................................... 650
Upgrade plan .............................................................................................................650
Restructuring plan .....................................................................................................652
Migration tools ..........................................................................................................652
Test-lab plan ..............................................................................................................652
Backup and recovery plan ........................................................................................ 654
Deploying the Plan ...........................................................................................................655
Summary ............................................................................................................................655
Chapter 19: Organizing a Logical Domain Structure . . . . . . . . . . . 657
Keepers of the New Order .............................................................................................. 658
Active Directory Infrastructure Planning .....................................................................658
Planning for the Logical Domain Structure ................................................................ 659
Preparing yourself mentally ......................................................................................659
Assembling the team .................................................................................................660
The domain planning committee ..............................................................................660
Domain management ................................................................................................661
Change control management ....................................................................................661
Domain security ........................................................................................................662
Intradomain communication .....................................................................................662
Education and information .......................................................................................663
Surveying the enterprise ........................................................................................... 663
Enterprise analysis .....................................................................................................664
Enterprise environments ...........................................................................................665
Working with organizational charts .........................................................................667
Identifying the Key Management Entities .................................................................668
Strategic drivers .........................................................................................................669
Identifying the logical units ......................................................................................670
Identifying the physical units ................................................................................... 671
Documentation ..........................................................................................................671
Administrative modeling ...........................................................................................672
Logical Domain Structure: The Blueprint ....................................................................675
The top-level domain ................................................................................................675
DNS naming practices ...............................................................................................683
Second-level domains ................................................................................................685
Partitioning the Domain ................................................................................................. 690
Organizational units ..................................................................................................691
Working with groups ................................................................................................693
Securing the partitions ..............................................................................................694
Summary ............................................................................................................................696
Chapter 20: Active Directory Physical Architecture . . . . . . . . . . . 697
Past, Present, and Future ............................................................................................... 697
Forests and Trusts ...........................................................................................................699
Forest choice design implications .............................................................................703
Domain Controllers and Global Catalogs ................................................................... 704
Domain controllers ....................................................................................................704
Global catalogs .......................................................................................................... 707
The DC and GC locator services ..............................................................................709
Design decisions ........................................................................................................711
Sites .................................................................................................................................... 712
Replication within sites .............................................................................................713
Site links ....................................................................................................................714
Site link bridges ........................................................................................................ 715
Connection objects between sites .............................................................................715
Active Directory Replication .......................................................................................... 716
How replication works ..............................................................................................717
Directory Synchronization ..............................................................................................719
Active Directory Site Design and Configuration .........................................................720
Topology ....................................................................................................................720
Creating DC sites ...................................................................................................... 722
Deploying domain controllers .................................................................................. 722
Securing domain controllers .....................................................................................723
Deploying GC servers ............................................................................................... 725
Deploying DNS servers .............................................................................................726
A DDNS architecture .................................................................................................727
Hub sites ....................................................................................................................727
Deploying WINS servers ...........................................................................................728
Deploying DHCP servers .......................................................................................... 729
A Site Architecture ...........................................................................................................732
Architecture ...............................................................................................................734
Site link cost ..............................................................................................................736
Time ....................................................................................................................................740
Time service architecture ..........................................................................................741
Summary ............................................................................................................................743
Chapter 21: Active Directory Installation and Deployment . . . . . . . . 745
Getting Ready to Deploy .................................................................................................745
Millennium City Active Directory Deployment Plan ..................................................746
Executive Summary ..........................................................................................................746
MCITY network .........................................................................................................746
The GENESIS domain ...............................................................................................747
The CITYHALL domain ............................................................................................749
The DITT domain ..................................................................................................... 750
The MCPD domain ...................................................................................................751
Installing and Testing the Active Directory Domain Controllers ............................751
Installing the DC machine ........................................................................................752
Promoting to domain controller ...............................................................................753
Establishing in DNS/WINS .......................................................................................762
Creating sites .............................................................................................................764
Creating organizational units (OUs) .........................................................................766
Delegating OU administration ..................................................................................767
Securing the DC and following disaster recovery protocol .....................................768
Implementation ................................................................................................................ 769
Install .........................................................................................................................770
IP address reservations ..............................................................................................770
Installation of the root domain, MCITY.US .............................................................770
Quality assurance ......................................................................................................775
Summary ............................................................................................................................775
Chapter 22: Active Directory Management . . . . . . . . . . . . . . . . 777
Installing New Directory Services into an Existing Infrastructure ......................... 777
Replication Management .................................................................................................778
Installing New Domain Controllers ..............................................................................778
Installing New Catalog Servers ......................................................................................779
Protecting Active Directory from Corruption ..............................................................780
Online and offline database defragmentation ...........................................................780
Ensuring database integrity .......................................................................................783
Moving Active Directory ..................................................................................................783
Integrating Active Directory with Other Services .......................................................784
Active Directory and SQL Server ..............................................................................785
Active Directory and Microsoft Exchange ................................................................785
Logon without the Global Catalog ................................................................................785
Active Directory and DNS .............................................................................................. 786
Active Directory Administration Architecture .............................................................787
Architecture ...............................................................................................................791
Windows Server 2008 group membership .............................................................. 792
Network services administration .............................................................................. 795
Administration of Enterprise Service Servers ...........................................................795
Remote workstation administration architecture ..................................................... 797
Terminal Services policy ...........................................................................................797
Secure administration ................................................................................................798
Summary ............................................................................................................................805
Part IV Change Control and Workplace Management
Chapter 23: Managing Users and Groups . . . . . . . . . . . . . . . . . 809
The Windows Server 2008 Account: A User’s Resource ........................................... 810
What is a user? ..........................................................................................................810
What are contacts? ....................................................................................................810
Local users and ‘‘local users’’ ....................................................................................811
What is a group? .......................................................................................................811
Exploring the Users and Computers management tools ......................................... 813
Windows Server 2008 user accounts .......................................................................816
Account policy ...........................................................................................................821
Security principals and the logon authentication process .......................................821
Security identifiers .....................................................................................................822
SAM and LSA authentication ....................................................................................823
User Accounts in Action ................................................................................................. 823
Getting familiar with RunAs .....................................................................................824
Naming user accounts ...............................................................................................824
Passwords ..................................................................................................................825
Understanding logon .................................................................................................827
Granting remote access .............................................................................................827
Creating a user account ............................................................................................ 827
Renaming user accounts ........................................................................................... 835
Deleting and disabling user accounts .......................................................................835
Copying accounts ......................................................................................................836
Computer Accounts ......................................................................................................... 836
Group Accounts ................................................................................................................836
The scope of groups ..................................................................................................837
The elements of groups .............................................................................................840
Installing predefined groups .....................................................................................840
Groups on member servers .......................................................................................843
Nesting groups ..........................................................................................................843
Group creation ..........................................................................................................844
Managing groups .......................................................................................................847
Rights and permissions .............................................................................................848
Mixed mode versus native mode ..............................................................................850
The Zen of Managing Users and Groups ..................................................................... 851
Delegating responsibility ...........................................................................................853
User and Group Management Strategies ..................................................................... 854
Keep your eye on TCO .............................................................................................855
Determine the access and privileges needed ............................................................856
Determine the security level .....................................................................................856
Protect resources and lessen the load by using Local groups .................................856
Delegate with care .....................................................................................................857
Keep changes to a minimum ....................................................................................857
Summary ............................................................................................................................857
Chapter 24: Change Control, Group Policy, and Workspace Management 859
What Is Change Control? ............................................................................................... 860
Understanding Change Management ............................................................................861
The user .....................................................................................................................866
The computer ............................................................................................................866
Taking Control ................................................................................................................. 868
Applications ...............................................................................................................868
Security ......................................................................................................................869
Operating-system environment .................................................................................870
Workstation lockdown ..............................................................................................870
Getting ready for change-control policy ...................................................................871
Understanding Group Policy ..........................................................................................872
Types of Group Policy ..............................................................................................874
The elements of Group Policy ..................................................................................876
Where GPOs live .......................................................................................................878
How Group Policy Works ...............................................................................................881
Local or nonlocal Group Policy Objects .................................................................. 881
Group Policy application .......................................................................................... 882
Filtering policy ..........................................................................................................883
Delegating control of GP ...........................................................................................884
Security at the local Group Policy Objects .............................................................. 885
How Group Policy is processed ................................................................................885
Putting Group Policy to Work .......................................................................................889
The software policies .................................................................................................889
Security policies .........................................................................................................890
Group Policy and Change Management: Putting It All Together ............................891
Don’t accept the default policy .................................................................................892
Establishing a GP attack plan ...................................................................................893
Dealing with computer accounts ..............................................................................893
Getting Started ................................................................................................................. 894
Customizing logon/logoff ..........................................................................................894
Locking down the desktop .......................................................................................895
Controlling the Start menu .......................................................................................895
Folder redirection ......................................................................................................895
Older versions of Windows ......................................................................................896
Change Control Management for Group Policy ..........................................................897
From development to production with Group Policy .............................................898
Change control for Group Policy ............................................................................. 898
Planning and troubleshooting GP by using the Group Policy Results Wizard .......898
Architecting Group Policy .............................................................................................. 900
Password policy .........................................................................................................902
Account lockout policy .............................................................................................904
Audit policy ...............................................................................................................905
Event log ....................................................................................................................909
Locking down Domain Admins ................................................................................910
Summary ............................................................................................................................912
Chapter 25: Service Level . . . . . . . . . . . . . . . . . . . . . . . . 913
Understanding Service Level .......................................................................................... 913
Service level: example 1 ............................................................................................914
Service level: example 2 ............................................................................................914
The service level agreement ......................................................................................915
Service Level Management ..............................................................................................915
Problem detection .....................................................................................................915
Performance management .........................................................................................916
Availability .................................................................................................................916
SLM by design ...........................................................................................................916
SLM and Windows Server 2008 ....................................................................................918
Windows Server 2008 System Monitoring Architecture ........................................... 918
Understanding rate and throughput .........................................................................920
Understanding queues ...............................................................................................920
Understanding response time ...................................................................................920
How performance objects work ................................................................................921
System monitoring tools ...........................................................................................922
Task Manager ................................................................................................................... 922
Reliability and Performance Console ........................................................................... 924
Performance Monitor ................................................................................................ 924
Performance Logs and Alerts ....................................................................................928
Creating Data Collector Sets .....................................................................................929
Getting to Know Your Servers ....................................................................................... 931
Monitoring for bottlenecks ....................................................................................... 932
Understanding server workload ................................................................................934
Performance Monitoring Overhead ...............................................................................935
Service Level with Microsoft Systems Center Operations Manager ........................936
Summary ............................................................................................................................936
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
Welcome to Windows Server 2008, the long-awaited OS once known only as ‘‘Longhorn.’’
Gone are the days when the Windows Server operating systems could be covered in a single book
or a week’s crash course at a training center. If I told you that this is the only book that you
need about Windows Server 2008, I would be lying. Many of the features that I cover warrant
advanced treatment under separate cover. In fact many features and roles of Windows Server
2008 need to be presented in specialized publications, hands-on seminars, and highly detailed,
narrow focus, technical manuals.
But I have attempted to build as complete a hands-on reference as possible, while still providing
a broad scope of coverage of the most important aspects and implications of the Windows Server
2008 platform.
This version builds on the solid foundation of an already released, widely used, and tested
operating system, namely Windows Vista; the server and client code share a common code base. In fact, Windows Server 2008 is the first release to manufacturing (RTM) of an
operating system that already incorporates fixes and changes that would in the past need to be
applied incrementally over time after shipping, or in one wallop as a giant service pack. Service
Pack 1, which was applied to Vista, was ‘‘folded’’ into Windows Server 2008. The title of the
book could actually have been ‘‘Windows Server 2008 SP1’’ but there is now no such thing as
SP1. That might be a great marketing trick by Microsoft, but it also means deciding whether to
adopt Windows Server 2008 now or later is no longer a matter of waiting for the first service
pack.
If you are still supporting Windows 2000 (or, Heaven forbid, Windows NT), Windows Server
2008 offers many new and improved features that present you with both exciting and daunting
challenges. This book is the culmination of thousands of hours spent testing, evaluating, and
experimenting with just about everything that Windows Server 2008 can throw at you.
One of the most pervasive changes in Windows 2000 was the Active Directory, and Windows
Server 2008 expands on and improves the implementation of Active Directory. In Windows
Server 2003 R2, Active Directory came with the so-called Active Directory Federation Services
(ADFS), lightweight directory services, and branch office services built in. This technology
makes it easier than ever, and much more reliable, to extend AD to remote locations and branch
offices or integrate them with a variety of different services, operating systems, rights management
systems, and authentication services. These services are now further enhanced and built into the
core code of the OS.
AD affects most aspects of Windows Server 2008, including the areas of security and user and
group administration, network and domain topology, replication, DHCP and DNS, and more.
Other important changes include changes to the Distributed File System (DFS), which enable
you to build a homogeneous file-system structure from shares located on various servers across
the network. The concept of presenting shared folders to users as a grouping called a namespace
has been further extended and enhanced. The enhanced DFS Namespaces (DFS-N) provides for
easier management of file system roots within a DFS network infrastructure. DFS-N gives you
far greater flexibility in deploying DFS; you now have a much more sophisticated tool to create
multiple DFS roots and manage them. The tools allow you to manage and maintain DFS and also
dovetail into the Network File System (NFS) to interoperate with Unix and other
‘‘X’’-based operating systems.
The changes in DNS and DHCP enable DHCP clients to dynamically request updates of their host
records hosted by Windows Server 2003 DNS servers, enabling you to maintain up-to-date host
records for all systems in the enterprise, even when they are assigned an IP address dynamically
or their host or domain names change. In addition, many services are now available over IPv6.
If you have been creating and managing Windows Server 2003 networks, you should find many
features in Windows Server 2008 welcome improvements. A good example is Group Policy. A
lot of the tools, such as the Group Policy Management Console (GPMC), were late add-on tools for
Windows Server 2003. These tools are now part and parcel of Windows Server 2008. You know
from all the previous versions of the OS that you cannot implement a Windows Server 2008
network without Group Policy, but Group Policy is difficult to master without supporting tools.
Windows Server 2008 greatly improves Group Policy technology with increased functionality,
such as Resultant Set of Policy (RSoP) built into the GPMC, which makes it much easier to
report on how Group Policy is actually applied.
There are also a number of revolutionary features of Windows Server 2008. The most dramatic
feature of the OS is the Server Core concept. For the first time Microsoft has created an OS that
lets you install a ‘‘core’’ operating system kernel without any additional roles and features added
and without the overhead of the Windows Server 2008 user interface. This means you can install
a headless server and provision it as a highly streamlined, light, and dedicated file server, or DNS
server, or DHCP server, or domain controller, and so on.
You can also install the OS as usual with the standard GUI but now the basic installation comes
with no roles or features added. Once you have a base OS running with the user interface, you
can incrementally add roles (such as DNS, DHCP, or IIS) and only maintain the surface area
you are actually exposing to the network. This provides a level of security for Windows Server
that can be highly sophisticated and advanced at the same time that it is easy to manage and
maintain. In the rapidly changing security landscape this is a very welcome feature of the OS and
a worthwhile reason to upgrade your servers . . . and if upgrading all your servers is not currently
practical, then your public-facing or most vulnerable servers would be excellent candidates to
upgrade.
A number of services are no longer available in Windows Server 2008. These include add-ons
such as NetWare Services, Services for Macintosh, and even Services for UNIX (although the word is
still out on the latter service). Thus it is critical that you understand everything that Windows
Server 2008 offers and does not offer, lest your upgrade plans succumb to a gotcha you never
expected.
Who Should Read This Book
Windows Server 2008 Bible is for anyone involved in network administration, server management,
MIS, and so on. This book is for you if the questions you have are along the lines of ‘‘How do
we handle this?’’
Windows Server 2008 makes waves in all IS infrastructures. The audience covers a wide spectrum
. . . as broad as the number of services that the product offers. Not only does this book cater to
network or server administrators, but many chapters are aimed at people tasked with certain
responsibilities, such as security, user-account administration, service level, customer-relationship
management, and so on.
Although I assume that you are familiar with the Windows environment (from Windows 9x
through Windows XP and Vista), much of what I offer here is of value to administrators working
in heterogeneous environments — even midrange and mainframe facilities. I have also focused on
issues of concern to managers and information officers. This is very much an integration book, so
you find conversion tips aplenty, culled from an eagle eye cast on every process that may create
problems for business systems and processes that are still in place.
Whether you’re just trying to get a handle on what’s new in Windows Server 2008 and the effect
that it’s sure to have, looking at installing new Windows Server 2008 systems, considering an
upgrade from Windows Server 2003, or are tasked with converting from the ancient Windows NT Server to Windows Server 2008, you will find a wealth of information between the
covers of this book that can help you meet your goals.
Everything that I discuss in these pages has been tested and deployed in several early adoptions,
in one form or another, so step into my shoes and get a heads-up on the road ahead. You will
no doubt go on to learn a lot more about Windows Server 2008, as will I. If you would like to
comment on anything or add to what I’ve written, I value your contributions. You can write to
me at jshapiro@misiq.com.
I have also made a number of white papers and reports available to readers of this book. If you
visit my Web site at www.misiq.com you’ll find a wide range of free documents covering various
aspects of Windows Server 2008, from architectural plans to deployment plans to implementation. Information on late additions to the operating system, such as Hyper-V, is also available at
the Web site.
How This Book Is Organized
The Windows Server 2008 Bible is divided into several parts. The following section summarizes the
parts, their topics, and how they are structured.
Part I: Windows Server 2008, Core, Configuration,
Networking, and Communication Services
Part I explores installation and several key networking and communications services in Windows
Server 2008. Chapters 1 and 2 cover basic installation, Server Core installation, Server Manager,
and the Microsoft Management Console. I also describe the various roles you can install to the
basic or Server Core operating system, the many additional features (such as Telnet Server, WINS,
clustering, and so on) that you can add, the various applets in Control Panel, and the Computer
Management console.
The chapters in Part I also explore in detail several key networking and communications services.
Chapter 3 lays the groundwork by covering the ubiquitous TCP/IP protocol, along with routing,
troubleshooting, Network Address Translation (NAT), SNMP, and legacy protocols. DNS and
client resolution management is covered in Chapter 4. Chapter 5 provides help configuring and
deploying DHCP for automatic IP-address assignment and administration. Chapter 5 also covers
WINS, while Routing and Remote Access and the Network Policy Server are covered in detail in
Chapter 6.
Chapters 7 through 11 cover core services such as the registry, auditing, the .NET Framework,
backup and restore, and so on. Chapter 11 helps you develop and implement a backup and
recovery strategy and explores the new Windows Server 2008 Windows Backup utility, configuring removable storage, and media pools.
Part II: File, Print, and Storage Services
Chapters 12 through 15 explore file, print, and storage services. Chapter 12 covers high-end
print topics such as Internet printing, printer management, and troubleshooting. Chapter 13 deals
with storage features. Windows Server 2008 adds extensive fault tolerance, storage management,
recovery, and other availability features. Storage management in Chapter 13 includes removable
storage, fault tolerance, RAID, general file-system management, and related topics.
File systems are covered in Chapter 14. This chapter details the various advanced file system
features, such as DFS and NFS, available. Chapter 15 explains how to configure and optimize file
sharing and security, and manage file sharing effectively. It also provides thorough coverage of
file and folder encryption.
Part III: Security and Active Directory
Active Directory represents one of the most important parts of Windows Server 2008. Part III
provides a complete look at AD, starting with Chapter 16, which covers security in general
and Active Directory Certificate Services in particular. Chapter 16 takes a broad look at
security in Windows Server 2008, including Kerberos, certificates, encryption, and many other
security-related topics. A section on installing certificate authorities facilitates the establishment
of smart card systems, IPSec, encryption services, secure sockets, and so on.
Chapter 17 provides a concise introduction to AD for newcomers, and Chapter 18 goes into
planning for AD implementation. Chapter 19 looks at AD’s logical structure and what it really
represents, and examines the issues involved in developing a logical domain structure. Chapter
20 explores the physical structure of AD to explain it in the context of domains, sites, servers, and
security. Chapter 21 covers AD planning, installation, and deployment, and Chapter 22 explores
AD management.
Part IV: Change Control and Workplace Management
Managing users and groups is covered in detail in Chapter 23, and Chapter 24 adds to this
section with coverage of change management and how Group Policy facilitates change control
over users, computers, security, and the work space.
Chapter 25 takes a detailed look at Windows Server 2008’s service-level tools, such as the new
Reliability and Performance Monitor (which incorporates and enhances the legacy Performance
Logs and Alerts).
Part I: Windows Server 2008, Core, Configuration, Networking, and Communication Services
IN THIS PART
Chapter 1: Installing Windows Server 2008
Chapter 2: Configuring Windows Server 2008
Chapter 3: Networking Windows Server 2008
Chapter 4: DHCP
Chapter 5: Windows Name Services
Chapter 6: Routing and Remote Access
Chapter 7: Backup and Restore
Chapter 8: Disaster Recovery
Chapter 9: The Registry
Chapter 10: Auditing Windows Server 2008
Chapter 11: .NET Framework Services
Installing Windows Server 2008
This chapter reviews the installation of Windows Server 2008. It
discusses a number of hardware configurations and setup options
and reviews potential obstacles. Several recipes are discussed in
this chapter, and most of them use minimum hardware requirements; keep
that in mind when ordering your server. We also explain how to achieve
a fresh install or upgrade with different server configurations, installation
of the Server Core image, and installation of the base OS with Windows
Server 2008 GUI. We will have a look at Server Manager and the variety
of server roles and features it allows you to install. Several other topics,
including SQL Server, ASP, IIS, and Exchange, are also covered to help
you understand how they are incorporated into Windows Server 2008.
IN THIS CHAPTER
Going through the hardware checklist
Understanding server role configuration
Server setup recipes
Installing Server Core
Installing the basic operating system
Adding services and applications
It’s All About the Core
Before we begin, let’s review Microsoft’s so-called Core Server installation
paradigm, a new type of barebones OS that can also be headless, keyless,
and mouseless . . . and Windowless. During the years of Windows NT,
Windows 2000, and Windows Server 2003 (pre-R2), installing the operating system was a nail-biting event. We would always stand and gawk at
the screen and hold our breath as certain stages in the installation were
completed. Once we got through to the restart procedure it was high-fives
all round.
By Windows 2000, installing on various hardware platforms was a lot
easier. Gone, for the most part, were blue screens during installation or
mysterious restarts that had everyone scratching their heads. But another
problem arose. The Internet exploded in popularity and along with it the
scourge of viruses and hostile cyberspace junk.
The problem was compounded by the need to connect a server to the Internet and patch it with
all manner of fixes and updates that Microsoft issued after release to manufacturing (RTM). The
result was that unless you sealed the server on a secure network and applied all the patches
from a local update server, the chances that the server would be infected and compromised were
almost 100 percent.
One of the problems of updating a new server is that the process would usually include patches,
fixes, and configuration for just about every service running or not running on a server. It was a
tedious and time-consuming task. But that has now been changed with Windows Server 2008.
You no longer need to install the OS and worry about all the services and functionality on it
that you will not be using. Now you can install Server Core (a special build of the OS) or base
OS with GUI, and incrementally install and apply only the services and bits needed for specific
server functions. Server Core is like the birth of a baby, all naked and uncorrupted but not
exposed, while the base OS installation with Windows user interface is like a 3-year-old, ready
for ‘‘intelligence’’ to be added but with some exposure required.
What Is Server Core?
The Server Core installation lets you install a minimal OS for running just the chosen server
roles, with no Explorer shell, no Internet Explorer, no .NET Framework, and no MMC on the box.
This means that you don’t carry the large attack surface that all of those components and their
service requirements would otherwise bring, and there is far less to patch. One more thing: Once
you install just Server Core you can stand your server up in a secure environment, both physical
and online, and worry only about securing the services you are actually running. Server Manager
is not among the components on a Server Core box, and in this release it cannot manage one
remotely either; you add and remove roles from the local command prompt (or over a remote
shell such as WinRS) with oclist, which lists what is available and what is installed, and ocsetup.
Among others, the following server roles can be installed:
■ Active Directory Domain Services (AD DS)
■ Active Directory Lightweight Directory Services (AD LDS)
■ DHCP Server
■ DNS Server
■ File Services
■ Print Services
■ Web Server (IIS), without the ASP.NET components
Here are some more benefits of the Server Core installation alternative:
■ Lower maintenance. You only need to maintain on the server what is actually installed
on the server. Why worry about maintaining File Services on a server that is nothing more
than a simple domain controller?
■ You need less disk space. The Server Core requires only about 1 gigabyte (GB) of disk
space to install and approximately 2GB for operations after the installation.
■ Less management. Management costs in realms like security, availability, and service
level are far less than previous installation scenarios. You would not have to worry about
supporting a bunch of services and code that you are not using.
More details of the server roles are presented throughout this chapter and in Chapter 2. We will
return to actual installation of the Server Core OS later in this chapter.
Installation and Configuration Strategy
If you have done your homework and have an installation plan and architecture document
ready, you are now ready to begin installing Windows Server 2008 in your lab. For help
creating an installation plan and an architecture document (including an architecture template)
visit www.misiq.com/whitepapers. You may be tempted (or you may have an urgent need)
to go directly to a working or production system in a production environment. Perhaps your
DHCP server died or a new DNS server is needed urgently. Resist — or stick with what you
know. If you have a Windows Server 2003 network and need to raise a new service to fill an
urgent need, stick with Windows Server 2003 until you have fully implemented a test lab and
are familiar with the way things work under Windows Server 2008. In many respects it is a very
different operating system. Windows Server 2008 shares its kernel and much of its presentation
layer with Windows Vista, with the server bits added in, so compared to Windows Server 2003 a
good deal of it is new code.
Conversely, if you are a seasoned administrator and you know what you’re doing, you probably
have issues such as a hardware checklist, remote or unattended installation, hot standby, and so
on well taken care of. Proceed directly to a production system only if you know what you are
doing and the production system is part of a conversion and rollout project.
Generally, you should always raise servers in a lab. Then you should burn them in (run them
continually) for about a week; hit them with work for at least another week. After that, and if all
test items check off, ship or go live. No two environments are the same. The following sections
look at various installation and configuration scenarios.
A lot of people want to know how to burn in a server that is standing idle and has
no users connected to it. One simple way is to set up Windows Server Backup to
run continually. Running Backup is great physical therapy for a server. It works the hard disks,
memory, system buses, access control, permissions and the NTFS, removable storage functions,
transactional file system, and more. You can also configure Backup (or any other backup utility,
for that matter) to perform both pre- and post-backup routines, such as sending alerts and moving
files around the house. Depending on your stress test, you may need to write a backup script to
automatically overwrite media and so on. In addition, if you want to test disk I/O and other routines, you may need to write some custom software for the job.
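As an added example (not from the book), here is a burn-in script in the spirit of the note above. It runs Windows Server Backup in a loop from an elevated command prompt, logs every pass, and raises an Application event log entry on failure so a monitoring system can alert on it. Everything environment-specific is an assumption: that the Windows Server Backup feature is installed, that the backup target is a dedicated disk lettered E:, and that the machine is a lab server with nothing on it you care about.

```batch
@echo off
rem burnin.cmd (added example, not from the book): loops Windows Server Backup
rem to exercise disks, memory, NTFS and VSS on an idle lab server.
rem Assumptions: the Windows Server Backup feature is installed
rem (servermanagercmd -install Backup-Features), the target is a dedicated
rem disk lettered E:, and this runs from an elevated command prompt.
setlocal enabledelayedexpansion
set TARGET=E:
set LOG=%SystemDrive%\burnin.log
set MAXFAILS=3
set PASS=0
set FAILS=0

rem Pre-backup routine: record when the run started.
echo !DATE! !TIME! burn-in started, target %TARGET% >> %LOG%

:loop
set /a PASS+=1
rem -vssFull makes each pass a full VSS backup (shadow copy created and
rem released); -quiet suppresses the confirmation prompt so the loop never blocks.
wbadmin start backup -backupTarget:%TARGET% -include:%SystemDrive% -vssFull -quiet
if errorlevel 1 (
    set RC=!ERRORLEVEL!
    set /a FAILS+=1
    echo !DATE! !TIME! pass !PASS! FAILED rc=!RC! >> %LOG%
    rem Post-backup routine on failure: raise an event the monitoring system
    rem can alert on (eventcreate accepts IDs 1-1000).
    eventcreate /T ERROR /ID 900 /L APPLICATION /SO BurnIn /D "Backup pass !PASS! failed with code !RC!"
    if !FAILS! GEQ %MAXFAILS% goto done
) else (
    echo !DATE! !TIME! pass !PASS! ok >> %LOG%
)
goto loop

:done
echo !DATE! !TIME! stopped after !PASS! passes, !FAILS! failures >> %LOG%
eventcreate /T WARNING /ID 901 /L APPLICATION /SO BurnIn /D "Burn-in aborted after !FAILS! failures"
endlocal
```

Stop it with Ctrl+C when the burn-in period is over; wbadmin keeps older versions on the target and reclaims space as it runs out, so the loop does not need to manage media itself.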
Getting psyched up about installing
This chapter takes you through the basic install routines and then to rollout a sophisticated
deployment strategy. We are going to help you cook up a variety of server meals. Microsoft has
spent many millions on the installation and configuration process, so Windows Server 2008
generally installs easily and performs well considering the power that it wields. It is certainly a
lot smoother and friendlier to install than any other server operating system in existence (other
than the machine you receive pre-installed from the factory).
We have installed the operating system numerous times and on at least ten different platforms
with a variety of hardware, from scrap piles to brand names. We have also deliberately sabotaged our systems (such as taking away drives, drivers, memory, and certain system files)
and tried a variety of recovery techniques. Our final verdict? If you experience any difficulty
installing Windows Server 2008, you must be using very unconventional methods, thrift store
hardware, or you’re not paying attention to details and recommended strategy.
Take a moment to sit back, close your eyes, and imagine that you are in a class going through
installation training.
Server recipes
In evaluating the various needs in the enterprise, we classify our installation options into various
recipes of server installation, which are discussed in the following sections.
Server Core or bare-bones system recipe
This option consists of using the minimum hardware requirements recommended by Microsoft
plus some testing. Microsoft’s minimum is a 1GHz processor for x86 and 1.4GHz for x64, with
2GHz or faster recommended. These are bare minimums for production servers, but you could
get away with less in lab or testing environments. For production servers you’ll likely deploy
Windows Server 2008 in the 2GHz and higher range, especially for x64. We suggest a bare-bones
minimum of 512MB of RAM for all servers except Datacenter Edition, which requires a bare-bones
minimum of 1GB of RAM. You also want a DVD-ROM drive (the OS no longer fits on CDs), a
1.44MB floppy disk drive if you need to supply mass-storage drivers during Setup, a standard
network card, and a mouse, keyboard, and monitor.
We have raised servers (Standard Server, Enterprise Server, and Web Server Edition) on CPUs
ranging from old Pentium 866s, 1.2s, 1.4s, and so on. You can raise the mentioned servers on
less, but we don’t recommend it for anything more than the smallest test server, described in the
section ‘‘Overview of Hardware,’’ later in this chapter. On the other hand, an old horse with a
lot of RAM might serve many of your needs. You can usually pick these servers up on the Internet for a song; and if they are good brands, they do well for many years, especially for servers
only running Server Core.
Small file and print server recipe
The IT department needs the capability to efficiently utilize file and print resources and keep
them available and secure for users. Networks tend to expand, with greater numbers of users
located onsite, in remote locations, or even in partner companies, and IT administrators face an
increasingly heavier burden. Windows Server 2008 now provides many enhancements to the file
and print infrastructure to help solve the never-ending administrators’ burden.
You should still use the bare-bones components but add a second large IDE hard-disk drive
for file and print services, the usual peripherals, and so on. The amount of RAM that you need
depends on the number of connections and users. Printing services require a lot more RAM than
file services.
Your hard-disk demands are higher, and you should now consider adding a second drive. You
can stick to a cheap IDE disk (even the cheap IDE or EIDE drives are good disks) or begin
thinking about SATA and SCSI. Hold the thought about hard disks for the section ‘‘Overview of
Hardware,’’ later in this chapter.
You may have read information elsewhere calling for more firepower in Windows
Server 2008. My assessment is based on various experiments, projects, pilot systems,
and deployments. Every situation is different, and the only way to really know what you need to
throw at a situation is to test.
Application-server installation recipe
The Windows Server 2008 application environment builds on the enterprise capabilities of
Windows Server 2003: security, availability, reliability, scalability, and manageability. Application
development is more dependable because the environment can be managed by fewer people, and
it delivers lower TCO with better performance. Developers are one of the most highly leveraged
resources in IT. By integrating the .NET Framework into the Windows Server 2008 application-server
environment, developers are freed from writing ‘‘plumbing’’ code and can instead focus their
efforts on delivering business solutions.
You may want to install applications on servers for users who load them into local memory at
their workstations. The application is thus loaded across the network, but the ‘‘footprint’’ and
ensuing resource consumption is local to the user’s hardware.
You may also have applications that are server-based or server-oriented. These may
include database front ends, communications software, processing-oriented software, and
network-management applications. Hundreds of applications may be suited to server-side
execution and need no user interaction, such as process-control applications and data
processing.
You could use the recipe for file and print servers that we give in the preceding section; raising the ideal configuration for your purpose takes some testing. Depending on the availability
requirements, you may need to add RAID, hot-swap drive-bays, and so on, which are discussed
in the section ‘‘Partitioning Hard-Disk Drives,’’ later in this chapter.
Terminal Services installation recipe
A Terminal Services application server is a whole new ball game. The WinFrame licensing
arrangement between Citrix Systems, Inc., and Microsoft was the origin of Terminal Services.
Terminal Server, under the Hydra project name, first made its debut in Windows NT 4.0 in
late 1997. It was then launched as a separate NT 4.0 operating system called Windows NT
4.0 Terminal Server Edition (TSE). It was further enhanced in Windows Server 2003.
Terminal Server in Windows Server 2008 is still called Terminal Services, but it is now installed
as a role. You can still connect to a server for administration using Remote Desktop Connection
(RDC) without installing the role. RDC provides substantial improvements over previous releases,
with a simplified user interface that still connects to previous versions of Terminal Services
(Windows NT 4.0 Terminal Server Edition and Windows 2000).
See Chapter 2 for more information about Terminal Services and RDC.
Windows Server 2008 Terminal Server supports more users on each high-end server than
previous editions. Windows Server 2008, Enterprise Edition, provides better load-balancing
support than previous editions. TS Session Broker (called Session Directory in Windows Server
2003) maintains a list of sessions indexed by username, enabling users to reconnect to the
Terminal Server and resume working in that session. It also provides remote manageability by
taking advantage of technologies such as Group Policy and Windows Management Instrumentation
(WMI), which give you complete read/write control of the configuration from a remote workstation.
With Windows Server 2008 acting as a Terminal Services application server, all your users run
all their applications on the server. No such thing as a local Terminal Services client even exists.
The client can be a browser, a fat client running a Terminal Services terminal application (such
as a TN3270 character-based terminal running on Windows and accessing a DB2 database on
the mainframe), a dumb terminal (known as a Windows-based terminal), or terminals running
on the Windows CE or Pocket PC platforms. Your users’ terminals can also be installed on any
non-Windows platform, such as Macintosh, DOS, and Unix, but these require extras from Citrix,
which uses the ICA protocol.
Terminal Servers can be raised with any of the recipes discussed so far. What matters is not
what you start up with but what the terminal users do after they are attached to the server. We
have tested these services and deployed them in vigorous real-life situations with every version
of the OS, and the following configuration pointers, which apply to a different configuration
recipe that we discuss shortly, are key:
■ Restrict your users from having more than four applications open at one time. Make
sure, for example, that they can comfortably open and run a database application, a
word-processing application, e-mail, and a Web browser.
■ Configure the applications to run without fancy splash screens, animations, or any
resource-intensive software.
■ Assign and enforce hard-disk quotas. This is important to do for all users but is especially
useful if you are dealing with terminal users.
A server hosting no more than five RDC users should be running on a CPU of no less than 1.4GHz.
Each user (depending on the applications and the type of processing) should be assigned no less
than 32MB of RAM. 128MB and higher should be your goal to cope with the high memory demand
of many of today’s applications, especially applications from suites like Office 2007. You should
also install fast SATA or SCSI drives and support them in hardware RAID configurations on fast
controller cards. In short, no bare-bones situation is possible for Terminal Services and
application hosting. After all, if you were deploying to standard clients, they would likely each
have more than 1.6GHz with 1 or 2GB of RAM.
At 128MB each, the recipe thus calls for the following total server RAM:
■ Operating system = 1GB
■ Five users at 128MB each = 640MB
■ Total RAM needed = 1,664MB, rounded up to 2GB
You’re likely to have a hard time fitting such a small amount of RAM into a modern motherboard
anyway. Your configuration would thus be at least 2GB for a modern application server hosting
one to five RDC users.
Line-of-business role-server installation recipe
Role servers are servers running services such as DHCP, WINS, DNS, and Active Directory. Your
application and needs may vary widely, depending on the service and how many subscribers
it has. A small company may get away with a lightweight configuration, such as the small file-
and print-server recipe offered in the section of that name, earlier in this chapter. In other cases,
you may require much more firepower, especially on medium to large intranets. You can easily
run DHCP, WINS, and DNS on Windows Server 2008 on 1GHz machines with 1GB of RAM
in each, servicing several thousand users across a nationwide WAN, but you have a lot more
replication and dynamic configuration overhead with Windows Server 2008, so you may need
to shell out for more powerful machines.
High-road, or mission-critical recipe
Mission-critical servers should have no less than 1.6GHz in CPU capability, and if you have more
than a handful of users you should consider two-CPU configurations or possibly quad systems.
Hard-disk needs may vary, but you need to configure a second drive letter running at RAID-5
under hardware control. (In case you’re wondering, these are SCSI devices, which we discuss in
the section ‘‘Partitioning Hard-Disk Drives,’’ later in this chapter.)
Redundant or standby system recipe
Any of the server recipes mentioned in the preceding sections can be cloned to provide an
offline or hot spare. These are obviously not clustered or automatic failover machines. If the
primary server goes down, you could pull dynamic volumes out of the primary arrays and install
them into the hot spares. A better solution, if you can afford it, is to install Enterprise Server
and run cluster services and network load balancing.
Large systems, clusters, and Datacenter Server installations
Advanced clustering (high availability) and Datacenter Server solutions are beyond the scope of
this book, although most of the configuration information in this book applies to the high-end
operating systems. Any large system calls for an external SCSI-based storage silo under hardware
RAID-5.
The various recipes that we’ve discussed so far are summarized in Table 1-1.
TABLE 1-1
Hardware Guide for Server Recipes

Recipe                  CPU/GHz      RAM/GB   HDD
Bare-bones              1.6          1-2      SATA, eSATA or SCSI
Small File and Print    1.6          1-2      SATA, eSATA or SCSI
App server              2            1-2      SATA, eSATA/SCSI
Terminal Services       2            2+       SCSI-RAID
Role server             2            1+       SCSI-RAID
LOB                     2            1+       SCSI-RAID
Standby                 1            1+       SATA, eSATA/SCSI
Large                   2X2 or 2X4   4+       SCSI, eSATA - RAID
Overview of Hardware
Choosing hardware is not a difficult exercise at all for Windows Server 2008. You really don’t
put a lot into your system. The list of hardware that we discuss in the following sections is as
follows:
■ Motherboards
■ CPU
■ Memory
■ Hard-disk drives
■ HDD controllers
■ Network interface cards (NICs)
Hardware compatibility
Before you go buy parts, review the Windows Server Catalog for hardware compatibility at
http://www.windowsservercatalog.com/. The ‘‘Designed for . . . ’’ or ‘‘Ready for . . . ’’
Windows logo identifies software and hardware products that have been designed for and
work well with Microsoft products. Software and hardware products displaying the logo must
pass rigorous testing to ensure that they provide ease of use and stability and that they take
advantage of the new features in Windows products. Software is tested by an independent
testing lab. All PCs and peripheral hardware must be tested by Microsoft approved labs.
Businesses that use products meeting Windows logo criteria stand to gain the following benefits:
■ Lower support costs
■ Support for mixed Windows environments
■ Correct use of the operating system
■ Compliance with the Americans with Disabilities Act and other equal-rights legislation
According to Microsoft policy, Microsoft does not support you if the item is not on the so-called
‘‘HCL,’’ or hardware compatibility list, but not many items may be on the HCL yet. If you offer
to spend $195 with Microsoft to figure out whether hardware is the reason a server does not
start, do they refuse to take your money? They never have to date. Microsoft’s paid support team
is very responsive and helps you determine whether hardware is your problem. If they tell you
that you have a hardware-compatibility problem, that’s probably all the advice that you need.
The compatibility issues aside, you should heed the following advice: Most large companies buy
brands from the likes of IBM, Dell, HP, and so on; and if the budget is there, a small company
looking for one business server should go this route as well. The servers are burned in and
tested, and the manufacturer stands behind the compliance of its product running Windows
Server 2008, logo-compliant or not. The servers also come with warranties and various levels of
support.
If, however, you plan to build your own server, or if you need to upgrade a machine down the
road, by all means, buy your own parts and knock together your own server. For best motherboard results, however, try to stick to made-in-America components or well-known and popular
foreign imports. For RAM, only a handful of factories are left, but you’re okay buying products
from the likes of NEC, HP, IBM, TI, and others. For hard disks, IBM, Quantum, Western Digital, Maxtor, and Seagate are the leaders now, and really the only players. For CPUs, you have
Intel and AMD. If you are thinking other marginal CPUs, you need to talk to the likes of IBM or
Motorola. The other peripherals do not interfere with your server.
Installing Windows Server 2008
We have found, after dozens of installations, that the best practice for installing Windows Server
2008 is to follow this specific checklist of events:
■ Check system requirements — visit Microsoft’s site and review the System Requirements
for Windows Server 2008.
■ Read the setup instructions and release notes included with the Windows Server 2008
Installation DVDs.
■ Determine whether to upgrade or install.
■ Determine what licensing schema to use: per server or per seat.
■ Determine whether you want the capability to choose between different operating systems
each time that you start the computer.
■ Determine the file system for any data volumes. The volume that holds Windows itself must
be NTFS (Setup will not install onto FAT32), and data volumes should be NTFS too, because
only NTFS gives you file-level permissions, auditing, quotas, and encryption.
■ Determine whether a special partition is necessary for this installation.
■ Choose the correct components to install. Determine the server’s purpose.
■ Determine how to handle networking, IP, TCP/IP, and name resolution.
■ Determine whether you want workgroups or domains.
■ Disconnect any UPS devices. The setup process tries to detect devices connected to serial
ports or USB ports; therefore, UPS equipment can cause problems with the detection
process.
Start setup after you have considered each of the events in the following sections and prepared a
checklist that is right for your installation.
Partitioning hard-disk drives
Give Windows Server 2008 a hand, and it takes an arm . . . or at least another drive. Installation
assesses all the hard-drive resources in the system, and if you have two drives (or partitions), the
OS can end up using both. The active partition of the first disk gets the boot loader (bootmgr and
the BCD store), the minimum required to start the machine and hand over to the operating system.
Windows calls this volume, counter-intuitively, the system volume. The partition you select for
Windows itself (the \Windows directory and everything needed to reach the desktop on which you
can log in) is called the boot volume. If that partition sits on a second disk, or is not the active
partition, the loader and the OS end up on different volumes. (The names are the reverse of what
most people expect.)
Two reasons exist for the dual-volume arrangement. First, Windows Server 2008 is optimized to
use more than one hard-disk drive. Second, a minimal system (loader) volume can hold just the
boot files and can be formatted as FAT or FAT32 instead of NTFS. The theory is that if you lose
the base operating system, that is, if you cannot boot to the desktop, you can at least boot to a
DOS diskette and then, from DOS, copy new loader files over the corrupt ones (or replace a
defective drive). Many NT and NetWare systems were configured this way. However, a
well-designed and managed system has no need for a FAT boot disk, and such a disk is a risk to
the entire system: FAT supports no file-level permissions, so anyone with a local logon can read or
replace the loader and its configuration, and nothing in the file system records who did it.
Windows Server 2008, however, lets you boot to the Advanced Boot Options menu (press F8 at
startup; it is offered automatically after a failed start). Here you have several options, such as
Safe Mode with Networking, and from there you can attempt to boot without certain services and
debug the problem after you have the OS up and running. You can also boot the installation DVD
into the Windows Recovery Environment (WinRE), which replaces the Recovery Console of earlier
versions and gives you a command prompt that can read and write NTFS volumes and the boot
files. The practice of leaving boot or system files on FAT volumes is old-fashioned, the result of
bad memories from Windows NT days. We recommend the partition arrangement options described
in the following sections.
Option 1: One HDD
This arrangement uses one hard-disk drive, which forces Windows Server 2008 to put both boot
files and system files onto the same drive and partition. To use this option, follow these steps:
1. Configure the system with one hard-disk drive of about 12GB in size. (Microsoft’s official
recommendation is to supply at least a 10GB partition, but with roles and features to be
added, as well as patches and fixes and new features coming down the road, you need to
leave room for expansion.)
2. Format the partition during the install as NTFS.
3. Have Windows Server 2008 choose the default partition name.
The pros of this partitioning option are as follows: First, you save on hard-disk drives. Second,
you can mirror this disk for fault tolerance, either on a hardware RAID controller or, after
converting both disks to dynamic disks in Disk Management, with a Windows software mirror of
the combined boot and system volume.
The negatives of this partitioning option are that, if you must format the system or boot volumes
as FAT, you end up with a disk consisting of numerous partitions. This is not necessary on a
server and can later lead to problems, such as no capability to mirror or diminishing hard-disk
space and the advanced features of dynamic disks. You may also have trouble providing
dual-boot capability, but dual boot is not recommended, and besides, you have no need to
provide dual boot on a production server.
Option 2: Two HDDs
This arrangement uses two hard-disk drives: Windows Server 2008 puts boot files on one disk
and system files on the second disk. To use this option, follow these steps:
1. Configure the system with two hard-disk drives: a small first drive for the system (loader)
volume and a second drive of about 12GB for the boot volume that holds Windows, the same
size as in Option 1.
2. Format the drives as NTFS during the install.
3. Have Windows Server 2008 choose the partition names and the default and put the files
where it needs to.
The positive aspect of this partitioning option, as far as we can tell, is that you have the option
of leaving the boot volume formatted as FAT (or FAT32) and formatting the rest of the partitions and drives as NTFS.
The negatives of this partitioning option are that you use up a second drive for a small amount
of hard-disk space, but if you are bent on dual or multi-boots, the second drive can hold the
additional OS.
Although you have a performance incentive to use a second hard disk, the increased performance is not worth the effort and the second drive, considering the speed and response of
modern hard disks. We are also talking about Server Core here and not Active Directory, LOB
servers, SQL Server, or Exchange, which are built to take advantage of additional drives. You
would be better off using a second drive as a mirror of the first to gain a fault-tolerance feature.
Performing a Server Core install
To create a server running on Server Core installation you need to have the following handy:
■ The Windows Server 2008 installation media
■ The product key
■ A computer with the recommended configuration for a Server Core installation
Before you begin, make sure you have clean or newly formatted hard disks or volume that
you can allow installation to format for you. You cannot upgrade from a previous version of
Windows Server to a Server Core installation. You also cannot upgrade from a full installation
of Windows Server 2008 to a Server Core installation. Only a clean installation is supported.
Be sure of your needs and configuration before you start. Once you start a Server Core installation you cannot go back later and try upgrading it to a full installation of Windows Server 2008
with the Windows UI. Microsoft does not support that route and you would have to blow away
the Server Core installation and start all over again.
To install a Server Core installation, perform the following:
1. Insert the Server Core Windows Server 2008 installation media into the DVD drive.
2. The auto-run dialog box will now appear. Click the Install Now option.
3. The installation wizard takes you through the instructions to complete Setup.
4. After the installation, press Ctrl+Alt+Delete and click Other User. At the login enter
Administrator with a blank password, and then press Enter. You will now be able to log
in and you will have the chance to set a password for the Administrator account.
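As an added example (not code from the book), here is the first-boot configuration a practitioner would type at the Server Core console after the Administrator logon in step 4, written as a batch file so it can be reviewed and reused. It also illustrates the earlier point that roles on Server Core are installed with oclist and ocsetup rather than Server Manager. Every value in it is an assumption to change for your environment: the computer name CORE01, the address 192.168.10.20/24 with gateway 192.168.10.1 and DNS server 192.168.10.10, the interface name ''Local Area Connection'', and the choice of the DNS Server role.

```batch
@echo off
rem core-init.cmd (added example, not from the book): first-boot configuration
rem of a Windows Server 2008 Server Core box, run at the local console after
rem the Administrator logon. Assumed values, change them for your network:
rem   name CORE01, address 192.168.10.20/24, gateway 192.168.10.1,
rem   DNS server 192.168.10.10, interface "Local Area Connection", DNS role.
setlocal
set NEWNAME=CORE01
set NIC=Local Area Connection
set IP=192.168.10.20
set MASK=255.255.255.0
set GW=192.168.10.1
set DNS=192.168.10.10

rem 1. If you skipped the password change at first logon, do it now. The *
rem    makes net user prompt, so the password never appears on the command
rem    line, in the console history or in a process listing.
net user Administrator *

rem 2. Static addressing. There is no Network Connections UI; netsh is the tool.
rem    "netsh interface ipv4 show interfaces" lists the interface names.
netsh interface ipv4 set address name="%NIC%" source=static address=%IP% mask=%MASK% gateway=%GW%
netsh interface ipv4 add dnsserver name="%NIC%" address=%DNS% index=1

rem 3. Name the computer (netdom ships with Server Core). The new name takes
rem    effect at the reboot at the end of the script.
netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /force

rem 4. Remote administration. Windows Firewall is on and blocks all inbound
rem    traffic by default; open only the rule groups you will use, then enable
rem    Remote Desktop (/ar 0) and WinRM so MMC snap-ins and winrs can reach in.
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
cscript %SystemRoot%\System32\scregedit.wsf /ar 0
winrm quickconfig -quiet

rem 5. Patching and activation: /au 4 turns on Automatic Updates (download
rem    and install on schedule); slmgr -ato activates against Microsoft or a KMS.
cscript %SystemRoot%\System32\scregedit.wsf /au 4
cscript %SystemRoot%\System32\slmgr.vbs -ato

rem 6. Install only the role this server exists for. oclist shows every
rem    optional component and whether it is installed; ocsetup names are
rem    case-sensitive, and start /w waits for the silent installer to finish.
oclist | findstr /I /C:"DNS-Server-Core-Role"
start /w ocsetup DNS-Server-Core-Role

rem 7. Evidence for the change record: what is installed and what now listens.
oclist | findstr /R /C:"^ *Installed:" > %SystemDrive%\roles.txt
netstat -ano -p tcp | findstr LISTENING > %SystemDrive%\listeners.txt
endlocal
shutdown /r /t 10 /c "Server Core initial configuration complete"
```

The two files written in step 7 are worth keeping: the listener list is the server's actual network attack surface after the role install, and comparing it against a later snapshot is the quickest way to spot something that was added without a change record.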
Performing an unattended Server Core install
As with previous versions of the OS, you use an ‘‘unattend’’ file for a Server Core installation
or a regular Windows Server 2008 image. The unattended server install enables you to perform most of the initial configuration tasks during Setup. The following section describes an
unattended installation of the Server Core image. If you have a number of servers to install,
the unattended installation of Server Core can provide a host of benefits.
There is no need to perform initial configuration using command-line tools because you
can include options in the unattend file that will enable remote administration. Once Setup
completes you will be able to connect with various tools and applications and continue to
fine-tune and configure.
To install a Server Core installation by using an unattend file, do the following:
1. First create an .xml file named unattend.xml. You can use any text editor or the Windows System Image Manager (Windows SIM) from the Windows Automated Installation Kit.
2. Next copy the unattend.xml file to a local drive or place it on a shared network resource. Remember that this file can carry the Administrator password, so restrict read access to it and remove it when the rollout is done.
3. Boot the machine into an environment from which Setup can be started: the Windows Preinstallation Environment (Windows PE), or an existing Windows Server 2003 or Windows XP installation.
4. Next place the Windows Server 2008 installation media into the disk drive. If the auto-run Setup window appears, click Cancel and open a command prompt.
5. Next, change to the drive that contains the installation media, enter the following command, and press Enter:
setup /unattend:<path>\unattend.xml
The <path> is the path to your unattend.xml file described in step 2. Setup will run to
completion with whatever you have in the unattend.xml file.
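The following script is an added example, not code from the book, showing how the unattend file described above can be generated from an administrator workstation (Server Core 2008 itself has no PowerShell) so that the new server comes up named, with an Administrator password set, and with Remote Desktop reachable for the remote administration the text mentions. The computer name, password, output path and the amd64 architecture are assumed values; the component names are the ones documented for Windows Server 2008 and should be confirmed against the Windows SIM catalog for your media. The security point it demonstrates is that Setup's "hidden" password form is only base64 obfuscation, so the file is locked down with an ACL before it goes anywhere near a distribution share.

```powershell
# Added example (not from the book): build unattend.xml for a Server Core install
# and restrict access to it. Requires PowerShell 2.0 or later on the workstation.

function ConvertTo-UnattendPassword {
    param([Parameter(Mandatory=$true)][string]$Password)
    # Setup's non-plaintext form is base64(UTF-16LE(password + "AdministratorPassword")).
    # That is obfuscation, not encryption: anyone who can read the file gets the password.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Password + 'AdministratorPassword'))
}

function New-ServerCoreUnattend {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,   # assumed, e.g. MDENTS02
        [Parameter(Mandatory=$true)][string]$AdminPassword,
        [Parameter(Mandatory=$true)][string]$Path,           # where unattend.xml is written
        [string]$Arch = 'amd64'                              # use x86 for 32-bit media
    )
    # NetBIOS names are at most 15 characters; keep to letters, digits and hyphens.
    if ($ComputerName.Length -gt 15 -or $ComputerName -notmatch '^[A-Za-z0-9-]+$') {
        throw "'$ComputerName' is not a valid NetBIOS computer name"
    }
    # Attributes shared by every <component> element in an unattend file.
    $attrs = 'processorArchitecture="' + $Arch + '" publicKeyToken="31bf3856ad364e35" ' +
             'language="neutral" versionScope="nonSxS" ' +
             'xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"'
    $encoded = ConvertTo-UnattendPassword -Password $AdminPassword
    $xml = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" $attrs>
      <ComputerName>$ComputerName</ComputerName>
    </component>
    <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" $attrs>
      <fDenyTSConnections>false</fDenyTSConnections>
    </component>
    <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" $attrs>
      <UserAuthentication>1</UserAuthentication>
    </component>
    <component name="Networking-MPSSVC-Svc" $attrs>
      <FirewallGroups>
        <FirewallGroup wcm:action="add" wcm:keyValue="RemoteDesktop">
          <Active>true</Active>
          <Group>Remote Desktop</Group>
          <Profile>all</Profile>
        </FirewallGroup>
      </FirewallGroups>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" $attrs>
      <UserAccounts>
        <AdministratorPassword>
          <Value>$encoded</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@
    # Parse first so a malformed file never reaches the distribution share.
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($xml)
    [IO.File]::WriteAllText($Path, $xml, [Text.Encoding]::UTF8)

    # The file carries the Administrator credential: drop inherited permissions and
    # allow only Administrators and SYSTEM to read it.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    Get-Item -Path $Path
}

# Usage with assumed values; the result is what you pass to setup /unattend:<path>\unattend.xml
New-ServerCoreUnattend -ComputerName 'MDENTS02' -AdminPassword 'Use-a-real-passphrase' -Path 'C:\deploy\unattend.xml'
```

UserAuthentication set to 1 requires Network Level Authentication for the Remote Desktop connection, so the new server never exposes a full logon screen to an unauthenticated client; the firewall group is opened for all profiles only because the server has not yet joined a domain when Setup runs, and you should tighten it once the machine is in place.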
Performing a basic install
The DVD install consists of several stages, prompting you for information, copying files, and
restarting. Setup concludes with the Initial Configuration Tasks window, which guides you through the
server configuration.
Initial setup: Using the DVD
To use the DVD for initial setup, follow these steps:
1. Insert the media into your DVD drive and then reboot your machine. Alternatively, if an
earlier version of Windows is already running on the machine, you can run Setup from a command
prompt by typing D:\setup.exe. Either way, Setup loads a minimal footprint of Windows Server 2008
into memory. The code in memory contains the functions that start the setup program.
The machine is rebooted, and the Windows PE-based Setup starts.
2. Next you can check online if any new bits need to be downloaded for the installation or
you can continue with the bits you have on your DVD. Click Next to continue.
3. You are now required to add in your product key. Click Next and you will see the option
to install Server Core or the regular Server 2008 image (this is shown in Figure 1-1). Click
Next.
4. The next screen gives you the license terms and you have to agree to them to continue.
Check the agreement checkbox and click Next.
If you are installing on a server that already has a Windows Server installed you will be
prompted to upgrade or install a fresh image. You should install a fresh copy of Windows
Server 2008 on a newly formatted partition.
FIGURE 1-1
Choose standard installation image or Server Core.
5. Setup next asks you to choose the partition on which to install the operating system. You
can select existing partitions or choose to create a new partition. (You also have the option
to load disk drivers at this point.) After choosing the partition, click Next. Once you have
confirmed the file system you are on your way to installation.
6. Setup immediately begins installing files to the partition. If you have more than one disk
in the system and want to install to one disk, do not format or partition any other media at
this time.
7. Setup then saves the initial configuration and restarts the machine.
On boot up, the first screen that you see is the Initial Configuration Tasks window. The Windows Server 2008 operating system files are installed in the C:\Windows folder.
Running the Setup Wizard: Information to have handy
When you install Windows Server 2008 you will be asked for information about yourself, the
organization or company licensing the software, and the computer.
Windows Server 2008 takes this information and begins installation in which it copies software
to support machine configuration, installed devices, and so on. After this phase, Windows Server
2008 prompts you for the following information:
■ Language options. You are asked to customize language, locale, and keyboard settings. If
you are installing in the United States, you can, for the most part, leave these at the default
settings. You can also configure the server to use multiple languages and regional settings.
Choosing multiple languages forces Windows to install the character sets from multiple
languages.
■ Name and organization. Provide the name of the person responsible for the software
and the name of the organization that owns the license.
■ Licensing mode. Earlier versions of Windows Server asked you to choose per-server or
per-seat (per-device or per-user) licensing during Setup; Windows Server 2008 Setup asks only
for the product key. The client access license (CAL) mode is still a decision you must make and
record, and if you are going to provide application services by using Terminal Services in
Application mode, you also need Terminal Services CALs and a license server.
■ Computer name. This is where you get to add the NetBIOS name. Windows Server 2008
chooses a default name for you, which you should change because it doesn’t make very
much sense. Coming up with a convenient naming convention that your users recognize
is far better.
Windows pretty much leaves you to your own devices in naming your computers. The best
rule to follow is to name the machine according to any convention you dream up that works
for your situation . . . just be consistent. Resist cute names for several reasons: The names
may be hard for your users to relate to, and some may find them annoying. (Not everyone
loves Disney.) Server names are also the prefixes for the new Dynamic DNS names assigned
to the server. A simple machine name for the genesis.mcity.us domain name would be
MDENTS02.MCITY.US, which is far better than BULLWINKLE.MCITY.US. Be careful, too, about
using names that attract security problems. We once used the name Checkpointcharlie,
which was subsequently hacked the following week.
■ Password for the Administrator account. This sets the password for the built-in local
Administrator account. On a domain controller the local account database is replaced by Active
Directory, so there the password applies to the domain Administrator account instead.
■ Windows Server 2008 components. The next step is to add the optional components
and services. Ignore most of these services in trial installations and go directly to Networking Options. Here, you must provide DHCP information, the DNS server address, and
other information.
■ Terminal Services. You can also choose the operating mode of Terminal Services. For
now leave it as is, in Administration mode (Remote Desktop for Administration). There’s no
point in installing the Terminal Services role until you are ready, and the mode can be changed
at any time.
■ Display settings. These settings enable you to configure the screen resolution, number of display colors, and video-related information such as refresh rate. You can leave
many of these settings at the default. Change your screen resolution, however, to at least
800 × 600. Many Windows Server 2008 folders and menus are jam-packed with icons
and information, and 640 × 480 just does not work. In many cases, you should go with
1,024 × 768 resolution.
■ Time and date. These settings enable you to set time zones and daylight saving information and to adjust the current date and time. After this information is applied, Windows
Server 2008 starts Phase 3 of the installation process: the network install.
Windows network install
This phase installs the networking components. Windows Server 2008 attempts to detect the
network interface cards (NICs). If you use standard well-known brands such as Intel, you’ll have
no problems getting through the installation. The following list describes the steps, both automatic and interactive:
■ Network card detection. After detecting and installing the drivers for the NICs,
Windows Server 2008 attempts to locate a DHCP server on the network. It does this by
broadcasting a DHCPDISCOVER message (from UDP port 68 to UDP port 67) and then listening
for a DHCPOFFER from a DHCP server. If Windows Server 2008 cannot obtain an IP address, it
falls back to Automatic Private IP Addressing (APIPA) and assigns itself an address in the
169.254.0.0/16 range. You can then continue with the installation, installing into a
new workgroup, and make the necessary network connections later.
■ Networking components. Next, you are asked to choose the networking components.
The basic options to choose are the client for Microsoft Networks, File and Print Sharing
for Microsoft Networks, and TCP/IP. You can install other services and components at any
time after installation. If you are installing into an existing NT domain that does not have
DNS or WINS servers in place, enable NetBIOS over TCP/IP as well.
■ Workgroup or domain. If you are installing into a domain, you need the name of the
account and password that has the authority to create new accounts in the domain. If you
have problems installing into the domain, install into a workgroup. If you do not have a
workgroup, create any workgroup name on the fly, such as awshucks, because you can
always change it after installation or change to a domain whenever you are ready, post
installation.
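The script below is an added example, not the book's code, for the DHCP step described above: run on the new server after Setup (PowerShell 2.0 or later), it lists each IP-enabled adapter and flags the ones that got no DHCP lease and fell back to an APIPA address, which is the case you want to catch before you try to join a domain. The adapter and server names it prints come from WMI; nothing else is assumed.

```powershell
# Added example (not from the book): detect adapters that fell back to APIPA because
# no DHCP server answered the DHCPDISCOVER broadcast (UDP 68 -> 67).

function Test-ApipaAddress {
    # Automatic Private IP Addressing hands out addresses from the link-local block 169.254.0.0/16
    param([Parameter(Mandatory=$true)][string]$IPAddress)
    $IPAddress -like '169.254.*'
}

function Get-DhcpLeaseStatus {
    param([string]$ComputerName = '.')
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            # IPAddress is a string array that may mix IPv4 and IPv6; keep the IPv4 entries
            $v4    = @($_.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
            $apipa = @($v4 | Where-Object { Test-ApipaAddress -IPAddress $_ })
            if ($_.DHCPEnabled -and $apipa.Count -gt 0) { $status = 'APIPA fallback: no DHCP lease' }
            elseif ($_.DHCPEnabled)                      { $status = 'DHCP lease' }
            else                                         { $status = 'static' }
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                Status     = $status
                IPv4       = ($v4 -join ', ')
                DHCPServer = $_.DHCPServer      # empty when no DHCPOFFER was ever received
            }
        }
}

Get-DhcpLeaseStatus | Format-Table Adapter, Status, IPv4, DHCPServer -AutoSize
```

A 169.254.x.x address together with an empty DHCPServer field means the broadcast went unanswered (wrong VLAN, no relay agent, or no DHCP server yet); a 169.254.x.x address with a DHCPServer value recorded means a lease was held once and later lost.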
Final installation setup
This is the fourth phase of the installation, which involves final file copy, configuration, and
removal of temporary files. The Setup program copies all remaining files to the hard disk. These
include bitmap files, accessories, and services or component files that are either installed into
service or left dormant until activated. Setup then applies configuration settings specified during
earlier interactions.
The new configuration is saved in the registry databases and on disk to be used for the configuration after the computer starts anew. At this time, all temporary files are removed from the
computer. After this activity, the machine is rebooted.
Installing from the network
You can also install servers from network sharepoints, which are called distribution drives or
servers. Network installs should obviously be limited to local area network installation because
anything less than the standard 100-Mbit/sec network speed makes installation an excruciatingly
slow experience.
If you have not created a distribution share, copy the contents of the Windows Server 2008
DVD (setup.exe and the sources folder containing install.wim; unlike earlier versions there is
no I386 folder) to a drive and share it. Apply
the necessary access control to prevent unauthorized users from accessing the distribution files,
and any unattend file stored alongside them, which may contain an administrator password.
The process, after you have a distribution point in place, is as follows:
1. Boot the target machine into Windows PE, either from Windows PE media or by PXE-booting
it from a Windows Deployment Services server. Windows Server 2008 Setup is a 32- or 64-bit
Windows program that installs only to NTFS, so the DOS boot disks and FAT partitions used
for earlier versions cannot be used; Setup creates and formats the partition itself.
2. Your Windows PE boot image contains the following software:
■ TCP/IP protocol files
■ A minimal Windows environment in which setup.exe can run
■ Network interface card drivers (another reason to use good cards that Windows PE already supports; other drivers can be added to the boot image)
3. You also need to connect the target machine to the source distribution sharepoint, for
example with net use, using an account that has read access to the share.
4. After you have connected to the network sharepoint, you start the installation by executing
setup from the distribution server, optionally with an unattend file.
As Windows Server 2008 performs an upgrade, it first gathers information relating to installed
hardware and software and reports this to you before installation begins. If some components
preclude Windows Server 2008 from installing, you are given an option to remove those
components or circumvent attempts by the installation process to support them in the new
environment. After you have removed or dealt with the offending components, Windows Server
2008 enables the installation to proceed.
Roles, Features, and Applications
After you install the operating system and log in for the first time as an administrator, Windows
Server 2008 automatically presents you with the Server Manager console. This tool enables
you to configure role services such as Active Directory, DHCP, DNS, IIS, and more. If you
do not need to use the tool immediately, you can close it. It can be accessed again from the
menu items in Administrative Tools, from the Control Panel, and the command line. The OS,
however, presents this tool to anyone who logs on to a server interactively in the capacity of an
administrator.
Once you have completed a basic or Server Core installation, you have a variety of services and
applications that can be installed on the server. These are grouped by roles, features, and applications. We will go into these in more detail shortly.
Standalone servers
Standalone servers do not connect to any domain but rather to a workgroup. You can create
a workgroup from one standalone server or join the server to another workgroup, Windows
for Workgroups–style. Standalone servers can share resources with other computers on the
network, but they do not receive any of the benefits provided by Active Directory.
For a standalone server, you need the following items:
■ Workgroup name
■ An administrator’s password
■ Network protocols
■ IP address
■ DNS IP addresses and host names
■ NetBIOS name of host
Member servers
Member servers are members of domains. A member server is running Windows Server 2008,
a member of a domain, and not a domain controller. Because it is not a domain controller, a
member server does not handle the account logon process, does not participate in Active Directory replication, and does not store domain security-policy information.
Member servers typically function as the following types of servers:
■ File servers
■ Application servers
■ Database servers
■ Web servers
■ Certificate servers
■ Firewalls
■ Remote-access servers
■ Print servers
Member servers also have a common set of security-related features, as follows:
■ Member servers adhere to Group Policy settings that are defined for the site, domain, or
organizational unit.
■ Resources that are available on a member server are configured for access control.
■ Member server users have user rights assigned to them.
■ Member servers contain a local security-account database, the Security Account Manager
(SAM).
To install a member server into a domain, you need to add the following items to your checklist:
■ Domain name
■ Network protocols
■ IP address
■ NetBIOS name of host
Role servers
A server on a network — standalone or member — can function in a number of roles.
As the needs of your computing environment change, you may want to change the role of a
server. By using the Server Manager and the Add Roles Wizard, you can install Active Directory
Domain Services to promote a member server to a domain controller, or you can install individual roles or combinations of various roles, such as DHCP and DNS. It is also relatively
straightforward to demote a domain controller to a simple role server or remove any number of
roles and features from a server.
Server Manager is the key configuration console you will use for installing server roles and
features on your server. It can be configured to open automatically as soon as you log in to the
Windows console or desktop. Figure 1-2 shows Server Manager opened to the File Services role
details page.
FIGURE 1-2
The Server Manager console.
Types of roles
Let’s look at the various roles and features you can install on Windows Server 2008.
■ Active Directory Certificate Services (AD CS). AD CS role services install on a number
of operating systems, including Windows Server 2008, Windows Server 2003, and
Windows 2000 Server. Naturally the fullest implementation of AD CS is only possible
on Windows Server 2008. You can deploy AD CS as a single standalone certification
authority (CA), or you can deploy multiple servers and configure them as root, policy, and
certificate issuing authorities. You also have a variety of Online Responder configuration
possibilities. AD CS is discussed in depth in Chapter 16.
■ Active Directory Domain Services (AD DS). This is the role in the Windows Server
2008 operating system that stores information about users, computers, and other
resources on a network. AD DS is also used for directory-enabled applications such as
Microsoft Exchange Server. AD also stores all information required for Group Policy. See
Chapters 17–24.
■ Active Directory Federation Services (AD FS). AD FS employs technology that
allows users over the life of a single online session to securely share digital identity
and entitlement rights, or ‘‘claims,’’ across security and enterprise boundaries. This
role — introduced and supported on all operating systems since Microsoft Windows
Server 2003 R2 — provides Web Single Sign-On (SSO) services to allow a user to access
multiple, related Web applications.
■ Active Directory Lightweight Directory Services (AD LDS). This service is ideal if you
are required to support directory-enabled applications. AD LDS is a Lightweight Directory
Access Protocol (LDAP) compliant directory service.
■ Active Directory Rights Management Services (AD RMS). This service augments
an organization’s security strategy by protecting information through persistent usage
policies. The key to the service is that the right management policies are bound to the
information no matter where it resides or to where it is moved. AD RMS is used to lock
down documents, spreadsheets, e-mail, and so on from being infiltrated or ending up in
the wrong hands. AD RMS, for example, prevents e-mails from being accidentally forwarded to the wrong people.
■ The Application Server role. This role supports the deployment and operation of custom business applications that are built with Microsoft .NET Framework. The Application
Server role lets you choose services for applications that require COM+, Message Queuing, Web services, and Distributed Coordinated Transactions.
■ DHCP and DNS. These two roles install the two critical network services
required for every network. They support Active Directory integration and support IPv6.
See Chapters 3 and 4 for DNS and DHCP, respectively. WINS is not classified as a key
role for Windows Server 2008, and you install it as a feature, discussed later.
■ Fax Server role. The fax server lets you set up a service to send and receive faxes over
your network. The role creates a fax server and installs the Fax Service Manager and the
Fax service on the server.
■ File Server role. This role lets you set up all the bits, bells, and whistles that come with a
Windows file server. This role also lets you install Share and Storage Management, the Distributed File System (DFS), the File Server Resource Manager application for managing file
servers, Services for Network File System (NFS), Windows File Services, which include
stuff like the File Replication Service (FRS), and so on. The File Server role is discussed in
Chapters 13 through 15.
■ Network Policy and Access Services. This provides the following network connectivity
solutions: Network Access Protection (NAP), the client health policy creation, enforcement, and remediation technology; secure wireless and wired access (802.1X), wireless
access points, remote access solutions, virtual private network (VPN) services, RADIUS, and
more. The Network Policy and Access Service is discussed in Chapter 6.
■ Print Management role. The print services provide a single interface that you use to
manage multiple printers and print servers on your network. Printer management is discussed in Chapter 12.
■ Terminal Services role. This service provides technologies that enable users to access
Windows-based programs that are installed on a terminal server. Users can execute applications remotely (they still run on the remote server) or they can access the full Windows
desktop on the target server.
■ Universal Description, Discovery, and Integration (UDDI). UDDI Services provide
capabilities for sharing information about Web services. UDDI is used on the intranet,
between entities participating on an extranet, or on the Internet.
■ Web Server role. This role provides IIS 7.0, the Web server, ASP.NET, and the Windows
Communication Foundation (WCF).
■ Windows Deployment Services. These services are used for deployment of new computers in medium to large organizations.
Features
Server Manager also lets you install dozens of ‘‘features’’ on Windows Server 2008. These
so-called features are actually programs or supporting layers that support or augment the
functionality of one or more roles, or simply add to the functionality of the server.
A good example of a feature is the clustering service. Now called Failover Clustering, this feature
can be used to support mission-critical roles such as File Services, Printer Services, and DHCP
Server, on server clusters. This provides for higher availability and performance.
Other features you will likely install include SMTP Server, Telnet Client and Server, Group Policy Management (for use with Active Directory), Remote Assistance, and more.
Let’s now look at some specific scenarios.
Windows Server 2008 as a domain controller
Member Servers or just standalone servers can be promoted to domain controller. The Active
Directory Wizard can help you install and configure components and enables you to provide
directory service to network computers and users. Before installing or even considering a domain
controller, however, review the following checklist:
■ Review the Active Directory topic ‘‘Introduction to Active Directory’’ in your Windows
Server 2008 Help guide.
■ Make sure that you review the role of a domain controller.
■ Review concepts about security.
■ Review concepts about Domain Name Service (DNS) namespace planning and integration
with DNS.
■ Verify that the server has an NTFS partition.
■ Verify that DNS is correctly configured.
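To make the last two items of that checklist verifiable rather than a matter of eyeballing, the following added example (not from the book) runs on the candidate domain controller with PowerShell 2.0 or later and checks that the system drive is NTFS, that DNS servers are configured, and, when adding a domain controller to an existing domain, that the domain's DC locator record resolves. The domain name corp.example.com is an assumed value. The SRV lookup shells out to nslookup because the .NET resolver cannot query SRV records.

```powershell
# Added example (not from the book): pre-promotion checks for a would-be domain controller.

function Test-SystemDriveNtfs {
    # Active Directory's database and SYSVOL require NTFS
    $drive = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $drive.FileSystem -eq 'NTFS'
}

function Get-ConfiguredDnsServers {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Select-Object -Unique
}

function Get-DomainControllerSrvRecords {
    # Every DC registers _ldap._tcp.dc._msdcs.<domain>; if it does not resolve, dcpromo
    # will not be able to find a partner to replicate from.
    param([Parameter(Mandatory=$true)][string]$Domain)
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
    foreach ($line in $out) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] }
    }
}

function Test-DomainControllerPrerequisites {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [switch]$NewForest      # first DC of a new forest: no existing DCs to look for
    )
    $results = @()
    $results += New-Object PSObject -Property @{ Check = 'System drive is NTFS'; Pass = (Test-SystemDriveNtfs) }
    $dns = @(Get-ConfiguredDnsServers)
    $results += New-Object PSObject -Property @{ Check = 'DNS servers configured'; Pass = ($dns.Count -gt 0) }
    if (-not $NewForest) {
        $dcs = @(Get-DomainControllerSrvRecords -Domain $Domain)
        $results += New-Object PSObject -Property @{ Check = "Existing DCs found for $Domain"; Pass = ($dcs.Count -gt 0) }
    }
    $results
}

# Usage with an assumed domain name; add -NewForest when this will be the first DC.
Test-DomainControllerPrerequisites -Domain 'corp.example.com' | Format-Table Check, Pass -AutoSize
```

Run it before you start dcpromo, not after: the text below explains why an aborted promotion is expensive to back out of, and a failed SRV lookup here usually means the server's DNS client points at a server that does not host the domain's _msdcs zone.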
Promoting member servers to domain controllers either creates new domains or adds additional
domain controllers to existing domains. When you create a new domain, promoting its first
domain controller is what creates the domain; there is no separate step.
If your organization needs additional domains, you must create one domain controller for each
additional domain. New domains in a forest must be either a new child domain or the root of
a new domain tree. If you decide to create a child domain, the name of the new domain must
contain the full name of the parent. To hierarchically organize domains within your organization, make sure that you use the domain tree structure. If you would rather create the root of a
new domain tree, make sure that its name is not related to the other domains in the forest.
To improve the availability and reliability of network services, add additional domain controllers
to a domain. You can create new domain controllers across the network or from backup media.
Windows Server 2008 Standard, Enterprise, and Datacenter
all support Active Directory. AD uses a structured datastore for logical, hierarchical organization
of directory information. The datastore is also known as the directory, and it contains information about Active Directory objects. Active Directory objects include shared resources such as
servers, volumes, printers, and the network users and accounts.
Active Directory is tightly integrated with security through logon authentication and access
control to objects. This makes managing directory data and organization throughout the
network easy for an administrator. Schemas also help administrators with daily tasks by setting
constraints and limits on instances of objects. Schemas consist of classes of objects and attributes
contained in the directory. Global catalogs consist of the information about each and every
object in a directory; therefore, a global catalog provides easy access to directory information
regardless of which domain of the directory actually contains the data.
The following list summarizes the Active Directory features that are enabled by default on any
domain controller running Windows Server 2008:
■ The selection of multiple user objects and the capability to modify common attributes of
multiple user objects at one time.
■ The capability to drag and drop Active Directory objects from container to container or
to a desired location in the domain hierarchy. You also have the capability to drag objects
to group membership lists.
■ Enhanced search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.
■ The capability to save queries, enabling you to save commonly used search parameters for
reuse in Active Directory Users and Computers.
■ Active Directory command-line tools, which give you the capability to run
directory-service commands for administration scenarios.
■ You can now create instances of specified classes in the base schema of a forest
and instances of several common classes, including country or region, person,
organizationalPerson, groupOfNames, device, and certificationAuthority.
■ The inetOrgPerson class is added to the base schema and can be used in the same manner
as the user class.
■ You can configure replication scope for application-specific data among domain controllers running Windows Server 2008.
■ The capability to add additional domain controllers to existing domains by using backup
media, thus reducing the time necessary for an administrator to create additional domain
controllers.
■ Universal group membership caching to help prevent the need to locate a global catalog
across a WAN.
Active Directory can provide a companywide network solution with one domain, reduced
sign-on capabilities, and one single point of management. Active Directory helps eliminate
unnecessary domains and reduces server hardware and maintenance costs.
Please refer to Chapters 17–22 for a more in-depth view of Active Directory.
Two approaches to installing a domain controller are possible. First, you can raise the machine
as a member server and promote it post-installation — and even post-burn-in. Alternatively, you
can promote it to domain controller status during an automated installation. The latter option
naturally requires a script.
We don’t recommend the latter option unless you are really confident about your machines and
their configuration or you have a huge rollout. If you are an Original Equipment Manufacturer
(OEM), you would not need to be concerned about domain controllers and Active Directory
because the domain specifics, such as creating a new tree or forest or joining existing trees
and forests, is done on the customer’s network. Conversely, if you, as a consultant or network
engineer, have created an extensive unattended or remote installation regimen that automatically
raises the machine as a domain controller, you know what you are doing.
For now, you have several reasons to not promote during or just after initial installation. First,
promoting a domain controller is a time-intensive operation. (Active Directory goes through
extensive self-configuration before the installation completes.) Second, if you experience a
problem with the machine, you must demote the domain controller, which can be a complicated
process. Third, after you have installed and raised a domain controller, you do not want to
demote it because of a hardware problem or risk trashing your domain controller.
If Active Directory is demoted, it tears down everything that it created and restores the machine
to the control of the registry and the local SAM. In fact, it is like watching a movie in reverse.
Active Directory asks you for a new local administrator password for the rollback.
All configuration changes made to the machine, such as desktop settings, are restored to the
default, newly created settings. After you reboot the machine, you are back to where you
started. You do not even keep earlier changes that you made to the registry, because the local
security database is essentially rebuilt after Active Directory comes down (it was replaced when
you promoted the server).
There is a good reason for this. Everything configured on a domain controller is stored in the
directory database, so after the local database is restored you can re-promote the server from scratch. Promoting a domain controller is dealt with in Chapter 21.
To promote a role server into a domain controller, you need to add the following items to your
checklist:
■ Domain name
■ An administrator’s password
■ Network protocols
■ IP address
■ DNS IP addresses and host names
■ NetBIOS name of host
■ Role service information
The checklist for a domain controller is as follows:
■ Domain name. If you are creating a new domain, you need the name of the parent
domain that you are installing under or the existing tree name (or the forest name if you
are installing a new domain tree). If you are adding a domain controller to an existing
domain, you need to have that name handy as well.
■ An administrator’s password
■ Network protocols
■ IP address
■ NetBIOS name of host
■ DNS IP addresses and host names
Windows Server 2008 as a Communications
Server and Microsoft Exchange
Microsoft Exchange Server unites users with knowledge anytime, anywhere. Exchange is
designed to meet the messaging and collaboration needs of small organizations, large distributed
enterprises, and everything in between. Microsoft Exchange integrates with Windows Server
2008, although there have been a few hairy incompatibility problems with Exchange 2007 on
the RTM build of Windows Server 2008. We list a few of the Exchange Server main services
in the following sections.
Internet Information Services integration
Exchange is also integrated with IIS to provide high-performance support for the SMTP, POP3, and
IMAP4 mail protocols. Exchange also provides a browser interface through the Microsoft
Outlook Web Access client.
Active Directory integration
Active Directory, which is covered in more detail in the final chapters of this book, is an
enterprise directory service that is highly scalable and fully integrated with Exchange at the
system level. Exchange takes full advantage of the Windows Server 2008 Active Directory; with
but a single point of administration, it enables users to control all messaging services seamlessly.
All directory information, including users, mailboxes, servers, sites, and recipients, is stored
in Active Directory. Administrators benefit from the unified administration, experience no
user-interface changes, and require no retraining after switching to Active Directory. Integration
features of Exchange Server and Active Directory include the following:
■ Unified administration of Exchange Server and Windows Server 2008 enables an administrator to manage all user data in one place using one set of tools.
■ Security groups in Windows Server 2008 can be automatically used as Exchange distribution lists, removing the need to create a parallel set of distribution lists for each department
or group.
■ Active Directory’s schema extensibility enables the management of distributed information
and easily configurable Exchange user and server information.
■ Lightweight Directory Access Protocol (LDAP) is a native access protocol for directory
information.
Distributed services
Distributed services enable subsystems to use storage, protocol, and directories on different
computers, providing for scalability for millions of users. This system is extremely configurable,
providing extensibility and flexibility for system architecture.
Security
Exchange Server offers you the only messaging system that is fully integrated with the Windows
Server 2008 security model. Administrators use the Windows Server 2008 security model to
define the permissions for all messaging and collaboration services, including public folders. This
means that administrators can learn a single permissions model for managing both Windows
Server 2008 and Exchange and can create a single set of security groups to apply to either
Windows Server 2008 resources or Microsoft Exchange objects. This helps simplify your domain
administration, and Exchange Server enables permissions to be set at the item or document
level. Security descriptors can be set for messages and components. These features provide for
new levels of security.
Single-seat and policy-based administration
Microsoft Exchange uses a graphic administration and monitoring system that integrates with Windows Server 2008’s Microsoft Management Console (MMC) to provide single-seat administration. The MMC itself does not provide management capabilities; it provides a common interface through which you manage everything you need. The Microsoft Exchange System Manager, Microsoft Active Directory, and Internet Services Manager are snap-ins that provide the management for Windows Server 2008. Policy-based management gives the administrator the capability to perform a single operation across hundreds of objects. Policies are a set of objects defined by the administrator. The administrator can also define recipient policies that could potentially affect hundreds of thousands of users, groups, and contacts in Active Directory.
SMTP message routing
Exchange Server supports SMTP, POP, LDAP, IMAP, HTTP, NNTP, S/MIME, and X.509
version 3. This versatility enables Exchange Server to act as an organization’s gateway to the
Internet. Providing high-performance routing of e-mail services, SMTP is, by default, the
transport protocol for routing all message traffic between servers, within an Exchange site
and between sites. Your organization’s use of SMTP results in increased performance and new
opportunities for integration with the Internet. Exchange Server’s message algorithms have been
enhanced to provide fault-tolerant message delivery and to eliminate messages that bounce,
even when multiple servers or network links are down. This provides for increased message
bandwidth and performance. SMTP routing provides customers with considerable flexibility in
designing a reliable, high-performance messaging backbone by using Exchange Server.
Internet mail content
Exchange Server can significantly increase the performance of e-mail, because e-mail clients store and retrieve Multipurpose Internet Mail Extensions (MIME) content directly from the database, without any form of content conversion. Client software such as Outlook can stream data in and out of the database. This process helps performance immensely.
All the features discussed in the preceding sections provide low cost-of-ownership, which makes
Microsoft Exchange Server a valuable asset to every organization.
System Monitoring Using Windows Management Instrumentation
Windows Management Instrumentation (WMI) helps simplify the instrumentation of computer
software and hardware. It provides you with a means of monitoring and controlling system
components, both locally and remotely. The sole purpose of the WMI is to define a set of
environment-independent specifications, thus helping you share management information that
works with existing enterprise-management standards, such as Desktop Management Interface
and the Simple Network Management Protocol (SNMP). The WMI provides a uniform model
that complements these standards.
WMI is fully integrated with Windows Server 2008 to provide a simplified approach to
management. Such tools as Microsoft Management Console help simplify the task of developing
well-integrated management applications, therefore enabling vendors to provide Windows
Server 2008 customers with enterprise-scalable management solutions. Combining local and
remote events and the WMI query language provides you with the tools that you need to create
complex management solutions.
The WMI also provides you with the Windows Driver Model (WDM), a kernel-level instrumentation technology. This technology provides you with consistent, open access to management
data. WMI extensions are available for the following WDM capabilities:
■ Publishing kernel instrumentation
■ Configuring device settings
■ Providing kernel-side event notification
■ Publishing custom data
■ Enabling administrators to set data security
■ Accessing instrumentation by way of WMI
You can run the WMI console from the command line in interactive mode or noninteractive mode. Interactive mode is used for entering commands at the computer, and noninteractive mode is useful for processing batch procedures.
The console installs the first time that you run it. If a change is introduced to the managed object format (MOF) files, the console automatically compiles the alias. To start the WMI console from a command prompt, type wmic. The prompt should now look as follows:

wmic:root\cli>

The WMI console enables you to enter aliases, commands, and global switches, or you can enter /? for Help.
You can also run the WMI console in noninteractive mode, whereby the command prompt returns to you after executing the command. An example is as follows:

wmic os get /format:hform > OperatingSystem.html

The output from the command is redirected to an HTML file.
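The same kind of noninteractive query from PowerShell, as an added example rather than a listing from the book: it reads the Win32_OperatingSystem and Win32_Service classes through WMI from one or more computers and writes an HTML report, the counterpart of the wmic /format:hform redirection above. The computer names, the output path, and the use of Windows PowerShell 3.0 or later (Get-WmiObject, [pscustomobject]) are assumptions.

```powershell
# Added example (not from the book): gather WMI data noninteractively and
# write an HTML report, like "wmic os get /format:hform > file".
# Uses Get-WmiObject, which exists in Windows PowerShell (not PowerShell 7).
param(
    [string[]]$ComputerName = @('localhost'),   # assumed: hosts to query
    [string]$OutFile = 'OperatingSystem.html'   # assumed output path
)

function Get-WmiHealthReport {
    param([string[]]$Computers)

    foreach ($c in $Computers) {
        try {
            # Win32_OperatingSystem: one instance per host
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop

            # Services set to start automatically but not running: a useful
            # monitoring signal, rather than dumping the whole service list
            $stopped = Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop |
                Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' }

            [pscustomobject]@{
                Computer       = $c
                Caption        = $os.Caption
                Version        = $os.Version
                LastBootUpTime = $os.ConvertToDateTime($os.LastBootUpTime)
                FreeMemoryMB   = [math]::Round($os.FreePhysicalMemory / 1KB, 0)  # WMI reports KB
                AutoNotRunning = ($stopped | ForEach-Object { $_.Name }) -join ', '
                Error          = ''
            }
        }
        catch {
            # Unreachable host or access denied: record it instead of aborting the batch
            [pscustomobject]@{
                Computer = $c; Caption = ''; Version = ''; LastBootUpTime = $null
                FreeMemoryMB = $null; AutoNotRunning = ''; Error = $_.Exception.Message
            }
        }
    }
}

Get-WmiHealthReport -Computers $ComputerName |
    ConvertTo-Html -Title 'WMI health report' -PreContent "<h1>Generated $(Get-Date)</h1>" |
    Out-File -FilePath $OutFile -Encoding UTF8
```

Run it as a script with -ComputerName server1,server2 to report on remote hosts; the account running it needs WMI access on each target.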
Windows Server 2008 for Database Services with SQL Server
If you have a modest understanding of database connectivity, you should find SQL Server’s command syntax uncomplicated and easy to use. If you are an experienced developer, you are sure
to appreciate the scalable, high-performance access that SQL Server provides.
If you are concerned about backward compatibility, we suggest connecting using ODBC.
You want to avoid any security issues, so we are going to go through the steps to create an account for SQL Server to access data on a remote computer. Start by opening Management Studio; then, in the console tree, select Microsoft SQL Server ➪ SQL Server Group ➪ SQLComputerName. Select Databases and then double-click your database; proceed by right-clicking Users and choosing New Database User. The login name should be domain\username, and the Public checkbox should be selected, as should the checkboxes for all of the following roles:
■ db_owner
■ db_accessadmin
■ db_securityadmin
■ db_ddladmin
■ db_datareader
■ db_datawriter
■ db_backupoperator
Do not select db_denydatareader or db_denydatawriter. These options, if selected,
deny members read and write permissions to the database.
You can choose between the TCP/IP Sockets and Named Pipes connection methods for accessing
a remote SQL Server database. Named Pipes database clients must be authenticated by Windows Server 2008 prior to establishing a connection. Alternatively, connections using TCP/IP
Sockets connect directly to the database server without connecting through an intermediary
computer. Because connections made with TCP/IP Sockets connect directly to the database
server, users can gain access through SQL Server authentication, rather than Windows Server
2008 authentication.
One of the main challenges of designing a sophisticated Web database application is managing database connections. Opening and maintaining database connections can severely strain a database server’s resources and result in stability issues. Database servers experiencing a sudden increase in activity can become backlogged, greatly increasing the time necessary to establish a database connection.
Windows Server 2008 for IIS and ASP.NET
Windows Server 2008 offers integration between Visual Studio 2008 and IIS. This tight integration provides developers with very high levels of functionality. Now that the request-processing
architecture is integrated with IIS 7.0, it should provide an improved experience for those of you
using ASP.NET and the Microsoft .NET Framework. The new Windows Server 2008 Web Edition delivers a single-purpose solution for Internet service providers, application developers, and others wanting to use only the specific Web functionality.
Windows Server 2008 for Application Services
Windows Server 2008 builds on the core strengths of the Windows family, providing security,
manageability, reliability, availability, and scalability across the board. Many advancements were
made in Windows Server 2008 that provide benefits for application development, resulting in
lower total cost-of-ownership and better performance. The following list describes a few of these
benefits:
■ Simplified integration and interoperability
■ Improved developer productivity
■ Increased enterprise efficiency
■ Improved scalability and reliability
■ End-to-end security
■ Efficient deployment and management
Simplified integration and interoperability
Windows Server 2008 delivers a revolutionary application environment to build, deploy, and
run XML Web services. Microsoft has provided integrated support for XML Web services, which
enables applications to take advantage of the loosely coupled principles of Internet computing.
The Windows Server 2008 application environment improves the productivity of developers by
providing integrated application services and industry-leading tool support. The following feature set helps increase the productivity of developers:
■ ASP.NET. Besides standard Web-based applications, ASP.NET XML Web services allow developers to write their business logic in Web services, and the ASP.NET infrastructure is responsible for delivering that service via SOAP and other public protocols.
■ Automatic memory management. The .NET Framework runs in the common-language
runtime, which is a garbage-collected environment. Garbage collection frees applications
that are using .NET Framework objects from the need to explicitly destroy those objects,
reducing common programming errors dramatically.
■ Industry-leading tools. Visual Studio 2008 provides an integrated, multilanguage tool
for building Web applications.
■ Microsoft .NET Framework. By integrating the .NET Framework into the Windows
Server 2008 application-development environment, developers are freed from writing the
day-in, day-out code and can instead focus their efforts on delivering real business value.
■ Reusable code. Visual Studio 2008 provides an architecture that is easy to learn and that
enables improved code reuse.
■ Separation of code from content. This enables developers and content creators to work
in parallel by keeping content separate from application code.
■ Server-side Web controls. Visual Studio 2008 Web controls are compiled and run on
the server for maximum performance, and can be inherited and extended for even more
functionality.
Applications that are developed using Windows Server 2008 tend to be more responsive and
available because Windows Server 2008 can be managed by so few people. This helps lower
the total cost of ownership and provides better performance. Microsoft has also made many
programming-model enhancements, providing component aliases, public and private components, process initialization, and services without components. Component aliasing enables you
to configure the same physical implementation of a component as many times as you want. This
provides component reuse at the binary level. The public and private components enable you
to individually mark components as public for use in other applications, or private if the component can be seen and activated only by other components in that same application. Process
initialization provides the developer with the capability to execute code as the hosting process
starts and finishes. This helps your component take the opportunity to take any action, such
as initializing connections, files, caches, and so on. Services without components enable you to
programmatically enter and leave a service domain. This enables you to build components that
use transactions without needing to inherit from ServicedComponent.
Building and deploying your application on Windows Server 2008 gives you better performance
and more options for the design and architecture of your system.
Windows Server 2008 for Resolution Services
The following sections describe what you need to create a plan to prepare and configure your
server by using DNS, WINS, and DHCP. These sections focus on decisions that you must make
for a complete Windows Server 2008 installation.
DNS
Before you begin using DNS on your network, decide on a plan for your DNS domain namespace. Coming up with a namespace plan involves making some decisions about how you intend
to use DNS naming and what goals you are trying to accomplish by using DNS. Some questions
that you may have at this stage include the following:
■ Have you previously chosen and registered a DNS domain name for use on the Internet?
■ Are you going to set up DNS servers on a private network or the Internet?
■ What naming requirements do you need to follow in choosing DNS domain names for
computers?
Choosing your first DNS domain name
In setting up DNS servers, you should first choose and register a unique parent DNS domain
name that can be used for hosting your organization on the Internet. Before you decide on a
parent DNS domain name for your organization to use on the Internet, search to determine
whether the domain name is already registered to another organization.
DNS, as it relates to Active Directory, is covered in more detail in Chapter 17.
DNS namespace planning for Active Directory
Before a DNS domain namespace can be correctly implemented, the Active Directory structure
needs to be available, so you must begin with the Active Directory design and support it with
the appropriate DNS namespace.
Active Directory domains are named by using DNS names. In choosing DNS names to use
for your Active Directory domains, start with the registered DNS domain-name suffix that
your organization has reserved for use on the Internet and combine this name with something
significant in your organization to form full names for your Active Directory domains.
In planning your DNS and Active Directory namespace, we recommend that you use
a different set of distinguished names that do not overlap as the basis for your internal and external DNS use.
Only use characters in your names that are part of the Internet standard character set permitted
for use in DNS host naming. Permitted characters are all letters (a–z), numbers (0–9), and the
hyphen (-).
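A check of a proposed Active Directory domain name against the rules just described (permitted characters, building on the registered suffix, no overlap with the external name), as an added example that is not from the book. The function name and the sample domain names are constructed; the 63-character label and 255-character name limits come from the DNS specification rather than from this chapter.

```powershell
# Added example (not from the book): validate an Active Directory DNS name
# plan. Sample names at the bottom are constructed.

function Test-AdDnsNamePlan {
    param(
        [Parameter(Mandatory=$true)][string]$InternalName,   # proposed AD domain, e.g. corp.example.com
        [Parameter(Mandatory=$true)][string]$RegisteredName  # suffix registered for Internet use
    )
    $problems = @()
    $name   = $InternalName.ToLowerInvariant().TrimEnd('.')
    $suffix = $RegisteredName.ToLowerInvariant().TrimEnd('.')

    # Internet host-naming character set: letters, digits and hyphen only
    foreach ($label in $name.Split('.')) {
        if ($label -notmatch '^[a-z0-9-]+$') {
            $problems += "label '$label' contains characters outside a-z, 0-9 and hyphen"
        }
        elseif ($label.StartsWith('-') -or $label.EndsWith('-')) {
            $problems += "label '$label' must not start or end with a hyphen"
        }
        if ($label.Length -gt 63) {
            $problems += "label '$label' exceeds 63 characters"
        }
    }
    if ($name.Length -gt 255) { $problems += 'full name exceeds 255 characters' }

    # Start from the registered suffix, but do not reuse the external name itself
    if ($name -eq $suffix) {
        $problems += "internal and external namespaces overlap: '$name' is the registered Internet name"
    }
    elseif (-not $name.EndsWith(".$suffix")) {
        $problems += "'$name' is not under the registered suffix '$suffix'"
    }

    [pscustomobject]@{
        Name     = $name
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed samples: one acceptable plan and two that break the rules above
Test-AdDnsNamePlan -InternalName 'corp.example.com'       -RegisteredName 'example.com'
Test-AdDnsNamePlan -InternalName 'example.com'            -RegisteredName 'example.com'
Test-AdDnsNamePlan -InternalName 'sales_dept.example.com' -RegisteredName 'example.com'
```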
DHCP
If you are still in the decision-making process as you are deciding how many servers your
organization needs, consider the locations of the routers on the network and whether you want
a DHCP server in each subnet. If you are planning on extending the use of a DHCP server
across more than one network, you may need to configure additional DHCP relay agents and
use superscopes as well. If DHCP service is provided between segments, transmission speeds
may also be a factor. If your WAN links or dial-up links are slower, you may need a DHCP
server on both sides of these links to service clients locally. Currently, the only limit on the number of clients that a DHCP server can serve is the number of available IP addresses.
Following are some Windows Server 2008 factors that could enhance DHCP server performance:
■ The primary contributing factor to improving DHCP server performance is the amount of
random access memory (RAM) and the speed of the server disk drives installed.
■ You should carefully evaluate disk-access times and average times for disk read/write operations in sizing and planning for your DHCP-server hardware specifications. You should
also try to increase RAM to the point where server performance is maximized.
For the best possible DHCP server design in most networks, we recommend that you
have, at most, 10,000 clients per server.
Most networks need one primary online DHCP server and one other DHCP server acting as
a secondary, or backup, server. If you choose not to implement two DHCP servers, using
the 80/20 rule for balancing scopes, but want to continue to provide a measure of potential
fault tolerance, you may consider implementing a backup or hot standby DHCP server as an
alternative.
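The 80/20 split mentioned above, worked through for one scope as an added example that is not from the book: each server is configured with the whole scope and excludes the portion the other server hands out, so the two never lease the same address. The function names and the sample scope are constructed.

```powershell
# Added example (not from the book): compute the 80/20 split of one DHCP
# scope between a primary and a secondary server. The scope values used in
# the call at the bottom are constructed samples.

function ConvertTo-UInt32Address ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)              # network (big-endian) order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-UInt32Address ([uint32]$Value) {
    $b = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($b)
    (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$b)).ToString()
}

function Get-DhcpScopeSplit {
    param(
        [string]$StartIp,
        [string]$EndIp,
        [int]$PrimaryPercent = 80     # the "80" in the 80/20 rule
    )
    $start = ConvertTo-UInt32Address $StartIp
    $end   = ConvertTo-UInt32Address $EndIp
    if ($end -lt $start) { throw 'End address precedes start address' }

    $total = [uint64]($end - $start + 1)
    # The primary server keeps the first 80% of the range
    $primaryCount = [uint32][math]::Floor($total * $PrimaryPercent / 100)
    if ($primaryCount -lt 1 -or $primaryCount -ge $total) {
        throw 'Split would leave one server with no addresses'
    }
    $primaryEnd = $start + $primaryCount - 1
    $secondaryStart = $primaryEnd + 1

    [pscustomobject]@{
        TotalAddresses    = $total
        PrimaryLeases     = "$StartIp - $(ConvertFrom-UInt32Address $primaryEnd)"
        SecondaryLeases   = "$(ConvertFrom-UInt32Address $secondaryStart) - $EndIp"
        # Exclusion range to configure on each server so the ranges never overlap
        PrimaryExcludes   = "$(ConvertFrom-UInt32Address $secondaryStart) - $EndIp"
        SecondaryExcludes = "$StartIp - $(ConvertFrom-UInt32Address $primaryEnd)"
    }
}

# Constructed sample: a /24 scope handing out .10 through .250
Get-DhcpScopeSplit -StartIp '192.168.10.10' -EndIp '192.168.10.250'
```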
WINS
The first decision that you need to make is how many WINS servers your organization needs. A
single WINS server can handle NetBIOS name-resolution requests for a large number of computers, but you must also consider the location of the routers on your network and the distribution
of clients in each subnet as you decide how many WINS servers are actually required.
Determine whether you want to configure WINS servers as pull or push partners, and set partner preferences for each server. WINS servers are designed to help reduce broadcast traffic between local subnets, although WINS itself creates some traffic between servers and clients. This can be particularly important if you use WINS on routed TCP/IP networks. Consider the effects of slower speed links on both replication traffic between WINS servers and the NetBIOS registration and renewal traffic required for WINS clients. In addition, consider how temporarily shutting down a WINS server can affect your network. Use additional WINS servers for failure recovery, backup, and redundancy.
The following two factors can enhance WINS server performance:
■ Installing dual processors on the computer running WINS. This can help increase performance by almost 25 percent.
■ Installing a dedicated disk drive, separate from the system drive, for the WINS database.
After you establish a WINS server on your intranet, adjusting the renew interval,
which is the time between a WINS client-name registration and name renewal, can
help you trim server-response times.
You can also sometimes estimate WINS client traffic based on the behavior of the WINS clients.
In estimating WINS client traffic, however, you also need to consider the network topology and
the design or configuration of the network routers. In some cases, predicting the traffic load on a
specific network router is not possible because the routers are configured to autonomously route
traffic based on factors other than traffic load. By testing the performance of your network installation of WINS, you can better identify potential problems before they occur. Use WINS server
performance counters, which are available through the use of System Monitor. One last point
about WINS: it is not installed as a server role, but rather as an add-on feature.
Summary
This chapter took you through the Windows Server 2008 basic install procedure. We recommend that you install only what you need to get the system up and running. Later, you
can begin adding advanced components to the server and establish its role on the network or
promote it to an Active Directory domain controller.
We also took you through an exhaustive discussion of hardware. Unless you plan to install
complex adapter or interface cards for specialized purposes, such as modems, telephony cards,
sound cards, and so on, you won’t have problems as long as you stick to tried-and-tested
components.
The next chapter provides the information that you now need to configure and deploy your
running server.
Shapiro
c02.tex
V1 - 06/12/2008
4:08pm
Configuring Windows Server 2008
This chapter explores the many tools for configuring and managing the system, managing users, and controlling other aspects of Windows Server 2008.
IN THIS CHAPTER
Using the Microsoft Management Console (MMC)
Getting to know the MMC tools
Using the Microsoft Management Console
More on Server Manager
Using the Security Configuration Wizard
Working with data sources (ODBC)
Understanding Control Panel applets
One of the many changes in Windows 2000 from Windows NT that is
expanded in the Windows 2003 and 2008 interfaces and administrative
structure is the switch to a more homogenous approach to administrative
utilities. Although many system and operating properties still are controlled
through the Control Panel, most administrative functions have moved to
the Microsoft Management Console (MMC), host for a variety of so-called
‘‘snap-ins’’ used to manage the myriad roles, features, and applications of
the server. The MMC runs under Windows Server 2008, Windows 2000 through Windows Server 2003, Windows 9x, and Windows XP and Vista. This
section of the chapter examines the MMC and its component tools for
Windows Server 2008.
Understanding the function of the MMC
The MMC itself serves as a framework. Within that framework are various
administrative tools called consoles. In particular, the MMC provides a unified interface for administrative tools. This means that after you learn the
structure of one tool, you will be able to apply that knowledge to the rest,
which are going to follow suit (within limitations imposed by the differences in the function of
the various tools). Figure 2-1 shows the MMC with the Computer Management snap-in loaded
(more on snap-ins shortly). As you’ll learn later in this chapter, you use the Computer Management snap-in for most aspects of a system’s hardware and software configuration.
FIGURE 2-1
The MMC serves as a framework for a wide variety of administrative tools.
Perhaps more important than a unified interface is the fact that the MMC lets you combine
administrative tools to build your own console configuration, which you can store by name on
disk. The next time you need to work with it, you run the MMC console from the Start menu or
double-click its icon or shortcut. For example, let’s say that you want to put together a custom
console for managing a Windows Server 2008 Internet server. You can integrate the tools for
managing DNS, DHCP, Application Server, and IIS all under one interface. This custom console
gives you quick access to most of the settings you need to configure on a regular basis for the
server.
The MMC window usually consists of two panes, although many consoles in MMC on Windows
Server 2008 comprise a single console divided into three panes. The left pane typically contains
the Tree tab. The Tree tab generally shows a hierarchical structure for the object(s) being managed. When you use the Active Directory Users and Computers console, for example, the tree
shows the containers in the Active Directory (AD) that pertain to users, groups, and computers.
The right pane is the details pane. The details pane varies depending on the item you select in
the tree. When you select Services in the tree, for example, the details pane shows the list of
installed services. The details pane typically offers two views: single details pane and extended
Actions pane, which usually shows various tasks. The extended view adds an additional area that
typically shows instructions or additional information about a selected item.
MMC provides two different modes: user mode and author mode. In user mode, you work with existing consoles; user mode itself has several variations, ranging from full access to limited access. Author mode enables you to create new consoles or modify existing ones. Figure 2-2 shows the Services console opened in user mode. Figure 2-3 shows the console opened in author mode. As indicated in the figures, author mode offers access to commands and functions not available in user mode.
FIGURE 2-2
Author mode, shown here, enables you to create new consoles while user mode restricts the
actions that a user can perform within a console.
User mode actually offers three different options: full access, limited access with multiple windows, and limited access with a single window. With full access, an MMC user can access all the
window management commands in MMC but can’t add or remove snap-ins or change console
properties. The limited access options limit changes to the window configuration of the console
and use either a single window or multiple windows depending on the mode. A console’s mode
is stored in the console and applies when you open the console. Console modes can be changed
via the Options property sheet (click File Options). Setting console options is discussed later
in the chapter.
FIGURE 2-3
Author mode provides the capability to change console options and add new snap-ins.
The default mode in Windows Server 2008 is user mode — limited access, single window.
As mentioned earlier, you use author mode to author new consoles or modify existing ones. In
author mode, you can add and remove snap-ins, change window options, and set options for
the console.
Opening the MMC
You can open MMC consoles by selecting them from the Administrative Tools folder in the
Start menu or by double-clicking their icons in Explorer. You also can start consoles using a
command prompt. The format of the MMC command is as follows:
MMC path\file.msc /a
The following list explains the options for MMC:
■ Path\file.msc. Replace path with the path to the console file specified by file.msc.
You can use an absolute path or use the %systemroot% variable to reference the local
computer’s path to the Windows Server 2008 folder. Using %systemroot% is useful
when you’re creating shortcuts to consoles for use on different systems (where the system
root folder might be different).
■ /a. Use the /a switch to enter author mode and enable changes to the console. Opening
an existing console with the /a switch overrides its stored mode for the current session.
■ /32. This starts the 32-bit version of MMC. This is only needed when you want to run the
32-bit version on a 64-bit Windows version.
■ /64. This starts the 64-bit version of MMC. This option works only on a 64-bit version of
Windows.
For example, let’s say that you want to open the DNS console in author mode to add the DHCP
snap-in to it. Use this command to open the DNS console in author mode:
MMC %systemroot%\System32\dnsmgmt.msc /a
You can right-click an .msc file and choose Author from the context menu to open
the file in author mode.
After opening the DNS console, you add the DHCP console using the Add or Remove Snap-In
command in the Console menu. Snap-ins are covered in the next section.
If you prefer, you can open the MMC in author mode and then add both snap-ins
using the Add or Remove Snap-In command in the Console menu.
Windows 2008 Server provides several preconfigured consoles for performing various administrative tasks. Most of these console files are stored in %systemroot%\System32 and have .msc file extensions (for Microsoft Console). Windows 2008 Server places several of these consoles in the Administrative Tools folder, which you access by clicking Start ➪ All Programs ➪ Administrative Tools. In essence, each of the preconfigured consoles contains one or more snap-ins geared toward a specific administrative task.
In an apparent effort to simplify the Start menu, Microsoft includes only some of these consoles
in the Administrative Tools folder. However, you can open any console by double-clicking its
file. When you do so, the MMC loads first and then opens the console. You also can open the
MMC and add snap-ins to your own consoles. This gives you the ability to create a custom
console containing whichever group(s) of snap-ins you use most often or that are targeted for
specific administrative tasks.
Using snap-ins
Although the MMC forms the framework for integrated administrative tools in Windows Server
2008, the tools themselves are called snap-ins. Each MMC snap-in enables you to perform a
specific administrative function or group of functions. For example, you use the DHCP snap-in
to administer DHCP servers and scopes. The various MMC snap-ins serve the same function
as individual administrative tools did in Windows NT. For example, the Event Viewer snap-in
takes the place of the standalone Event Viewer tool (see Figure 2-4). The Disk Management
branch of the Computer Management snap-in replaces Disk Administrator. The Active Directory
Users and Computers snap-in takes the place of User Manager for Domains, and so on.
Snap-ins come in two flavors: standalone and extension. Standalone snap-ins usually are
called simply snap-ins. Extension snap-ins usually are called extensions. Snap-ins function
by themselves and can be added individually to a console. Extensions are associated with a
snap-in and are added to a standalone snap-in or other extension on the console tree. Extensions
function within the framework of the standalone snap-in and operate on the objects targeted
by the snap-in. For example, the Services snap-in incorporates four extensions: Extended View,
Send Console Message, Service Dependencies, and SNMP Snapin Extension.
FIGURE 2-4
Snap-ins perform specific administrative functions and replace standalone tools such as Event
Viewer.
You can add snap-ins and extensions when you open a console in author mode. By default, all
extensions associated with a snap-in are added when you add the snap-in, but you can disable
extensions selectively for a snap-in.
To add a snap-in, open the MMC in author mode and choose File ➪ Add/Remove Snap-In. The Standalone page of the Add/Remove Snap-In property sheet shows the snap-ins currently loaded. The Extensions tab lists extensions for the currently selected snap-in and allows you to add all extensions or selectively enable/disable specific extensions.
In the Standalone page, click Add to add a new snap-in. The Add Standalone Snap-In dialog
box lists the available snap-ins. Click the snap-in you want to add and click Add. Depending
on the snap-in, you might be prompted to select the focus for the snap-in. For example, when
you add the Device Manager snap-in, you can select between managing the local computer
or managing another computer on the network. Adding the IP Security Policy Management
snap-in enables you to choose between the local computer, the domain policy for the computer’s
domain, the domain policy for another domain, or another computer.
After you configure snap-ins and extensions the way you want them, save the console so that you can quickly open the same configuration later. To do so, choose File ➪ Save or File ➪ Save As, and specify a name for the console. By default, Windows Server 2008 will place the new
console in the Administrative Tools folder, which appears on the Start menu under Programs,
but you can specify a different location if desired.
Getting to know taskpads
A taskpad is a page on which you can add views of the details pane and shortcuts to various
functions inside and outside of a console. These shortcuts can run commands, open folders,
open a Web page, execute menu commands, and so on. In essence, taskpads enable you to
create a page of organized tasks to help you perform tasks quickly, rather than use the existing
menu provided by the snap-in. You can create multiple taskpads in a console, but the console
must contain at least one snap-in. Figure 2-5 shows a taskpad for performing a variety of tasks
in the DNS snap-in.
FIGURE 2-5
Use taskpads to create tasks for performing specific actions, such as these DNS-related tasks.
You must open a console in author mode to create taskpads.
A taskpad can contain a list from the details pane in horizontal or vertical format. Horizontal
works well for multiple-column lists (many fields per item), whereas vertical works well for
long lists (few fields per item). You also can configure a taskpad to show no lists. In addition
to the list, the taskpad includes an icon for each task with either a pop-up description or a text
description of the task. You click a task’s icon to execute the task.
Creating a taskpad
To create a taskpad, right-click the object in the tree that you want to be the focus of the
taskpad and then choose New Taskpad View. MMC starts a wizard to help you create the
taskpad. In the second page of the wizard right after the introduction screen (see Figure 2-6),
you define the appearance of the taskpad. As you make selections, the wizard shows the results
to help you determine the effect of your choices.
Part I
Core, Configuration, Networking, and Communication Services
FIGURE 2-6
This wizard page helps you configure the way the taskpad appears.
In the next page of the wizard, you specify the items to which the taskpad applies. The
following list summarizes the options:
■ Selected Tree Item. This option applies the taskpad to only the selected item in the tree.
Using the DNS snap-in as an example, creating a taskpad for Forward Lookup Zones and
using this option will cause the taskpad to appear only when you click Forward Lookup
Zones. It will not appear if you click Reverse Lookup Zones.
■ All Tree Items That Are the Same Type as the Selected Tree Item. This option applies
the taskpad to all objects in the tree that are the same type as the selected object. In the
previous DNS example, choosing this option would cause the taskpad to display when
you click either Forward Lookup Zones or Reverse Lookup Zones.
■ Change Default Display to This Taskpad View for These Tree Items. Select this
option to have the MMC automatically switch to taskpad view when the user clicks the
object in the tree associated with the taskpad. Deselect the option to have the MMC default
to the normal view instead.
The next page of the wizard prompts you for a taskpad view name and description. The
name appears at the top of the taskpad and on the tab at the bottom of the taskpad.
The description appears at the top of the taskpad under the taskpad name.
On the final page of the wizard, you can click Finish to create the taskpad. The Start New Task
Wizard option, if selected, causes the Start New Task Wizard to execute when you click Finish.
This wizard, described in the next section, helps you create tasks for the taskpad.
Creating tasks
After you create a taskpad, you’ll naturally want to create tasks to go on it. Select the Start New
Task Wizard option if you are in the process of creating the taskpad. Alternatively, right-click
the node in the tree that is associated with the taskpad, choose Edit Taskpad View, click the
Tasks tab, and then click New.
The first functional page of the wizard prompts you to select the type of task to add. These
prompts include the following:
■ Menu Command. Choose this option to execute a menu command. In the subsequent
wizard page, you specify the source for the command and the command itself. The
available commands fall within the context of the selected source. Select an object and
then select the desired command.
■ Shell Command. Choose this option to start a program, execute a script, open a Web
object, execute a shortcut, or perform any other task you can execute from a command
line. The wizard prompts you for the command, optional command-line parameters or
switches, the startup folder, and window state (minimized, normal, maximized).
■ Navigation. Choose this option to add an icon for an existing item listed in Favorites.
The wizard also prompts you for a task name, description, and icon to associate with each task
and gives you the option at completion of running the wizard again to create another task.
Modifying a taskpad
You can modify an existing taskpad to add or remove tasks or change taskpad view options.
Right-click (in the tree) the object associated with the taskpad and then choose Edit Taskpad
View. MMC displays a property sheet for the taskpad. The General page shows the same
properties you specified when you created the taskpad, such as list type, list size, and so on.
Change options as desired.
The Tasks tab, shown in Figure 2-7, lists existing tasks and lets you create new ones. New starts
the New Task Wizard. Remove deletes the selected task. Modify lets you change the task name,
description, and icon for the task but not modify the task itself. To modify the task, remove the
task and re-create it. You also can use the up and down arrows to change the order of tasks in
the list, which changes their order of appearance on the taskpad.
Other add-in tools
Snap-ins are just one of the objects you can add to an MMC console. Other objects include
ActiveX controls, links to Web pages, folders, taskpad views, and tasks. The previous section
explained taskpad views and tasks. The following list summarizes the additional items:
■ ActiveX controls. You can add ActiveX controls to a console as the details/results view
(right pane) for the selected node of the tree. The System Monitor Control that displays
system performance status in Performance Monitor is an example of an ActiveX control.
Choose Console ➪ Add or Remove Snap-In, select ActiveX Control from the list, and then
click Add. The MMC provides a wizard to help you embed ActiveX controls, prompting
you for additional information when necessary.
■ Links to Web pages. You can add links to URLs in a console, which can be any URL
viewable within a browser (Web site, ftp site, and so on).
■ Folders. Insert folders as containers in the console to contain other objects. You can use
folders as a means of organizing tools in a console.
Would you like to add a local or network folder to a console? Just use the Link to
Web page object and point it to the folder instead of an Internet URL.
FIGURE 2-7
Use the Tasks tab to add, remove, and modify tasks.
Customizing MMC to suit your needs
Like most applications, you can customize the MMC to suit your needs or preferences. First,
you can configure the settings for a console when you author it to determine the way it is
displayed in subsequent sessions. For example, you might want to configure a console for user
mode — limited access, single window — to limit the actions the users can perform with the
console. To configure a console, first open the console in author mode. Choose File ➪ Options
to open the Options dialog box for the console (see Figure 2-8). Specify settings and then save
the console. The changes will take effect the next time the console is opened.
The following list explains the available options:
■ Change Icon. Click to change the icon associated with the .msc file. You’ll find several
icons in systemroot\system32\Shell32.dll.
■ Console Mode. Choose the mode in which you want the console to open for the next session. Choose between author mode and one of the three user modes discussed previously.
■ Do Not Save Changes to This Console. Select this option to prevent the user from
saving changes to the console — in effect, write-protecting it.
■ Allow the User to Customize Views. Select this option to allow users to add windows
focused on items in the console. Deselect to prevent users from adding windows.
FIGURE 2-8
Use the Options dialog box to configure the console for future sessions.
You also can control view options within the MMC. To do so, choose View ➪ Customize to
access the Customize View dialog box, shown in Figure 2-9. The options in the Customize View
dialog box are self-explanatory.
Control Panel versus MMC
Even though the MMC now serves as the focal point for many of the administrative tasks you’ll
perform on a regular basis, the Control Panel hasn’t gone away. The Control Panel is alive and
well and contains several objects for the system’s hardware and operating configuration. The
tools provided for the MMC do not take the place of the Control Panel objects or vice versa.
However, you will find some of the MMC tools in the Administrative Tools folder in the Control
Panel.
The Control Panel in Windows Server 2008 works much like the Control Panels in Windows
Server 2003 and earlier Windows platforms. In fact, many of the objects are the same or similar.
Later sections of this chapter explore the Control Panel objects. The following section examines
the core set of MMC tools for managing a Windows Server 2008 system.
FIGURE 2-9
Use the Customize View dialog box to set view properties in the MMC.
Windows Firewall Changes for MMC Tools
Before you learn about specific MMC tools included with Windows Server 2008, you should
understand some limitations imposed by the Windows Firewall changes in Windows Server
2008. These changes affect the capability to remotely manage a Windows Server 2008 computer
with many of the MMC tools. Here’s why.
Windows Firewall by default blocks incoming traffic on port 445. This port is used by many of
the administrative tools for remote management. If you receive one of the following error messages when attempting remote management, this firewall policy could be the culprit:
■ Unable to access the computer Computer_Name
■ Failed to open Group Policy object on Computer_Name. You might not have appropriate
rights.
■ Details. The network path was not found.
■ An object (Computer) with the following name cannot be found. “Computer_Name.”
Check the selected object types and location for accuracy and ensure that you have typed
the object name correctly, or remove this object from the selection.
■ Computer Computer_Name cannot be managed. The network path was not found. To
manage a different computer, on the Action menu, click Connect to Another Computer.
■ System error 53 has occurred. The network path was not found.
To remediate this problem, configure Windows Firewall on the remote server to allow port 445.
You can do so through the Windows Firewall GUI interface on the server, through a command
line, or through Group Policy (see Chapter 24 for details on configuring Windows Firewall
through Group Policy).
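The command-line route mentioned above, as an added example that is not the book's own code: it uses netsh advfirewall, which ships with Windows Server 2008, and goes one step beyond the text by scoping the exception to an assumed management subnet (`$MgmtSubnet` is a placeholder) instead of allowing TCP 445 from every source.

```powershell
# Added example, not the book's code. Run in an elevated PowerShell prompt on the
# server you want to manage remotely. $MgmtSubnet is an assumed placeholder for
# the network your administrative workstations sit on; change it before running.
$MgmtSubnet = "10.0.0.0/24"
$RuleName   = "Remote MMC management (TCP 445 from mgmt subnet)"

# 1. Confirm the server is listening on 445 at all (SMB is what the MMC tools
#    ride on); if nothing is listening, the firewall is not the problem.
netstat -an | findstr ":445 "

# 2. Show the state of the built-in SMB rule that Windows Firewall disables by
#    default. Enabling it as-is would allow 445 from any remote address.
netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)"

# 3. Add a narrowly scoped allow rule instead: only the management subnet, and
#    only while the server is on a domain network (profile=domain).
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=445 remoteip=$MgmtSubnet profile=domain

# 4. Verify the rule was created and is enabled.
netsh advfirewall firewall show rule name="$RuleName" verbose

# To roll the change back later:
# netsh advfirewall firewall delete rule name="$RuleName"
```

Once the rule is in place, retry the MMC connection (Action ➪ Connect to Another Computer); if the "network path was not found" errors persist, check the same rule on any intermediate firewall.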
Getting to Know the MMC Tools
As explained previously, Windows Server 2008 contains several predefined consoles for managing a variety of tasks both on local computers and across the network. The following sections
provide an overview of these tools. If you look for some of these “snap-ins” and can’t find them,
the reason could be that roles or features are not installed on the server.
Certification Authority
The Certification Authority console appears in the Administrative Tools folder but is installed
only if you configure the server as a Certification Authority (CA). You can set up a CA once
Active Directory Certificate Services is installed. Certificate Services enables the server to create
certificates for itself and for other servers, workstations, and users on the network, either locally
or across the Internet. For example, if you need to configure your Web server to require SSL for
authoring, you need to install a certificate for that purpose on the server (Certificate Services are
not required on the Web server itself to support SSL, only the certificate). A Windows Server CA
can generate the certificate, eliminating the need for you to purchase one from a commercial CA,
such as Thawte or VeriSign. However, unless the people viewing your site add your CA to their
list of trusted sources, they’ll receive certificate warnings when they view the site.
You use the Certification Authority console to manage Certificate Services on the local server or
a remote server. You can configure certificate policy settings, view pending and failed certificate
requests, and view issued and revoked certificates. You also use the console to manage general
CA properties such as the capability to publish certificates to the Active Directory, configure how
the server responds to certificate requests, control CA security, and other options.
Several sections in Chapter 16, including “Understanding Active Directory Certificate Services,” explain Certificate Services in detail and how to manage them with
the Certification Authority console.
Failover Cluster Management
The Failover Cluster Management console is available with Windows Server 2008 Enterprise
Server and is the primary means by which you configure clustering. Clustering allows a group
(cluster) of servers to function as a single logical unit for failover capability.
The Standard Server and Web Server platforms do not include clustering.
You can use the Failover Cluster Management console to create and configure a cluster and for
performing common tasks such as adding cluster nodes, configuring node and cluster properties,
pausing the cluster service, and so on.
Component Services
The primary function of the Component Services console (see Figure 2-10) is to provide management tools for COM+ applications. COM+ provides a structure for developing distributed
applications (client/server applications). The Component Services console enables you to configure a system for Component Services, configure initial service settings, install and configure
COM+ applications, and monitor and tune components.
FIGURE 2-10
Use Component Services to configure COM+ applications as well as general Windows Server
2008 services.
Configuring COM+ applications goes hand-in-hand with COM+ application
development. For that reason, this book doesn’t provide detailed coverage of COM+
configuration.
The primary branches of the Component Services node under each computer are as follows:
■ COM+ Applications. Use this branch to configure Component and Role properties and
settings for COM+ components.
■ DCOM Config. Use this branch to configure Distributed COM (DCOM) components,
including setting security for them.
■ Distributed Transaction Coordinator. Use this branch to view the DTC transaction list
and monitor transaction statistics.
■ Running Processes. Use this branch to monitor and debug running processes.
Right-click an application and choose Dump to dump the application state to a file for
debugging and analysis.
You’ll notice that the Component Services console provided with Windows Server
2008 includes nodes for Event Viewer, Active Directory Users and Computers,
and Services. These are also available as separate consoles. See the sections “Event Viewer,”
“Services,” and “Using Event Viewer” later in this chapter, for more details. See Chapters 17–23
for a discussion of Active Directory.
Computer Management
The Computer Management console (see Figure 2-11) provides tools for managing several
aspects of a system. Right-click My Computer and choose Manage, or click Start ➪ All Programs ➪
Administrative Tools ➪ Computer Management to open the Computer Management console.
Computer Management is composed of three primary branches: System Tools, Storage, and
Services and Applications. System Tools provides extensions for viewing information about the
system, configuring devices, viewing event logs, and so on. Storage provides tools for managing
physical and logical drives and removable storage. Services and Applications enables you to
configure telephony, Windows Management Instrumentation (WMI), services, the Indexing
Service, and IIS. Other applications can appear under this branch as well, depending on the
system’s configuration.
FIGURE 2-11
Computer Management integrates several snap-ins to help you manage a system, its storage
devices, and services.
You can use Computer Management to manage either the local computer or a remote computer.
Right-click the Computer Management node and choose Connect to Another Computer to
manage a remote system. The tasks you can perform are usually the same whether local or
remote, but some tasks can be performed within the context of the local system only. This
chapter assumes that you’re using Computer Management to manage the local system.
This section covers the snap-in extensions provided in the Computer Management
console. However, many of these extensions can be used individually within their
own consoles. For example, you can open Services.msc to configure services, rather than
use the Services node in Computer Management. Look in systemroot\System32 for available
snap-ins (.msc file extension).
Event Viewer
Use Event Viewer to view events in the Application, Security, and System logs, as well as to
configure log behavior (size, rollover, and so on). See the section ‘‘Using Event Viewer’’ later in
this chapter for more information.
Reliability and Performance
The Reliability and Performance branch of the Computer Management snap-in provides tools
for setting up performance monitoring. You can configure counter logs, trace logs, and alerts.
This branch is useful only for viewing or modifying settings — it doesn’t enable you to actually execute any performance monitoring. Instead, you need to use the Reliability and Performance MMC snap-in. See Chapter 25 for detailed information on configuring performance logs
and alerts and monitoring system performance.
Shared Folders
The Shared Folders branch of the Computer Management snap-in enables you to view and
manage shared folders, connections, and open files. The Shares node enables you to view shares
on the selected computer. In addition, you can double-click a share to view and modify its
properties and share permissions. See Chapter 15 for information on publishing folders in Active
Directory.
You can create and manage shared folders through the Explorer interface. The advantage to using the Shared Folders console instead is that you can see all shares on the
system at a glance.
You’ll notice that a system includes a handful of shares by default, most of which are hidden
shares (suffixed with a $ sign). These shares include the following:
■ drive$. Windows Server 2008 shares the root of each drive as a hidden share for
administrative purposes. You can connect to the share using the UNC path
\\server\drive$, where server is the computer name and drive is the drive
letter, such as \\appsrv\d$. Members of the Administrators and Backup Operators
groups can connect to administrative shares on Windows 2000 Professional, Windows
XP, and Vista systems. On Windows Server 2008 systems, members of the Server Operators group
can connect to administrative shares as well, in addition to Administrators and Backup Operators.
■ ADMIN$. This administrative share points to the systemroot folder on the system
(typically, \Windows or \WINNT) and is used by the system during remote administration.
■ IPC$. The IPC$ share is used to share named pipes and is used during remote
administration and when viewing a computer’s shares.
■ PRINT$. This share enables remote printer administration and points by default to
systemroot\System32\spool\drivers.
■ NETLOGON. This share is used to support user logon, typically for storing user logon
scripts and profiles. In Windows Server 2008 and Server 2003 domains, the NETLOGON
share points to sysvol\domain\Scripts on the domain controller(s).
For a complete discussion of sharing and security, offline folder access, and related
topics, see Chapter 15.
The Sessions node enables you to view a list of users currently connected to the system. You
can disconnect a user by right-clicking the user and choosing Close Session. Disconnecting a
user could result in lost data for the user, so you might want to broadcast a console message to
the user first. To do so, right-click the Shares or Shared Folders branch and choose All Tasks ➪ Send Console Message.
When you are viewing sessions for a remote computer, your own connection appears as
an open named pipe and can’t be closed.
The Open Files branch enables you to view files opened by remote users. Right-click an
individual file and choose Close Open File to close the file. Alternatively, right-click the Open
Files node and choose Disconnect All Open Files to close all files. As when disconnecting users,
closing files could result in a loss of data, so try to broadcast a console message to the user first.
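The share list and the Sessions/Open Files checks above, as one added example that is not the book's code: it reads the same information the Shared Folders branch shows from the WMI classes Win32_Share and Win32_ServerConnection, separates the default administrative shares the chapter lists from anything custom, and shows who is attached (and how many files they hold open) before you consider closing a session. `$ComputerName` is an assumed parameter; PowerShell 2.0 or later is assumed.

```powershell
# Added example, not the book's code. Audit the shares and connections that the
# Shared Folders branch displays. Defaults to the local system ("."); pass a
# remote name to audit another server (needs TCP 445/RPC reachability).
param([string]$ComputerName = ".")   # assumed parameter

# Win32_Share.Type: bit 0x80000000 marks a share created for administration.
$AdminBit = 2147483648

# Default shares named in the chapter. SYSVOL is standard on a domain controller
# (it backs the NETLOGON share) and is added here so it is not flagged as custom.
$KnownDefaults = @("ADMIN$", "IPC$", "PRINT$", "NETLOGON", "SYSVOL")

# Classify one share: default admin share, non-default admin share, or custom.
function Get-ShareClass([System.Management.ManagementObject]$Share) {
    if ($Share.Name -match '^[A-Za-z]\$$')      { return "default admin (drive$)" }
    if ($KnownDefaults -contains $Share.Name)   { return "default admin" }
    if (($Share.Type -band $AdminBit) -ne 0)    { return "admin (non-default)" }
    if ($Share.Name.EndsWith('$'))              { return "hidden custom" }
    return "visible custom"
}

"=== Shares on $ComputerName ==="
# Anything classified "custom" (hidden or visible) is the set whose share and
# NTFS permissions you actually chose, so it is the set worth reviewing.
Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
    ForEach-Object {
        New-Object PSObject -Property @{
            Class = Get-ShareClass $_
            Name  = $_.Name
            Path  = $_.Path
        }
    } |
    Sort-Object Class, Name |
    Format-Table Class, Name, Path -AutoSize

"=== Current connections on $ComputerName ==="
# Win32_ServerConnection is per share and per user, which is what you need
# before choosing Close Session: NumberOfFiles > 0 means closing it now can
# cost that user unsaved data, so send a console message first.
Get-WmiObject -Class Win32_ServerConnection -ComputerName $ComputerName |
    Select-Object ShareName, UserName, ComputerName, NumberOfFiles, ActiveTime |
    Sort-Object ShareName, UserName |
    Format-Table -AutoSize
```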
Device Manager
Device Manager provides a unified interface for viewing and managing devices and their
resources (DMA, memory, IRQ, and so on). Device Manager displays devices using a branch
structure. Expand a device branch to view the devices in the branch. No icon beside a device
indicates that the device is functioning properly. A yellow exclamation icon indicates a potential
problem with the device, such as a resource conflict. A red X indicates that the device is
disconnected, disabled, or not in use in the current hardware profile.
Device Manager is the primary tool you use for configuring a system’s hardware. To view or
manage a device, locate it in the details pane and double-click the device (or right-click and
choose Properties) to display the device’s property sheet. The contents of the property vary
according to the device type. Figure 2-12 shows a typical property sheet for a network adapter.
The General tab, shown in Figure 2-12, provides general information about a device, such as
device type, manufacturer, and so on.
FIGURE 2-12
Use a device’s property sheet to view and configure settings such as resource usage.
It isn’t practical to cover every possible setting for every possible type of device in this chapter.
The following sections explain tasks common to most devices: changing drivers and modifying
resource assignments.
Driver changes
The Driver property page enables you to view details about, uninstall, and update a device’s
driver. Click Driver Details to view a list of the files that comprise the device’s driver. This list
is useful for checking the file or driver version to make sure that you’re using a specific version.
Use Uninstall if you want to remove the selected device’s driver.
The Update Driver button opens the Upgrade Device Driver Wizard. Use the wizard to install an
updated driver for the device. The wizard gives you the option of searching your system’s floppy
and CD-ROM drives, other specific location (local or remote share), or the Microsoft Windows
Update Web site. Just follow the prompts to complete the update. In some cases, changing
drivers requires a system restart.
Resource assignment
Because it supports plug and play (PnP), Windows Server 2008 can assign device resources
such as DMA, IRQ, I/O base address, and UMA memory allocation automatically. In some cases,
particularly with legacy devices (those not supporting PnP), you’ll have to configure resource
allocation manually. To do so, open a device’s property sheet and click the Resources tab. If the
Resources page doesn’t provide any resources to change, click Set Configuration Manually to
switch the page to manual property configuration (see Figure 2-13).
FIGURE 2-13
Set a device’s resource utilization through its Resources property page.
In most cases, Windows Server 2008 provides multiple, predefined configurations for devices,
such as a combination of a specific IRQ and I/O range. Deselect the Use Automatic Settings
option and then select a different configuration set from the drop-down list. To modify individual settings, first select the resource you want to change in the Resource Settings list and then
click Change Setting. Specify the desired setting in the resulting dialog box and click OK.
Local Users and Groups
The Local Users and Groups branch of the Computer Management snap-in enables you to create
and manage local user accounts and groups on Windows Server 2008 standalone and member
servers. This branch is absent on a domain controller because you use the Active Directory Users
and Computers snap-in to create user accounts and groups in the Active Directory.
Users and groups are covered in detail in Chapter 23.
If you’re familiar with creating user accounts and groups under previous versions of Windows
Server, you’ll have no problem using Local Users and Groups to create accounts. If not, see
Chapter 23 for a detailed description of how to create accounts and groups. The primary
difference between creating local accounts and groups and the same objects in the Active
Directory is that the Active Directory provides for additional account and group properties. In
addition, creating accounts and groups requires an understanding of permissions, rights, group
policy, and user profiles, all of which are explained in Chapter 23.
Disk Management
The Disk Management node is the place to go to manage physical disks and volumes. Disk Management takes the place of the Windows NT Disk Administrator. Unlike the Disk Administrator,
Disk Management performs most tasks immediately. In Disk Administrator, you must commit
changes for most tasks (such as creating or deleting a partition). If you’re an experienced Windows NT administrator, keep this important point in mind when making storage changes with
Disk Management.
Some of the tasks you can perform with Disk Management include managing partitions, converting basic disks to dynamic disks, creating volumes (basic, spanned, striped, mirrored, RAID-5),
creating and deleting physical volumes, formatting disks, and so on.
For a complete discussion of storage devices and management (including Disk Management node), see Chapter 13.
Disk Defragmenter
As a disk is used over time, the data on the disk is scattered into noncontiguous clusters,
becoming fragmented. Disk performance is greatest when data is not fragmented, as it takes less
time to read the data (because the drive heads don’t have to move as much to reassemble the
data). The Disk Defragmenter node in Computer Management enables you to analyze a disk for
fragmentation and then defragment the disk.
See Chapter 13 for a discussion of Disk Defragmenter and other options for improving disk performance.
Removable Storage
The Removable Storage node provides a tool for configuring and managing removable storage
devices and media. You use Removable Storage to track media such as tapes and optical disks
and their hardware devices (jukeboxes, tape changers, and so on). Removable Storage is a technology subset of Hierarchical Storage Management (HSM). These new technologies provide a
means for automatic data archival and retrieval of archived data.
The Removable Storage node enables you to create and manage media pools, insert and eject
media, mount and dismount media, view media and library status, inventory libraries, and
assign permissions for security on media and libraries.
Telephony
The Telephony node provides a centralized tool for managing telephony properties for the
selected computer, including configuring telephony providers and assigning user permissions for
various providers.
WMI Control
The WMI Control node in Computer Management provides tools for configuring and managing
Windows Management Instrumentation (WMI) on a computer. WMI works in conjunction
with the Web-Based Enterprise Management initiative to provide a means of collecting data
about computers and their component devices both locally and remotely. WMI functions at the
device-driver level, providing event notification from drivers and enabling WMI to collect data
for analysis and management purposes. WMI is a key component in enterprise management. The
WMI Control node provides a means for configuring general settings, logging, backing up and
restoring the WMI repository, and security to control WMI access.
Services
In Windows Server 2008, services are applications that perform specific functions such as
networking, logon, print spooling, remote access, and so on within the operating system. You
can think of services as operating-system-oriented applications that function by themselves or
in concert with other services or user applications to perform specific tasks or provide certain
features within the OS. Device drivers, for example, function as services. Windows Server 2008
includes several standard services by default, and many third-party applications function as
or include their own services. A background virus scrubber is a good example of a possible
third-party service.
In Windows Server 2008, the Services node in the Computer Management snap-in (and by itself
as the Services.msc console) is where you manage these services (see Figure 2-14). Services lists the
installed services on the target system, and when Detail view is selected, displays description,
status, startup type, and the account the service uses to log on.
Starting and stopping services
A running service processes requests and generally performs the task it was designed to accomplish. Stopping a service terminates the service and removes it from memory. Starting a service
initializes and activates the service so that it can perform its task or function. For example, the
DNS client functions as a DNS resolver, processing name-to-address lookups in
the DNS namespace. If you stop the DNS Client service, it is no longer available to process DNS
queries.
Windows Server 2008 supports three startup modes for services:
■ Automatic. The service starts automatically at system startup.
■ Manual. The service can be started by a user or a dependent service. The service does not
start automatically at system startup unless a dependent service is set for automatic startup
(therefore causing the service to start).
■ Disabled. The service cannot be started by the system, a user, or a dependent service.
FIGURE 2-14
Use Services to configure, start, stop, and pause services, as well as view service dependencies.
You set a service’s startup mode through the General page of the service’s properties. Open the
Services node in the Computer Management MMC snap-in (or open the Services.msc console
in systemroot\System32) and double-click the service. Figure 2-15 shows the General property page for a typical service. From the Startup Type drop-down list, choose the desired
startup mode and click Apply or OK.
The General tab also enables you to start, stop, pause, or resume a service. Starting and stopping
were explained previously. Pausing a service causes it to suspend operation but doesn’t remove
the service from memory. Resume a paused service to have it continue functioning. Open a
service’s General property page and then click Start, Stop, Pause, or Resume, as appropriate.
You also can start and stop services from a console prompt using the NET START and NET STOP
commands along with the service’s name, which you’ll find on its General property page in the
Service Name field. For example, use the command NET START ALERTER to start the Alerter
service. Use NET STOP ALERTER to stop it.
NET START and NET STOP are very useful for controlling services remotely. If the
telnet service is running on the remote computer, you can telnet to the computer and
use NET START and NET STOP to start and stop services on the remote system.
Setting General service properties
Other settings on a service’s General property page control how the service is listed in the details
pane and how the service starts up. Use the Display Name field to specify the name that will
appear under the Name field for the service in the details pane. Specify the service’s description
in the Description field. Use the Start Parameters field to specify optional switches or parameters to determine how the service starts. These are just like command-line switches for a
console command.
FIGURE 2-15
Use the General tab to configure service startup, control the service (start/stop), and set general
properties.
Configuring service logon
The Log On property page for a service specifies how the service logs on and the hardware
profiles in which the service is used. Most services log on using the System account, although
in some cases, you’ll want to specify a different account for a service to use. Some types of
administrative services often use their own accounts because they require administrative
privileges. Therefore, you would create an account specifically for the service and make it
a member of the Administrators group or give it the equivalent permissions, subject to its
specific needs.
Avoid using the Administrator account itself. When you change the Administrator
password, which you should do often if you use this account, you also have to
reconfigure each service that used the Administrator account to change the password in the
service’s properties. Using a special account for those services instead enables you to change the
Administrator account password without affecting any services. See Chapter 16 for a discussion of
how to protect the Administrator account and discontinue its use.
The Log On property page contains the following controls:
■ Local System Account. Select to have the service log on using the local System account.
■ Allow Service to Interact with Desktop. Select to allow the service to provide a UI for
the currently logged-on user to interact with the service. This setting has no effect if the
service isn’t designed to provide a UI.
■ This Account. Select and specify an account in the associated text box (or browse
through the account list) to have the service log on with an account other than the local
System account.
■ Password/Confirm Password. Enter and confirm the password for the account specified
under This Account.
■ Enable/Disable. Select a hardware profile from the list of profiles and click Enable to
enable the service in that profile, or Disable to disable the service in the profile.
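The startup-mode and log-on-account review described above, done from PowerShell rather than the General and Log On pages, as an added example that is not from the book. It assumes Windows PowerShell 2.0 and the right to query Win32_Service on the target; the Administrator check follows the book's advice to keep services off that account.

```powershell
# Added example, not from the book: audit service startup modes and log-on accounts.
# Assumes Windows PowerShell 2.0 or later and rights to query Win32_Service on the target.
param(
    [string]$ComputerName = '.'   # '.' is the local computer; give a remote name to audit remotely
)

# Win32_Service reports the log-on account in StartName. These are the accounts Windows itself
# provides; any other value is a dedicated service account or a human account.
$builtInAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

$report = foreach ($svc in $services) {
    $account = $svc.StartName
    $notes = @()
    if ($account -and ($builtInAccounts -notcontains $account)) {
        # Running a service as the Administrator account itself means every password change has to
        # be repeated in each such service's properties; a dedicated account avoids that.
        if ($account -match '(^|\\)Administrator$') {
            $notes += 'runs as Administrator: move to a dedicated service account'
        } else {
            $notes += 'dedicated account: include it in password rotation'
        }
    }
    if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Running') {
        # Possible when the mode was changed after the service started; it will not return after a reboot.
        $notes += 'disabled but currently running'
    }
    New-Object PSObject -Property @{
        Name      = $svc.Name         # short Service Name, the one NET START / NET STOP take
        StartMode = $svc.StartMode    # Auto, Manual, Disabled (also Boot/System for drivers)
        State     = $svc.State        # Running, Stopped, Paused
        LogOnAs   = $account
        Note      = ($notes -join '; ')
    }
}

# Summary of startup modes, then only the services that need attention.
$report | Group-Object StartMode | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Note } | Sort-Object Name |
    Format-Table Name, StartMode, State, LogOnAs, Note -AutoSize
```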
Configuring service recovery
Another behavior you can configure for a service is what happens when the service fails. You can
configure the service to restart, execute a file, or reboot the computer. In addition, you can configure a fail counter to track how many times the service has failed. You set a service's recovery
options through its Recovery property page (see Figure 2-16).
The Recovery page contains the following options:
■ First Failure/Second Failure/Subsequent Failures. With these three drop-down lists,
select the action (or no action) to take on the specified failure. You can choose to take no
action, restart the service, execute a file, or reboot the computer.
■ Reset Fail Count After. Specify the number of days after which the fail counter is reset
to zero.
■ Restart Service After. Specify the number of minutes that will pass between service failure and restart. Increase from the default of one minute if the system needs more time to
stabilize after the service fails.
■ Run Program. Use this group of commands to identify a program or script that will
execute when the service fails. For example, you might create a script that broadcasts a
message with the fail count and other information to the Administrators group. Use the
Append Fail Count option to append the current fail count to the end of the command
line (passing the fail count to the command for internal processing).
■ Restart Computer Options. Click this button to specify the number of minutes to wait
before restarting the computer and an optional message to broadcast on the network prior
to restart (such as a reboot warning to users).
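The same recovery settings configured from the command line with sc.exe, as an added example that is not from the book. It assumes an elevated PowerShell 2.0 prompt and the sc.exe subcommands failure, failureflag and qfailure as documented for Windows Server 2008; the service name, notification script path and delays are placeholders.

```powershell
# Added example, not from the book: configure and verify service recovery actions with sc.exe,
# the command-line equivalent of the Recovery property page. Assumes an elevated prompt.
function Set-ServiceRecovery {
    param(
        [string]$ServiceName,            # short Service Name from the General page, e.g. 'Spooler'
        [string]$NotifyCommand,          # program to run on subsequent failures (placeholder path)
        [int]$RestartDelayMinutes = 1,   # "Restart service after" on the Recovery page
        [int]$ResetFailCountDays = 1     # "Reset fail count after" on the Recovery page
    )
    # Inside PowerShell, 'sc' resolves to the Set-Content alias, so call the executable explicitly.
    $sc = Join-Path $env:SystemRoot 'System32\sc.exe'

    # sc.exe takes delays in milliseconds and the reset period in seconds; the snap-in shows
    # minutes and days, so convert.
    $restartMs = $RestartDelayMinutes * 60 * 1000
    $resetSec  = $ResetFailCountDays * 24 * 60 * 60

    # First failure: restart. Second failure: restart. Subsequent failures: run the program.
    # '%1%' is replaced with the current fail count when the command runs, which is what the
    # "Append fail count to end of command line" check box on the Recovery page arranges.
    $actions = "restart/$restartMs/restart/$restartMs/run/$restartMs"
    & $sc failure $ServiceName reset= $resetSec actions= $actions command= "$NotifyCommand /fail=%1%"
    if ($LASTEXITCODE -ne 0) { throw "sc failure returned $LASTEXITCODE for $ServiceName" }

    # Also run the actions when the service stops with a non-zero exit code rather than only
    # when it crashes (the "Enable actions for stops with errors" check box).
    & $sc failureflag $ServiceName 1 | Out-Null

    # Read back what the Service Control Manager stored, as the Recovery page would show it.
    & $sc qfailure $ServiceName
}

# Placeholder service and script; the script receives /fail=<count> as its last argument.
Set-ServiceRecovery -ServiceName 'Spooler' -NotifyCommand 'C:\Tools\Notify-ServiceFailure.cmd'
```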
FIGURE 2-16
Configure service recovery options to specify what actions the service should take when it fails.
Viewing dependencies
You can use the Dependencies page to view other services on which the selected service depends
as well as services that are dependent on the selected service. This property page displays
information only and doesn’t allow you to configure or modify dependencies. The page is
self-explanatory.
Indexing Service
The Indexing Service is still available for backward compatibility in Windows Server 2008. It
uses document filters to read and create a catalog of documents on a system and enables a quick
text-based search through the catalog for documents that meet the search criteria. You should
rather use the new Windows Search Service if you are starting search and indexing for the first
time on Windows Server 2008. The service is discussed in Chapter 15. You cannot install both
the new Search Service and the Indexing Service at the same time (as part of the File Services
role). When installing the File Services role, you have the option of choosing one or the other,
but not both.
The document filter extracts information from the document and passes that information to
the Indexing Service for inclusion in the catalog. You can search using the Search command in
the Start menu, the Query the Catalog node of Indexing Service in Computer Management, or
a Web page. You can search based on a variety of criteria, including document name, author,
contents, and so on. You might, for example, use the Indexing Service to build a catalog of
internal documents or to catalog your organization’s Web site(s). The Indexing Service will index
the following document types:
■ HTML
■ Text
■ Microsoft Office
■ Internet Mail and News
■ Other documents supported by an appropriate document filter (such as a third-party
filter)
Indexing Service is useful even on a workstation to index user documents and to
speed up searching for specific documents or groups of documents.
Use the Indexing Service branch of the Computer Management console to configure the Indexing Service and query the index for a list of documents matching your query criteria. The
Indexing Service branch appears in Computer Management, even if the Indexing Service is not
yet installed. To install the Indexing Service, open the Control Panel and run Add or Remove
Programs. Click Add or Remove Windows Components in the left toolbar, select Indexing Service in the Components list, and then click Next and follow the prompts to install the service.
Planning for the Indexing Service
When planning for the Indexing Service, understand that the system configuration determines
the service’s performance. Indexing Service has the same minimum hardware requirements as
Windows Server 2008, but increasing the number of documents to be indexed increases the
memory requirements. See the Help file for Indexing Service (press F1 with Indexing Service
selected in Computer Management) for specific recommendations.
You also need to plan the file system to accommodate Indexing Service. Placing the catalog on
a FAT volume will enable users to see the catalog even if they have no permission to view individual documents in the catalog. Placing the catalog on an NTFS volume offers the best security
because Indexing Service maintains all NTFS security ACLs (Access Control Lists). Users will not
see documents in the results list of a query if they don’t have the permissions necessary to view
the documents. In addition, the Indexing Service uses the System account to log on. If you deny
the System account access to a given folder or file, Indexing Service will not be able to access
the folder or file and won’t index it. Encrypted documents are never indexed.
Where you store the index catalog(s) is also important. You should not store catalogs within
a Web site (in the Web site’s folder), because Internet Information Services (IIS) can lock the
catalog and prevent it from being updated. Also avoid running antivirus or backup software
that locks the catalog files, which would cause Indexing Service to time out while attempting to
update the catalogs. The best practice is to create a folder on an NTFS volume specifically for
your catalog files and place each catalog in its own subfolder of that primary folder.
You can change the location of the default System catalog created automatically
when you install Indexing Service. First, create the folder to contain the catalog.
Then right-click Indexing Service and choose Stop to stop the service. Open the Registry Editor
and modify the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
ContentIndex\Catalogs\System\Location to point to the desired location. Close the
Registry Editor and restart the Indexing Service.
Creating and configuring a catalog
You can create multiple index catalogs to suit your needs. To create a new catalog, open the
Computer Management snap-in and right-click the Indexing Service branch. Choose New Catalog. Specify a name for the catalog and its location and then click OK. The catalog remains
offline until you restart the Indexing Service.
Next, expand the newly created catalog in the Indexing Service branch in Computer Management. Right-click Directories under the catalog’s branch and choose New Directory to display
the Add Directory dialog box, shown in Figure 2-17. Specify options according to the following
list:
FIGURE 2-17
Add directories to a catalog to include their contents in the index.
■ Path. Specify the path to the folder you want to add in the catalog or click Browse to
access the folder.
■ Alias (UNC). If you’re specifying a folder on a nonlocal computer, type the UNC path to
the share in the form \\computer\share, where computer is the remote computer’s name
and share is the share where the folder is located.
■ Account Information. For a directory on a remote computer, specify the
domain\account and the password to be used to access the computer.
■ Include in Index?. Select Yes to include the folder or No to exclude it from the catalog.
This option enables you to exclude a subfolder of a folder that is included in the catalog.
Add the parent folder and set it to Yes and then add the subfolder separately and set it to
No to exclude it.
After you define the directories for the catalog, stop and restart the Indexing Service to populate
the catalog. The Properties branch will be empty until you stop and restart the service.
Querying the catalog
As mentioned previously, you can query a catalog through a computer’s Search command in the
Start menu, a Web page, or the Computer Management snap-in. To perform a query using the
snap-in, open the Indexing Service branch and click Query the Catalog under the desired catalog
entry. Windows Server 2008 provides a query form in which you can specify the query criteria
and options and view the results of the query.
Tuning performance
On a system with a large number of documents, you might want to fine-tune Indexing Service
for best performance. Right-click Indexing Service in the Computer Management snap-in and
choose Stop to stop the service. Right-click Indexing Service again and choose Tune Performance
to display the Indexing Service Usage dialog box (see Figure 2-18). The options on the dialog
box enable you to specify how often Indexing Service is used on the computer, and Windows
Server 2008 automatically configures the service based on your selection. Choose the Customize
option and then click the Customize button to specify custom settings for indexing and querying. For indexing, you can set a slider control between Lazy and Instant. Lazy causes indexing
to function more as a background task, and Instant grants it maximum system resources, which
takes resources from other running tasks. For querying, you can set a slider between low load
and high load, depending on how many queries the computer receives. Be sure to restart the
service after you finish configuring it.
Using Event Viewer
Microsoft defines an event in Windows Server 2008 as any significant occurrence in the
operating system or an application that requires users (particularly administrators) to be notified.
Events are recorded in event logs. Events and the event log are important administrative tools
because they’re indispensable for identifying and troubleshooting problems, tracking security
access (logon, logoff, resource auditing, and so on), and tracking the status of the system and its
applications.
Some features are not available if you use the Event Viewer console within the
Computer Management console. This section assumes that you are opening the Event
Viewer console directly from the Administrative Tools folder.
FIGURE 2-18
Use the Indexing Service Usage dialog box to optimize Indexing Service’s performance.
Events fall into these general categories:
■ System. These include system-related events such as service startup and shutdown, driver
initialization, system-wide warning messages, network events, and other events that apply
to the system in general.
■ Security. These include events related to security, such as logon/logoff and resource
access (auditing).
■ Application. These events are associated with specific applications. For example, a virus
scrubber might log events related to a virus scan, cleaning operation, and so on, to the
application log.
■ Setup. These events are associated with setup processes such as adding roles and features.
■ Forwarded Events. The Forwarded Events log contains log entries from another computer system. Here you create a subscription to an event log on another system, and then
filter the event log that you have subscribed to so that only the desired events are retrieved.
The retrieved events are placed into the Forwarded Events log.
In addition to the three default event logs, other Windows Server 2008 services
create their own logs. The Directory Service, DNS Service, and File Replication
Service are some examples of services that create their own event logs. You view these logs with
the Event Viewer, just as you do the three standard logs.
Events range in severity from informational messages to serious events such as service or
application failures. The primary event categories include informational, warning, error, success
audit, and failure audit. The severity of an event is identified by an icon beside the event in the
log. For example, warnings use an exclamation icon and errors use an X in a red circle. Each
event has common properties associated with it:
■ Date and Time. This is the date and time the event occurred.
■ Source. This identifies the source of the event, such as a service, device driver, application, resource, and so on. The source property is useful for determining what caused the
event (cause and event source are not synonymous).
■ Category. The source determines the category for an event. For example, security
categories include logon, logoff, policy change, and object access, among others.
■ Event. Each event includes an event ID, an integer generated by the source to identify the
event uniquely.
■ User. This property identifies the user who caused the event to be generated
(if applicable).
■ Computer. This property identifies the computer that caused the event to be generated
(if applicable).
The Event Viewer MMC snap-in is the tool you use to view and manage the event logs. The
Event Viewer presents the logs in the tree pane as individual branches. When you click a log, its
events appear in the pane on the right (see Figure 2-19).
Viewing and filtering events
Viewing an event is easy — just open Event Viewer, locate the event, and double-click it (or
select it and press Enter). Event Viewer opens a dialog box showing the event’s properties (see
Figure 2-20). The top of the dialog box includes general information about the event such
as time and date, type, and so on. The description text provides a detailed description of the
event, which usually (but not always) offers a decipherable explanation of the event. The bottom
portion of the dialog box displays additional data included with the event, if any. You can
choose between viewing the data in byte (hexadecimal) or DWORD format. In most cases, it
takes a software engineer to interpret the data because doing so requires an understanding of the
code generating the data.
Use the up and down arrows in the right side of the dialog box to view previous and
subsequent events, respectively. Click the Copy button to copy the selected event to the
Clipboard.
By default, the Event Viewer shows all events for a selected log. In many cases, it is helpful to
be able to filter the view so that Event Viewer shows only events that meet specific criteria. To
apply a filter, click a log and choose View ➪ Filter to access the Filter property sheet for the log
(see Figure 2-21).
FIGURE 2-19
The new greatly enhanced Event Viewer.
FIGURE 2-20
An event’s property sheet provides detailed information about the event.
FIGURE 2-21
Use the Filter page to determine which events are displayed for the selected log in the Event
Viewer.
You can choose to view events based on their type, source, category, ID, user, computer, or date
range. For example, you might want to filter based on source if you’re trying to troubleshoot a
problem with a specific application, service, or driver. To create the filter, select your criteria
in the dialog box and click OK. Choose View ➪ All Records to remove the filter and view all
events in the log.
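The Filter page's criteria (type, source, event ID, date range, computer) expressed as a PowerShell function, with the two uses the section mentions (troubleshooting a service, tracking security access), as an added example that is not from the book. It assumes Windows PowerShell 2.0, whose Get-EventLog supports -After, -EntryType, -Source and -InstanceId, and an elevated prompt for the Security log.

```powershell
# Added example, not from the book: filter a classic event log the way the Filter page does.
# Assumes Windows PowerShell 2.0 or later; reading the Security log requires an elevated prompt.
function Get-FilteredEvents {
    param(
        [string]$LogName = 'System',
        [string[]]$EntryType,         # Error, Warning, Information, SuccessAudit, FailureAudit
        [string[]]$Source,            # e.g. 'Service Control Manager'
        [long[]]$InstanceId,          # full instance ID; for some sources this differs from the
                                      # Event ID column because qualifier bits are included
        [int]$Days = 1,               # date range: the last N days
        [string]$ComputerName = '.'   # equivalent of "Connect to Another Computer"
    )
    $params = @{
        LogName      = $LogName
        ComputerName = $ComputerName
        After        = (Get-Date).AddDays(-$Days)
    }
    # Add only the criteria that were given, so with none the result is the unfiltered view.
    if ($EntryType)  { $params['EntryType']  = $EntryType }
    if ($Source)     { $params['Source']     = $Source }
    if ($InstanceId) { $params['InstanceId'] = $InstanceId }
    Get-EventLog @params
}

# 1. Troubleshooting a service: Service Control Manager errors from the last two days,
#    grouped by Event ID with one sample message per ID.
Get-FilteredEvents -LogName System -Source 'Service Control Manager' -EntryType Error -Days 2 |
    Group-Object EventID | Sort-Object Count -Descending |
    Select-Object Count, @{Name = 'EventId'; Expression = { $_.Name }},
                  @{Name = 'Sample'; Expression = { $_.Group[0].Message -replace "`r`n", ' ' }}

# 2. Tracking security access: failure audits from the last day, grouped by Event ID and
#    showing when each kind was first seen. The account and logon details are in each entry's
#    ReplacementStrings, whose positions depend on the event ID, so they are left raw here.
Get-FilteredEvents -LogName Security -EntryType FailureAudit -Days 1 |
    Group-Object EventID | Sort-Object Count -Descending |
    Select-Object Count, @{Name = 'EventId'; Expression = { $_.Name }},
                  @{Name = 'FirstSeen'; Expression = { ($_.Group | Sort-Object TimeGenerated)[0].TimeGenerated }}
```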
Setting log properties
Each log includes general properties that define the way the log appears in Event Viewer, the
size of the log, how it reacts when the maximum size is reached, and so on. Select a log and
right-click to choose Properties to display its General property page (see Figure 2-22).
Some of the information displayed in the General page is read-only, such as the location of the
log file. You can change the Display Name property to change the name by which the log is
listed in the tree pane in the Event Viewer.
FIGURE 2-22
Configure a log’s appearance and size through its General property page.
The Log Size group of controls specifies the maximum log size and the action Windows Server
2008 takes when the maximum size is reached. The options are generally self-explanatory. Keep
in mind, however, that if you select Do Not Overwrite Events, Windows Server 2008 will stop
logging events to the log when it fills up. Although Windows Server 2008 will notify you when
the log is full, you’ll need to monitor the event log and clear it periodically to ensure that you
don’t lose events.
Using a low-speed connection prevents Event Viewer from downloading all of the
event data before you specifically request it. This is useful when the logs are located
on another computer that is reachable only over a slow network connection (such as dial-up).
Saving and clearing logs
Occasionally, you’ll want to save an event log and/or clear the log. Saving a log copies it to
another event file of a name you specify. Clearing a log removes all the events in the log. You
might want to create a benchmark, for example, prior to troubleshooting a problem, or you
might want to periodically archive your event logs. In any case, you save the log and then
clear it.
To save a log, select the log and choose Action ➪ Save Log File As, or right-click the log and
choose Save Log File As. Specify a name and location for the log file and click OK. After you
save a log file, you can open the log again in Event Viewer to view its contents. Keep in mind
that a saved log is static and doesn’t gather additional events.
When it’s time to clear a log, open the log’s General property page and click Clear Log.
Windows Server 2008 will prompt you to confirm the action.
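The log-size check and the save-then-clear sequence from the last two sections, scripted, as an added example that is not from the book. It assumes Windows PowerShell 2.0 (Get-EventLog -List, Limit-EventLog, Clear-EventLog), wevtutil.exe as shipped with Windows Server 2008, and an elevated prompt; the archive folder and the 64 MB size are placeholders.

```powershell
# Added example, not from the book: report logs that stop recording when full, and archive a log
# to a native .evtx file before clearing it. Assumes PowerShell 2.0 and an elevated prompt.
$archiveDir = 'C:\EventLogArchive'   # placeholder

# 1. A log whose overflow action is DoNotOverwrite stops recording when it reaches its maximum
#    size, so these are the logs that must be cleared on a schedule or resized.
Get-EventLog -List |
    Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays |
    Format-Table -AutoSize

foreach ($log in (Get-EventLog -List | Where-Object { $_.OverflowAction -eq 'DoNotOverwrite' })) {
    Write-Warning ("Log '{0}' stops recording at {1} KB" -f $log.Log, $log.MaximumKilobytes)
}

# 2. Save, then clear. wevtutil epl writes a native .evtx that Event Viewer can open again;
#    the log is cleared only if the export succeeded and the file exists, so no events are lost.
function Backup-EventLog {
    param([string]$LogName, [string]$Folder)
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Folder ('{0}-{1}-{2}.evtx' -f $env:COMPUTERNAME, $LogName, $stamp)

    & (Join-Path $env:SystemRoot 'System32\wevtutil.exe') epl $LogName $target
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $target)) {
        throw "Export of $LogName failed; the log was not cleared"
    }
    Clear-EventLog -LogName $LogName
    Get-Item $target   # the saved copy is static and gathers no further events
}

# 3. Give the Security log room and let it overwrite as needed so a full log cannot silently stop
#    audit recording. Size is in bytes and must be a multiple of 64 KB; 64 MB is a placeholder.
Limit-EventLog -LogName Security -MaximumSize 64MB -OverflowAction OverwriteAsNeeded

Backup-EventLog -LogName Security -Folder $archiveDir
```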
Viewing logs on another computer
You can use Event Viewer to view the log file of other computers in your network (or across
the Internet via a VPN connection). To open another computer’s event logs, open Event Viewer,
right-click the Event Viewer branch, and choose Connect to Another Computer. Specify the
computer’s name or browse the network for the computer and then click OK. Select the Local
Computer option to reconnect to the local computer’s event logs.
Arranging the log view
You can arrange the Event Viewer results pane to specify which columns appear and their
display order. If you seldom need to see the User or Computer columns, for example, you can
turn them off.
To control column display, click any node in the Event Viewer and choose View ➪ Add/Remove
Columns to open the Modify Columns dialog box. Add and remove columns as desired and use
Move Up and Move Down to change the display order. Click OK to apply the changes.
You can drag columns in Event Viewer to change their display order.
Server extensions
In addition to the MMC snap-ins described in previous sections, Windows Server 2008 incorporates several other snap-ins for managing specific services. For example, the DNS, DHCP, and
IIS services all have their own snap-ins. Because these snap-ins are the primary means by which
you control these services, they are best discussed in the context of the service. You’ll find these
snap-ins discussed throughout this book where appropriate.
Using the Security Configuration Wizard
Windows Server 2008 improves on the Security Configuration Wizard introduced in Windows
Server 2003 to help administrators fine-tune security on a server. The wizard configures security
settings based on server roles. The wizard prompts for information about the server and its roles,
and then stops all services not required to perform those roles, locks down ports as needed,
modifies registry settings, and configures settings for IIS and other components to apply the
desired level of security.
Rather than cover the wizard step by step, this section explains the purpose of the
wizard and its general function. You should have no trouble following through in the
wizard once you understand this background information.
The Security Configuration Wizard is now installed by default. You no longer have to add it like
you did with Windows Server 2003.
The first step in the wizard is to specify the policy action you want to take:
■ Create a New Security Policy. Create a new policy based on the server’s roles.
■ Edit an Existing Security Policy. Modify a policy created previously on the server or
another server.
■ Apply an Existing Security Policy. Apply a previously created policy to the server.
■ Rollback the Last Applied Security Policy. Roll the server back to its previous state
prior to the last security policy application.
After you select the policy action and specify a server to use as the baseline for the policy set
(you can choose the local server or a remote server), the Security Configuration Wizard steps
you through several key areas:
■ Selecting server roles. In this phase of the wizard, you specify the roles that the target
server will perform. As explained earlier in this section, the wizard does not add or remove
server roles.
■ Selecting client roles. Each server performs several client roles, such as automatic
update, DNS client, domain member, and others. Choose the client roles the server
will fill.
■ Selecting administration and other options. Specify options the server will include,
such as backup methods, specific services, optional applications, and specific tasks (see
Figure 2-23). The wizard uses the selections you make to determine which ports should
be opened and which services enabled. When you click Next, the wizard displays a list of
any additional third-party services it found installed on the server to enable you to include
or exclude those services from the security configuration.
To view additional information about any item in the wizard, click the arrow button to the
left of the item name (refer to Figure 2-23).
■ Determine handling of unspecified services. Choose how services not specified by the
policy are handled. You can choose to have each such service's startup mode set to Disabled or
direct the wizard to ignore the services (not make a change to the startup mode).
■ Confirming service changes. The Confirm Service Changes page of the wizard (see
Figure 2-24) simply displays the changes that will be made to individual services. If you
need to modify the actions the wizard will take for a particular service, note the contents
of the Used By column for that service. Then, click Back to reach the appropriate page
where you can configure the role(s) identified in the Used By column. Make changes as
needed, move forward through the wizard to reach the confirmation page, and verify that
your change was applied.
FIGURE 2-23
Select the options, services, and tasks required for the server.
FIGURE 2-24
Confirm service changes before moving on and then adjust roles as needed.
■ Configuring network security settings. In this stage of the wizard, you specify which
ports will be opened in the firewall and which ports will be blocked (see Figure 2-25).
The wizard offers several view options to help you identify specific ports. You can also
click Add to add additional open ports or allowed applications. The wizard displays a
confirmation page to help you validate your choices before continuing.
FIGURE 2-25
Specify ports to be opened on the server.
■ Configure registry settings. The wizard offers a handful of pages to obtain information
about protocols used to communicate with other computers, authentication methods
used, and minimum operating system requirements for other computers. The wizard
uses the information gathered to modify selected registry settings to improve security and
prevent specific exploits. It displays a confirmation page you can use to verify the target
changes.
■ Configure system audit policy. This section of the wizard helps you specify an audit
policy for the security policy set.
■ Configure Internet Information Services. If the Application Server role is selected,
the wizard displays a set of pages to prompt for options for Web service extensions,
virtual directories, and anonymous authentication for IIS. Use these pages to specify IIS
configuration for the security policy.
At the completion of the wizard, you are prompted to specify a security policy filename under
which the wizard will store the policy configuration (see Figure 2-26). The wizard stores the
settings as an XML file. You can then use the file to apply the configuration to other servers.
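Applying a saved policy XML to other servers from the command line, with a snapshot of service startup modes taken first so the result can be reviewed, as an added example that is not from the book. It assumes scwcmd.exe (installed with the Security Configuration Wizard) on the administrative workstation, its analyze and configure subcommands as documented for Windows Server 2008, administrative rights on the targets, and PowerShell 2.0; the policy path and server names are placeholders.

```powershell
# Added example, not from the book: analyze, optionally apply, and review an SCW policy on several servers.
param(
    [string]$PolicyPath = 'C:\SCW\FileServerBaseline.xml',   # XML written by the wizard (placeholder)
    [string[]]$Servers  = @('FS01', 'FS02'),                 # placeholder server names
    [string]$OutDir     = 'C:\SCW\Results',                  # placeholder
    [switch]$Apply                                            # without -Apply the script only analyzes
)
$scwcmd = Join-Path $env:SystemRoot 'System32\scwcmd.exe'
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

function Get-StartupSnapshot {
    param([string]$Server)
    Get-WmiObject -Class Win32_Service -ComputerName $Server |
        Select-Object Name, StartMode, State | Sort-Object Name
}

foreach ($server in $Servers) {
    $before = Get-StartupSnapshot -Server $server
    $before | Export-Csv -Path (Join-Path $OutDir "$server-services-before.csv") -NoTypeInformation

    # 'scwcmd analyze' compares the server with the policy and writes an XML report to $OutDir.
    # It changes nothing, which makes it the safe first step on a server the policy was not built on.
    & $scwcmd analyze "/m:$server" "/p:$PolicyPath" "/o:$OutDir"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "analyze of $server returned $LASTEXITCODE; skipping"
        continue
    }
    if (-not $Apply) { continue }

    # 'scwcmd configure' applies the policy: service startup modes, firewall ports, registry
    # settings and audit policy. 'scwcmd rollback /m:<server>' undoes the last application.
    & $scwcmd configure "/m:$server" "/p:$PolicyPath"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "configure of $server returned $LASTEXITCODE"
        continue
    }

    # Which services changed startup mode: the Confirm Service Changes page, after the fact.
    $after = Get-StartupSnapshot -Server $server
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Name, StartMode |
        Sort-Object Name, SideIndicator |
        Format-Table Name, StartMode,
            @{Name = 'When'; Expression = { if ($_.SideIndicator -eq '<=') { 'before' } else { 'after' } }} -AutoSize
}
```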
FIGURE 2-26
Specify the name of an XML file in which to store the policy settings.
The Security Policy File Name page also provides two additional tasks you can perform. If you
click View Security Policy, the wizard opens the SCW Viewer application (see Figure 2-27),
which you use to view the settings specified in the policy.
You can also add security templates to the policy. These templates are located by default in
%systemroot%\security\templates as a set of INF files. You can view and modify these
security templates (as well as create additional templates) with the Security Templates MMC
snap-in. To add a template to a security policy in the Security Configuration Wizard, click
Include Security Templates on the Security Policy File Name page to open the Include Security
Templates dialog box. Here you can add and remove templates from the policy as needed.
FIGURE 2-27
The SCW Viewer page shows you policy settings.
Working with Data Sources (ODBC)
ODBC, which stands for Open Database Connectivity, provides a framework for database
engines to communicate with client applications. ODBC drivers serve as a middleman between
a database and a client application, coordinating transactions and translating between the client
and the database. In some cases, they can take the place of the database engine. For example,
a server doesn’t need Microsoft Access installed to enable clients to query an Access database
file stored on the server, which is a typical practice of report engines such as Seagate Crystal
Reports.
In order for client applications to communicate with a data source stored on a computer, you
must configure the appropriate ODBC driver and connection on the target server. For example,
if the client application needs to access an Access database, then you need to first configure
the Access ODBC driver on the computer where the database is located. The Data Sources
administrative tool enables you to configure and manage ODBC drivers and their associated data
sources. This section of the chapter explains how to configure ODBC drivers.
The Data Sources tool is one of the few administrative tools that functions as a
standalone utility, rather than an MMC snap-in.
Defining DSNs
You make data sources available to clients by creating a Data Source Name (DSN). Three types
of DSNs exist:
■ User. A user DSN is visible only to the user who is logged on when the DSN is created.
■ System. A system DSN is visible to all local services on a computer and all users who log
on locally to the computer.
■ File. A file DSN can be shared by all users who have the same drivers installed and who
have the necessary permissions to access the DSN. Unlike user and system DSNs, file
DSNs are stored in text files, rather than the registry.
The DSN identifies the data source, the driver associated with a data source, and other properties that define the interaction between the client and the data source, such as timeout, read-only
mode, and so on. You use the same process to create a DSN for most database types. The
exception is SQL Server, which provides a wizard for setting up a data source.
Defining a data source
To create a data source, you first open the ODBC Data Source Administrator. To do so, click
Start ➪ All Programs ➪ Administrative Tools ➪ Data Sources (ODBC). In the ODBC Data Source
Administrator, click the tab for the DSN type you want to create and then click Add. Select the
desired data source type and click Finish. Except in the case of the SQL Server driver, ODBC
prompts you for information, which varies according to the driver selected. Define settings as
desired and click OK to create the DSN.
Setting up an SQL Server data source
The Microsoft SQL Server ODBC driver provides a wizard to configure an SQL data source. This
section explains the options you find when setting up an SQL Server ODBC driver. The first
wizard page contains the following options:
■ Name. This name appears in the Data Sources list on the DSN page for the data source.
■ Description. This optional description appears with the DSN name on the DSN page for
the data source.
■ Server. Here, you specify the IP address or host name of the SQL server computer.
The second page of the wizard, shown in Figure 2-28, prompts for connection and authentication options for the data source. The following list summarizes the options:
FIGURE 2-28
Specify connection and authentication options.
■ With Windows NT Authentication Using the Network Login ID. Select this option to
have the SQL Server ODBC driver request a trusted connection to the server. The driver
uses the current client logon username and password to authenticate the request on the
server. In the case of a service or Web server, the credentials are assigned to the service or
specified in the code that makes the query. The specified username and password must
have an association to an SQL Server login ID on the SQL Server computer.
■ With SQL Server Authentication Using a Login ID and Password Entered by the
User. Select this option to require the user to specify an SQL Server login ID and password
for all connection requests.
■ Connect to SQL Server to Obtain Default Settings for the Additional Configuration Options. Select this option to have the SQL Server ODBC driver connect to the SQL
Server identified on the first page of the wizard to obtain the correct settings for options
in remaining Configuration Wizard pages. When you click Next with this option selected,
the driver connects to the SQL Server and obtains the data. Deselect this option to use
default settings rather than connect to the SQL Server to obtain the information.
■ Login ID. Specify the username to connect to the specified SQL Server to retrieve the
settings for subsequent wizard pages (see the preceding bullet). This username and the
associated Password field are not used for actual data connections after the data source is
created, but are used only to retrieve information from the SQL Server for the remaining
configuration pages.
■ Password. Specify the password to use with the username specified in the Login ID field.
■ Client Configuration. Click to use the Network Library Configuration dialog box.
Although you usually don’t have to configure the network client configuration for the
data source, sometimes you might need to specify the network connection mechanism
and other options that define how the client connects to the data source. The options in
Connection Parameters are specific to the network connection type you select from the
Network Libraries list of options.
In the next page of the wizard, shown in Figure 2-29, you specify the database name and other
options for the data source. The following list describes its options:
FIGURE 2-29
Specify the database name and other database options.
■ Change the Default Database To. Choose a database from the drop-down list to define
the default database for the data source, overriding the default database for the specified
login ID. Deselect this option to use the default database defined for the login ID on the
server.
■ Attach Database Filename. Specify the full name and path of the primary file for an
attachable database. The specified database is used as the default database for the data
source.
■ Create Temporary Stored Procedures for Prepared SQL Statements and Drop the
Stored Procedures. Select this option to have the driver create temporary stored procedures to support the SQLPrepare ODBC function and then choose one of the associated
options (see the following bullets). Deselect this if you don’t want the driver to store these
procedures.
■ Only When You Disconnect. Have the stored procedures created for the SQLPrepare
function dropped only when the SQLDisconnect function is called. This improves
performance by reducing the overhead involved in dropping the stored procedures while
the application is running, but it can lead to a buildup of temporary stored procedures.
This particularly applies to applications that issue numerous SQLPrepare calls or that
run for a long time without disconnecting.
■ When You Disconnect and as Appropriate While You Are Connected. Have the
stored procedures dropped when SQLDisconnect is called, when SQLFreeHandle is
called for the statement handle, when SQLPrepare or SQLExecDirect are called to process a new SQL statement on the same handle, or when a catalog function is called. Using
this option entails more overhead while the application is running, but it helps prevent a
build-up of temporary stored procedures.
■ Use ANSI Quoted Identifiers. Enforce ANSI rules for quote marks so that they can
only be used for identifiers such as table and column names. Character strings must be
enclosed in single quotes.
■ Use ANSI Nulls, Paddings and Warnings. Specify that the ANSI_NULLS,
ANSI_WARNINGS, and ANSI_PADDINGS options are set to on when the driver connects to
the data source.
■ Use the Failover SQL Server if the Primary SQL Server Is Not Available. Have the
connection attempt to use the failover server if supported by the primary SQL Server.
When a connection is lost, the driver cleans up the current transaction and attempts to
reconnect to the primary SQL Server. The driver attempts to connect to the failover server
if the driver determines that the primary server is unavailable.
The final page of the wizard, shown in Figure 2-30, prompts for miscellaneous options as
described in the following list:
FIGURE 2-30
Specify miscellaneous database options from the final page of the wizard.
■ Change the Language of SQL Server System Messages To. Specify the language used
to generate SQL Server system messages. The server can contain multiple sets of system
messages, each in a different language. This option is grayed out if the server has only one
language installed.
■ Use Strong Encryption for Data. Encrypt data using strong encryption.
■ Perform Translation for Character Data. Select this option to convert ANSI strings
using Unicode. Deselect the option to disable translation of extended ANSI codes.
■ Use Regional Settings When Outputting Currency, Numbers, Dates and Times.
Select this option to have the regional settings of the client computer used to display
currency, numbers, dates, and other region-specific elements.
■ Save Long Running Queries to the Log File. Log any query that takes longer than the
time specified in the Long Query Time field.
■ Long Query Time (Milliseconds). This specifies the maximum threshold value for
logging long-running queries.
■ Log ODBC Driver Statistics to the Log File. Log driver statistics to a tab-delimited
log file.
ODBC Component Checker
A nonhomogeneous set of ODBC components can lead to all sorts of strange and difficult-to-trace
problems. For example, a Web application that queries an ODBC connection might receive a
nonspecific server error when it attempts the connection if the ODBC component versions do
not match one another. Keeping the components synchronized is therefore very important.
Microsoft offers a tool called the Component Checker to help you scan the system and determine whether the Microsoft Data Access Components (MDAC) are synchronized. You’ll find the
Component Checker at www.microsoft.com/data. You’ll also find the latest version of MDAC
at the site, along with additional technical information on MDAC and ODBC.
Viewing driver information
The Drivers page of the ODBC Data Sources Administrator enables you to view information
about installed ODBC drivers. The Drivers page is useful for verifying driver version but doesn’t
provide any options you can change.
Tracing
Use the Tracing page of the ODBC Data Sources Administrator to configure tracing options to
help you troubleshoot problems with a client connection. With tracing turned on, ODBC actions
are logged to the specified file. You can view the log using any text editor.
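The DSN scopes, the SQL Server authentication and encryption choices, the driver's query and statistics logs, and the tracing option described above all leave a footprint in the registry and on disk that can be checked without opening the ODBC Data Source Administrator. The following PowerShell script is an added example for this page, not code from the book or from Microsoft. It assumes PowerShell 2.0 or later (an installable feature on Windows Server 2008), administrative rights, and the registry locations and value names given in its comments, which are the ones the ODBC Data Source Administrator and the SQL Server ODBC driver write (Trusted_Connection, Encrypt, QueryLog_On, StatsLog_On, and the Trace value under the ODBC key); the default file DSN folder is the Administrator's default location.

```powershell
# Added example, not code from the book: audit the ODBC data sources on this server
# for the settings discussed in the chapter (DSN scope, SQL Server authentication
# mode, encryption, driver logging, and whether ODBC tracing was left on).
# Assumptions (not stated in the chapter): PowerShell 2.0 or later, administrative
# rights, and the registry layout the ODBC Data Source Administrator writes:
#   HKLM\SOFTWARE\ODBC\ODBC.INI  (system DSNs)   HKCU\Software\ODBC\ODBC.INI  (user DSNs)
# each holding an "ODBC Data Sources" subkey (DSN name -> driver name) plus one subkey
# per DSN with the driver's keyword values; file DSNs are plain-text *.dsn files.

# Properties PowerShell adds to every Get-ItemProperty result; they are not DSN names.
$script:ProviderNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegistryDsnAudit {
    param([string]$Scope, [string]$IniKey)
    $index = Join-Path $IniKey 'ODBC Data Sources'
    if (-not (Test-Path $index)) { return }
    foreach ($entry in (Get-ItemProperty -Path $index).PSObject.Properties) {
        if ($script:ProviderNoise -contains $entry.Name) { continue }
        $name   = $entry.Name
        $driver = [string]$entry.Value
        $dsn    = $null
        if (Test-Path (Join-Path $IniKey $name)) { $dsn = Get-ItemProperty -Path (Join-Path $IniKey $name) }
        $findings = @()
        if ($driver -like 'SQL Server*' -or $driver -like 'SQL Native Client*') {
            # The SQL Server driver stores its wizard choices as "Yes"/"No" strings
            # (Trusted_Connection, Encrypt, QueryLog_On, StatsLog_On); a missing value
            # means the checkbox was left clear.
            if ($dsn.Trusted_Connection -ne 'Yes') {
                $findings += 'SQL Server authentication: each client must supply a login ID and password'
            }
            if ($dsn.Encrypt -ne 'Yes') {
                $findings += 'Use Strong Encryption for Data is off: queries and results travel in clear text'
            }
            if ($dsn.QueryLog_On -eq 'Yes' -or $dsn.StatsLog_On -eq 'Yes') {
                $findings += 'Driver logging is on: the log can capture query text, so restrict its ACL'
            }
        }
        New-Object PSObject -Property @{
            Scope = $Scope; Name = $name; Driver = $driver
            Server = [string]$dsn.Server; Findings = $findings
        }
    }
}

function Get-FileDsnAudit {
    param([string[]]$Folder)
    foreach ($dir in $Folder) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($file in Get-ChildItem -Path $dir -Filter *.dsn) {
            $lines    = @(Get-Content -Path $file.FullName)
            $findings = @()
            # A file DSN is readable by anyone with read access to the file, so a PWD=
            # line is a password stored in clear text.
            if (@($lines -match '^\s*PWD\s*=').Count -gt 0) { $findings += 'Password stored in clear text (PWD=)' }
            $driverLine = @($lines -match '^\s*DRIVER\s*=')
            $driver = ''
            if ($driverLine.Count -gt 0) { $driver = ($driverLine[0] -split '=', 2)[1].Trim() }
            $trusted = @($lines -match '^\s*Trusted_Connection\s*=\s*Yes').Count -gt 0
            if ($driver -like 'SQL Server*' -and -not $trusted) { $findings += 'SQL Server authentication' }
            New-Object PSObject -Property @{
                Scope = 'File'; Name = $file.Name; Driver = $driver
                Server = ''; Findings = $findings
            }
        }
    }
}

function Get-OdbcTraceState {
    # The Tracing page writes every ODBC call, connection strings included, to a text
    # file; it should be on only while troubleshooting.
    $key = 'HKLM:\SOFTWARE\ODBC\ODBC.INI\ODBC'
    if (-not (Test-Path $key)) { return $null }
    $odbc = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{ Enabled = ([string]$odbc.Trace -eq '1'); File = [string]$odbc.TraceFile }
}

function Get-OdbcDsnAudit {
    param([string[]]$FileDsnFolder = @("$env:CommonProgramFiles\ODBC\Data Sources"))
    Get-RegistryDsnAudit -Scope 'System' -IniKey 'HKLM:\SOFTWARE\ODBC\ODBC.INI'
    Get-RegistryDsnAudit -Scope 'User'   -IniKey 'HKCU:\Software\ODBC\ODBC.INI'
    Get-FileDsnAudit -Folder $FileDsnFolder
}

# Report only the data sources that raised a finding.
Get-OdbcDsnAudit | Where-Object { $_.Findings.Count -gt 0 } |
    Format-Table Scope, Name, Driver, Server, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -AutoSize
$trace = Get-OdbcTraceState
if ($trace -ne $null -and $trace.Enabled) { Write-Warning "ODBC tracing is enabled; log file: $($trace.File)" }
```

Run the script on the server that hosts the data sources. User DSNs appear only when you run it as the user who created them, which is exactly the scope distinction the chapter draws; system DSNs appear for any administrator. A DSN flagged for SQL Server authentication is not wrong in itself, but it means a login ID and password live somewhere in the calling application or service, and a DSN without Encrypt=Yes sends those credentials and the query results in clear text, so the two findings together deserve attention first.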
Connection Pooling
Use the Connection Pooling page to specify whether or not ODBC drivers can reuse open
connection handles to the database server. You can improve performance by eliminating the
need for applications to establish new connections to a server, because the time and overhead
involved in establishing the connection is reduced. Oracle and SQL connections are pooled by
default, but others are not.
Understanding Control Panel Applets
As in other Windows platforms, the Windows Server 2008 Control Panel serves as a control
center for configuring hardware and operating system settings. Some Control Panel applets
control fairly simple sets of options, while others are relatively complex. The following sections
explain the more complex Control Panel applets and their functions. Applets that require no
explanation (such as configuring the mouse, game controllers, and so on) are not included. In
addition, note that not all applets appear in the Control Panel by default. The Wireless Link
applet, for example, only appears on systems with infrared ports or similar wireless hardware.
You can configure the Start menu to display the Control Panel applets in the menu,
enabling you to access individual Control Panel applets through the Start menu
without having to open the Control Panel folder. To display the Control Panel applets on the Start
menu, right-click the taskbar and choose Properties. Click the Advanced tab, select Expand Control
Panel in the Start Menu Settings group, and click OK.
To open the Control Panel, click Start ➪ Control Panel. If you’ve configured the Start menu to
expand the Control Panel and want to open the Control Panel folder, click Start, then right-click
Control Panel and click Open. You also can open the Control Panel from My Computer.
Ease of Access applet
This applet enables you to configure interface and input/output functions designed to assist users
with various physical challenges, such as limited vision. You can configure a variety of settings
and features for the display, keyboard, mouse, and sound.
Add Hardware applet
The Add Hardware applet, when selected, runs the Add Hardware Wizard, which helps you add
new hardware, remove hardware, unplug a device, and troubleshoot problems with devices.
The wizard scans the system for changes and helps automate the process of installing drivers to
support new devices.
If you choose to add or troubleshoot a device, Windows Server 2008 automatically performs a
search for plug and play (PnP) hardware. If it finds and recognizes a new device, it takes you
step-by-step through the process of installing support for the device. If it finds but can’t recognize the device, the wizard prompts you to select the device from a list and manually specify the
device’s driver(s).
To troubleshoot a device, allow Windows Server 2008 to perform the hardware detection and
then locate the device in the Choose a Hardware Device list and click Next. The wizard will help
you perform steps to troubleshoot the device. To add a new device, choose Add a New Device
from the list and then click Next. Follow the prompts to insert the Windows Server 2008 CD or
provide a path to the appropriate driver files when prompted.
If you choose to uninstall a device, Windows Server 2008 presents a list of all devices. Select
the device you want to remove, click Next, and follow the prompts to complete the process.
If you’re unplugging a device, Windows Server 2008 presents a list of devices that can be
unplugged. Select the device, click Next, and follow the prompts (if any) to complete the
process.
Default Programs applet
The Add or Remove Programs applet is no more. Much of the old functionality in the old applet
in Windows Server 2003 has been integrated into Server Manager (role and features). Instead
you now have the Default Programs applet. Windows Components are in Server Manager, split
between roles and features (and no longer known as Windows Components).
The Default Programs applet is essentially a custom or third-party software installation and
management interface. As you can see in Figure 2-31, the only application that I have installed
on the example server is Skype. You do not have to do anything special when you install
applications to ensure they end up being managed by the Default Programs applet.
Like the old application, the applet serves three main functions. It enables you to change the
installation of or remove existing programs, install new programs, and turn Windows features
on or off. The first two options are geared typically toward user-oriented applications. You use
the latter option to add or remove features such as Indexing Service, Certificate Services, IIS,
additional tools, and so on, to or from Windows Server 2008. The big difference between
Windows Server 2008 and Windows Server 2003 is that on the latter you actually removed
the application from the server, whereas now you can turn off the application without
actually having to remove its bits and pieces from the server. At any time you want to add the
application back, simply toggle the option ‘‘Turn Windows features on or off.’’ However, you
should know that only applications that support this API or that are Windows Server 2008 or
Vista logo compliant support this feature.
FIGURE 2-31
Use Programs and Features to add, remove, reconfigure, or update programs.
The list of installed applications does not, by default, include updates and patches.
To view these installed items, click the View Installed Updates option in the applet
as shown in Figure 2-31.
Administrative Tools applet
The Administrative Tools applet in the Control Panel serves as a container for various administrative tools, including the Computer Management MMC snap-in, the Services snap-in, Event
Viewer, and others. Each of these tools is covered where appropriate in this chapter or in other
chapters.
Windows Update
This applet (see Figure 2-32) enables you to specify how or if the server uses the Automatic
Updates feature. In most situations, you will likely not use automatic updates for a server
because of the need to test and validate updates prior to rollout. You can use Windows
Server Update Services (WSUS) in conjunction with Group Policy to carefully control
how and when automatic updates are deployed to servers and client systems. See
www.microsoft.com/technet/prodtechnol/windowsserver2008/technologies/featured/wsus/default.mspx
for details on WSUS.
Date and Time applet
This applet is the same one that appears if you double-click the clock on the system tray. The
resulting dialog box enables you to set the server’s date, time, and time zone, all of which are
self-explanatory.
FIGURE 2-32
You can configure Automatic Updates behavior for the server.
Having an accurate time on a server is extremely important for authentication purposes but
is also important for error and event tracking, as well as security. For example, if you receive
a denial-of-service attack from a particular dynamic IP address, knowing the time the attack
occurred will enable you to track down the user of that IP at the specified time. Accurate
timestamps are also important for reliable backup and restore operations.
Computers in a domain perform their own synchronization. Workstations and member servers
automatically synchronize with the domain controller serving as the operations master in the
domain. This DC should be checked and adjusted periodically for the accurate time, but a better option is to configure it to take its time from an Internet time source such as time.nist.gov.
Domain members will then receive an accurate time when they synchronize with the DC.
The Windows Time service is the component responsible for time synchronization.
This service is set for automatic startup by default.
You can configure time synchronization settings through Group Policy. You’ll find the policies
in the \Computer Configuration\Administrative Templates\System\Windows Time Service
Group Policy branch. Use the Global Configuration Settings policy to enable and
configure a wide variety of properties that determine the way the server handles the time
samples it receives from time providers.
The policies in the Time Providers sub-branch control time synchronization from both a client
and server standpoint:
■ Enable Windows NTP Client. Enabling this policy allows the server to synchronize its
time with the server specified in the Configure Windows NTP Client policy. Disable this
policy if you don’t want the server to synchronize its time.
■ Configure Windows NTP Client. Enable this policy if you want the server to synchronize its time with a remote time server. When you enable the policy, you gain access to
several properties that specify the time server, update frequency, server type, and other
time synchronization aspects.
■ Enable Windows NTP Server. Enable this policy if you want the server to act as a time
server, enabling it to service NTP requests from other computers on the network.
You don’t need Windows Server 2008 to host your own time server. Windows Server
200X, Windows XP, and Vista also offer the capability to act as a time server.
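The time source a server uses, whether the NTP client policy above is enforcing it, and the size of the clock error are all things an administrator should be able to read off the server itself, because an accurate clock is a precondition for authentication: Kerberos rejects tickets from clocks that differ by more than its tolerance, which is five minutes by default. The following PowerShell script is an added example for this page, not code from the book or from Microsoft. It assumes PowerShell 2.0 or later, the w32tm.exe command-line tool of the Windows Time service, and the two registry locations named in its comments (the service's own Parameters key and the Policies key that the Configure Windows NTP Client policy writes to); time.nist.gov is used as the reference only because the text names it, and you should substitute your own domain's time source.

```powershell
# Added example, not code from the book: show where this server gets its time and
# how far its clock is from a reference, which matters because Kerberos rejects
# tickets from clocks more than five minutes apart (the default tolerance).
# Assumptions (not stated in the chapter): PowerShell 2.0 or later, w32tm.exe, and
# the registry locations the Windows Time service reads:
#   HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters   effective Type / NtpServer
#   HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters          values written by the
#                                                                Configure Windows NTP Client policy
# time.nist.gov is the reference named in the text; substitute your own source.

function Get-TimeSyncConfig {
    $svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    $svc = Get-ItemProperty -Path $svcKey
    $gpo = $null
    if (Test-Path $policyKey) { $gpo = Get-ItemProperty -Path $policyKey }
    # Type is NT5DS for a domain member (time from the domain hierarchy), NTP for a
    # manually configured source, NoSync when synchronization is disabled.
    New-Object PSObject -Property @{
        Type          = [string]$svc.Type
        NtpServer     = [string]$svc.NtpServer
        PolicyApplied = ($gpo -ne $null)
        PolicyType    = [string]$gpo.Type
        PolicyServer  = [string]$gpo.NtpServer
        StartMode     = [string](Get-WmiObject Win32_Service -Filter "Name='W32Time'").StartMode
    }
}

function Measure-ClockOffset {
    param([string]$Reference = 'time.nist.gov', [int]$Samples = 3)
    # /stripchart prints one "hh:mm:ss, +00.0123456s" line per sample; /dataonly
    # suppresses the graph. Output is captured so the function returns a number.
    $output = & w32tm.exe /stripchart "/computer:$Reference" "/samples:$Samples" /dataonly 2>&1
    $worst = $null
    foreach ($line in $output) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') {
            $offset = [math]::Abs([double]$matches[1])
            if ($worst -eq $null -or $offset -gt $worst) { $worst = $offset }
        }
    }
    return $worst   # $null when the reference could not be sampled (UDP 123 blocked, no DNS)
}

$config = Get-TimeSyncConfig
$config | Format-List Type, NtpServer, PolicyApplied, PolicyType, PolicyServer, StartMode
if ($config.Type -eq 'NoSync') { Write-Warning 'Time synchronization is disabled (Type=NoSync).' }
if ($config.StartMode -ne 'Auto') { Write-Warning "Windows Time service start mode is $($config.StartMode), not Auto." }

$skew = Measure-ClockOffset
if ($skew -eq $null) {
    Write-Warning 'Could not sample the reference time server.'
} elseif ($skew -gt 300) {
    Write-Warning ('Clock is {0:N1} s from the reference; Kerberos authentication will fail.' -f $skew)
} else {
    'Clock is within {0:N3} s of the reference.' -f $skew
}
```

On a domain member you should see Type=NT5DS and an empty NtpServer, because the member takes its time from the domain hierarchy as the text describes; NTP with a named server is what you expect on the operations master DC that you have pointed at an external source. When PolicyApplied is true, the policy values override whatever was set locally, so compare the two columns before assuming a local change took effect.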
Display object . . . Personalization
The Display applet is no longer available on its own. It has been moved into the Personalization applet. It still, however, enables you to configure desktop settings such as wallpaper,
background, color scheme, color depth, and desktop size (resolution). You also can configure
a screen saver, enable and configure Web effects, and set general desktop effects and settings.
If the system contains multiple display adapters, you can configure settings for each as well as
configure how each adapter fits into the desktop.
Folder Options applet
The Folder Options applet in the Control Panel enables you to configure how Explorer folder
windows appear and function. You can use it to enable/disable the active desktop, specify the
type of window used for displaying folders (Web content or classic), and specify whether new
folders open in the same window or in a new window, and so on. You also can configure other
options such as file associations and offline files.
Internet Options applet
The Internet Options applet offers several property pages that enable you to configure settings
for Internet Explorer and related programs such as Outlook Express and NetMeeting:
■ General. Set the default home page, delete cached files, clear the URL history, and set
general properties such as fonts, colors, languages, and accessibility features.
■ Security. Use the Security page to configure security level for various zones. A zone is a
group of Web sites that share a common security level. Click one of the predefined zones
and click Sites to add or remove Web sites from the zone. Then use the slider on the Security page to set the security level for the zone or click Custom Level to specify individual
settings for the way Internet Explorer handles cookies, ActiveX controls and plug-ins,
scripts, file downloads, and so on.
■ Privacy. Use the Privacy page to change the way Internet Explorer handles cookies, both
globally and for individual Web sites.
■ Content. Use the Content page to enable and configure Content Advisor, which helps
guard against access to restricted sites (such as sites with adult content). You also use
the Content page to configure certificates for use on secure Web sites and for e-mail. Use
the Personal Information group on the Content page to create a profile with your name,
address, phone number, and other information. Bear in mind that this information is visible to Web sites you visit unless you configure the security zones to prevent it.
■ Connections. Use the Connections page to configure your Internet connection(s) and
to specify how and when Internet Explorer uses auto-connect to connect to the Internet.
Click Setup to run the Internet Connection Wizard to create a new Internet connection.
Click LAN Settings to configure proxy server settings.
■ Programs. This page enables you to associate specific programs with tasks such as e-mail,
newsgroups, and so on.
■ Advanced. This page contains several individual options that determine how Internet
Explorer handles HTTP versions, multimedia, printing, security, and a variety of other
properties.
Network and Sharing Center applet
The Network and Sharing Center applet in the Control Panel opens the Network and Sharing
Center. It contains icons for each of your network connections, including
LAN and dial-up connections. Click the ‘‘Manage network connections’’ link to configure the
connection’s protocols, bindings, clients, services, sharing, and other properties.
For more in-depth coverage of network configuration, refer to Chapter 3.
Power Options applet
The Power Options applet in the Control Panel controls power-saving features on the computer,
such as turning off system peripherals after a specified idle time and setting up hibernation
(suspend to disk). You can configure power settings and save the configuration as a power
scheme, making it easy to switch between different groups of settings.
The UPS page of the Power Options property sheet controls the UPS service. If a UPS is connected to the computer via one of the computer’s ports, the UPS page shows UPS status such as
estimated runtime and battery condition. You can configure the UPS through the UPS page or
select a different UPS.
Printers Control Panel applet
The Printers Control Panel applet opens the Printers folder, which contains an icon for each
installed printer, as well as a wizard for adding local or remote printers.
For detailed information on the Printers folder and printing services, see Chapter 12.
System applet
The System applet provides access to general system properties. You also can open the System
applet by right-clicking Computer and choosing Properties. The first page of the System
property applet provides basic information about your system, including OS version, installed
memory, CPU type, and registration information.
Clicking Advanced System Settings loads the System Properties dialog box. The first tab is the
Computer Name page.
Computer Name
The Computer Name tab is the place to go to change the workgroup or domain to which the
computer is assigned, as well as to change its computer name. You also can change the primary
DNS suffix for the computer, as well as its NetBIOS name.
Hardware page
The Hardware page offers a handful of features for controlling the system’s hardware and
resource settings (see Figure 2-33). The Hardware Wizard was covered earlier in this chapter
in the section ‘‘Add Hardware Applet.’’ The Device Manager was covered earlier in the section
‘‘Device Manager.’’
FIGURE 2-33
Use the Hardware page to add, remove, and configure hardware and hardware profiles.
In Windows Server 2008, drivers can be signed digitally by Microsoft to certify that the driver
has been tested and meets certain compatibility criteria defined by Microsoft. Clicking Windows
Update Driver Settings opens a dialog box you can use to configure driver installation. You can
choose between the following:
■ Check for Drivers Automatically (Recommended).
■ Ask Me Each Time I Connect a New Device Before Checking for Drivers.
■ Never Check for Drivers When I Connect a Device.
You can configure driver signing behavior through Group Policy.
Advanced page
You can use the Advanced page of the System properties applet in the Control Panel to
configure performance options for the computer, to view and set environment variables, and
to configure system startup and recovery options.
User Profiles
User profiles store a given working environment, including desktop configuration, mapped
drives and printers, and other properties. When a user logs on, the user profile applies the desktop configuration and other properties. User profiles are most useful for providing a consistent
user interface for each user even when other users share the same computer. They’re also useful
for providing a consistent UI for users who log in from a variety of computers (roaming users).
You access user profiles through the Settings button in the User Profiles group of the
Advanced tab in the System property sheet.
A user profile comprises a registry file and a set of folders. The registry file applies settings to
the UI such as mapped drives, restrictions, desktop contents, screen colors and fonts, and so on,
and is a cached copy of the HKEY_CURRENT_USER portion of the registry. The folders include
the user’s My Documents, My Pictures, and other folders stored under the Documents and Settings folder for the user.
The three types of profiles are personal, mandatory, and default. Personal profiles enable users to
modify their working environments and retain those changes from one logon session to the next.
Mandatory profiles enable certain configuration changes (subject to restrictions in the profile
itself), but those changes are not saved for future logon sessions. The only difference between
a personal profile and a mandatory profile is the profile’s file extension. Personal profiles use a
.dat extension for the registry file portion of the profile, and mandatory profiles use a .man
extension.
A default profile is preconfigured by Windows Server 2008 and is applied for new users that
log on with no pre-existing profile. The profile then is stored as the user’s profile for later logon
sessions.
You specify a user’s profile through the user’s account properties when you create or modify
the account. You use the Local Users and Groups MMC console to create and modify local
accounts and use the Active Directory Users and Computers console to create and modify
domain accounts in the Active Directory. The Profile tab of the user’s account properties (see
Figure 2-34) specifies the path to the user’s profile, the logon script, and other properties. When
the user logs on, Windows Server 2008 applies the profile located on the specified path.
FIGURE 2-34
The Profile page defines the path to the user’s profile.
Chapter 24 has more information about Group Policy objects and how they’re
integrated with Active Directory.
Creating a profile
Windows Server 2008 provides no specific utility for creating user profiles. Instead, you first log
on as the target user to a system with similar video hardware as the user’s target workstation
(because video settings are stored in the profile and you need to ensure compatibility). You
configure the working environment as needed, mapping drives and printers, setting desktop
schemes, and so on. When you log off, the profile is stored locally along with the user’s folder
structure.
Copying profiles
In order to copy a user profile from one location to another, you use the User Profiles page of
the System object in the Control Panel. Open the User Profiles page on the system from which
you’re copying the profile. Select the profile from the list of profiles stored on the computer and
click Copy To. Select the local folder or network share where you want the profile copied and
click OK.
Supporting roaming users
A roaming profile is the same as a local personal profile except that the profile is stored on a
network share accessible to the user at logon. You specify the UNC path to the user’s profile in
his or her account properties so that when the user logs on, the profile can be applied regardless
of that user’s logon location. If a profile exists on the specified path, Windows Server 2008
applies that profile at logon. If no profile exists on the specified path, Windows Server 2008
creates a new profile automatically, stores it on that path, and uses the profile for future logon
sessions.
Creating a mandatory profile
You create a mandatory profile in the same way you create a personal profile, but with one additional step. After you create the profile and copy it to the target location (such as the user’s local
computer or a network share for a roaming profile), change the name of the profile’s registry file
from Ntuser.dat to Ntuser.man.
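Because the only thing that makes a profile mandatory is the .man extension on its registry file, and because a roaming or mandatory profile is fetched from a share the user can reach, it is worth checking from the server side which profiles exist, which kind each one is, and whether a broad group has been left with write access to a profile folder (a mandatory profile that its users can overwrite is no longer mandatory). The following PowerShell script is an added example for this page, not code from the book or from Microsoft. It assumes PowerShell 2.0 or later, administrative rights, and the ProfileList registry key that Windows maintains for every profile it has loaded, with the ProfileImagePath value (local folder) and, for roaming users, the CentralProfile value (UNC path); the list of groups treated as "broad" is the author's choice for this example.

```powershell
# Added example, not code from the book: list the profiles stored on this computer,
# classify each as personal (Ntuser.dat) or mandatory (Ntuser.man), record any
# roaming path, and flag profile folders where a broad group holds write rights.
# Assumptions (not stated in the chapter): PowerShell 2.0 or later, administrative
# rights, and the key Windows maintains for every profile it has loaded:
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>
#   with ProfileImagePath (local folder) and, for roaming users, CentralProfile (UNC path).

function Get-ProfileAudit {
    $listKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    # Principals that should never be able to write into someone else's profile
    # (a choice made for this example; extend it to match your own standards).
    $broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($entry in Get-ChildItem -Path $listKey) {
        $props = Get-ItemProperty -Path $entry.PSPath
        # Service profiles use %systemroot%-style paths; expand them before testing.
        $path = [Environment]::ExpandEnvironmentVariables([string]$props.ProfileImagePath)
        if ($path -eq '' -or -not (Test-Path $path)) { continue }
        $kind = 'Personal'
        if (Test-Path (Join-Path $path 'Ntuser.man')) { $kind = 'Mandatory' }
        elseif (-not (Test-Path (Join-Path $path 'Ntuser.dat'))) { $kind = 'NoRegistryFile' }
        # Only explicit Allow entries for the broad groups with a write-class right count.
        $writers = @()
        foreach ($ace in (Get-Acl -Path $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
            if ([string]$ace.FileSystemRights -match 'FullControl|Modify|Write') {
                $writers += $ace.IdentityReference.Value
            }
        }
        New-Object PSObject -Property @{
            Sid     = $entry.PSChildName
            Type    = $kind
            Path    = $path
            Roaming = [string]$props.CentralProfile
            BroadWriteAccess = $writers
        }
    }
}

Get-ProfileAudit | Format-Table Sid, Type, Path, Roaming,
    @{ n = 'BroadWriteAccess'; e = { $_.BroadWriteAccess -join ', ' } } -AutoSize
```

Run it on each computer where profiles are loaded; for roaming profiles, run the same folder check against the share itself, since the copy under the local ProfileList entry is only the cached version that the server pulls at logon. A profile reported as NoRegistryFile has a folder but no Ntuser.dat or Ntuser.man, which usually means a half-removed account and is worth cleaning up.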
Performance options
Click Settings under the Performance group on the Advanced page to display the Performance
Options dialog box. The Visual Effects tab enables you to configure a variety of interface options
that can affect overall system performance. In the default configuration, Windows Server 2008 disables all visual
effects except visual styles on windows and buttons. Essentially all of the visual effects are eye
candy and have no significant administrative benefit, so you should leave them turned off.
You can select options on the Advanced tab to optimize the system for applications or
background services. In most cases, you’ll select Applications for a Windows Server 2008
Workstation or Background Services for a Server.
The Performance Options dialog box also enables you to change the system’s virtual memory
allocation (size of the system’s swap file) and space allocated to the registry files. Why change
swap file size or location? The swap file is used to emulate memory (thus the term virtual
memory), making the system appear as if it has more physical memory than it really does. As
memory fills up, Windows Server 2008 moves memory pages to the swap file to create space in
physical memory for new pages, or it swaps pages between physical and virtual memory when
an existing page stored in the swap file is needed. Windows Server 2008 automatically selects
a swap file size based on physical memory size, but in some cases, you might want to increase
the swap file size to improve performance. You also might want to move the swap file from the
default location to a different disk with greater capacity or better performance (such as moving
from an IDE drive to a SCSI drive).
Click Change on the Advanced tab of the Performance Options dialog box to access the Virtual
Memory dialog box, shown in Figure 2-35. Select a drive for the swap file, specify the initial and
maximum sizes (Windows Server 2008 will resize as needed within the range), and click Set.
Specify the maximum registry size in the field provided and click OK to apply the changes.
90
Page 90
Shapiro
c02.tex
V1 - 06/12/2008
4:08pm
Configuring Windows Server 2008
FIGURE 2-35
Use the Virtual Memory dialog box to control swap file size and registry size.
Changing the maximum registry size doesn’t change the size of the registry. It
imposes a maximum size that when reached, causes Windows Server 2008 to
generate a warning message that the maximum registry size has been reached.
Environment Variables
Click Environment Variables on the Advanced tab to open the Environment Variables dialog
box, which you can use to view, delete, and add environment variables. The variables you define
in the upper half of the page apply to the user who currently is logged on. Variables defined in
the bottom half apply to all users.
Startup/Shutdown options
The Startup and Recovery page (see Figure 2-36) enables you to configure boot options, how the
system handles a system failure, and how debugging information is handled. The options in the
System Startup group enable you to specify which boot option is selected by default and how
long the boot menu is displayed. These settings are stored in the Boot.ini file, located in the
root folder of the drive on which the boot loader is located. You can edit the file manually with
a text editor to change values if you prefer.
FIGURE 2-36
Configure startup, recovery, and debugging options in the Startup and Recovery dialog box.
Click Settings in the Startup and Recovery group on the Advanced tab to display the
Startup and Recovery dialog box.
The System Failure group of controls determines how Windows Server 2008 reacts when a
system failure occurs. The system always attempts to write an event to the system log, if
possible. If you need to see the blue screen of death after a system failure to gather information
for troubleshooting, deselect Automatically Restart.
Use the Write Debugging Information group of controls to specify the action Windows Server
2008 takes to create a memory dump file when a system failure occurs. Microsoft support engineers can use the debugging information to determine the cause of the failure and recommend
or develop a fix for the problem.
Remote tab
The Remote tab, shown in Figure 2-37, controls Remote Desktop/Terminal Services access to the
server, as well as Remote Assistance.
The Remote Assistance group enables you to allow remote users to connect to the server through
the Remote Assistance feature. If you click Advanced, you can enable or disable the option
Allow This Computer to Be Controlled Remotely. When this option is enabled, a remote user
is allowed remote control over the server; disabling the option allows the user to view the
server but not control it. You can also set the period of time during which a Remote Assistance
invitation can remain open.
You can send Remote Assistance requests with MSN Messenger or by e-mail.
FIGURE 2-37
Use the Remote tab to configure remote control features.
Remote Desktop is, essentially, a stripped-down version of Terminal Services. Enabling the Allow
option in the Remote Desktop group allows remote users to initiate a Remote Desktop or Terminal Services connection to the server. Click Select Remote Users to specify the users that can log
in through this service.
Windows XP and Vista include a built-in Remote Desktop client that you can use to connect
to Windows Server 2008. In addition, users can employ a Terminal Services client to connect
to the server through Remote Desktop. The Remote Desktop Web Connection ActiveX component enables Internet Explorer users to access a computer hosting Remote Desktop connections
through their Web browser. Remote Desktop Web Connection is included with Windows XP
and Vista and is available for download from Microsoft’s Web site.
As handy as it is for remote control and management, Remote Desktop has security implications.
You should read through Chapter 16 to ensure that you understand these security implications
before enabling Remote Desktop on a server.
If you’re having problems getting Terminal Services clients to connect to Windows
Server 2008 running Terminal Services, be sure to enable the Allow Users to Connect
Remotely to This Computer option on the Remote tab of the System Properties sheet. Disabling
this option prevents Terminal Services clients from connecting, even if you’ve enabled access
through Group Policy.
Windows PowerShell
A new addition to the server administration tools on Windows Server 2008 is the Windows
PowerShell. Released before the server RTM, it is a new command-line shell and scripting
language that lets you automate or organize repetitive administrative tasks on the server.
Windows PowerShell is great for server administrators because you don’t need to be a code guru
to use it, as you did on Windows Server 2003 with VB and JavaScript or with complex C#
applications. Windows PowerShell is built to sit atop the .NET common language runtime (CLR)
and the .NET Framework, accepting and returning .NET objects that you can interact with.
Windows PowerShell works with the so-called cmdlet. This ‘‘let’’ is a simple, single-function
command-line tool built into the shell. More than 130 standard cmdlets ship with the system,
and you can open them and manipulate them for your own use. You can also easily write your
own cmdlets. The cmdlets can be used on their own or they can be combined and dovetailed
with each other to perform tasks on a server that would be very difficult through the regular
command line or via Control Panel applets and features.
You can use Windows PowerShell to manage Windows Server 2008 roles, such as IIS 7.0, DNS,
DHCP, Terminal Server, and so on. You can also create cmdlets for line-of-business servers like
Exchange Server 2007, SQL Server, and Microsoft Operations Manager.
To use PowerShell, click Start ➪ All Programs ➪ Windows PowerShell 1.0 ➪ Documents, and then
drill down to the folder that holds the GettingStarted manual. This is a WordPad file that will get
you running cmdlets in short order. The same folder also contains a user guide, release notes,
and more.
Summary
Windows Server 2008 provides several tools for administering system hardware, operating
environment properties, users, and other objects. Although most of the administrative functions are incorporated into Microsoft Management Console (MMC) snap-ins or extensions,
a few — such as the ODBC Data Source Administrator — still exist as standalone utilities.
The Control Panel serves as a control center for configuring hardware and OS settings and
properties.
Understanding the administrative tools available to you is an important step in configuring and
monitoring a system. This chapter examined the majority of the administrative tools you’ll work
with on a regular basis. Other chapters cover additional administrative tools or cover in more
detail some of the tools mentioned here.
Shapiro
c03.tex
V2 - 06/13/2008
5:27pm
Networking Windows Server 2008
This chapter provides a detailed discussion of Windows Server 2008 networking, including an
explanation of Transmission Control Protocol/Internet Protocol (TCP/IP), versions 4 and 6,
routing, network address translation (NAT), legacy protocols, and other topics related to
Windows Server 2008 network configuration.
IN THIS CHAPTER
Understanding TCP/IP on
Windows 2008
Learning TCP/IP basics (IPv4)
TCP/IP on Windows Server 2008
A little more than a decade ago, TCP/IP was used by a relatively small
number of computers connected to the Internet. As the number of
networks connected to the Internet grew explosively, and as companies
expanded to include more and more networks within the enterprise,
TCP/IP has come to be the protocol of choice for most organizations.
The reasons are many, but they commonly include the organization’s
need for standardization, the capability to route, and of course, Internet
connectivity.
Windows Server 2008 offers strong support for TCP/IP. TCP/IP is the
primary protocol for, and the foundation of, Active Directory (AD), which
is the keystone of Windows Server 2008 networks. On the client side,
the TCP/IP protocol enables full support for connecting to both peer and
server computers running TCP/IP, the Internet, and TCP/IP-based services
such as networked printers.
The stack has been completely rebuilt. It is called
Next Generation TCP/IP Stack. This new stack is also
included in Vista.
IN THIS CHAPTER (continued)
Configuring TCP/IP
Understanding and using IPv6
Troubleshooting TCP/IP
Working with legacy protocols
Understanding SNMP
Configuring and managing Windows Firewall
On the server side, Windows Server 2008 offers the configuration and management tools you
would expect, including support for dynamic address allocation through Dynamic Host Configuration Protocol (DHCP), name resolution through Domain Name System (DNS), Network
Basic Input Output System (NetBIOS) name resolution through Windows Internet Name Service
(WINS), and a full range of configuration and troubleshooting tools.
Windows Server 2008 builds on features introduced in previous versions of Windows Server to
support additional capabilities for TCP/IP clients. Windows 2000, 2003, XP, and Vista DHCP
clients, for example, can request updates for their host records with a Windows Server 2008
DNS server, enabling DHCP clients to have up-to-date host entries in their domains. Windows
Server 2008 DHCP servers can also initiate updates on behalf of TCP/IP clients, including those
that are not designed to support dynamic DNS. Windows Server 2008 DHCP servers can request
an update of the client’s pointer record in DNS as well.
Windows Server 2008 includes other features related to TCP/IP, such as the capability to bridge network connections; Internet Connection Sharing (ICS), which enables
a single Internet connection to be shared by other users on the local network; and Windows Firewall, a rudimentary firewall. For more information on ICS and other remote-access-related topics,
see Chapter 6.
On both the client and server side, Windows Server 2008 provides easy TCP/IP configuration.
As with other Windows applications, you configure TCP/IP through various dialog boxes, but
Windows Server 2008 also includes command-line utilities such as ipconfig to help you view
and manage a system’s TCP/IP configuration. A very useful feature is the capability to change IP
addresses and other settings without requiring the system to reboot.
Before you begin configuring and using TCP/IP in Windows Server 2008, you need to understand the basics of how TCP/IP works, which are covered in the following section. If you’re
already familiar with TCP/IP and are ready to configure it in Windows Server 2008, turn to the
section ‘‘Configuring TCP/IP’’ later in this chapter.
The following section explains IP version 4, generally referred to as IPv4. The next
generation IP protocol, IPv6, is also included in Windows Server 2008. See the
section ‘‘Understanding and Using IPv6’’ later in this chapter for a detailed explanation of IPv6
and its use.
TCP/IP Basics (IPv4)
TCP/IP is actually a suite of protocols. The IP portion of TCP/IP provides the transport protocol.
TCP provides the mechanism through which IP packets are received and recombined, ensuring
that IP traffic arrives in a usable state. TCP/IP arose from the ARPANET, which was the
precursor to today’s Internet. TCP/IP is standards-based and supported by nearly every operating
system, including all Microsoft operating systems, Unix, Linux, Macintosh, NetWare, OS/2,
Open VMS, and others. This wide compatibility and the capability to interconnect dissimilar
systems are the primary reasons why TCP/IP has become so popular.
Although TCP/IP is most often used to provide wide-area networking (such as on the Internet),
it is an excellent choice as a local network transport protocol, particularly where organizations
want to serve network resources to local clients through an intranet. You can use TCP/IP as your
only network protocol, or you can use it in conjunction with other protocols, such as NetBIOS.
IP addressing
Any device that uses TCP/IP to communicate is called a host, including a computer, a printer,
and a router. As smart devices begin to pervade our daily existence, it’s conceivable that even
your washing machine or microwave oven will become a host, if not on the Internet, then at
least on your home intranet. This will enable the device to notify the manufacturer (or you)
when it needs service.
Each host must have a unique IP address that identifies it on the network so that IP data packets
can be routed to and from it. IP data packets are simply data encapsulated in IP format for transmission using TCP. Each address must be unique; identical addresses on two or more hosts will
conflict and prevent those computers from communicating properly. In fact, Windows Server
2008 shuts down the TCP/IP protocol on a computer if it detects an address conflict at TCP/IP
initialization.
IPv4 addresses are 32-bit values usually expressed in dotted decimal notation, with four octets
separated by decimals, as in 192.168.0.221. Each IP address contains two separate pieces of
information: the network address and the host address. How these two items of information are
defined in the IP address depends on its class.
There are five classes of IP addresses, class A to class E, but only three classes are relevant to
you in relation to Windows Server 2008 networking: A, B, and C. Class A networks yield the
highest number of host addresses, and class C networks yield the lowest number. Table 3-1
provides information about each class. The designation w.x.y.z indicates the portion of the IP
address that defines network and host ID portions of the address.
TABLE 3-1
IP Address Classes
Class (first octet)   Network ID   Host ID   Number of Available Networks   Number of Hosts per Network
A (1–126)             w            x.y.z     126                            16,777,214
B (128–191)           w.x          y.z       16,384                         65,534
C (192–223)           w.x.y        z         2,097,151                      254
As Table 3-1 indicates, the address range 127.x.y.z is missing. 127.x.y.z is reserved on the
local computer for loopback testing and can’t be used as a valid network address. Addresses
224 and higher are reserved for special protocols such as IP multicast and are not available as
host addresses. In addition, host addresses 0 and 255 are used as broadcast addresses and can’t
be used as valid host addresses. For example, 192.168.120.0 and 192.168.120.255 are both
broadcast addresses that are not available for use as host addresses.
The number of addresses in a given address class is fixed. Class A networks are quite large, with
more than 16 million hosts, and class C networks are relatively small, with just 254 hosts. The
class you choose depends on how many hosts you need to accommodate; most important, it
depends on whether you are using a public address range or a private one. The address ranges
listed here are reserved by convention for private networks:
■ 10.0.0.0, subnet mask 255.0.0.0
■ 169.254.0.0, subnet mask 255.255.0.0
■ 172.16.0.0, subnet mask 255.240.0.0
■ 192.168.0.0, subnet mask 255.255.0.0
However, if you are not connecting your systems to the Internet, you can use any IP address
class except the loopback addresses. For example, a class A addressing scheme can provide a
large number of host addresses for your enterprise; but if you’re connecting the network to the
Internet, at least some of the addresses need to be valid, public addresses that fall in the range
described in Table 3-1 (excluding the private ranges mentioned previously).
If all your systems connect to the Internet directly, rather than through a proxy server or other
device that performs NAT, each host must have a unique, valid, public IP address. If you
use NAT, only those hosts on the public side of the Internet connection need valid, public
addresses. Those hosts on the private side can use one of the private address ranges described
previously, but only NAT and proxy services will allow the public addresses to translate to the
private ones. This means you can accommodate a large class A network internally, if needed.
Figure 3-1 illustrates a network that uses a private IP range but connects to the Internet through
a proxy server and router with public addresses.
FIGURE 3-1
This network uses private IP addresses internally and a proxy server to connect to the Internet.
[Figure 3-1 diagram: private hosts 192.168.0.2 through 192.168.0.6 and a proxy server (192.168.0.1 on the private side, 205.219.129.2 on the public side) share a hub; a router/CSU/DSU at 205.219.129.1 connects to the Internet.]
Subnetting
Each host, in addition to an IP address, needs a subnet mask. The subnet mask, like an IP
address, is a 32-bit value typically expressed as four octets separated by periods. The subnet
mask serves to mask the IP address into its two components, network ID and host ID, which
enables traffic to be routed to the appropriate network and then to the destination host.
Table 3-2 shows the subnet masks for the three standard network classes.
TABLE 3-2
Standard Subnet Masks
Class   Binary Value                           Subnet Mask
A       11111111 00000000 00000000 00000000    255.0.0.0
B       11111111 11111111 00000000 00000000    255.255.0.0
C       11111111 11111111 11111111 00000000    255.255.255.0
In addition to masking the host ID from the network ID, a subnet mask also can serve to
segment a single network into multiple logical networks. For example, assume that your small
company obtains Internet access from a local ISP. The ISP uses a class C address space to
accommodate a group of small business clients, of which your company is one. The ISP uses a
subnet mask of 255.255.255.224 to divide the network into eight subnets with 30 hosts each.
Table 3-3 lists the host ranges for each subnet.
TABLE 3-3
Sample Subnet
Subnet   Host Range
0        205.219.128.1–205.219.128.30
1        205.219.128.33–205.219.128.62
2        205.219.128.65–205.219.128.94
3        205.219.128.97–205.219.128.126
4        205.219.128.129–205.219.128.158
5        205.219.128.161–205.219.128.190
6        205.219.128.193–205.219.128.222
7        205.219.128.225–205.219.128.254
In this example, the ISP uses the first address range (subnet 0) for a routing cloud (a network
subnet that functions solely for the purpose of routing), and the remaining seven subnets to
accommodate the customers. You are the first customer and you get subnet 1, with addresses
from 33 through 62. Figure 3-2 illustrates the network.
FIGURE 3-2
This ISP serves seven customers with a class C address space and a subnet mask of
255.255.255.224.
[Figure 3-2 diagram: the ISP's routers at 205.219.126.1 and 205.219.126.3 connect to the Internet and to a frame relay cloud (router 205.219.126.2) that serves another frame customer and your local subnet, whose router is 205.219.126.33; every interface uses the mask 255.255.255.224.]
You can calculate subnet masks manually, but it’s a real chore. Instead, download a
copy of Net3 Group’s IP Subnet Calculator from www.wildpackets.com/products/free utilities/ipsubnetcalc/overview.
Alternatively, search your favorite shareware/freeware site, such as www.tucows.com, for additional
tools such as Advanced Subnet Calculator, also available at www.solarwinds.net/download-tools.htm.
As you’re designing your network and assigning IP addresses and subnet masks, keep in mind
that all nodes on the same logical segment need to have the same subnet mask. This places them
in the same logical network for routing purposes.
A full understanding of subnetting is essential for deploying Active Directory across
multiple sites in an enterprise or the Internet. For more information, see Chapters 22
through 25.
Classless Interdomain Routing notation
Given the length of a subnet mask, it isn’t always efficient to specify an address using the
address and subnet mask. Classless Interdomain Routing (CIDR) simplifies addressing notation
by enabling you to specify the network ID using the number of bits that define the network ID.
Table 3-4 illustrates the concept.
TABLE 3-4
Classless Interdomain Routing Notation
Class   Binary Value                           Network Prefix
A       11111111 00000000 00000000 00000000    /8
B       11111111 11111111 00000000 00000000    /16
C       11111111 11111111 11111111 00000000    /24
For example, the class C address space 192.168.0.0/255.255.255.0 can be expressed using CIDR
as 192.168.0.0/24.
CIDR is also known as network prefix notation.
CIDR is not limited to specifying these three network IDs. You can also use CIDR to identify the network ID for networks with different subnets. To determine the network prefix,
simply add the number of subnet bits. For example, assume you create a subnet using the
mask 255.255.255.224, or three additional subnet bits. The notation for the address range
192.168.0.n with this subnet mask would be 192.168.0.0/27. Table 3-5 shows the network
prefixes for subnets of a class C network ID.
TABLE 3-5
CIDR Subnets of a Class C Network ID
Number of Subnets   Subnet Bits   Subnet Mask/CIDR Notation   Number of Hosts per Network
1–2                 1             255.255.255.128 or /25      126
3–4                 2             255.255.255.192 or /26      62
5–8                 3             255.255.255.224 or /27      30
9–16                4             255.255.255.240 or /28      14
17–32               5             255.255.255.248 or /29      6
33–64               6             255.255.255.252 or /30      2
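As an added example that is not from the book, the following Python carries out the subnetting arithmetic behind Tables 3-3 and 3-5 and the mask/prefix conversion of Table 3-4 for any network and mask, not just the class C case shown; it also rejects a non-contiguous mask, something a manual calculation easily misses. The addresses are those used in the tables.

```python
import ipaddress  # standard library; performs the 32-bit address arithmetic

FULL_MASK = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """'205.219.128.33' -> 32-bit integer (ValueError on malformed input)."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def address_class(dotted: str) -> str:
    """Classful designation from the first octet, following Table 3-1."""
    first = ip_to_int(dotted) >> 24
    if first == 127:
        return "loopback"      # 127.x.y.z is reserved for local loopback testing
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "reserved"          # 0 and 224 and above (multicast, experimental)


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.224' -> 27. A mask must be a run of ones followed by zeros;
    anything else (e.g. 255.0.255.0) is rejected rather than silently accepted."""
    bits = ip_to_int(mask)
    ones = bin(bits).count("1")
    if bits != (FULL_MASK << (32 - ones)) & FULL_MASK:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """27 -> '255.255.255.224'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((FULL_MASK << (32 - prefix)) & FULL_MASK)


def to_cidr(network: str, mask: str) -> str:
    """'192.168.0.0', '255.255.255.224' -> '192.168.0.0/27' (network prefix notation)."""
    return f"{network}/{mask_to_prefix(mask)}"


def hosts_per_subnet(prefix: int) -> int:
    """Usable hosts: all addresses minus the network and broadcast addresses
    (the 'Number of Hosts per Network' column of Table 3-5)."""
    if prefix > 30:
        raise ValueError("/31 and /32 leave no room for a host range")
    return 2 ** (32 - prefix) - 2


def subnets(network_cidr: str, subnet_mask: str) -> list:
    """Split a network into equal subnets under a longer mask and return one
    (index, network, first_host, last_host, broadcast) tuple per subnet."""
    parent = ipaddress.IPv4Network(network_cidr, strict=True)
    new_prefix = mask_to_prefix(subnet_mask)
    if new_prefix <= parent.prefixlen:
        raise ValueError("subnet mask must be longer than the network's own mask")
    if new_prefix > 30:
        raise ValueError("subnets longer than /30 have no usable host range")
    rows = []
    for index, net in enumerate(parent.subnets(new_prefix=new_prefix)):
        base = int(net.network_address)
        bcast = int(net.broadcast_address)
        rows.append((index, int_to_ip(base), int_to_ip(base + 1),
                     int_to_ip(bcast - 1), int_to_ip(bcast)))
    return rows


if __name__ == "__main__":
    # Reproduce Table 3-3: the ISP's class C space divided with 255.255.255.224.
    for index, net, first, last, bcast in subnets("205.219.128.0/24", "255.255.255.224"):
        print(f"subnet {index}: {first}-{last}  (network {net}, broadcast {bcast})")
    # Reproduce Table 3-5: one to six subnet bits borrowed from a class C host ID.
    for bits in range(1, 7):
        prefix = 24 + bits
        print(f"{bits} subnet bit(s): {prefix_to_mask(prefix)} or /{prefix}, "
              f"{hosts_per_subnet(prefix)} hosts per subnet")
```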
Obtaining IP addresses
How you assign IP addresses depends on whether your systems are connected to the public
Internet. Systems connected to the Internet directly, rather than through a proxy server or other
device doing NAT, must have unique, valid IP addresses, often termed ‘‘legal’’ addresses. This
means you can’t arbitrarily choose an address range for these systems. Instead, you need to
obtain an address range from your ISP to ensure that you are using unique addresses (and that
proper routing takes place). The number of addresses you need to obtain depends on how many
hosts you will have on the public side of your proxy server or other NAT device, if any. For
example, assume you configure your network so that a proxy server sits between the router and
all other hosts. You would need only three public addresses: one for each side of the router
and one for the public side of the proxy server. The hosts on the private side of the proxy server
can use private addresses.
If your network is not connected to the Internet, you could theoretically choose any network
address range, including a public range in use by someone else, but you will not be able to
connect your network to the Internet. You should, however, follow the convention of using one
of the reserved address ranges for your private network (discussed previously in this chapter),
because it will make life easier for you if you install NAT services. You won’t have to re-address
all of your hosts later if you decide to connect the network to the Internet — you simply
provide some means of NAT through a router (such as Routing and Remote Access Service,
RRAS, discussed later) or a proxy server.
Gateways and routing
TCP/IP subnets use gateways to route data between networks. Usually, a gateway is a dedicated
router or firewall, but it could be any device running routing services, such as a Windows Server
2008 server running RRAS. The router maintains IP address information about remote networks
so it can route traffic accordingly. Traffic coming from the local network with a public address is
routed through the appropriate port on the router. Figure 3-3 shows a simple network with two
connections to the Internet. The second connection provides redundancy in the event that the
primary connection fails.
FIGURE 3-3
A simple network with two gateways to the Internet.
[Figure 3-3 diagram: the local network reaches the Internet through Gateway 1 and Gateway 2.]
On the host, IP inserts the originating and destination addresses into each packet. The host
then checks (using its subnet mask) the destination address to determine whether the packet
is destined for another host on the same local network or for a host on another network. If
the packet is for a local host, it is sent directly to the local host on the same subnet. If the
destination host is on a remote network, IP sends the packet to the local host’s default gateway,
which routes the traffic to the remote network. You can configure multiple gateways if more
than one is present on the network, and the local host attempts to connect through them in
turn. If the default gateway is down, the host attempts to reach the next gateway in the list. The
packet then travels through (possibly) several other routers until it reaches its destination.
Standalone subnets do not require gateways because there is nowhere for the traffic to
go — all traffic is local. Subnets connected to other subnets or to the Internet require at least
one gateway.
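As an added example that is not part of the book, the following Python makes the local-or-remote decision just described by applying the subnet mask to both addresses, and otherwise hands the packet to the first gateway in the list that is still up. The `down` set is an assumption standing in for the host's detection of a dead gateway; the addresses are taken from Figure 3-1 and Table 3-3.

```python
import ipaddress


def ip_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def same_subnet(host_ip: str, subnet_mask: str, other_ip: str) -> bool:
    """AND both addresses with the mask; equal network IDs mean the other
    host sits on the local segment and can be reached directly."""
    mask = ip_to_int(subnet_mask)
    return (ip_to_int(host_ip) & mask) == (ip_to_int(other_ip) & mask)


def next_hop(host_ip: str, subnet_mask: str, destination: str,
             gateways: list, down=frozenset()) -> str:
    """Return the address the packet is actually sent to on the wire.

    A local destination is delivered directly. A remote one goes to the first
    configured gateway not listed in 'down' (an assumed stand-in for the
    host's dead-gateway detection). A gateway that is not on the host's own
    subnet can never be reached directly, so it is reported as a
    misconfiguration instead of being silently skipped.
    """
    if same_subnet(host_ip, subnet_mask, destination):
        return destination
    for gateway in gateways:
        if not same_subnet(host_ip, subnet_mask, gateway):
            raise ValueError(f"gateway {gateway} is not on the local subnet")
        if gateway not in down:
            return gateway
    raise RuntimeError(f"no reachable gateway for {destination}")


if __name__ == "__main__":
    # Figure 3-1: a private host talking to a neighbour and to a public address.
    print(next_hop("192.168.0.2", "255.255.255.0", "192.168.0.6", ["192.168.0.1"]))
    print(next_hop("192.168.0.2", "255.255.255.0", "205.219.129.2",
                   ["192.168.0.1", "192.168.0.254"], down={"192.168.0.1"}))
    # Table 3-3: two addresses in the same class C space but different /27
    # subnets are NOT local to each other; the mask, not the class, decides.
    print(same_subnet("205.219.128.40", "255.255.255.224", "205.219.128.70"))
```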
Dynamic Host Configuration Protocol (DHCP)
Because every host must have a unique IP address, how you allocate and manage addresses is
an important consideration when setting up an IP network. You can allocate addresses in one
of two ways: static addressing or dynamic addressing. With static addressing, you simply assign
a specific IP address to each host. The address doesn’t change unless you manually reconfigure
the host’s TCP/IP properties (thus the term static). Static addressing is fine for small networks
for which you don’t need to add or remove nodes or change addresses very often. As the number of nodes increases, however, static addressing can become an administrative nightmare. It’s
easy to accidentally assign conflicting IP addresses, and when subnet properties change (such as
a default gateway address), you have to manually reconfigure those properties.
Dynamic addressing through DHCP is a much better solution than static addressing, particularly
for large networks or dynamic networks in which IP properties change. DHCP enables a server
to automatically allocate IP addresses and related properties (gateway, DNS servers, and so on)
to clients as they boot. A dynamically assigned address and associated properties is called a lease.
Depending on the configuration at the DHCP server, a lease can have an infinite duration or
expire after a certain period. If a lease expires, the client can renew the lease to obtain a new IP
address (which could be the same one provided by the previous lease).
DHCP in Windows Server 2008 offers some additional benefits in its interaction with Windows
Server 2008 and Windows 2000 Server–based DNS servers. A Windows 2000 or Windows XP
DHCP client can request that the DNS server update its host address in the DNS namespace
for its domain. This means that even if the client receives a new IP address each time it boots,
its host record in DNS will remain accurate. Windows Server 2008 DHCP servers can also
request host record updates on behalf of clients, including non-Windows 2000/XP clients that
don’t support dynamic DNS updates. Remember, however, that the DNS records are updated
locally. Servers that are hosting secondary records for the domain(s) will have to perform a zone
transfer to retrieve the up-to-date records. Local clients that have DNS entries cached will obtain
up-to-date queries when their caches expire.
See Chapter 4 for detailed information on DHCP and how to configure Windows
Server 2008 DHCP clients and servers.
Domains and name resolution
IP hosts communicate using IP addresses, but humans would have trouble remembering more
than a few IP addresses. How would you like to try to remember the addresses of all the Web
sites you visit in a week’s time? Domain names, host names, and name resolution help simplify
internetworking for the user.
Domain names identify networks using a dotted format similar to IP addresses, except that
domain names use letters (usually words), rather than numbers. For example, the domain
mcity.us identifies a specific network in the .us domain. Each host in the mcity.us domain
has a host name that identifies the host uniquely on the network. The host name and domain
name combine to create a Fully Qualified Domain Name, or FQDN, that uniquely identifies
the host. For example, a host in the mcity.us domain might have the host name server1.
The FQDN for the host would be server1.mcity.us. If the domain contains delegated
subnets, those figure into the FQDN as well. For example, assume mcity.us includes a
subdomain called support. The host named fred in support.mcity.us would have the
FQDN fred.support.mcity.us.
There is not necessarily a correlation between a computer’s FQDN and e-mail
address. Although the user in the previous example might have the e-mail address
fred@support.mcity.us, there is no correlation with his computer’s FQDN. The host name and
e-mail account have nothing in common.
There isn’t any direct connection between FQDNs and IP addresses, so some method is required
to map host names to IP addresses. When you type http://www.mcity.us in your Web
browser, for example, some translation needs to occur to map www.mcity.us to its IP address
so your browser can connect to the site. That’s where DNS comes in.
DNS
Domain Name System (DNS) provides a distributed database to enable host names to be
mapped to their corresponding IP addresses. DNS name servers maintain records for domains
they host, and they respond to queries for a given host name with the IP address stored in the
DNS database for that host. For example, when you attempt to connect to www.mcity.us,
your computer submits a DNS request to the DNS server configured in your computer’s TCP/IP
properties to resolve the host name www.mcity.us into an IP address. The DNS server looks
up the data and passes the address back to your computer, which connects to the site using the
IP address. The only interaction you provide in the process is to enter http://www.mcity.us
in your browser. Everything else happens behind the scenes.
The name resolution process described here is simplified for the purpose of this discussion. See Chapter 5 for a detailed explanation of how DNS works.
WINS
Another name resolution service provided by Windows Server 2008 is WINS. WINS provides
much the same service for NetBIOS names that DNS provides for TCP/IP host names. NetBIOS
is an application programming interface (API) that programs can use to perform basic network
operations such as sending data to specific computers on the network. NetBIOS is used by earlier Microsoft operating systems to identify and locate computers on the network. Just as DNS
provides a means for mapping host names to IP addresses, WINS provides a means for mapping
NetBIOS names to IP addresses for systems running NetBIOS over TCP/IP.
NetBIOS is not required in Windows Server 2008, because Windows Server 2008
uses host names and DNS to locate hosts on the local network. See Chapter 5 for a
complete discussion on how to configure WINS.
Unless you are using applications that use NetBIOS over TCP/IP, you don’t need to configure
WINS on your computer.
107
Page 107
3
Shapiro
Part I
c03.tex
V2 - 06/13/2008
5:27pm
Core, Configuration, Networking, and Communication Services
Obtaining a domain name
You should obtain a domain name if your network will be connected to the Internet, and
to protect a root Active Directory domain name (discussed in Chapters 18 through 22). The
domain will identify your computers on the Internet. Some years ago, domain registration was
handled by a single organization, Network Solutions. Now, you can register a domain through
any authorized registrar, such as GoDaddy. See Chapter 5 for additional
information on domain names and domain registration.
Preparing for installation
You now have enough information to begin configuring TCP/IP. Before you jump in with both
feet, however, do a little planning. Make sure that you have the following information:
■ Network address and domain. Obtain valid public addresses from your ISP for computers connected directly to the Internet. Decide which private, reserved address space you’ll
use for computers on private network segments. Register your domain with a domain registration authority. This step is required only if you intend to use DNS to enable users on
the Internet to connect to your network and its resources.
■ Identify an IP address for the computer. Obtain the IP address(es) you will be assigning to the computer if you are allocating them statically. If you’re using DHCP, you don’t
need to obtain a specific IP, nor do you need the IP address of a DHCP server on your
network. Windows Server 2008 TCP/IP locates the DHCP server automatically at startup.
■ Subnet mask. Determine the subnet mask you’ll need for the computer based on the way
your network is configured.
■ Default gateway(s). Determine the IP addresses of the router(s) that will function as the
computer’s gateway(s).
■ DNS servers. Determine the IP addresses of the computers that will serve as the client’s
DNS servers.
■ WINS servers. Determine the IP addresses of the computers that will serve as the client’s
WINS servers (if any).
Setting Up TCP/IP
Windows Server 2008 installs TCP/IP by default unless you override the installation during
setup. However, you can add the protocol later if it was not installed by Setup or was deleted
after installation.
Setup installs TCP/IP by default when you install Windows Server 2008. In fact, you
can’t uninstall TCP/IP, although you can disable it for a particular interface.
Although you can’t uninstall TCP/IP, there might be occasions when you would like to have
that capability. For example, the registry settings for TCP/IP might have become so corrupted
that you need to reset the protocol back to its initial post-Setup state. You can use the netsh
command from a console to reset the protocol. The following example shows the syntax for
the command:
netsh int ip reset c:\ResetIP.txt
The last parameter specifies the name of a log file in which netsh logs the results of the reset
operation. When netsh completes, the TCP/IP registry keys and values will be reset to the
just-installed configuration.
The following sections explain how to configure TCP/IP.
Configuring TCP/IP
Open the Network Connections folder from the Control Panel to configure TCP/IP. Right-click
the network interface whose TCP/IP properties you want to change and click Properties to open
its property sheet. Double-click TCP/IP or select TCP/IP and click Properties to display the General property page (see Figure 3-4).
FIGURE 3-4
Use the General tab to set a static IP address or configure the server for DHCP.
Use the following list as a guide to configure options:
■ Obtain an IP Address Automatically. Select this option to use DHCP to automatically
obtain an IP address and other configuration properties.
■ Use the Following IP Address. Select this option if you need to assign a static IP address.
■ IP Address. Specify a static IP address in dotted octet format.
■ Subnet Mask. Specify the subnet mask for the interface in dotted octet format.
■ Default Gateway. Specify the default gateway your computer should use to route
nonlocal IP traffic.
■ Obtain DNS Server Address Automatically. Select this option to automatically retrieve
the list of DNS servers from a DHCP server. This option is available only if you obtain the
IP address automatically.
■ Use the Following DNS Server Addresses. Select this option to statically assign DNS
server IP addresses.
■ Preferred DNS Server. Specify the IP address of the DNS server you want to use by
default for resolving host names to IP addresses.
■ Alternate DNS Server. Specify the IP address of the DNS server you want to use for
resolving host names if the preferred DNS server is unavailable.
These properties are sufficient for computers connected in a small private network, but in most
cases, you’ll need to configure additional properties. Click Advanced on the General tab to
access the Advanced TCP/IP Settings property sheet. The following sections explain the options
on each property page.
IP settings
Use the IP Settings tab (see Figure 3-5) to configure additional IP addresses for the computer
and additional gateways. The Add, Edit, and Remove buttons in the IP Addresses section enable
you to add, modify, and remove IP addresses and associated subnet masks on the computer.
You might add multiple IP addresses to a server to host multiple Web sites, for example, with
each site at its own IP address. Click Add to display a simple dialog box in which you type the
new IP address and subnet mask to add. Select an existing address and click Edit or Remove to
modify or remove the address, respectively.
Use the Add, Edit, and Remove buttons in the Default Gateways section to add, modify, or
remove gateways. In small networks, there is often only one gateway, but in larger networks,
multiple gateways are used to provide fault tolerance and redundancy, enabling users to connect
outside their local network should one gateway become unavailable. Click Add to specify
the IP address of another gateway, or select an existing address and click Edit or Remove to
respectively modify or remove the selected gateway. The metric value of a gateway specifies the
relative cost of connecting through the selected gateway. When routing is possible through more
than one gateway, the one with the lowest metric is used by default.
FIGURE 3-5
Use the IP Settings tab to configure additional addresses.
Here’s an example of when the metric value comes into play: Assume your network
has two connections to the Internet. Connection A is the one you want to use most
because you pay a flat, monthly fee for it. Connection B is charged by bandwidth usage, and you
only want to use B when A is unavailable. Therefore, you’d assign a metric of 1 to A and a higher
value to B to ensure that traffic always goes through A if it’s available.
The interface metric value on the IP Settings page specifies the relative cost of using the
selected network interface. The default value is 1. This setting performs the same function for
multi-homed systems (those with multiple network interfaces) as the metric value assigned to
the default gateway(s). However, this value determines which interface is used to route traffic
when multiple interfaces can be used to route the traffic. The interface with the lowest metric is
used by default.
DNS
Use the DNS tab (see Figure 3-6) to configure DNS settings for the connection. In addition to
specifying DNS servers, you can configure other options that control the way the client performs
name resolution and enable dynamic DNS updates. The following list explains the available
options:
■ Append Primary and Connection Specific DNS Suffixes. Select this option to append
the primary DNS suffix and connection-specific DNS suffix to unqualified host names for
resolution. Define the primary DNS suffix for the computer through the computer’s Network Identification property page (right-click My Computer, choose Properties, and click
Network Identification). The primary DNS suffix applies globally to the system unless
overridden by the connection-specific DNS suffix, which you set in the property ‘‘DNS
suffix for this connection’’ (described later). For example, assume your primary suffix is
mcity.us and your connection-specific DNS suffix is support.mcity.us. You query
for the unqualified host name fred. This option then causes Windows Server 2008 to
attempt to resolve fred.mcity.us and fred.support.mcity.us. If you have no
connection-specific DNS suffix specified, Windows Server 2008 will attempt to resolve
only fred.mcity.us.
■ Append Parent Suffixes of the Primary DNS Suffix. This option determines whether
or not the resolver attempts resolution of unqualified names up to the parent-level
domain for your computer. For example, assume your computer’s primary DNS suffix is
support.mcity.us and you attempt to resolve the unqualified host name jane. The
resolver would attempt to resolve jane.support.mcity.us and jane.mcity.us
(attempting to resolve at the parent level as well as the computer’s domain level).
■ Append These DNS Suffixes (In Order). Use this option to only append the specified
DNS suffixes for resolving unqualified names.
■ DNS Suffix for This Connection. Use this option to specify a DNS suffix that is different
from the primary DNS suffix defined in the computer’s Network Identification property
page.
■ Register This Connection’s Addresses in DNS. Select this option to have the client
submit a request to the DNS server to update its host (A) record when its host name
changes or its IP address changes. The client submits the full computer name specified in
the Network Identification tab of the System Properties sheet along with its IP address
to the DNS server. You can view the System properties through the System object in the
Control Panel, or right-click My Computer and choose Properties.
■ Use This Connection’s DNS Suffix in DNS Registration. Select this option to have the
client submit a request to the DNS server to update its host record when the host name
changes or the IP address changes. The difference between this and the previous option is
that this option registers the client using the first part of the computer name specified in
the System properties along with the DNS suffix specified by the option ‘‘DNS suffix for
this connection’’ on the DNS page. You can use this option along with the previous option
to register two different FQDNs for the host.
FIGURE 3-6
The DNS tab controls how the client interacts with DNS servers.
Use the DNS tab when you need to add more than two DNS servers.
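The suffix options above decide which names actually leave the host as DNS queries, and which names the client registers for its address. The following Python code is an added example, not from the book or from Windows; it models the resolver's behaviour as the text describes it, using the book's mcity.us examples as test data. One assumption is marked in the code: parent-suffix devolution stops at a two-label domain (support.mcity.us devolves to mcity.us, never to the bare us), which is what the jane example above implies.

```python
"""Added example (not from the book): the names a Windows DNS client tries for an
unqualified host name, and the names it registers, under the DNS tab options."""


def _devolve(suffix):
    """Parent suffixes of `suffix`, stopping at a two-label domain (assumption:
    support.mcity.us devolves to mcity.us, but never to the bare TLD 'us')."""
    labels = suffix.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def dns_search_candidates(name, primary_suffix="", connection_suffix="",
                          append_parent_suffixes=False, suffix_list=None):
    """Return, in order, the FQDNs the resolver tries for `name`.

    primary_suffix / connection_suffix: 'Append primary and connection specific DNS suffixes'
    append_parent_suffixes:             'Append parent suffixes of the primary DNS suffix'
    suffix_list:                        'Append these DNS suffixes (in order)'; when given it
                                        replaces the primary/connection behaviour
    A name ending in '.' is already fully qualified and is tried as it stands.
    """
    if name.endswith("."):
        return [name.rstrip(".").lower()]
    if suffix_list is not None:
        suffixes = list(suffix_list)
    else:
        suffixes = []
        if primary_suffix:
            suffixes.append(primary_suffix)
            if append_parent_suffixes:
                suffixes.extend(_devolve(primary_suffix))
        if connection_suffix:
            suffixes.append(connection_suffix)
    seen, candidates = set(), []
    for suffix in suffixes:  # keep order, drop duplicates (e.g. identical suffixes)
        fqdn = f"{name}.{suffix}".lower()
        if fqdn not in seen:
            seen.add(fqdn)
            candidates.append(fqdn)
    return candidates


def dns_registration_names(host, primary_suffix, connection_suffix,
                           register_connection=True, use_connection_suffix=False):
    """FQDNs the client asks the DNS server to record for its address.

    register_connection:   'Register this connection's addresses in DNS' (full computer name)
    use_connection_suffix: 'Use this connection's DNS suffix in DNS registration'
    Both enabled together registers two different FQDNs for the host."""
    names = []
    if register_connection and primary_suffix:
        names.append(f"{host}.{primary_suffix}".lower())
    if use_connection_suffix and connection_suffix:
        names.append(f"{host}.{connection_suffix}".lower())
    return list(dict.fromkeys(names))
```

Every candidate the first function returns is a query sent to the configured DNS servers, so the list is worth reviewing before enabling the parent-suffix option on a server: a host whose primary suffix has several labels will query names under every parent domain above it down to the two-label domain, and those parent domains are not necessarily administered by you.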
WINS
Use the WINS tab (see Figure 3-7) of the connection’s TCP/IP properties to configure WINS services. You can use the Add, Edit, and Remove buttons in the WINS Addresses group to add,
modify, and remove WINS servers by IP address.
FIGURE 3-7
The WINS tab specifies Windows Internet Name Service properties for the interface.
The following list explains the other options on the page:
■ Enable LMHOSTS Lookup. Select this option to enable the computer to use a local
LMHOSTS file to resolve NetBIOS names to IP addresses. LMHOSTS provides a way
to supplement or even replace the use of WINS servers to resolve NetBIOS names. See
Chapter 5 for more information on using LMHOSTS.
■ Import LMHOSTS. Click to import an LMHOSTS file into your local LMHOSTS file.
■ Default. Use this option to have the DHCP server automatically assign WINS settings.
■ Enable NetBIOS Over TCP/IP. Select this option to use NetBIOS over TCP/IP (NetBT)
and WINS. This option is required if the computer communicates by name with other
computers running NETBIOS. NetBT is not required in a homogeneous Windows Server
2008 environment or when connecting to computers on the Internet through DNS.
■ Disable NetBIOS Over TCP/IP. Select this option to disable NetBT in situations where
it is not needed (see previous item).
Understanding and Using IPv6
With the proliferation of IP-based devices, the pool of available IPv4 IP addresses will eventually run dry. The lack of more addresses won’t stop you from wanting that new integrated cell
phone/PDA with wireless Internet connectivity, so something needs to be done about the dwindling pool of addresses. IPv6 is that something.
IPv6 is intended to be the eventual replacement for IPv4. The goals of IPv6 naturally include
expanding the available address space, but they also target routing performance improvements, Quality of Service (QoS) for low-latency applications, increased security, and other
improvements.
IPv6 terms and concepts
As with IPv4, a node in IPv6 is any device that implements IPv6, and it is either a router or
host. The connection to a transmission medium through which packets are sent is called an
interface. The medium used to transmit IPv6 is called a link, and can be loosely associated with
an IPv4 subnet. Neighbors are nodes connected to the same link. Each link supports a specific
maximum transmission unit (MTU) size, which is the maximum packet size that the link supports.
The IPv6-capable portion of the Internet is called the 6bone.
IPv4 supports both unicast routing and multicast routing; IPv6 supports these as well as anycast
routing. Unicast traffic is directed at a particular interface. Multicast traffic is directed at a set of
interfaces. Anycast addresses reference multiple interfaces, but anycast traffic is directed only to
the closest interface to the sender, rather than to all interfaces.
IPv6 addresses are also different from IPv4 addresses: Whereas IPv4 uses 32-bit dotted decimal
values, IPv6 uses 128-bit hexadecimal values comprising eight 16-bit sections. Here’s a typical
IPv6 address:
ABCD:EF12:0000:7890:0000:3412:0006:A327
Fields that contain leading zeros can omit the leading zeros, so the preceding example can be
simplified as follows:
ABCD:EF12:0:7890:0:3412:6:A327
In addition, any fields that contain all zeros can be represented by a blank set (::), although a
blank set can be used only once in an address. The following is an example:
■ Full address. ABCD:0:0:1234:0:0:0:5678
■ Simplified address. ABCD:0:0:1234::5678
■ Not acceptable. ABCD::1234::5678
In addition, in mixed-mode environments that support IPv4 and IPv6 nodes, the six leftmost
fields use hexadecimal values, but the remaining bits are entered as dotted decimal values, as in
the following examples:
■ 0:0:0:0:0:0:206.10.22.150, or ::206.10.22.150 compressed
■ 1234:FFFF:0:0:0:0:206.12.15.108, or 1234:FFFF::206.12.15.108
compressed
■ ::ACF5:0:206.142.68.11
In an IPv6 address, a variable-length field of bits identifies the address type. This variable-length
field is called the Format Prefix (FP). The following sections discuss the various IPv6 address
types and their corresponding FPs.
Unicast addresses
The FP value 11111111, or FF, identifies an IPv6 address as a multicast address, so any address
with an FP value other than FF is a unicast address. As with IPv4, unicast addresses identify a
single node on the link. There are several types of unicast IPv6 addresses.
You can assign a single unicast address to multiple interfaces on a single node as long
as the interfaces are recognized by the upper layers of the protocol as a single logical
entity.
There are two reserved IPv6 unicast addresses. The first, 0:0:0:0:0:0:0:0, or :: in compressed format, is called the unspecified address. This address is used during IPv6 initialization
before a node has obtained its own address. You can’t assign :: to a node, and it can’t be used
as the source address in an IPv6 packet or routing header.
The second reserved address is the loopback address. It corresponds to the 127.0.0.1 loopback
address in IPv4. The IPv6 loopback address is 0:0:0:0:0:0:0:1, or ::1 in compressed format.
The loopback address enables the node to send a packet to itself, which is useful for testing
proper function of the protocol stack.
Local-use unicast addresses support communication over a single link where no routing is
required. They are also used for automatic configuration of addresses and neighbor discovery,
which is the process used to discover neighboring nodes on the link. Table 3-6 shows the
structure of a local-use unicast address.
TABLE 3-6
IPv6 Local-Use Unicast Addresses
10 Bits       54 Bits   64 Bits
1111111010    0         Interface ID
Site-local unicast addresses provide connectivity within a single private network and are similar
to reserved private addresses used in IPv4. Just as these private IPv4 addresses are not routed,
IPv6 routers do not route traffic for site-local unicast addresses. Table 3-7 shows the structure of
a site-local unicast address.
TABLE 3-7
IPv6 Site-Local Unicast Addresses
10 Bits       38 Bits   16 Bits     64 Bits
1111111010    0         Subnet ID   Interface ID
The third type of unicast address is an IPv6 address with embedded IPv4 addresses. This type
of address is used for tunneling IPv6 packets over IPv4 networks, and serves as a transitional
mechanism to move from IPv4 to IPv6. There are two primary address types. In the first, only
the 32 lower-order bits contain address data; the upper-order bits contain zeros. The second
form is called an IPv4-mapped IPv6 address, and precedes the 32-bit IPv4 address with FFFF.
Table 3-8 illustrates the structure of IPv6 addresses with embedded IPv4 addresses.
TABLE 3-8
IPv6 Addresses with Embedded IPv4 Addresses
80 Bits           16 Bits        32 Bits
0000 . . . 0000   0000 or FFFF   IPv4 Address
Aggregatable global unicast addresses are used to allocate public address pools and are used primarily by ISPs to carve up the public address space on the 6bone (the IPv6 backbone network).
Table 3-9 illustrates the structure of aggregatable global unicast addresses.
TABLE 3-9
Aggregatable Global Unicast Addresses
Public Topology                        Site Topology   Interface
FP    TLA ID    RES      NLA ID        SLA ID          Interface ID
001   13 bits   8 bits   24 bits       16 bits         64 bits
The Public Topology portion of the address hierarchy is managed by the large ISPs that maintain
the structure of the 6bone and enable them to allocate address pools (aggregates) to smaller
organizations, including individual companies and smaller ISPs. The Site Topology portion of
the address hierarchy represents the internal routing information needed to route the packets
internally. The interface ID provides the information needed to route to individual nodes.
Table 3-10 defines the individual components.
TABLE 3-10
Aggregatable Address Components
Item          Field                       Bit Length   Description
FP            Format Prefix               3            The value 001 identifies the address as an aggregatable global unicast address.
TLA ID        Top-Level Aggregation       13           Identifies the top-level authority for the routing hierarchy.
RES           Reserved                    8            Reserved for future expansion of TLA and NLA fields, when needed.
NLA ID        Next-Level Aggregation ID   24           Used by top-level authorities to define and identify the routing hierarchy for the sites that they service.
SLA ID        Site-Level Aggregation ID   16           Used by organizations to create the internal routing structure to support their networks.
Interface ID  Interface                   64           Identifies the interfaces on a link.
Multicast addresses
IPv6 multicast addresses serve much the same purpose as multicast IPv4 addresses, replacing
broadcast addresses used in the IPv4 design. A multicast address is assigned to multiple
nodes, and all nodes with the same multicast address receive the packets sent to that address.
Table 3-11 shows the structure of a multicast address.
TABLE 3-11
IPv6 Multicast Addresses
8 Bits     4 Bits   4 Bits   112 Bits
11111111   Flags    Scope    Group ID
The Format Prefix of 11111111 identifies the address as a multicast address. The Flags field
identifies the address type, and the first three bits of the Flags field are reserved as zero. A
fourth bit of zero indicates a permanent multicast address assigned by the IANA. A fourth bit of
1 indicates a dynamically assigned address not under the authority of the IANA.
The Scope field defines the scope of the address, as shown in Table 3-12.
TABLE 3-12
Scope Field Values
Value        Scope
0            Reserved
F            Reserved
1            Node-local scope
2            Link-local scope
5            Site-local scope
8            Organization-local scope
E            Global scope
All others   Unassigned
The Group ID field identifies a particular group.
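The notation rules given earlier in this section (leading zeros dropped, a single :: per address, a dotted-decimal IPv4 tail in mixed environments) and the field layouts in Tables 3-6 through 3-12 are mechanical enough to implement, and doing so gives a quick check on an address before it goes into a configuration. The following Python code is an added example, not code from the book or from Windows: expand() and compress() apply the notation rules, and classify() reads the Format Prefix and splits out the fields of each table. The prefix values are those of RFC 3513, so site-local is 1111111011 (FEC0::/10), one bit different from link-local; IPv4-mapped and IPv4-compatible addresses are told apart by the 0000-or-FFFF field of Table 3-8. A dotted-decimal tail is accepted on input, but compress() always returns hexadecimal groups.

```python
"""Added example (not from the book): expand, compress and classify IPv6 addresses
following the notation rules and address-structure tables in this section."""
import re

MULTICAST_SCOPES = {0x0: "reserved", 0x1: "node-local", 0x2: "link-local",  # Table 3-12
                    0x5: "site-local", 0x8: "organization-local", 0xE: "global",
                    0xF: "reserved"}
IPV4_TAIL = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def expand(addr):
    """Return the eight 16-bit groups of `addr`, accepting dropped leading zeros,
    a single '::' and a trailing dotted-decimal IPv4 part (mixed notation)."""
    addr = addr.strip()
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: " + addr)
    tail = []
    m = IPV4_TAIL.search(addr)
    if m:  # the dotted quad supplies the last two groups
        o = [int(x) for x in m.groups()]
        if max(o) > 255:
            raise ValueError("bad IPv4 octet in " + addr)
        tail = [(o[0] << 8) | o[1], (o[2] << 8) | o[3]]
        addr = addr[:m.start()]
        if addr.endswith(":") and not addr.endswith("::"):
            addr = addr[:-1]

    def groups(part):
        return [int(g, 16) for g in part.split(":")] if part else []

    if "::" in addr:
        left, right = addr.split("::")
        lg, rg = groups(left), groups(right) + tail
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group: " + addr)
        result = lg + [0] * missing + rg
    else:
        result = groups(addr) + tail
    if len(result) != 8 or not all(0 <= g <= 0xFFFF for g in result):
        raise ValueError("not an IPv6 address: " + addr)
    return result


def is_valid(addr):
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def compress(groups):
    """Shortest text form: no leading zeros, and the longest run of two or more
    all-zero groups replaced by '::' (a lone zero group stays as '0')."""
    best_at, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_at, best_len = i, j - i
        i = j + 1
    text = [format(g, "X") for g in groups]
    if best_len < 2:
        return ":".join(text)
    return ":".join(text[:best_at]) + "::" + ":".join(text[best_at + best_len:])


def _dotted(hi, lo):
    return f"{hi >> 8}.{hi & 0xFF}.{lo >> 8}.{lo & 0xFF}"


def classify(addr):
    """Name the address type from its Format Prefix and split out the fields of
    Tables 3-6 to 3-12 (RFC 3513 prefixes: site-local is 1111111011, FEC0::/10)."""
    g = expand(addr)
    bits = 0
    for x in g:
        bits = (bits << 16) | x
    low64 = bits & ((1 << 64) - 1)
    if bits == 0:
        return {"type": "unspecified"}
    if bits == 1:
        return {"type": "loopback"}
    if g[0] >> 8 == 0xFF:  # Table 3-11: FP, 4-bit flags, 4-bit scope, 112-bit group ID
        flags = (g[0] >> 4) & 0xF  # lowest flag bit set means transient (not IANA-assigned)
        return {"type": "multicast", "permanent": not flags & 1,
                "scope": MULTICAST_SCOPES.get(g[0] & 0xF, "unassigned"),
                "group_id": bits & ((1 << 112) - 1)}
    if g[0] >> 6 == 0b1111111010:  # Table 3-6
        return {"type": "link-local unicast", "interface_id": low64}
    if g[0] >> 6 == 0b1111111011:  # Table 3-7: subnet ID is bits 79-64, i.e. group 3
        return {"type": "site-local unicast", "subnet_id": g[3], "interface_id": low64}
    if g[:5] == [0] * 5 and g[5] in (0, 0xFFFF):  # Table 3-8
        return {"type": "IPv4-mapped" if g[5] else "IPv4-compatible",
                "ipv4": _dotted(g[6], g[7])}
    if g[0] >> 13 == 0b001:  # Table 3-9: 3 + 13 + 8 + 24 + 16 + 64 bits
        return {"type": "aggregatable global unicast",
                "tla_id": (bits >> 112) & 0x1FFF, "res": (bits >> 104) & 0xFF,
                "nla_id": (bits >> 80) & 0xFFFFFF, "sla_id": (bits >> 64) & 0xFFFF,
                "interface_id": low64}
    return {"type": "other/unassigned"}
```

classify() returns the multicast scope by name, which is the check an administrator most often needs: a multicast group with global or organization-local scope (E or 8) will be forwarded by routers, whereas link-local (2) traffic stays on the link.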
Anycast addresses
Anycast addresses use the same physical structure as unicast addresses. Unlike unicast addresses,
however, anycast addresses are assigned to multiple nodes. Currently, only routers can use
anycast addresses. A router that needs to send a packet to an anycast address uses a neighbor
discovery mechanism to locate the nearest node that owns the specified address. The router then
sends the packet to that node.
See the following section to learn how you can assign IPv6 addresses in Windows
Server 2008.
Using IPv6 in Windows Server 2008
Windows Server 2008 includes support for the IPv6 protocol, so you can assign IPv6 addresses
to Windows Server 2008 computers. In addition, the RRAS in Windows Server 2008 supports
IPv6 packet forwarding and route announcements. This section of the chapter explains how to
install and configure the IPv6 protocol in Windows Server 2008.
Installing and configuring IPv6
Installing support for IPv6 in Windows Server 2008 is easy. Open the Network Connections
folder from the Control Panel, right-click the interface on which you want to install IPv6, and
choose Properties. On the General tab, click Install. Select Protocol and click Add. In the Select
Network Protocol dialog box, select Microsoft TCP/IP version 6 and click OK. Then, click Close
to close the interface’s property sheet. To configure IPv6, click the Properties button. The dialog
box in Figure 3-8 appears.
FIGURE 3-8
The IPv6 protocol appears in the interface’s properties.
IPv6 address assignment
As with IPv4, you can assign IPv6 addresses either statically or dynamically, but the implications
and implementation of automatic address assignment are very different from IPv4. Let’s take a
look at automatic address assignment first.
IPv6 address autoconfiguration
IPv6 doesn’t require the use of a configuration protocol such as DHCP to assign addresses automatically, although IPv6 supports automatic assignment through DHCPv6 servers. Automatic
configuration without a DHCPv6 server is called stateless autoconfiguration. With this method,
the host configures its address using router advertisement messages received from the routers
on its link. The result is similar to IPv4 address assignment with APIPA (Automatic Private IP
Addressing), which enables Windows platforms to derive a valid IP address from the private
169.254.x.x/16 address space (class B with subnet mask 255.255.0.0). Windows Server 2008
supports stateless autoconfiguration.
IPv6 also provides for stateful autoconfiguration, which relies on a DHCPv6 server to allocate the
address. However, Windows Server 2008 does not at this point support stateful autoconfiguration, nor does the DHCP service included with Windows Server 2008 support DHCPv6 address
allocation. Therefore, you need to either rely on stateless autoconfiguration or configure the
address and other properties manually.
Static IPv6 address configuration
Unfortunately, Windows Server 2008 doesn’t provide a graphical means to configure IPv6.
Instead, you must use the netsh command from a console to configure IPv6. Open a command
console and issue the following commands to initiate a Netsh session to configure IPv6:
NETSH
INTERFACE IPV6
Next, add the interface and address using the following command:
ADD ADDRESS INTERFACE=string ADDRESS=address
Replace string with the string that identifies the IPv6 interface; address specifies the IPv6
address.
Generally, even if you assign the address statically in this way, the computer will determine the
default router from router advertisements; however, you can assign the default router statically if
need be. Still in the netsh IPv6 interface, execute the following command:
ADD ROUTE PREFIX=IPv6Address/Integer INTERFACE=string
Replace IPv6Address with the valid IPv6 address, and Integer with the prefix length. Replace
string with the interface name on which to add the route. If you need to remove a route, use
the following commands:
SHOW ROUTES
DELETE ROUTE PREFIX=IPv6Address/Integer INTERFACE=string
Use the results of the SHOW ROUTES command to determine the route prefix and interface index
for the route to be deleted. Then replace the IPv6Address, Integer, and string values
accordingly.
See Chapter 5 for a discussion of the implications of IPv6 for DNS. See Chapter 6
for a complete discussion of using Windows Server 2008 for routing and remote
access.
Troubleshooting TCP/IP
When TCP/IP works well, life is good. Occasionally, however, TCP/IP connections will fail and
you will need to determine the cause of the problem. Windows Server 2008 includes a handful
of TCP/IP utilities you can use to test connectivity and troubleshoot connections. This section of
the chapter examines TCP/IP troubleshooting in general and the tools included with Windows
Server 2008 for that purpose.
Common troubleshooting concepts
As is the case when troubleshooting any problem, the first thing to consider when troubleshooting TCP/IP connections is whether anything has changed in the system’s configuration. Problems
with a newly installed computer typically point to an invalid IP address, a wrong subnet mask,
or an incorrect default gateway. If TCP/IP has never worked on the system, open the TCP/IP
properties for the connection and verify that they are correct.
For systems that have been working but have stopped, you need to more narrowly define the
problem. For example, if you’ve been able to connect to a specific Web site but can’t anymore,
see if you can connect to other sites. If the problem lies with one site, it’s almost surely a
problem on the server side and not something you can correct on your end. However, if a
range of Web sites work but others do not, you probably have a DNS or routing problem.
The same holds true for FTP sites and local resources such as other computers on your local
segment.
A methodical, logical approach will help you identify the point of failure, if not the cause.
Though you could work from the problem backwards, we prefer to troubleshoot from the local
computer outward until we find the point of failure, using Packet InterNet Groper (ping).
For example, you should first ping the loopback address (type ping 127.0.0.1 or ping
localhost from a command prompt) to verify that TCP/IP is functioning on your computer.
You can then begin moving farther out into the network and Internet until you find the point at
which communication breaks down. Ping a computer on the local segment, and if successful,
ping the internal side of the router. If that works, ping the external side of the router, and then
a system past the router. If the ping fails at any point, it typically indicates that the packets
generated by the ping command are not being returned, either because the remote node is
configured to discard ping traffic or a problem with the routing table is preventing the packets
from being returned. If ping localhost fails, you probably have a problem with your network
interface card or a corrupt TCP/IP protocol stack.
If you have problems pinging a particular host and know that the host does not discard ping traffic, verify that the host has a properly configured default gateway. If
not, the ping traffic will not be properly routed back to you.
The following list describes common problems and potential solutions:
■ TCP/IP won’t initialize on the host or a service fails to start. These problems
typically point to a configuration error. Open the properties for the interface and check
the settings for TCP/IP closely to make sure they are correct, particularly that you haven’t
specified a conflicting static IP address. For multi-homed systems, check the priority
order of the interfaces. To do so, open the Network Connections folder and choose
Advanced, then Advanced Settings. On the Adapters and Bindings tab, use the Up and
Down arrows for the Connections list to move the primary adapter to the top of the
list. In addition, verify in the same property page that TCP/IP is bound to the selected
adapter.
■ Communication to other hosts fails, or other hosts don’t respond. This often results
from an IP address conflict, network hardware failure, or possibly an incorrect DHCP
lease. Use the ipconfig /all command to check your IP address, subnet mask, and
default gateway settings.
■ Pinging localhost works but you can’t communicate with local or remote
hosts. Verify that you have the correct subnet specified. The ability to ping local hosts
but not remote hosts can be caused by incorrect default gateway setting or router
problems.
■ You can ping the local computer by name, but you cannot ping remote computers by name. You’re having a problem with DNS. Verify that you are specifying
valid DNS servers in the system’s TCP/IP configuration and that those servers are
available.
■ You can ping a non-Windows 2000/XP workstation but can’t connect to it using
a Windows Server 2008 console command. You might be experiencing a problem
with NetBIOS name resolution. Check WINS settings and verify that you haven’t disabled
NetBIOS over TCP/IP on the WINS page of the computer’s TCP/IP settings. You might
also have a problem with the workstation service on the local computer or the computer
to which you are trying to connect. This is not a TCP/IP problem, but you would not be
alone thinking it is. If the workstation service is stopped, try restarting it. If you can restart
it and still have the problem, then name-to-IP address resolving is the likely cause. If you
cannot restart the workstation service, you will likely have to reboot the culprit machine.
A dead workstation service points to an installation that went bad.
■ You can connect to a host or Web site by IP address but not by host name. This is
clearly a DNS issue. Verify that your system is configured for valid DNS servers and that
the servers are available. (See Chapter 5 for troubleshooting DNS entries.)
Windows Server 2008 includes several utilities for troubleshooting TCP/IP connectivity. The following sections explain these tools, starting with the most basic and sometimes most useful tool:
the ping command.
ping
In its most basic use, ping works like a submarine’s sonar: It bounces a packet off a remote
host and listens for the return packet. If the packet comes back, you have basic TCP/IP connectivity between the two hosts. Lack of a response can indicate routing problems, a configuration
problem with TCP/IP on the local host, unavailability of the remote host, or increasingly, that
the remote host is configured to ignore ping traffic.
The ping command generates Internet Control Message Protocol (ICMP) packets and transmits
them to the designated host, and then waits for a response. The version of ping included with
Windows Server 2008 sends four packets by default and waits for a period of one second for
the response from each. You can specify the number of packets to transmit and the timeout
period to override the defaults, if desired. For example, you might send a larger number of
packets to test response time over a more realistic sample period. Following is sample output
from ping:
C:\>ping 192.168.0.6

Pinging 192.168.0.6 with 32 bytes of data:

Reply from 192.168.0.6: bytes=32 time=16ms TTL=128
Reply from 192.168.0.6: bytes=32 time<10ms TTL=128
Reply from 192.168.0.6: bytes=32 time=16ms TTL=128
Reply from 192.168.0.6: bytes=32 time<10ms TTL=128

Ping statistics for 192.168.0.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 16ms, Average = 8ms
ping is also useful in identifying name resolution problems. If you can ping a host by IP
address but not by host name, one of the following could be the cause:
■ There is no valid host record in the remote host’s domain. Add an entry to the DNS zone
or add an entry in your local Hosts file for the remote host.
■ You have an incorrect entry in your local Hosts file for the host. Remove or correct the
entry in the Hosts file. See Chapter 5 for a discussion of the Hosts and LMHOSTS files.
■ Your DNS configuration is incorrect (pointed to wrong or unavailable DNS servers).
Correct the configuration and try again.
Before you begin testing any connectivity problem, verify that you can ping your own workstation. Use ping to perform an internal loopback test that verifies whether or not TCP/IP
is functioning on your computer. Use one of the following commands to ping your own
computer:
ping 127.0.0.1
ping localhost
ping YourIPAddress
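The loopback, own-address, gateway, remote-by-address and remote-by-name tests above form a ladder: each rung only means something if the rungs below it passed. The following is an added example, not code from the book, that parses the text Windows ping prints and walks that ladder to name the first failing rung using the causes listed in this section. The sample outputs are constructed for the example; the hostnames and addresses in them are invented. One caveat the parser handles that the summary line hides: a "Destination host unreachable" reply comes from your own host or gateway, yet Windows counts it as Received, so the code counts only genuine echo replies.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample outputs in the format Windows ping prints (invented for this
# example; the addresses and times are not from a real network).
SAMPLE_OK = """\
Pinging 192.168.0.6 with 32 bytes of data:
Reply from 192.168.0.6: bytes=32 time=16ms TTL=128
Reply from 192.168.0.6: bytes=32 time<10ms TTL=128
Reply from 192.168.0.6: bytes=32 time=16ms TTL=128
Reply from 192.168.0.6: bytes=32 time<10ms TTL=128

Ping statistics for 192.168.0.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 16ms, Average = 8ms
"""

# A "Destination host unreachable" reply comes from a local gateway, yet Windows
# counts it as Received; the summary line alone would call this host reachable.
SAMPLE_UNREACHABLE = """\
Pinging 192.168.0.77 with 32 bytes of data:
Reply from 192.168.0.1: Destination host unreachable.
Reply from 192.168.0.1: Destination host unreachable.
Reply from 192.168.0.1: Destination host unreachable.
Reply from 192.168.0.1: Destination host unreachable.

Ping statistics for 192.168.0.77:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

SAMPLE_NO_NAME = ("Ping request could not find host fileserver.example.local. "
                  "Please check the name and try again.\n")

# Only real echo replies carry "bytes=... time=...ms TTL=..."
REPLY_RE = re.compile(r"^Reply from [\w.:%-]+: bytes=\d+ time[<=](\d+)ms TTL=\d+", re.M)
STATS_RE = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")


@dataclass
class PingResult:
    resolved: bool              # False when ping could not resolve the name at all
    sent: int
    echo_replies: int           # genuine "Reply from X: bytes=..." lines only
    max_rtt_ms: Optional[int]   # "time<10ms" is taken as its upper bound, 10

    @property
    def reachable(self) -> bool:
        return self.resolved and self.echo_replies > 0


def parse_ping(output: str) -> PingResult:
    """Parse the text printed by the Windows ping command into a PingResult."""
    if "could not find host" in output:
        return PingResult(False, 0, 0, None)
    rtts = [int(ms) for ms in REPLY_RE.findall(output)]
    stats = STATS_RE.search(output)
    sent = int(stats.group(1)) if stats else len(rtts)
    return PingResult(True, sent, len(rtts), max(rtts) if rtts else None)


# The ladder from the text: each rung assumes the ones before it succeeded.
LADDER = ["loopback", "own_address", "default_gateway", "remote_by_ip", "remote_by_name"]

DIAGNOSIS = {
    "loopback": "TCP/IP is not functioning on the local host; check the protocol "
                "installation and adapter bindings.",
    "own_address": "The adapter's IP configuration is wrong or TCP/IP is not bound "
                   "to it; check ipconfig /all.",
    "default_gateway": "Local segment problem: wrong subnet mask, IP address "
                       "conflict, bad DHCP lease, or network hardware.",
    "remote_by_ip": "Default gateway setting or a router on the path; run tracert.",
    "remote_by_name": "Name resolution: check the DNS servers in the TCP/IP "
                      "configuration, the DNS zone, and the local Hosts file.",
}


def diagnose(results: Dict[str, PingResult]) -> str:
    """Report the first rung of the ladder that failed, as the text suggests."""
    for step in LADDER:
        r = results.get(step)
        if r is None or not r.reachable:
            if step == "remote_by_name" and r is not None and r.resolved:
                # The name resolved, but that address does not answer while the
                # real address does: a stale or wrong Hosts/DNS entry.
                return (f"{step}: the name resolves to an address that does not "
                        "answer; look for an incorrect Hosts file or DNS entry.")
            return f"{step}: {DIAGNOSIS[step]}"
    return "Basic TCP/IP connectivity and name resolution are working."
```

In practice you would feed `parse_ping` the captured output of each ping in the list above and pass the results to `diagnose` keyed by rung name; a missing rung counts as a failure, so the ladder is never skipped.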
Following is the syntax for the ping command:
ping [-t] [-a] [-n count] [-l size] [-f] [-i ttl] [-v tos]
[-r count][-s count] [[-j HostList] | [-k HostList]]
[-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name
Table 3-13 describes the switches you can use with ping.
TABLE 3-13 ping Command Switches (switch: function; use)

-t: Pings continuously until terminated by Ctrl+C; press Ctrl+Break to view statistics. Use: perform extended testing or check for intermittent problems.
-a: Resolves address to host name. Use: test name resolution and troubleshoot the Hosts file.
-n count: Specifies number of packets to send. Use: perform extended testing.
-l size: Specifies packet size in bytes; the default is 64, the maximum is 8,192. Use: check for packet fragmentation and response time.
-f: Sets Don’t Fragment flag in packet. Use: prevent routers from fragmenting the packet.
-i ttl: Sets packet time-to-live. Use: increase timeout on slow connections.
-v tos: Sets Type of Service field. Use: specify type of action the remote router should perform on the packet.
-r count: Records packet route; specify from 1 to 9. Use: determine route of outgoing and incoming packets.
-s count: Sets timestamp for the number of hops specified by count. Use: set current hop count for the packet.
-j HostList: Routes packets using host list; specify a maximum of 9 hosts. Use: direct traffic through a specific route; hosts can be separated by intermediate gateways (loose source route).
-k HostList: Routes packets using host list. Use: similar to -j, but hosts can’t be separated by intermediate gateways (strict source route).
-w timeout: Sets packet timeout in milliseconds. Use: increase timeout value to overcome timeouts on slow connections.
-R: Traces a round-trip path. Use: trace back to client; used on IPv6 only.
-S srcaddr: Source address to use. Use: specify source address to ping from; used on IPv6 only.
-4: Forces IPv4. Use: force ping to use IPv4; not necessary if specifying an IPv4 address.
-6: Forces IPv6. Use: force ping to use IPv6.
target_name: Specifies remote host(s) to ping. Use: specify destination to ping.
ping and IPv6
You can use the ping command to test connectivity to systems that use IPv6. To test the function of the stack, ping the local interface using the following command:
ping ::1
If that works, try pinging the local computer using its IPv6 address, rather than the localhost
address. Use the following command to ping a link-local node:
ping address
Replace address with the link-local address of the other node. Next, try pinging a different
host using the same format, replacing address with the IPv6 address of the remote node
and optionally using -S srcaddr to specify the source address. See Table 3-13 for a list of
additional command switches you can use with ping to test IPv6 connectivity.
ipconfig
Use the ipconfig command to display configured TCP/IP properties for all adapters, set certain
properties, renew or release address leases, and update host records through dynamic DNS.
The ipconfig command is useful for determining TCP/IP settings on any system, but is most
helpful for determining settings on systems that obtain settings through DHCP. Knowing your
address and related settings is the first step in troubleshooting any connectivity problem. In
addition, you can use ipconfig to release and renew a lease, set a class ID, manage the DNS
cache, and request an update of the host record in DNS.
The equivalent tool for ipconfig in Windows 9x is WINIPCFG.EXE.
The following shows the syntax for ipconfig:
ipconfig [/all | /renew [adapter] | /release [adapter] | /flushdns |
/displaydns | /registerdns | /showclassid [adapter] | /setclassid
adapter [classid]]
Table 3-14 lists the switches and their uses.
netstat
The netstat command provides three primary functions: monitoring connections to remote
hosts, viewing protocol statistics for a connection, and extracting the IP address of a host to
which you’ve connected using domain names (or determining domain name if connected by
address). The syntax for netstat is as follows:
netstat [-a] [-b] [-e] [-n] [-o] [-s] [-v] [-p protocol] [-r] [interval]
Table 3-15 describes the options you can use with netstat.
TABLE 3-14 ipconfig Command Switches (switch: function; use)

/all: Shows all TCP/IP properties, including MAC address. Use: obtain complete information; omit to view only address, subnet mask, and gateway.
/renew [adapter]: Renews DHCP properties on adapter. Use: omit adapter to renew DHCP properties on all adapters.
/release [adapter]: Releases current DHCP lease on adapter. Use: release address, disabling TCP/IP for the adapter; omit adapter to release all leases.
/flushdns: Purges local DNS resolver cache. Use: overcome problems with bad cache entries.
/registerdns: Refreshes all leases and registers the host name with DNS. Use: ensure up-to-date host records in DNS; dynamic updates require a Windows Server 2003 DNS server.
/displaydns: Displays contents of local resolver cache. Use: check cache for potential bad entries.
/showclassid: Displays all class IDs allowed for adapter. Use: class IDs enable DHCP to assign properties on a client-by-client basis, using the class ID as the client identifier.
/setclassid: Sets the current class ID for adapter. Use: see /showclassid.
TABLE 3-15 netstat Command Switches (switch: function; use)

-a: Displays all connections. Use: show all connections, including server connections.
-b: Displays executable that created connection. Use: identify programs that open specific connections.
-e: Shows Ethernet statistics. Use: use with -s.
-n: Shows addresses and port numbers in numerical format. Use: use numerical rather than host.domain format.
-o: Displays owning process ID. Use: show the ID of the process that owns each connection.
-s: Shows statistics on a per-protocol basis. Use: netstat by default shows TCP, UDP, ICMP, and IP.
-p protocol: Shows connections for protocol. Use: view connections for a specific protocol.
-r: Shows contents of routing table. Use: troubleshoot routing problems.
-v: Shows components that created connection. Use: use with -b to identify programs that open specific connections.
interval: Specifies interval for update; terminate with Ctrl+C. Use: omit interval to display information a single time.
As mentioned earlier in this chapter, you can use netstat to determine the IP address of a
remote host. To do so, issue the command netstat -n. The following examples first issue
netstat with no parameters, and then use -n to derive IP addresses:
C:\>netstat

Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    bart:netbios-ssn       NOTE2KSRV:1117             ESTABLISHED
  TCP    bart:3454              ftp.BayNetworks.COM:ftp    ESTABLISHED

C:\>netstat -n

Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    192.168.0.1:139        192.168.0.2:1117           ESTABLISHED
  TCP    209.105.38.181:3454    134.177.3.22:21            ESTABLISHED
This example shows two connections: a local connection to a server named NOTE2KSRV and
another to ftp.baynetworks.com. Note that the second example displays the IP address,
rather than the host name.
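Reading netstat output by eye works for two connections; on a busy server you want the same review done programmatically, which is what the added example below does (it is not code from the book). It parses the output of netstat -an (the -a and -n switches from Table 3-15 together), then answers two questions a reviewer asks of a server: which established sessions go to addresses outside the private ranges, and which ports the host is listening on. The sample output is constructed for the example; the two public foreign addresses in it are reused from the book's own netstat and tracert samples, and the rest is invented.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed "netstat -an" output (invented for this example; the two public
# foreign addresses are taken from the samples printed in the text).
SAMPLE_NETSTAT_AN = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        192.168.0.2:1117       ESTABLISHED
  TCP    192.168.0.1:3454       134.177.3.22:21        ESTABLISHED
  TCP    192.168.0.1:3460       199.105.102.130:21     ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
"""


@dataclass
class Connection:
    proto: str
    local_ip: Optional[IPAddr]
    local_port: Optional[int]
    foreign_ip: Optional[IPAddr]
    foreign_port: Optional[int]
    state: str   # empty for UDP, which has no connection state


def _split_endpoint(endpoint: str) -> Tuple[Optional[IPAddr], Optional[int]]:
    """'192.168.0.1:139' -> (IPv4Address, 139); '[::]:135' -> (IPv6Address, 135);
    '*:*' -> (None, None)."""
    if endpoint == "*:*":
        return None, None
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), (None if port == "*" else int(port))


def parse_netstat(output: str) -> List[Connection]:
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue   # header, blank line, or the "Active Connections" title
        lip, lport = _split_endpoint(parts[1])
        fip, fport = _split_endpoint(parts[2])
        conns.append(Connection(parts[0], lip, lport, fip, fport,
                                parts[3] if len(parts) > 3 else ""))
    return conns


def _is_external(ip: IPAddr) -> bool:
    """Anything outside the private, loopback, link-local and unspecified ranges."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip.is_multicast)


def external_established(conns: List[Connection]) -> List[Connection]:
    """Established sessions whose far end is not on a private/local range: the
    ones worth accounting for when reviewing what a server is talking to."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.foreign_ip is not None
            and _is_external(c.foreign_ip)]


def listening_sockets(conns: List[Connection]) -> Set[Tuple[str, int]]:
    """(proto, port) pairs the host accepts traffic on: TCP LISTENING rows and
    every UDP row (UDP has no state; a bound socket is simply shown)."""
    return {(c.proto, c.local_port) for c in conns
            if (c.proto == "TCP" and c.state == "LISTENING")
            or (c.proto == "UDP" and c.local_port is not None)}
```

Adding -o to the netstat command and a fourth column to the parser ties each row to its owning process ID, which is the next thing you want when an unexpected external session turns up.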
hostname
Use the hostname command to derive the host name of the local computer. If no host
name is set through the DNS properties for the computer, the computer name set in the
Network Identification tab of the computer’s properties is used as the host name. Using the
hostname command is often easier than opening the properties for the connection to hunt for
the host name. There are no options for the hostname command.
tracert
Being able to determine the route used to connect to a given host is extremely useful in troubleshooting routing problems. Use tracert to trace the route used to connect to another host
and determine where, if at all, a connection is failing. For example, if you’re having problems
reaching sites on the Internet, you can use tracert to locate the problem and identify the
router where the traffic is dying.
Like ping, tracert generates ICMP packets, but the tracert command sends a series of
ICMP packets to the destination host using steadily incrementing time-to-live (TTL) values.
Each gateway decrements the TTL value by one. The first packet has a TTL of 1, so it is
decremented to 0 by the first gateway, which then sends an ICMP Time Exceeded packet back
to the originating host (your computer) along with the transit time in milliseconds. The local
host then transmits the next packet with a TTL of 2. The first gateway decrements it to 1, and
the second gateway decrements it to 0. The second gateway then sends back the ICMP Time
Exceeded packet. Subsequent packets make it one gateway, or hop, further than the previous one
before being expired. The result is a table showing the data for each packet. When the packets
stop coming back, you’ve potentially identified the problem router.
The following is a sample output from tracert (text in bold is the typed command):
C:\>tracert ftp.happypuppy.com

Tracing route to ftp.happypuppy.com [199.105.102.130]
over a maximum of 30 hops:

  1   110 ms   109 ms   125 ms  USR1RRT-TS1.DialUp.rrt.net [209.105.38.198]
  2   109 ms    94 ms   125 ms  CISCO1RRTGW-TS.DialUp.rrt.net [209.105.38.50]
  3   281 ms   110 ms    94 ms  border1-h4-0.ply.mr.net [207.229.192.1]
  4   109 ms    94 ms   110 ms  core1-A0-0-0-722.PLY.MR.Net [137.192.7.141]
  5   125 ms   109 ms   109 ms  Serial5-1-0.GW2.MSP1.ALTER.NET [157.130.98.189]
  6   109 ms   109 ms   125 ms  152.ATM3-0.XR2.CHI4.ALTER.NET [146.188.209.134]
  7   141 ms   125 ms   125 ms  194.ATM3-0.TR2.CHI4.ALTER.NET [146.188.208.230]
  8   140 ms   141 ms   125 ms  106.ATM7-0.TR2.EWR1.ALTER.NET [146.188.136.126]
  9   141 ms   125 ms   140 ms  196.ATM6-0.XR2.EWR1.ALTER.NET [146.188.176.81]
 10   172 ms   141 ms   140 ms  192.ATM9-0-0.GW3.EWR1.ALTER.NET [146.188.177.169]
 11   907 ms   953 ms   891 ms  ftp.happypuppy.com [199.105.102.130]

Trace complete.
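The text says that when the packets stop coming back you have potentially identified the problem router. The added example below (not code from the book) parses tracert output and applies that rule with the two refinements a practitioner needs: a single "*" in the middle of a trace is normal, because many routers rate-limit or filter the ICMP Time Exceeded replies while still forwarding traffic, so only a run of timeouts that lasts to the end of the trace is significant; and a large jump in round-trip time, like the step from about 140 ms to 900 ms at the last hop in the sample above, marks the slowest link even when every hop answers. Both sample traces are constructed for the example; the names and addresses in them are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed tracert output (invented for this example): the path goes silent
# from hop 4 on, and hop 3 drops one of its three probes.
SAMPLE_SILENT = """\
Tracing route to ftp.example.net [203.0.113.130]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2    10 ms     9 ms    11 ms  gw1.isp.example [198.51.100.1]
  3    12 ms     *       11 ms  core1.isp.example [198.51.100.9]
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
"""

# Constructed complete trace with one very slow link at the last hop.
SAMPLE_SLOW = """\
Tracing route to ftp.example.net [203.0.113.130]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2    10 ms     9 ms    11 ms  gw1.isp.example [198.51.100.1]
  3    14 ms    12 ms    13 ms  core1.isp.example [198.51.100.9]
  4   907 ms   953 ms   891 ms  ftp.example.net [203.0.113.130]

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
RTT_RE = re.compile(r"<?\d+ ms|\*")
NAME_RE = re.compile(r"^(.*?)\s*\[([^\]]+)\]$")   # "name [address]"


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]   # None where tracert printed "*"
    name: Optional[str]
    address: Optional[str]

    @property
    def responded(self) -> bool:
        return any(r is not None for r in self.rtts_ms)

    @property
    def best_rtt(self) -> Optional[int]:
        return min((r for r in self.rtts_ms if r is not None), default=None)


def _rtt(token: str) -> Optional[int]:
    # "<1 ms" is reported as 1, its upper bound
    return None if token == "*" else int(token.lstrip("<").split()[0])


def parse_tracert(output: str) -> List[Hop]:
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue   # "Tracing route ...", "over a maximum ...", "Trace complete."
        name = address = None
        rest = m.group(3)
        if rest != "Request timed out.":
            nm = NAME_RE.match(rest)
            name, address = (nm.group(1) or None, nm.group(2)) if nm else (None, rest)
        hops.append(Hop(int(m.group(1)), [_rtt(t) for t in RTT_RE.findall(m.group(2))],
                        name, address))
    return hops


def silent_from(hops: List[Hop]) -> Optional[int]:
    """Number of the first hop of a run of timeouts that lasts to the end of the
    trace, or None when the final hop answered. The hop just before it is the
    last router known to be forwarding; the fault is there or one hop past it."""
    if not hops or hops[-1].responded:
        return None
    i = len(hops) - 1
    while i > 0 and not hops[i - 1].responded:
        i -= 1
    return hops[i].number


def largest_rtt_jump(hops: List[Hop]) -> Optional[Hop]:
    """Hop whose best RTT grows most over the previous responding hop: the
    slowest link on the path even when every router answers."""
    best, best_delta, prev = None, 0, None
    for hop in hops:
        cur = hop.best_rtt
        if cur is not None and prev is not None and cur - prev > best_delta:
            best, best_delta = hop, cur - prev
        if cur is not None:
            prev = cur
    return best
```

Run against the silent sample, `silent_from` returns 4 and the hop before it (core1.isp.example) is where to start asking questions; against the slow sample it returns None and `largest_rtt_jump` points at the final hop.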
The following is the syntax for tracert:
Tracert [-d] [-h max_hops] [-j hostlist] [-w timeout] [-R]
[-S srcaddr] [-4] [-6] target_name
Table 3-16 describes the switches for tracert.
TABLE 3-16 tracert Command Switches (switch: function; use)

-d: Does not resolve names of interim systems. Use: simplify output.
-h max_hops: Specifies maximum hops to trace. Use: limit testing to the specified number of hops.
-w timeout: Sets time in milliseconds to wait for a reply. Use: overcome slow connections.
-j hostlist: Specifies a loose-source route along hostlist. Use: perform a trace along the specified route.
-R: Traces round-trip path. Use: IPv6 only; trace back to the source.
-S srcaddr: Specifies the source address. Use: IPv6 only; specify the source IP address.
-4: Forces IPv4. Use: force tracert to use IPv4; not necessary when specifying an IPv4 address.
-6: Forces IPv6. Use: force tracert to use IPv6; not necessary when specifying an IPv6 address.
target_name: Specifies the FQDN or IP address of the destination host. Use: specify the destination.
arp
The arp command, which stands for Address Resolution Protocol, enables you to view
the arp table on your local computer, which associates physical MAC addresses of other
computers on the local network with their IP addresses. The arp table speeds up connections
by eliminating the need to look up MAC addresses for subsequent connections. Viewing the
contents of the arp table can be useful for troubleshooting connections to specific computers on
the network.
The following are the syntaxes for the arp command:
arp -s inet_addr eth_addr [if_addr]
arp -d inet_addr [if_addr]
arp -a [inet_addr] [-N if_addr]
Table 3-17 describes the options for arp.
TABLE 3-17 arp Command Switches (switch: function; use)

-a or -g: Shows arp table data for all hosts. Use: provide a detailed view.
-d inet_addr: Removes the entry for inet_addr from the arp cache. Use: clear up a connection problem due to a bad arp cache entry.
-s inet_addr eth_addr: Adds a new arp cache entry for inet_addr pointing to eth_addr. Use: add an entry for the specified host.
-N if_addr: Displays arp entries for the interface specified by if_addr. Use: display arp entries.
route
You can use the route command to view or modify entries in the local computer’s static routing table. Static routes are used in place of implicit routes determined by the default gateway
for the computer. For example, you can add a static route to direct traffic destined for a specific
host through a gateway other than the default to improve response time, reduce costs, and so
on. The route command is also useful for troubleshooting, either for identifying incorrect static
routes or for adding temporary routes to bypass a problem gateway.
The syntax for route is as follows:
route [-f] [-p] [print|add|delete|change] [destination] [MASK
netmask] [gateway] [METRIC metric] [IF interface]
Table 3-18 explains the options for route.
TABLE 3-18 route Command Switches (switch: function; use)

-f: Clears all gateway entries from the table.
-p: Use with add to create a persistent route. Use: nonpersistent routes are lost at each boot; use -p to make the route persistent for subsequent sessions.
print: Prints a route.
add: Adds a route to the table.
delete: Deletes a route from the table.
change: Modifies an existing route.
destination: Specifies the host address.
MASK netmask: Uses the subnet mask specified by netmask. Use: if MASK isn’t used, defaults to 255.255.255.255.
gateway: Specifies the address of the gateway for the route.
METRIC metric: Specifies the metric, or cost, for the route using the value metric.
IF interface: Specifies the interface for the routing table to modify.
You can use the wildcards * and ? with the print and delete switches. As with filenames, a *
matches any number of characters, and a ? matches one character.
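How a static route "overrides" the default gateway follows from two rules the route table applies: the most specific matching prefix wins, and among routes with the same prefix the lowest metric wins. The added example below (not code from the book) parses route add lines written in the syntax shown above, applies the default of 255.255.255.255 when MASK is omitted, and performs that lookup against a small table. The table and its addresses are constructed for the example; the IF interface parameter and the print, delete and change forms are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    """A static route as the route command describes it."""
    destination: str
    netmask: str
    gateway: str
    metric: int = 1
    persistent: bool = False   # the -p flag; nonpersistent routes are lost at boot

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.destination}/{self.netmask}", strict=False)


def parse_route_add(command: str) -> Route:
    """Turn 'route [-p] add dest [MASK mask] gateway [METRIC n]' into a Route.
    Keywords are matched case-insensitively. Assumed for this example: only the
    add form is handled and IF interface is not modelled."""
    tokens = command.split()
    persistent = "-p" in tokens
    words = [t for t in tokens if t.lower() not in ("route", "-p")]
    if not words or words[0].lower() != "add":
        raise ValueError("only 'route add' is handled by this example")
    positional: List[str] = []
    netmask, metric = "255.255.255.255", 1   # MASK defaults to a host route
    i = 1
    while i < len(words):
        key = words[i].upper()
        if key == "MASK":
            netmask, i = words[i + 1], i + 2
        elif key == "METRIC":
            metric, i = int(words[i + 1]), i + 2
        else:
            positional.append(words[i])
            i += 1
    if len(positional) != 2:
        raise ValueError("expected a destination and a gateway")
    return Route(positional[0], netmask, positional[1], metric, persistent)


def select_route(table: List[Route], target: str) -> Optional[Route]:
    """Pick the route the stack would use: longest matching prefix first,
    lowest metric as the tie-breaker. None means there is no route to the host."""
    ip = ipaddress.IPv4Address(target)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# Constructed table (addresses invented for this example): two default routes,
# as on a dual-homed host, plus a network route and a host route added with
# the route command.
TABLE = [
    Route("0.0.0.0", "0.0.0.0", "192.168.0.1", metric=20),
    Route("0.0.0.0", "0.0.0.0", "192.168.0.2", metric=10),
    parse_route_add("route -p add 10.1.0.0 MASK 255.255.0.0 192.168.0.254 METRIC 5"),
    parse_route_add("route add 10.1.2.3 192.168.0.253"),   # no MASK: /32 host route
]
```

Tracing a few destinations through `select_route` shows the rules at work: 10.1.2.3 takes the host route, any other 10.1.x.x address takes the /16 static route, and everything else falls to whichever default route has the lower metric.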
nbtstat
Use the nbtstat command to display statistics for NetBIOS-over-TCP/IP (NetBT) connections.
You also can use nbtstat to purge the name cache and reload the Hosts file, which offers the
benefit of reloading the LMHOSTS file without rebooting.
The following is the syntax for nbtstat:
nbtstat [-a RemoteName] [-A RemoteAddress] [-c] [-n]
[-R] [-RR] [-r] [-S] [-s] [interval]
Table 3-19 describes the switches for nbtstat.
TABLE 3-19 nbtstat Command Switches (switch: function)

-a RemoteName: Shows the NetBIOS name table for computer RemoteName.
-A RemoteAddress: Shows the NetBIOS name table for the computer at IP address RemoteAddress.
-c: Shows contents of the NetBIOS name cache.
-n: Shows NetBIOS names for the local computer.
-R: Purges the NetBIOS name cache and reloads LMHOSTS.
-RR: Submits Name Release packets to WINS, then refreshes.
-r: Shows NetBIOS name resolution statistics.
-S: Shows current NetBIOS workstation and server sessions by IP address.
-s: Shows current NetBIOS workstation and server sessions by name.
interval: Specifies the number of seconds between subsequent displays of protocol statistics.
Legacy protocols
Microsoft has continued to support a number of legacy protocols in Windows Server. Windows
Server 2008, however, clearly puts these protocols behind the network administrator, and
you should begin to phase these out like an old OS such as Windows NT. I have left this
section in for network administrators who have legacy protocols to support. These will need
to be supported on your Windows Server 2003 machines. The following sections explain
these protocols and their properties, but I do not provide a detailed explanation of how these
protocols are structured or how they function.
NetBEUI
NetBEUI is one of two protocols that support NetBIOS, the name resolution method used by
previous Microsoft operating systems, including DOS, Windows 3.x, Windows for Workgroups,
Windows 9x, and Windows NT.
NetBEUI is useful on small networks because it is easy to install and configure. As the number
of nodes on the network increases, however, NetBEUI becomes less practical due to the amount
of network traffic it generates. In addition, NetBEUI is not routable, which limits it to local segments only.
NetBEUI can be routed if encapsulated in PPTP or L2TP for a VPN connection. This
enables you to use NetBEUI for accessing resources on remote networks, but it also
requires a TCP/IP link between the two networks.
There are no configurable properties for NetBEUI. Simply install the NetBEUI protocol on the
selected interface and ensure that all nodes using NetBEUI on the network have unique names.
IPX/SPX
Like TCP/IP, IPX/SPX is actually two protocols: Internetwork Packet eXchange and Sequenced
Packet eXchange. IPX/SPX provides connectivity for Novell NetWare servers and clients, but it
can also serve as a primary network protocol when no NetWare servers are present.
With IPX/SPX, two types of numbers are used to route traffic: the external network number and
the internal network number. The external network number is associated with the physical network adapter and network. All nodes on the network that use the same frame type (explained
shortly) must use the same external network number. You can specify an external network number manually or allow Windows Server 2008 to detect it automatically. The external network
number is a hexadecimal value between one and eight digits.
The internal network number identifies a virtual network in the computer, and programs
identify themselves as being located on this virtual network, rather than the physical network
identified by the external network number. Each virtual network appears as a separate network
to the user. By default, Windows Server 2008 assigns the value 00000000 as the internal
network number. The internal network number helps improve routing in multi-homed systems
or in a system where more than one frame type is used on a single adapter.
The following are the configuration properties for the IPX/SPX protocol:
■ Internal Network Number. This property defines the internal network number associated with the interface.
■ Auto Frame Type Detection. Select this option to allow Windows Server 2008 to automatically detect the frame type. If multiple frame types are detected in addition to 802.2,
NWLink defaults to 802.2.
■ Manual Frame Type Detection. Select this option to manually configure the frame
type or to configure multiple frame types. Specify the internal network number for each:
Choose 802.2 for NetWare 3.3 or later on Ethernet; choose 802.3 for other Ethernet configurations; choose 802.5 for Token Ring adapters.
DLC
DLC stands for Data Link Control. All network adapters have a DLC address or DLC identifier
(called a DLCI, pronounced del-see). Some protocols, including Ethernet and Token Ring, use
DLC exclusively to identify nodes on the network. Other protocols use logical addresses to identify nodes. TCP/IP, for example, uses the IP address to identify a node. However, at the lower
layers of the network, some translation still needs to take place to convert the logical address to
the DLC address. Address Resolution Protocol (ARP) performs this translation for TCP/IP.
DLC is required as a protocol only for those situations where DLC is used rather than a logical
address. For example, DLC enables Windows Server 2008 computers to connect to IBM mainframe systems and use DLC-enabled network printers.
There are no user-configurable properties for DLC.
SNMP
Simple Network Management Protocol (SNMP) provides a standardized means for managing
hosts on TCP/IP (and IPX) networks. SNMP enables hosts to communicate with one another
and is commonly used for remote monitoring and configuration. For example, you might use an
SNMP management tool to manage routers or other devices in your network, gather information
about workstations on the network, detect unauthorized attempts to reconfigure certain network
devices, and so on.
Understanding how SNMP works
SNMP functions through SNMP management systems and SNMP agents. A management system is
an application that requests information from SNMP agents and directs agents to perform certain
tasks, such as setting options on the remote device or returning configuration data. For example,
you might have a non-Windows Server 2008 router on the network that contains firmware to
enable it to function as an SNMP agent. You use a management system (SNMP-aware application) on your local workstation to manage the router, by viewing and changing the router’s
configuration and monitoring its status.
SNMP management systems send SNMP messages to agents, which respond to those messages. In
most cases, the management system requests information from a management information base, or
MIB, managed by the agent. The MIB is a set of objects that function as a database of information about the managed host. The only message an SNMP agent generates on its own is a trap,
which is an alarm-triggered event on the agent host. A system reboot on the agent host is an
example of a trap.
SNMP uses communities to provide a limited amount of security for SNMP and a means of
grouping SNMP management systems with agents. Agents respond only to management
systems in the list of communities to which they belong. The community name serves as a
password for access by the management system to the agent. Agents can belong to multiple
communities.
The SNMP service included with Windows Server 2008 enables a Windows Server 2008
computer to function as an SNMP agent to allow remote administration of the following:
■ Windows 2000/2003, Windows Server 2008
■ Windows 2000/XP/Vista
■ Windows Server 2008–based DHCP
■ Windows Server 2008–based WINS
■ Internet Information Services (IIS)
■ LAN Manager
■ Exchange 2000/2003, 2007 and later
■ SQL Server 2000, 2005, 2008 or later
Windows Server 2008 core does not include any management system software, and the SNMP
service functions only as an SNMP agent. However, there are third-party SNMP management
tools for Windows Server 2008 and related services.
Installing and configuring SNMP
You add the SNMP service through the Add Features wizard.
Also install the WMI SNMP Provider if you want to be able to manage the server
through Windows Management Instrumentation (WMI).
The following sections explain how to configure the SNMP service (set community names and
other tasks). You manage the SNMP service through the properties for the SNMP service. You
can access the service through the Services console in the Administrative Tools folder or through
the Services snap-in in the Computer Management console.
Configuring agent properties
After installing the SNMP service, you need to configure agent properties, which includes general
information such as who is responsible for managing the agent host and the types of services
with which the agent will interact on the computer.
Right-click the SNMP service in the Services console and choose Properties to open the properties for the SNMP Service, or select the service and choose Action > Properties to display the
service’s property sheet. The General, Log On, Recovery, and Dependencies pages are the same
as for other services. Click the Agent tab to configure the following agent properties:
■ Contact. Specify the name of the person responsible for managing the host computer.
■ Location. Specify the physical location of the computer or the contact’s location or other
information (phone number, extension, and so on).
■ Physical. Select this option if the agent host manages physical hardware such as hard disk
partitions.
■ Applications. Select this option if the agent uses any applications that transmit data using
the TCP/IP protocol.
■ Datalink and Subnetwork. Select this option if the agent host manages a bridge.
■ Internet. Select this option if the agent host is an Internet gateway.
■ End-to-End. Select this option if the host uses IP. This option should always be selected.
Configuring traps
Use the Traps tab of the SNMP service to configure computers to which the SNMP service sends
traps. From the Community Name drop-down list, select the community for which you want
to assign a trap destination. If you have no communities set yet, type the community name in
the combo box and click Add to List. Then, click Add to display a simple dialog box in which
you specify the host name, IP address, or IPX address of the remote computer to receive the trap
notification. Repeat the process to add other trap destinations as needed.
Configuring security
Use the Security tab of the SNMP Service’s properties to configure the communities in which the
agent participates and optionally a list of hosts from which the agent accepts SNMP packets. By
default, the agent accepts packets from all hosts. This presents a security risk, however, so take
care to configure security settings to allow SNMP traffic only from authorized hosts. The Security
page contains the following options:
■ Send Authentication Trap. Select this option to have the agent send a message to all trap
destinations if the agent receives an SNMP request from a host or community not listed in
the "Accepted community names" list or the "Accept SNMP packets from these hosts" list.
The message is sent to all hosts in the trap destination list on the Traps property page to
indicate that a remote management system failed authentication (potentially indicating an
unauthorized access attempt).
■ Accepted Community Names. Use this list and the associated buttons to modify the list
of communities in which the agent participates and the community rights for each. You
can select from the following rights:
■ None. This option prevents the agent host from processing any SNMP requests from
the specified community. For example, you might configure None for the Public
community for enhanced security.
■ Notify. Select this option to allow the agent host to send traps only to the selected
community.
■ Read Only. Use this option to allow remote consoles to view data in the local
MIB but not change it. This option prevents the agent from processing SNMP SET
requests.
■ Read Write. Use this option to allow remote consoles to make changes on the managed system. This option allows the agent to process SNMP SET requests.
■ Read Create. Use this option to allow the agent to create new entries in the SNMP
tables.
■ Accept SNMP Packets from Any Host. Select this option to allow the agent to process
requests from all hosts in the "Accepted community names" list.
■ Accept SNMP PACKETS from These Hosts. Select this option to define a specific list of
hosts from which the agent will process SNMP requests.
Translating events to traps
To trap events and enable the agent to transmit the traps to the management systems defined in
its Traps properties, you need to first translate the event to an SNMP trap. For example, to trap
a system shutdown, you need to convert the system event 513 to an SNMP trap.
Windows Server 2008 provides two utilities you can use to translate local events to SNMP
traps. The first, evntcmd.exe, is a command-line utility you can integrate in batch files or use
dynamically from a command console. For a description of command switches for evntcmd,
issue the evntcmd /? command at a console prompt. The other tool, evntwin.exe, provides a
graphical user interface for translating events to traps. Click Start > Run and enter evntwin to
run the Event to Trap Translator.
To translate a trap, select the Custom option and click Edit to expand the dialog box to include
the Event Sources and Events lists (see Figure 3-9). Search through the Event Sources list to
find the source of the event you want to trap (such as Security for system shutdown, startup,
logon, and so on). In the Events list, locate and select the event you want to trap, and then click
Add. Windows Server 2008 displays the Properties dialog box, which contains the following two
options:
■ If Event Count Reaches. Specify how many times the event can occur before a trap is
generated.
■ Within the Time Interval. Specify an optional time interval in which the number of
events specified by the previous option must occur to generate a trap.
After you specify the properties for the trap, click OK to add it to the list. Repeat the process for
any other events you need to trap.
Setting general properties
You can configure a handful of settings in the Event to Trap Translator to limit trap length and
throttle the number of traps transmitted by the agent. With the Event to Trap Translator program open, click Settings to display the Settings dialog box. Configure the following options as
needed:
■ Limit Trap Length. Select this option to limit the length of data sent with the trap to the
number of bytes specified by the following option.
■ Trap Length n Bytes. Set the size in bytes for the trap. Any additional data is truncated if
the trap exceeds the specified length.
■ Trim Insertion Strings First. Trim insertion strings from the trap data before truncating
the data when the trap exceeds the specified length.
■ Trim Formatted Message First. Trim formatted message text from the trap data before
truncating the data when the trap exceeds the specified length.
■ Apply Throttle. Select this option to limit the number of traps that can be sent in a given
period of time.
■ Don’t Apply Throttle. Setting this allows an unlimited number of traps to be transmitted.
■ Number of Traps. Set the maximum number of traps allowed in the given time frame
when throttling is turned on.
■ Interval of Time (Seconds). Set the interval, in seconds, that the specified number of
traps can be transmitted before throttling takes effect.
FIGURE 3-9
The Event to Trap Translator, expanded to show event sources.
Exporting the trap list
After you’ve taken the time to weed through the Events list and create traps for a number
of events, you probably will want to archive the data in case you experience a problem with
the Event to Trap Translator or the system and need to reconfigure the traps. You might also
want to configure the same traps on several other systems without having to reconfigure them
manually. The solution in both situations is to export the trap list. After you have the traps
configured as needed, click Export in the Event to Trap Translator. Windows Server 2008
prompts you for a filename. Save the file in an appropriate archive location or where you can
access it from the other workstations. The file automatically receives a .cnf file extension.
Use the evntcmd command to load the Events list into the system. For example, the following
command will load the file events.cnf from a network share into the local computer:
evntcmd \\srv2\config\events.cnf
Use the following command to load the file from a local file named netevents.cnf to a
remote system named work23:
evntcmd /s work23 c:\snmp-stuff\netevents.cnf
When configuring traps on a remote computer, the SNMP service need not be running on the
local computer. You will, however, have to copy the evntcmd.exe application to the local computer, because it is not installed by default (it installs with the SNMP service).
Windows Firewall Configuration
and Management
This section explores Windows Firewall and explains how to configure and manage it.
Overview of Windows Firewall changes
Windows Firewall in Windows Server 2008 is secure by default yet designed to stay out of the way of server performance. Its principal characteristics are the following:
■ On by default. Windows Firewall is enabled for all network interfaces by default.
■ Boot-time security. Windows Firewall incorporates a selection of boot-time filters that
restrict the traffic that can reach the computer while it is booting and until the system
loads and initializes the network drivers and run-time firewall. Traffic is restricted to
only those ports required to boot the system, such as DNS, DHCP, and application of
Group Policy. Boot-time security is controlled with the run-time firewall; if you disable
the run-time firewall, the boot-time firewall is also disabled.
■ Global configuration. To simplify firewall configuration, Windows Firewall by default
uses the same configuration for all network interfaces. You can then modify settings for
individual interfaces as needed.
■ Local subnet restriction. Windows Firewall includes the capability to restrict incoming
traffic to one of three sources:
■ My network (subnet) only. Allow traffic from sources in the same subnet as the
server.
■ Any computer (including those on the Internet). Allow traffic from any source.
■ Custom list. Allow traffic from a list of individual computers or subnets, or a range
of IP addresses you specify.
■ On with No Exceptions Mode. This mode ignores any preconfigured exceptions and
drops all unsolicited traffic, making it easy to temporarily lock down the interface without
reconfiguring ports or application exceptions.
■ Windows Firewall Exceptions Lists. You can configure specific application exceptions
to allow those applications to receive incoming traffic through ports that are blocked for
all other applications. The benefit is that Windows, rather than the application, controls
the port and can close it if the application hangs.
■ Multiple Profiles. You can configure different firewall profiles for different situations.
This feature is primarily targeted at client systems, but it can be useful for servers in
troubleshooting situations.
■ RPC Support. The Internet Connection Firewall (ICF) of earlier Windows versions did not support RPC traffic, which is required for several common
services such as file and printer sharing and remote administration. With Windows Firewall in place, an application can request that Windows Firewall open the necessary ports
as long as the application is running in the Local System, Network Service, or Local Service security context. You can also place the RPC application on the exceptions list to
enable it to accept incoming traffic on dynamic ports.
■ Restore Defaults and Unattended Setup. You can easily restore the default firewall
settings, as well as modify what Windows Firewall maintains as its default settings.
In addition, you can specify a custom firewall configuration for unattended Windows
Server setup.
■ Group policy support. Windows Firewall can be fully configured and managed with
Group Policy settings.
■ Multicast and broadcast traffic. Windows Firewall will allow a unicast response for
three seconds on the same port from which multicast or broadcast traffic came. This
feature makes it possible for applications and services to alter firewall policy to accommodate client-server scenarios that use multicast and broadcast traffic, without unduly
exposing ports.
■ IPv4 and IPv6 support. Windows Firewall supports unified configuration for both IPv4
and IPv6 traffic, eliminating the need to configure firewall settings separately for each
protocol.
Configuring Windows Firewall
To configure Windows Firewall on a server through a GUI, open the Windows Firewall applet
in the Control Panel. If the Windows Firewall/Internet Connection Sharing (ICS) service is
not running, the applet asks if you want to start the service. Figure 3-10 shows the Windows
Firewall property sheet.
FIGURE 3-10
The Windows Firewall configuration interface.
Turning on the firewall is as easy as clicking On and then clicking OK. However, you’ll likely
want to configure exceptions and set advanced settings. To configure exceptions to allow specific
applications or ports, click the Exceptions tab, shown in Figure 3-11.
As Figure 3-11 indicates, Windows Firewall includes a small selection of exceptions by default.
These include File and Printer Sharing, Remote Desktop, and UPnP Framework. However, none
of these exceptions is enabled by default. To enable one, place a check beside its entry.
To add a program exception, click Add Program. Windows Firewall displays an Add a Program
dialog box in which you select the application’s executable. If adding a port, click the Add Port
button instead, which displays the Add a Port dialog box, in which you specify a name and the
port number (see Figure 3-12).
FIGURE 3-11
Add application or port exceptions on the Exceptions tab.
FIGURE 3-12
Use the Add a Port dialog box to open a port in the firewall.
When adding an application or port exception, you must specify the scope for the exception.
The scope determines the source traffic to which the exception will be applied. To set the scope,
click the Change Scope button on the Add an Application or Add a Port dialog box. Figure 3-13
shows the resulting Change Scope dialog box.
FIGURE 3-13
Specify rule scope with the Change Scope dialog box.
As mentioned previously in this chapter, you can specify that the rule apply to all sources, to
only addresses on the local subnet, or to a custom list of addresses, hosts, or IP ranges.
The Exceptions tab includes an option labeled ‘‘Notify me when Windows Firewall
blocks a new program.’’ Enable this option if you want the firewall to notify
you when an application attempts to listen on ports for which it has not been designated an
exception.
You can also configure a selection of advanced options for the firewall. To do so, click the
Advanced tab (see Figure 3-14). The network interfaces installed on the computer appear
in the Network connection list. You can enable or disable Windows Firewall for a specific
interface — just select or deselect the checkbox beside the interface name.
The final group on the Advanced tab, Default Settings, enables you to quickly restore Windows
Firewall to its default settings. Just click Restore Defaults to do so.
FIGURE 3-14
Configure additional settings on the Advanced tab.
Managing Windows Firewall with Group Policy
In a well-managed network, it’s likely that you will want to manage Windows Firewall settings
using Group Policy. Windows Server 2008 adds several Group Policy settings to the Computer
Configuration\Administrative Templates\Network\Network Connections\Windows Firewall
Group Policy branch. This branch contains two sub-branches, Domain Profile and Standard
Profile (see Chapter 24). The settings control Windows Firewall in domain and nondomain
environments, respectively.
Managing Windows Firewall from a console
In many situations, you’ll find it useful to be able to manage Windows Firewall settings from a
console, whether for a local or remote server. The netsh console command also allows Windows Firewall configuration. The commands available in netsh for firewall management include
the following:
■ Add. Add programs or ports to the exceptions list and specify scope for the new rule.
■ Delete. Remove programs or ports from the exceptions list.
■ Dump. Dump the current configuration to a script.
■ Reset. Reset Windows Firewall to its default settings.
■ Set. Configure individual Windows Firewall settings (allow programs and ports, ICMP
configuration, and so on).
■ Show. Show the current firewall configuration.
To manage Windows Firewall with netsh, open a command console and execute the netsh
command. Then, execute the firewall command in the netsh interface to enter firewall management mode. For help with specific commands, type a command followed by the ? character.
Note that the firewall context is retained for compatibility with scripts written for Windows Server 2003 and Windows XP; on Windows Server 2008 the advfirewall context exposes the full rule set of Windows Firewall with Advanced Security, described next, and is the one to use for new scripts.
Windows Firewall with Advanced Security
Windows Server 2008 ships with an advanced security version of the firewall. Called Windows
Firewall with Advanced Security, it resembles a traditional firewall configuration utility in the style of ISA
Server. To open this console, double-click the option in Administrative Tools or Server Manager
(under Configuration). The console that loads is shown in Figure 3-15.
FIGURE 3-15
Windows Firewall with Advanced Security console.
The console lets you set inbound and outbound filtering rules as well as connection security
rules. Rules can be set for applications, ports, various predefined services, and custom settings.
The Ports option, for example, lets you filter according to the protocol (UDP or TCP) and the
ports being targeted. Figure 3-16 demonstrates setting up a new Protocol/Port rule.
FIGURE 3-16
Creating a new Protocol and Ports rule.
ICMP and Security Logging settings are now managed from the Windows Firewall with
Advanced Security console. Security Logging enables you to configure logging options for Windows Firewall. Click the Customize button to open the Log Settings dialog box, where you can
specify which events are logged (dropped packets, successful connections, or both), the location of the log file, and the maximum size of the file.
ICMP options are now enabled by creating inbound and outbound rules that use the ICMPv4 or
ICMPv6 protocol.
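The console procedure above run end to end from PowerShell, as an added example that is not code from the book: it turns the firewall on for every profile, adds a port exception scoped to a management subnet (with the unscoped form shown commented out for contrast), enables the drop logging the WFAS console calls Security Logging, adds an ICMPv4 rule, and exports the policy. The subnet 10.0.5.0/24, the log path and the rule names are placeholders; the advfirewall context is used rather than the legacy firewall context because it exposes the full WFAS rule set.

```powershell
# Added example (not from the book): enable the firewall, add a scoped port exception,
# turn on drop logging, add an ICMP rule, and export the policy, all through netsh.
# Assumptions: run elevated; 3389 (Remote Desktop), the log path, and the management
# subnet 10.0.5.0/24 are placeholders for your own values.

function Invoke-Netsh {
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $out" }
    $out
}

# 1. Firewall on for every profile; inbound blocked unless a rule allows it.
Invoke-Netsh 'advfirewall','set','allprofiles','state','on'
Invoke-Netsh 'advfirewall','set','allprofiles','firewallpolicy','blockinbound,allowoutbound'

# 2. Weak form, deliberately left commented out: the exception is reachable from any source.
#    Invoke-Netsh 'advfirewall','firewall','add','rule','name=RDP (any)','dir=in',
#                 'action=allow','protocol=TCP','localport=3389'
#    Legacy-context equivalent of the hardened rule, for older scripts:
#    netsh firewall add portopening protocol=TCP port=3389 name=RDP mode=ENABLE scope=SUBNET
# Hardened form: same port, but only the management subnet may reach it.
Invoke-Netsh 'advfirewall','firewall','add','rule','name=RDP (mgmt only)','dir=in',
    'action=allow','protocol=TCP','localport=3389','remoteip=10.0.5.0/24'

# 3. Security Logging, the setting the WFAS console exposes under Customize.
$log = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
Invoke-Netsh 'advfirewall','set','allprofiles','logging','filename',$log
Invoke-Netsh 'advfirewall','set','allprofiles','logging','maxfilesize','4096'
Invoke-Netsh 'advfirewall','set','allprofiles','logging','droppedconnections','enable'

# 4. ICMP is just another protocol rule in WFAS: echo request (type 8), subnet only.
Invoke-Netsh 'advfirewall','firewall','add','rule','name=ICMPv4 echo (mgmt only)','dir=in',
    'action=allow','protocol=icmpv4:8,any','remoteip=10.0.5.0/24'

# 5. Review the rule you built, then archive the whole policy (.wfw import/export format).
Invoke-Netsh 'advfirewall','firewall','show','rule','name=RDP (mgmt only)'
Invoke-Netsh 'advfirewall','export',(Join-Path $env:TEMP 'server-fw.wfw')
```

The exported .wfw file is the console equivalent of the Export Policy command in the WFAS console and can be restored with netsh advfirewall import, which makes it a convenient way to carry a reviewed rule set to other servers or to recover after a Restore Defaults.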
Summary
The Transmission Control Protocol/Internet Protocol (TCP/IP) is the protocol of choice for
many networks, partly because of the proliferation of the Internet, but also for the flexibility
the protocol offers. TCP/IP is a complex protocol, however, so you need to address several
issues when you configure a network for TCP/IP. Once you understand addressing and
subnet issues, you need to decide how systems will receive their IP addresses (statically or
dynamically) and assignments for name servers, gateways, and so on. You can use DHCP to
automatically configure TCP/IP settings for clients on the network, which simplifies administration and helps protect against address conflicts from statically assigned addresses (see
Chapter 4). You can have local clients retrieve IP address leases from an external network
through a DHCP relay agent. A Windows Server 2008 server running RRAS can function as a
DHCP relay agent. RRAS is covered in Chapter 6.
Although its use is still currently rather limited, IPv6 will continue to gain adoption as
companies realize the benefits offered by IPv6. (The 6bone, the original IPv6 test network,
was phased out in 2006 under RFC 3701, so production deployments no longer depend on it.)
Several tools included with Windows Server 2008 will help you troubleshoot TCP/IP connections. The ping command, for example, is one of the most useful tools for checking basic
TCP/IP connectivity. Other tools enable you to trace network routes, view IP configurations,
view routing tables, and perform other troubleshooting tasks.
One final topic covered in this chapter is SNMP, or Simple Network Management Protocol.
Windows Server 2008 includes an SNMP agent that enables the computer to respond to SNMP
requests from local and remote management services. You can configure a Windows Server
2008 server to generate traps for specific events and have those traps transmitted to specific
management services for monitoring and administration purposes.
DHCP
This chapter covers configuring and managing a Windows Server–based Dynamic Host
Configuration Protocol (DHCP) server and DHCP clients.
IN THIS CHAPTER
Understanding DHCP
The Windows Server 2008 DHCP server
Overview of DHCP
Installing and configuring the DHCP server
Defining and implementing user and vendor classes
Creating and using superscopes
Creating multicast scopes
Configuring global DHCP server properties
Managing the DHCP database
Configuring Windows DHCP clients
The TCP/IP protocol, which is required for Internet connectivity and has
become the protocol of choice for most intranets, requires that each node
on the network have a unique IP address. This includes any individual
network object, such as a server, workstation, printer, or router. You can
assign IP addresses to network nodes either statically or dynamically. With
a statically assigned address, you specify a fixed address for a given node,
and that address never changes unless you manually change it. Static
assignment is the option used when the network node must always have
the same IP address. Web and FTP servers or devices such as printers that
don’t support anything other than static assignments are prime examples of
devices with statically assigned addresses.
You also can assign IP addresses dynamically through the Dynamic Host
Configuration Protocol (DHCP). DHCP enables network nodes to take
IP address assignments from a DHCP server automatically at startup.
Although dynamic assignment means that IP addresses for network nodes
can (and do) sometimes change each time the node is restarted, that
poses a problem only when a computer needs the same IP address for
every session. In all other situations, including for most workstations and
many servers, dynamic assignment enables you to manage a pool of
IP addresses more effectively to prevent address conflicts. DHCP also enables you to allocate a
smaller number of IP addresses than the number of computers using them, provided the maximum number of live nodes at any given time doesn’t exceed the number of available addresses.
An example would be when you’re using a server to provide dial-up access for multiple users.
You might allocate 20 IP addresses to accommodate 50 dial-in users. Each user would receive a
unique IP address assignment from the DHCP server at connection time, to a maximum of 20
concurrent connections.
Perhaps the most important benefit of DHCP is in the area of administration. DHCP makes it
much easier to manage the IP address configuration of clients because you can effect all changes
from a central server, rather than require changes on individual clients. The more computers
on the network, the greater the advantage DHCP brings to address management. Rather than
manually reconfigure network settings at several hundred (or more) workstations when a
network change occurs, you can simply change the settings at the server, either pushing the
changes transparently to the user or allowing the changes to take place when the clients restart.
The Windows Server DHCP Service
Windows Server 2008 includes a built-in DHCP service that offers excellent functionality for
allocating and managing addresses. The DHCP Server service is built on industry standards
(Request for Comments, or RFCs) defined by the Internet Engineering Task Force (IETF). This
adherence to standards ensures that the DHCP service will accommodate not only Windows
clients, but also other clients, including Unix, Macintosh, and so on.
As with other services, you manage DHCP on a Windows Server through the Microsoft Management Console (MMC). The DHCP service console snap-in enables you to create DHCP scopes
(a range of addresses and corresponding properties), assign global properties, view current
assignments, and perform all other DHCP administration tasks.
In addition to supporting the IETF standards, the Windows Server 2008 DHCP service extends
the functionality of standard DHCP to include logging, monitoring, and other features that
integrate DHCP with the Windows Server 2008 operating system. In addition to the many
powerful features added to previous versions of the operating system that improve DHCP’s
usefulness, administration, and integration with other services, such as DNS, Windows Server
2008 includes Dynamic Host Configuration Protocol for IPv6 (DHCPv6) support. This and other
features are discussed in the following sections.
Support for dynamic DNS
DHCP provides for dynamic address assignment and can therefore make it difficult to maintain
accurate name-to-address mapping in DNS servers. As soon as a node changes its address,
records in the DNS database become invalid. Windows Server 2008 DHCP integrates with
DNS by enabling the DHCP server and clients to request updates to the DNS database when
addresses or host names change. This capability enables the DNS database to remain up-to-date
even for clients with dynamically assigned IP addresses.
Dynamic DNS (DDNS) functions through a client-server mechanism. Windows Server and
Windows XP/Vista DHCP clients support DDNS, and they can directly request that a Windows
Server 2008 DNS server update their host resource records (also called A records) when the
clients’ IP addresses or host names change. A Windows Server 2008 DHCP server can also submit
requests on behalf of clients. By default the client updates its own host (A) record and the DHCP
server updates the corresponding pointer (PTR) record, but the DHCP server can be configured to
update both records on the client’s behalf. Host records are used for host-to-address mapping, and
pointer records are used for reverse lookup.
A Windows Server 2008 DHCP server also can act as a proxy for non-Windows 2000/XP/Vista
DHCP clients to perform dynamic DNS updates. For example, a Windows Server 2008 DHCP
server can perform updates for Windows 95/98 and Windows NT clients, which do not natively
support dynamic DNS and are unable to submit requests to either the DHCP server or the DNS
server to update their resource records. Figure 4-1 illustrates how DHCP and DNS interact.
FIGURE 4-1
DHCP supports automatic updates to DNS when host name or IP address changes occur.
[Figure: a Windows XP/Vista client sends its own request to update its A and PTR records; a Windows 95/98 client sends no update requests; the Windows 2008 DHCP server requests updates on behalf of both the Windows XP and the Windows 95/98 clients, and the Windows 2008 DNS server updates the A record.]
See the section ‘‘Configuring Windows DHCP Clients,’’ later in this chapter for an
explanation of how to configure clients to use DDNS.
Vendor and user classes
Vendor classes enable you to define a set of DHCP settings for a specific equipment vendor
and apply those settings to any node falling into that class. User classes enable you to do much
the same thing, defining DHCP settings to apply to a specific group of nodes. Vendor and user
classes offer enhanced flexibility in assigning custom settings to individual nodes or groups of
nodes without affecting others on the same network. Through a vendor or user class, a node
can request a custom set of DHCP settings to suit its configuration. For example, you might
assign shorter lease durations to notebook PCs because they leave the network more frequently.
You define a user class called Notebook and assign to it a shorter lease period; the client, which
presents the user class to the server, receives the shorter lease based on that user class.
Multicast address allocation
Multicast addresses enable IP traffic to be delivered to a group of nodes. They are most
commonly used in audio or video conferencing. A standard IP address is also known as a unicast
address because traffic sent to it is delivered to a single node. A multicast address (an IPv4 address
in the 224.0.0.0/4 range, formerly called class D) enables you to send the same data packets to a
group of computers with a single transmission, rather than sending a separate copy to each
unicast address. The use of multicasting enables a group of computers to receive the same data
without duplicating the packets, thereby reducing packet traffic.
Unauthorized DHCP server detection
Unauthorized DHCP servers can cause real problems in a network by allocating incorrect or
conflicting configuration information to clients. For example, an administrator or power user
might install and start a DHCP server, unaware that one or more DHCP servers already exist on
the network.
The Active Directory (AD) stores a list of authorized DHCP servers. When a Windows Server
2008 DHCP server in a domain starts, it attempts to determine whether it is listed as an authorized server in the AD. If it is unable to connect to the AD or does not find itself listed in the
AD as an authorized server, it assumes it is unauthorized and the service does not accept DHCP
client requests. If the server does find itself in the AD, it begins processing client requests.
Workgroup DHCP servers (standalone servers not belonging to a domain) behave somewhat
differently. When a workgroup DHCP server starts, it broadcasts a DHCPINFORM message. Any
domain-based DHCP servers on the network respond with DHCPACK and provide the name
of the directory domain of which they are a part. If the workgroup DHCP server receives any
DHCPACK messages from domain DHCP servers, the workgroup server assumes it isn’t authorized
and does not service client requests. If a workgroup DHCP server detects no other servers or
detects only other workgroup DHCP servers, it begins processing client requests. Therefore,
workgroup DHCP servers will not operate on a network where domain-based DHCP servers are
active, but they can coexist with other workgroup DHCP servers. Keep in mind that this check is
enforced by the Windows DHCP Server service itself; a non-Windows DHCP server or a
misconfigured device is not affected by it, so authorization guards against accidental servers
rather than against a deliberate rogue.
Automatic client configuration
Windows 2000 and later DHCP clients (including XP and Vista) attempt to locate a DHCP server at startup and
renew any unexpired leases (a lease is an IP address and the associated data allocated from a
DHCP server). If no DHCP server is found, the client pings the default gateway defined by the
lease. If the ping succeeds, the client continues to use the lease and automatically attempts to
renew the lease when half the lease time expires.
If the client is unable to locate a DHCP server and pinging the default gateway fails, the
client assumes that it is on a network without DHCP services, automatically assigns itself an
IP address (Automatic Private IP Addressing, or APIPA), and continues checking for a DHCP
server every five minutes. The client assigns itself an address in the link-local subnet
169.254.0.0/16 (subnet mask 255.255.0.0, reserved for this purpose by RFC 3927), but prior
to assigning, the client tests to confirm that the address doesn’t conflict with other nodes.
An APIPA address carries no default gateway or DNS server, so such a client can reach only
other nodes on the same link.
Automatic address assignment is a useful feature, particularly for small peer networks, such as a
home network, without a DHCP server. It enables users to move between networks with relative
ease, and eliminates the need to reconfigure their systems. For example, a user can move his or
her notebook from the office to home and have a valid address within the current network without having to reconfigure TCP/IP each time.
Monitoring and reporting
The DHCP service performs its own monitoring, and logs events to the System log, which you
can view with the Event Viewer console. DHCP also provides additional monitoring and statistical reporting. For example, you can configure DHCP to generate alerts when the percentage of
available addresses in a given scope drops below a specified level.
Installing and Configuring
the DHCP Server
The process of installing DHCP is relatively simple. Configuring a server and putting it into
service is much more complex, however, particularly if you are new to DHCP. The following
sections explain how to install the DHCP service and configure global and scope-specific
settings.
Installing DHCP
As with other services, you add DHCP through the Add Roles wizard, which you can access
through Server Manager or the Initial Configuration Tasks application. Select the DHCP Server
role and click Next. Then follow the prompts to complete the software
installation. After the software is installed, you can begin configuring and using DHCP without
restarting the server. (See Chapter 2 for information about using Server Manager and the Add
Roles wizard.) While installing DHCP Server you will be able to add DHCPv6 features as well.
You should configure a DHCP server with a static IP address prior to adding the
DHCP service.
Using the DHCP console
Windows Server 2008 provides an MMC console to enable you to manage DHCP servers both
locally and on remote computers (see Figure 4-2). You can perform all DHCP administrative
functions through the DHCP console. To open the DHCP console, choose Start, All Programs,
Administrative Tools, DHCP.
FIGURE 4-2
The DHCP console.
By default, the DHCP console connects to the local DHCP server, showing the server’s IP
address in the left pane. You can use the console to manage DHCP servers both locally and
remotely. To connect to a different server, right-click the DHCP node (the topmost node) in the
left pane and choose Add Server. Type the name or IP address of the server you want to manage
and click OK. DHCP adds the server to the list.
Like most MMC consoles, DHCP functions as a two-pane console, with the tree pane on the left
and the contents pane on the right.
Creating scopes
A DHCP scope is a set of properties that define a range of IP addresses and related settings, such
as DNS servers, default gateways, and other information that the client needs to obtain from the
DHCP server. Before you can begin using DHCP to assign addresses, you need to create at least
one scope. Scopes can be active or inactive, so you also need to make the scope active before
the server can allocate addresses from the scope to clients. This chapter assumes you are going
to fully define the scope before activating it.
DHCP provides a New Scope wizard to take you through the process of creating a scope. To do
so, right-click the IPv4 or IPv6 node under the server in the tree and choose New Scope. Alternatively, select the node and choose Action, New Scope. Click Next, and the wizard prompts
you for the following information:
■ Name. This is the friendly name that appears in the DHCP console for the scope. An
example might be ‘‘Miami Office scope.’’
■ Description. This optional description appears on the scope’s General property page
(right-click the scope and choose Properties to view). Assign a description to help you
recognize the purpose of the scope. For example, you might use the address range in the
description.
■ Start IP Address. Specify the beginning address of the range of IP addresses you want to
assign to the scope using dotted octet format.
■ End IP Address. Specify the ending address of the range of IP addresses you want to
assign to the scope using dotted octet format.
■ Length or Subnet Mask. You can specify the subnet mask for the address range using
either the address length or subnet mask in dotted octet format.
■ Exclusions, Start IP Address and End IP Address. Use this page to specify one
or more ranges of addresses to be excluded from the scope. Addresses in an excluded
range are not used by DHCP or allocated to clients. If the addresses you want to exclude
fall outside of the address range defined for the scope, you don’t have to explicitly
define an exclusion. For example, assume you create a scope with the included range
192.168.0.100 through 192.168.0.254. You do not have to create an exclusion for
192.168.0.1 through 192.168.0.99, which are implicitly excluded. Using this same
example, however, you would need to create an exclusion if you wanted to prevent the
address range 192.168.0.150 through 192.168.0.160 from being allocated to clients. If
you choose an exclusion range, it must fall within the scope created on the previous page.
■ Lease Duration. This property defines the length of time an IP address assignment is
valid and is applicable to all clients unless modified by a user or vendor class assignment
(in effect, it is the default lease period). When the lease duration expires, the client must
request a renewal of the address. Failing that (because the address might already have
been reassigned while the client was offline, for example), the client must request a new
address lease. The default is eight days. See the section ‘‘Defining and Implementing User
and Vendor Classes’’ later in this chapter for additional information.
■ Configure Other Options. The wizard gives you the option of configuring the default
gateway and DNS server properties to assign to the scope. See the section ‘‘Setting General
Scope Options’’ later in this chapter for more information.
■ Activate the Scope. Although you can activate the scope immediately after creating it,
you should make sure you’ve fully defined all required scope properties prior to activation
in order to ensure that clients receive all necessary DHCP properties. You can activate the
scope later after fully defining it.
155
Page 155
4
Shapiro c04.tex
Part I
V2 - 06/12/2008
4:12pm
Core, Configuration, Networking, and Communication Services
After you create a scope, it shows up in the DHCP console as a branch under the server’s node
in the tree pane, as shown in Figure 4-2. You’ll see multiple scope branches when the server
hosts more than one scope. Each scope branch includes the following objects:
■ Address Pool. This branch lists the included address pool for the scope along with
any exclusion ranges. Each scope has only one inclusion range, but it can contain multiple
exclusion ranges.
■ Address Leases. This branch lists current client address leases, including the IP address,
name, and lease expiration.
■ Reservations. This branch lists address reservations, which tie specific IP addresses
to specific network adapters, identified by MAC address (the adapter’s physical hardware
address), rather than to users or computer names. See the section ‘‘Creating Reservations’’
later in this chapter for more information.
■ Scope Options. This branch lists additional properties passed to clients when they
receive address leases from this scope. Typical properties include default router, DNS
server assignments, time server, and time offset. The following section explains how to
configure these settings.
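The allocation rules just described (one inclusion range per scope, exclusions that must sit inside it, implicit exclusion of everything outside it, MAC-keyed reservations that are covered under ‘‘Creating Reservations’’ later in this chapter, and leases that a client must renew before they expire) are small enough to model end to end. The following Python script is an example added to this chapter; it is not code from the book or from the Windows DHCP service. The 192.168.0.x scope and the 150–160 exclusion mirror the text, while the MAC addresses, the reserved address and the clock values passed as now are constructed.

```python
"""Model of one Windows DHCP scope: inclusion range, exclusions, MAC-keyed
reservations and timed leases. Added example, not the book's or Windows' code."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Lease:
    mac: str
    ip: IPv4Address
    expires: float            # seconds on whatever clock the caller passes as "now"


@dataclass
class Scope:
    start: IPv4Address        # the scope's single inclusion range
    end: IPv4Address
    lease_seconds: int = 8 * 24 * 3600                                   # console default: eight days
    exclusions: list[tuple[IPv4Address, IPv4Address]] = field(default_factory=list)
    reservations: dict[str, IPv4Address] = field(default_factory=dict)   # MAC -> fixed address
    leases: dict[str, Lease] = field(default_factory=dict)               # MAC -> current lease

    def __post_init__(self):
        self.start, self.end = IPv4Address(self.start), IPv4Address(self.end)
        if self.start > self.end:
            raise ValueError("start must not exceed end")

    def exclude(self, first: str, last: str) -> None:
        """Addresses outside the range are implicitly excluded, so the console only
        accepts exclusions that lie inside it; mirror that check."""
        lo, hi = IPv4Address(first), IPv4Address(last)
        if lo > hi or lo < self.start or hi > self.end:
            raise ValueError("exclusion must fall within the scope's range")
        self.exclusions.append((lo, hi))

    def reserve(self, mac: str, ip: str) -> None:
        """Tie an address to a MAC; that address is never leased to anyone else."""
        addr = IPv4Address(ip)
        if not self.start <= addr <= self.end:
            raise ValueError("reservation must fall within the scope's range")
        self.reservations[mac.lower()] = addr

    def _poolable(self, ip: IPv4Address) -> bool:
        if any(lo <= ip <= hi for lo, hi in self.exclusions):
            return False
        return ip not in self.reservations.values()

    def free_addresses(self, now: float) -> list[IPv4Address]:
        """Pool addresses neither excluded, reserved, nor held by an unexpired lease."""
        held = {lease.ip for lease in self.leases.values() if lease.expires > now}
        ip, free = self.start, []
        while ip <= self.end:
            if self._poolable(ip) and ip not in held:
                free.append(ip)
            ip += 1
        return free

    def request(self, mac: str, now: float) -> Lease:
        """A reservation always wins; an unexpired lease is renewed in place; an
        expired or unknown client gets its old address back only if nobody else
        took it meanwhile, otherwise the lowest free address."""
        mac = mac.lower()
        if mac in self.reservations:
            lease = Lease(mac, self.reservations[mac], now + self.lease_seconds)
        elif mac in self.leases and self.leases[mac].expires > now:
            lease = self.leases[mac]
            lease.expires = now + self.lease_seconds
        else:
            free = self.free_addresses(now)
            if not free:
                raise RuntimeError("scope exhausted: no free address")
            old = self.leases.get(mac)
            ip = old.ip if old and old.ip in free else free[0]
            lease = Lease(mac, ip, now + self.lease_seconds)
        self.leases[mac] = lease
        return lease


if __name__ == "__main__":
    scope = Scope("192.168.0.100", "192.168.0.254")
    scope.exclude("192.168.0.150", "192.168.0.160")
    scope.reserve("00-11-22-33-44-55", "192.168.0.120")     # constructed printer MAC
    for mac in ("aa-aa-aa-aa-aa-01", "aa-aa-aa-aa-aa-02", "00-11-22-33-44-55"):
        print(mac, "->", scope.request(mac, now=0).ip)
    print("free addresses left:", len(scope.free_addresses(0)))
```

Run it and the two unreserved clients receive .100 and .101, the reserved MAC receives .120, and 141 addresses remain (155 in the range, less 11 excluded, one reserved and two leased). The renewal path is the one worth studying: a client that comes back after its lease expired is not guaranteed its old address, which is exactly why the text says it must request a new lease rather than assume the old one.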
Setting general scope options
You can specify a wide range of scope properties in addition to those discussed so far. These
properties are given to clients when they receive a lease from the server. For example, the
scope’s properties can assign the default gateway and DNS servers the client should use, a time
server for synchronizing the client’s internal clock with the network or server, and many other
properties. In most situations, you will need to configure only the default gateway and DNS
servers, although some situations might warrant configuring other properties as well.
To configure general scope options, open the DHCP console and then open the scope whose
properties you want to modify. Right-click Scope Options and choose Configure Options to display the Scope Options property sheet, shown in Figure 4-3.
The General tab enables you to configure properties that apply to all clients receiving address
leases through the scope. You select an item by clicking it, and then you specify the value(s) for
the item in the lower half of the property sheet. Enable or disable properties by selecting or deselecting their checkboxes in the list. Set the value for each one and then click OK.
The Advanced tab, shown in Figure 4-4, enables you to configure global properties for specific
vendor and user classes. The default vendor classes are as follows:
■ DHCP Standard Options. These are the same options that appear on the General tab by
default and apply to all client connections for which no vendor or user class is specified.
■ Microsoft Options. These options define Microsoft-specific DHCP properties for
Microsoft clients.
■ Microsoft Windows 2000 Options. These options define Microsoft Windows
2000/XP/Vista–specific properties for Windows 2000 and Windows XP/Vista clients.
■ Microsoft Windows 98 Options. This selection can be used to define Windows
98–specific options, although by default none are defined.
FIGURE 4-3
The Scope Options property sheet.
FIGURE 4-4
The Advanced tab.
By default, three user classes are defined:
■ Default BOOTP Class. These properties apply to clients that receive a lease via BOOTP
(the Bootstrap Protocol, the predecessor of DHCP). BOOTP lets a client retrieve a valid
address together with the location of a boot image, which enables the computer to boot;
it is typically used to boot diskless workstations.
■ Default Routing and Remote Access Class. These properties apply to clients that
receive a lease through RRAS connections.
■ Default User Class. These properties apply to all clients not handled by a different user
class.
See the section ‘‘Defining and Implementing User and Vendor Classes’’ later in this
chapter for detailed information on configuring and using vendor and user classes to
customize lease properties for specific systems and users.
The following sections explain how to configure the most common DHCP properties.
Default gateway
The router property (option 003 Router) defines the default gateway assigned to the DHCP
client. You can specify an array of addresses, giving the client multiple gateways to use.
Windows clients use the first router in the list; only when dead-gateway detection decides that
the current gateway has stopped responding does the client move to the next one, so the array
is fail-over insurance against a loss of connectivity, not load balancing. To assign a gateway
to the array, enter the IP address in the IP Address text box in dotted octet format, and then
click Add. You can enter a host name in the Server Name text box and click Resolve if you
know the host name of the gateway but not its IP address. Clicking Resolve performs a DNS
lookup and returns the IP address in the IP Address field if successful. You can specify
multiple IP addresses, clicking Add to add each one to the array. Use the Up and Down buttons
to change the order of the list. The client then tries the routers in sequence, starting with
the top router.
Domain name and DNS servers
In addition to assigning one or more gateways, you will probably also want to assign at least one
DNS server. Select 006 DNS Servers in the list and then add the IP addresses of the DNS servers
to the list, just as you would when adding a router to the router list. The order of servers in the
list defines the order in which the client will attempt to resolve names to addresses. Use the Up
and Down buttons to change the order.
Domain name
Another property you should consider setting is the domain name (option 015 DNS Domain
Name). This property defines the client’s DNS suffix and is used to form the computer’s
fully qualified domain name (FQDN): the client prepends its host name to the domain name
to create the FQDN. You can specify the domain name within the client’s DNS properties,
but setting it through DHCP instead enables the domain name to be changed dynamically
when the client is granted a lease. If all the systems on
the network use DHCP, you can change your entire organization’s domain without changing any
client settings — you simply change the domain name property in the DHCP server. Because of
potential unseen pitfalls (clients with statically assigned domain names, for example), this isn’t
the recommended way of changing domain names. Bear in mind, too, that the suffix handed out
here steers how clients resolve single-label names, so whoever controls a DHCP server’s domain
name, DNS server, and router options controls where its clients send their traffic; this is one
reason rogue DHCP servers matter (see ‘‘Authorizing the Server’’ later in this chapter).
Other scope properties
You can configure a wide range of other properties that are passed to the DHCP client when a
lease is granted. Review the list of properties and configure those that apply to your network
and client needs.
Configuring global DHCP options
Within each scope, you can configure properties such as domain name, gateway, and DNS
servers, as explained earlier. These properties apply to all leases granted through the selected
scope. You also can configure these properties to apply globally to all scopes defined on the
server. These global options are used unless overridden by a scope-assigned property.
To configure global DHCP options, open the DHCP console, right-click the Server Options
node, and choose Configure Options. The DHCP console displays the same property sheet you
use to assign properties for a scope. Select and configure properties as needed.
Creating reservations
A reservation reserves a specific IP address for a specific Media Access Control (MAC) address.
The MAC address is a unique hardware-based address that identifies a network adapter (Network
Interface Card, or NIC) on the network. Reservations enable a specific adapter to receive
the same IP address assignment from the DHCP server, and prevent the address from being
leased to any other adapter. In effect, reservations let you enjoy the flexibility offered by DHCP
while still enabling you to assign a static IP address. Through reservations, you ensure that the
NIC always has the same IP address, but other configuration changes can be applied dynamically
(such as domain name, router, DNS servers, and so on). Note that the MAC address is asserted by
the client and is trivial to change, so a reservation guarantees that a well-behaved adapter gets a
fixed address; it does not stop another host from obtaining that address by spoofing the MAC, and
it is not an access control.
Reservations do not assign the same IP address to a computer per se, because the
reservation is associated with the NIC’s MAC address, not the computer name. This
is only a real distinction in multi-homed systems (those containing multiple NICs).
Before creating a reservation for a NIC, you need to know the NIC’s MAC address. On Windows
NT, Windows 2000, Windows XP/Vista, and Windows Server 2008 systems, you can use the
ipconfig command at a console prompt to view MAC addresses for NICs in the computer.
Open a console prompt on the system and issue the command ipconfig /all. The command
lists network configuration data for each NIC, including the MAC address (shown as ‘‘Physical
Address’’). On Windows XP and later you can also run getmac /v, or query a remote computer
with getmac /s computername, which saves a trip to the machine.
For Windows 9x and Me systems, use the WINIPCFG utility to determine the MAC address.
WINIPCFG includes the adapter address in the information it displays, along with the IP
address, the gateway, and other configuration information.
When you have the MAC address of the client’s NIC, open the DHCP console and then open
the scope where you want to create the reservation. Right-click the Reservations node and
choose New Reservation to open the New Reservation dialog box (see Figure 4-5). Use the
following list as a guide to configure the reservation:
■ Reservation Name. This name appears in the DHCP console next to the reservation IP
address (left pane). You can specify the computer’s name, the username, or other information to help you identify the NIC for which the address is reserved.
■ IP Address. Specify the IP address within the scope to reserve for the specified NIC.
■ MAC Address. Enter the MAC address of the NIC for which the address is reserved.
■ Description. This optional description appears in the contents pane of the DHCP
console.
■ Supported Types. You can designate the type of client (DHCP, BOOTP, or both) that can
use the reservation.
FIGURE 4-5
Reservations assign an IP address to a specific network adapter.
Setting global scope properties
Before you activate a scope and begin using it, you should configure a handful of properties
that apply to the scope on a global basis. To set these, open the DHCP console, right-click
the scope, and choose Properties to display the Scope Properties sheet. Use the General tab to
modify the scope-friendly name, IP address range, lease period, and description. These options
are self-explanatory.
The DNS tab determines how DHCP integrates with DNS. You’ll learn how to configure DHCP
clients to use DDNS in the section ‘‘Configuring Windows DHCP Clients’’ later in this chapter.
For now, you can use the following list as a guide to configuring settings on the DNS page:
■ Enable DNS Dynamic Updates According to the Settings Below. Select this option
to allow the DHCP server to register client DNS information in the DNS server on the
client’s behalf, according to the remaining settings on the tab. Out of the box, a Windows
2000 or later client registers its own host (A) record and the DHCP server registers the
pointer (PTR) record that maps the leased address back to the host name.
■ Dynamically Update DNS A and PTR Records Only if Requested by DHCP Clients.
Select this option to have the server register both records only if the client asks it to (the
client signals this in the Client FQDN option it sends with its lease request); otherwise
the server registers only the PTR record. Only Windows 2000 and later clients send that
request.
■ Always Dynamically Update DNS A and PTR Records. Select this option to have the
server register both records regardless of what the client requests.
■ Discard A and PTR Records When Lease Is Deleted. Select this option to have the
DHCP server remove the records it registered for a client when the client’s lease expires or
is deleted, so that stale names do not linger in DNS.
■ Dynamically Update DNS A and PTR Records for DHCP Clients That Do Not
Request Updates. Select this option to enable the DHCP server to register host and
pointer records for clients that don’t support dynamic update (such as versions
of Windows prior to Windows 2000), which never send the Client FQDN option.
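The five settings above combine with one piece of client input, the Client FQDN option (DHCP option 81), to decide which records the DHCP server registers and which it later removes. The following Python example makes that decision table explicit. It is added to this chapter and is not code from the book or from the Windows DHCP service: the setting names mirror the tab, the option 81 payloads are constructed, and the rule that in ‘‘only if requested’’ mode the server always owns the PTR record while the client keeps the A record unless it sets the S flag is how Windows 2000 and later clients behave by default. That the server only removes records it registered itself is an assumption of the model.

```python
"""Decision logic behind the DNS tab of a scope: given the tab's settings and the
client's option 81 (Client FQDN, RFC 4702), which records does the server handle?
Added example; not code from the book or from the Windows DHCP service."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address

# Flag bits in the first byte of option 81 (RFC 4702, section 2.1)
FLAG_S = 0x01   # client asks the server to register its A record
FLAG_E = 0x04   # FQDN field is DNS wire format rather than plain ASCII


@dataclass
class DnsTab:
    enable_dynamic_updates: bool = True     # top checkbox
    always_update: bool = False             # "Always dynamically update A and PTR"
    discard_on_lease_delete: bool = True
    update_legacy_clients: bool = False     # "... clients that do not request updates"


def build_client_fqdn(fqdn: str, request_server_a: bool = False, wire_format: bool = False) -> bytes:
    """Option 81 as a client would send it (constructed test input)."""
    flags = (FLAG_S if request_server_a else 0) | (FLAG_E if wire_format else 0)
    if wire_format:
        body = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in fqdn.split(".")) + b"\x00"
    else:
        body = fqdn.encode("ascii")
    return bytes([flags, 0, 0]) + body          # flags, RCODE1, RCODE2, domain name


def parse_client_fqdn(option81: bytes | None) -> tuple[int, str] | None:
    """Return (flags, fqdn), or None when the client sent no option 81 at all."""
    if option81 is None:
        return None
    flags, body = option81[0], option81[3:]
    if flags & FLAG_E:
        labels, i = [], 0
        while i < len(body) and body[i]:
            n = body[i]
            labels.append(body[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return flags, ".".join(labels)
    return flags, body.decode("ascii")


def server_updates(tab: DnsTab, option81: bytes | None) -> dict[str, bool]:
    """Which records the DHCP server itself registers for a new lease."""
    if not tab.enable_dynamic_updates:
        return {"A": False, "PTR": False}
    parsed = parse_client_fqdn(option81)
    if parsed is None:
        # Pre-Windows 2000 client: it never sends option 81, so the server acts
        # only when the "do not request updates" box is ticked.
        return {"A": tab.update_legacy_clients, "PTR": tab.update_legacy_clients}
    flags, _ = parsed
    if tab.always_update:
        return {"A": True, "PTR": True}
    # "Only if requested": the client registers A itself unless it set S;
    # the server always owns the PTR record.
    return {"A": bool(flags & FLAG_S), "PTR": True}


def on_lease_deleted(tab: DnsTab, option81: bytes | None, ip: str) -> list[tuple[str, str]]:
    """Records the server removes when the lease expires or is deleted. Assumption:
    it can only remove what it registered (legacy clients' names came from option
    12 and are not modelled here)."""
    parsed = parse_client_fqdn(option81)
    if not tab.discard_on_lease_delete or parsed is None:
        return []
    _, fqdn = parsed
    owned = server_updates(tab, option81)
    records = []
    if owned["A"]:
        records.append((fqdn, "A"))
    if owned["PTR"]:
        records.append((IPv4Address(ip).reverse_pointer, "PTR"))
    return records


if __name__ == "__main__":
    opt = build_client_fqdn("ws01.corp.example")          # constructed client name
    for tab in (DnsTab(), DnsTab(always_update=True), DnsTab(enable_dynamic_updates=False)):
        print(tab, "->", server_updates(tab, opt), on_lease_deleted(tab, opt, "192.168.0.105"))
```

One security point follows directly from the model: in every branch where the server registers a record, it does so under its own DNS credentials using a name the client chose. With ‘‘Always dynamically update’’ selected, any client can therefore claim an existing host name, so give the DHCP server a dedicated low-privilege account for DNS updates rather than running it on a domain controller with the right to overwrite other hosts’ records.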
Use the Advanced property tab to configure the types of clients the DHCP server will handle
with the selected scope. You can support DHCP only, bootp only, or both. If you select bootp
only or both, you can configure the lease duration for bootp clients using the lease duration
group, specifying a lease duration or configuring the scope to provide unlimited leases to
bootp clients.
Activating and deactivating a scope
At this point, you should have enough data in the scope to activate it, although you might
want to further configure your DHCP server by implementing vendor or user classes, using
superscopes or multicast scopes, and so on (both are discussed later in this chapter). When
you’re ready to activate the scope, open the DHCP console. Right-click the scope in question
and choose Activate. To deactivate a scope and prevent it from being used to assign leases,
right-click the scope and choose Deactivate.
Authorizing the server
An additional step for domain-based DHCP servers is authorizing the server. Authorizing a
server lists it in the Active Directory as an authorized DHCP server. As explained earlier,
Windows Server 2008 DHCP servers attempt to determine whether they are authorized at
startup and prior to processing client lease requests. Domain-based DHCP servers attempt to
check the AD to determine whether they are listed as an authorized server. If the server is
unable to contact the AD or doesn’t find itself listed, it does not begin servicing client requests.
A workgroup-based DHCP server queries the network for other DHCP servers; if it identifies
any domain-based DHCP servers, it assumes it is not authorized and does not service client
requests. If no domain-based DHCP servers respond, however, the server starts servicing
client requests. This means that multiple workgroup-based DHCP servers can operate on the
network concurrently.
When you install the DHCP service on a domain-based server, the server is unauthorized by
default. You must authorize the server before it can begin servicing client requests. Authorizing
a server simply lists the server in the AD. To authorize a domain-based DHCP server, open the
DHCP console, right-click the server in the left pane, and choose Authorize. Authorization is a
privileged change (by default it requires membership in Enterprise Admins) and one worth
auditing, because an authorized server can hand every client on a segment a router and DNS
server of its choosing. Keep in mind that authorization is only a check Windows DHCP servers
perform on themselves: a DHCP server on a non-Windows host, a home router plugged into the
wrong port, or malicious software on a workstation never consults the AD and answers clients
regardless. Catching those requires watching for DHCP offers from unexpected servers and,
where your switches support it, DHCP snooping to drop server responses arriving on untrusted
ports.
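Because authorization only restrains well-behaved Windows servers, the check that actually catches a rogue is on the wire: every DHCPOFFER carries the answering server’s address in option 54 (Server Identifier), and anything not on the authorized list is suspect. The following Python example, added to this chapter and not taken from the book or from Windows, parses DHCPOFFER packets and flags such offers, showing the router and DNS options the rogue handed out, since those are how it would insert itself into the clients’ traffic. The two offers are constructed here byte for byte; in practice you feed in packets captured on a span port, or the replies to a DISCOVER sent from a test host. The authorized list is an assumption; take the real one from the DHCP console.

```python
"""Rogue DHCP server check: parse DHCPOFFER packets and compare option 54 against
the authorized servers. Added example; not code from the book or from Windows."""
from __future__ import annotations
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the 236-byte header
BOOTREPLY, DHCPOFFER = 2, 2
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 6, 53, 54, 255


def parse_options(raw: bytes) -> dict[int, bytes]:
    """TLV walk over the options field: PAD (0) is skipped, END (255) stops the
    walk, and a truncated option is an error rather than a guess."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(packet: bytes) -> dict:
    """Pull the fields a rogue check needs out of a DHCPOFFER."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, hlen = packet[0], packet[2]
    opts = parse_options(packet[240:])
    if op != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")

    def addresses(code: int) -> list[IPv4Address]:
        v = opts.get(code, b"")
        return [IPv4Address(v[j:j + 4]) for j in range(0, len(v) - len(v) % 4, 4)]

    return {
        "client_mac": packet[28:28 + hlen].hex(":"),     # chaddr
        "offered_ip": IPv4Address(packet[16:20]),         # yiaddr
        "server_id": IPv4Address(opts[OPT_SERVER_ID]),    # option 54
        "routers": addresses(OPT_ROUTER),
        "dns": addresses(OPT_DNS),
    }


def find_rogues(offers: list[bytes], authorized: set[str]) -> list[dict]:
    """Offers whose server identifier is not on the authorized list."""
    allowed = {IPv4Address(a) for a in authorized}
    return [o for o in map(parse_offer, offers) if o["server_id"] not in allowed]


def build_offer(server_ip: str, yiaddr: str, router: str, dns: list[str], client_mac: str) -> bytes:
    """Constructed DHCPOFFER used as test input; there is no real capture here."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s",
                         BOOTREPLY, 1, 6, 0, b"\x00\x00\x12\x34", 0, 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed,
                         IPv4Address(server_ip).packed, b"\0" * 4,
                         mac, b"", b"")            # struct zero-pads the 16s/64s/128s fields

    def tlv(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value

    options = (tlv(OPT_MSG_TYPE, bytes([DHCPOFFER]))
               + tlv(OPT_SERVER_ID, IPv4Address(server_ip).packed)
               + tlv(OPT_SUBNET, IPv4Address("255.255.255.0").packed)
               + tlv(OPT_ROUTER, IPv4Address(router).packed)
               + tlv(OPT_DNS, b"".join(IPv4Address(d).packed for d in dns))
               + bytes([OPT_END]))
    return header + MAGIC + options


if __name__ == "__main__":
    AUTHORIZED = {"192.168.0.2"}                       # assumption: the one authorized server
    captured = [
        build_offer("192.168.0.2", "192.168.0.101", "192.168.0.1", ["192.168.0.10"], "00:11:22:33:44:55"),
        build_offer("192.168.0.66", "192.168.0.233", "192.168.0.66", ["192.168.0.66"], "00:11:22:33:44:55"),
    ]
    for rogue in find_rogues(captured, AUTHORIZED):
        print(f"ROGUE {rogue['server_id']} offered {rogue['offered_ip']} to {rogue['client_mac']} "
              f"with router {rogue['routers']} and DNS {rogue['dns']}")
```

A rogue that copies the legitimate server’s address into option 54 would slip past this check, so when you have the whole frame, compare the source IP and MAC of the packet against the authorized server as well, not just the option.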
Defining and Implementing
User and Vendor Classes
Vendor and user classes have been part of the Windows DHCP service since Windows 2000 and
are carried forward in Windows Server 2008. Vendor classes enable you to define additional
options for a particular device type or operating platform without going through the lengthy
process of submitting RFCs and getting approval for new standard option codes: the client
identifies its platform with a vendor class identifier, and the server replies with vendor-specific
options that only that platform interprets. You can then assign those options selectively using
user classes.
User classes enable you to assign unique scope options to individual clients. For example, you
may apply to all notebook users a specific DHCP configuration that, among other things, sets
the lease expiration at eight hours rather than the default of eight days. You can incorporate
other special properties to suit that group’s requirements as well.
Vendor classes
In many respects, a vendor class is really just a container object that groups together custom
DHCP options. You name the vendor class and assign to it new scope options not otherwise
defined by the standard options. To create a vendor class, you specify a display name for
the vendor class, a description, and an ID. The display name and description are primarily
for convenience and identification within the DHCP console. The ID uniquely identifies the
vendor class.
Creating a vendor class
To create, modify, or remove a vendor class, open the DHCP console. Right-click the server on
which you want to work with vendor classes and choose Define Vendor Classes. DHCP displays
a DHCP Vendor Classes dialog box that lists all currently defined vendor classes. Click Add to
display the New Class dialog box, shown in Figure 4-6.
The display name is the friendly name for the vendor class within the DHCP console. You can
include an optional description to further identify the vendor class. The ID is the data that
clients use to request a specific set of DHCP options based on their vendor class. Click in the ID
box under the Binary column if you want to enter the data in hexadecimal, or click under the
ASCII column to enter the ID in ASCII characters. Choose a string that uniquely identifies the
vendor class but is also easy to remember (and perhaps easy to type). Bear in mind that this is
an identifier string only and doesn’t need to have any real relationship with the actual vendor
name or other product information. However, using the vendor name in the ID will help you
recognize the purpose for the vendor class.
FIGURE 4-6
The New Class dialog box.
Configuring vendor class options
After you create a new vendor class, you need to specify the DHCP options that will be available to that vendor class. To do so, open the DHCP console, right-click the server on which you
want to define vendor class options, and choose Set Predefined Options. DHCP displays the Predefined Options and Values dialog box. Select the option class for which you want to modify
values and click Add. DHCP displays the Option Type dialog box, shown in Figure 4-7.
FIGURE 4-7
Use the Option Type dialog box to add vendor class options.
Provide information in the dialog box using the following list as a guide:
■ Name. This is the name of the option as it appears in the Available Options list of the
Scope Options property sheet. Specify a descriptive name such as Name Servers.
■ Data Type. Select from this drop-down list the type of data represented by the class
option (byte, word, long, IP address, and so on).
■ Array. Select this option if you are creating an array, such as a DNS server list or
gateway list.
■ Code. Specify a unique numeric code for the option.
■ Description. Specify an optional description to help identify the function of the
option value.
You may have surmised that creating a vendor class and assigning class options to it can be a
time-consuming task, particularly if you need to assign many options. Whenever possible, you
should use standard DHCP options and override selected options with vendor class options only
when needed.
Windows Server 2008 incorporates three predefined vendor classes: Microsoft
Options, Microsoft Windows 2000 Options, and Microsoft Windows 98 Options. The
Microsoft Options and Microsoft Windows 2000 Options currently define three options: Disable
NetBIOS, Release DHCP Lease on Shutdown, and Default Router Metric Base. You can use these
options to implement the associated features for Windows 2000 and later clients, which identify
themselves to the server with the vendor class identifier MSFT 5.0. There are no predefined
scope options for Windows 98 clients.
User classes
Although vendor classes enable you to define new DHCP scope options, user classes enable you
to allocate DHCP scopes (whether standard or vendor class-defined) on a client-by-client basis.
Each client can be configured with one or more user class IDs that the client submits to the
DHCP server. The server responds with an appropriate lease based on the settings defined for
that user class ID. For example, you might create a user class ID called notebook and configure
its DHCP options to decrease the lease period, or you might have a group of computers that
requires a different set of DNS servers or default gateway. You can use user class IDs in all of
these cases to assign DHCP options on a selective basis.
User classes must be supported at the client level. Currently, only Windows 200X,
Windows XP, and Windows Vista clients support user classes. This capability is not
included with Windows 98 or Windows NT clients.
When a client submits a class ID to a DHCP server, the server provides all the default options
defined for the scope not otherwise defined by the class ID. You can allocate DHCP options
using the default options for the scope and apply selective options with the user class. This
means you do not have to duplicate the default settings for a user class; you need to configure
only those settings that are unique to clients in that user class.
Creating a user class
You define a user class in much the same way that you define a vendor class. Open the DHCP
console, right-click the server for which you want to define the user class, and then choose
Define User Classes. Click Add in the DHCP User Classes dialog box. As you do with a vendor
class, specify a display name to appear in the DHCP console, an optional description, and
the class ID. The class ID is the data you will configure at the client level to enable it to request
a lease based on the class ID. You can enter the class ID in either hexadecimal or ASCII format.
Configuring user class options
After you create a user class, assign to it the DHCP scope options that need to apply to each
client having the specified class ID. To do so, open the DHCP console and expand the server in
question. Right-click Scope Options, choose Configure Options, and click Advanced to display
the Advanced tab (refer to Figure 4-4). You can select options from the DHCP Standard Options
vendor class or use any other defined vendor class. Select the desired user class from the User
Class drop-down list. The scope options predefined for the selected vendor class appear in the
Available Options list. Browse through the list and configure scope options as you would
the default options.
There is no need to configure options that will otherwise be assigned through the global options
for the scope. Instead, configure only those options that are unique to the user class. For
example, if all you are doing with the user class is reducing the lease period, then you need to
configure only the lease value within the user class. All other settings can be assigned to the
client through the global scope properties. When you have configured all necessary properties,
click OK.
Configuring a client to use class IDs
Each network adapter on a Windows 200X and Windows XP/Vista client carries a single user
class ID; setting a new one with ipconfig replaces the previous one, so only the most recently
assigned class ID is ever sent to the DHCP server. An adapter with no class ID configured
sends none and receives the options of the Default User Class together with the global and
scope options. When a class ID is set, the client takes on all global scope options plus the scope
options assigned to that one class ID. The scope options are not cumulative: the client will not
take on the options of several classes, because the adapter only ever presents one.
Use the ipconfig command to assign a class ID to a Windows 200X/XP/Vista client. You can
assign class IDs manually through a command console or startup script. The syntax for assigning
a class ID is as follows:
ipconfig /setclassid [adapter] [ClassIDString]
To configure a client with the class ID ‘‘portable’’ on the default network connection (Local Area
Connection), use the following command:
ipconfig /setclassid "Local Area Connection" portable
The class ID goes out with the client’s next DHCP request, so follow the command with
ipconfig /renew to pick up the class-specific options immediately; ipconfig /showclassid with
the adapter name displays the current setting, and /setclassid with the adapter name but no
class ID string clears it. Keep in mind that the class ID is nothing more than a string the client
chooses to send (DHCP option 77): any user who can run ipconfig on a client, or any non-Windows
client that sends the option, can present whichever class ID yields the more favourable options,
so never use user classes to hand out ‘‘trusted’’ network settings to one group and withhold
them from another.
You might want to rename your network connections using simpler names, if only
to make it easier to perform ipconfig commands. To rename a network connection, open the
Network Connections folder (in Windows Server 2008, open Network and Sharing Center and click
Manage Network Connections, or run ncpa.cpl), right-click the connection, and choose
Rename. For example, you might rename ‘‘Local Area Connection’’ to simply ‘‘LAN.’’
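To make the precedence concrete (server-level options, then scope options, then the single user class the adapter presents; vendor options delivered inside option 43 only to clients whose vendor class identifier in option 60 matches byte for byte, which is why the console lets you enter the ID as hex or ASCII), here is a Python model of what a DHCP server would return to a client that ran the ipconfig /setclassid command above, together with the options that client itself puts on the wire. It is an example added to this chapter; it is not code from the book or from the Windows DHCP service. The option tables, the ‘‘portable’’ and ‘‘labnet’’ classes and all addresses are constructed; the vendor class string MSFT 5.0 (Windows 2000 and later) and the Microsoft sub-option codes 001 through 003 are the real ones, and the claim that Windows sends option 77 as the bare class ID string rather than in the RFC 3004 length-prefixed form is an assumption about framing that matters only if you parse real captures.

```python
"""How server, scope, user-class and vendor-class options combine, and how the
result (and the client's own class options) look on the wire. Added example; not
code from the book or from the Windows DHCP service."""
from __future__ import annotations
import struct
from ipaddress import IPv4Address

OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_VENDOR_SPECIFIC, OPT_LEASE = 3, 6, 15, 43, 51
OPT_VENDOR_CLASS, OPT_USER_CLASS = 60, 77

# Option tables as the console stores them ({option code: value}); constructed values.
SERVER_OPTIONS = {OPT_DNS: ["192.168.0.10", "192.168.0.11"], OPT_DOMAIN: "corp.example"}
SCOPE_OPTIONS = {OPT_ROUTER: ["192.168.0.1"], OPT_LEASE: 8 * 24 * 3600}   # eight-day default
USER_CLASS_OPTIONS = {
    "portable": {OPT_LEASE: 8 * 3600},                                   # laptops: eight hours
    "labnet": {OPT_ROUTER: ["192.168.5.1"], OPT_DNS: ["192.168.5.10"]},
}
# "Microsoft Options" vendor class: sub-option 1 Disable NetBIOS (2 = disable),
# 2 Release DHCP lease on shutdown, 3 Default router metric base.
VENDOR_CLASS_OPTIONS = {b"MSFT 5.0": {1: 2, 2: 1, 3: 0}}


def resolve(user_class: str | None, vendor_class: bytes | None) -> tuple[dict, dict]:
    """Server (global) < scope < user class. An adapter presents at most one user
    class, so nothing is merged across classes; an unknown or absent class ID falls
    into the Default User Class, which adds nothing here."""
    opts = dict(SERVER_OPTIONS)
    opts.update(SCOPE_OPTIONS)
    opts.update(USER_CLASS_OPTIONS.get(user_class, {}))
    # Vendor options are keyed on the exact bytes of option 60.
    vendor = dict(VENDOR_CLASS_OPTIONS.get(vendor_class, {}))
    return opts, vendor


def encode(opts: dict, vendor: dict) -> bytes:
    """Serialize the resolved options as RFC 2132 TLVs, ending with 255."""
    out = b""
    for code, value in sorted(opts.items()):
        if code in (OPT_ROUTER, OPT_DNS):                # arrays of addresses
            payload = b"".join(IPv4Address(ip).packed for ip in value)
        elif code == OPT_DOMAIN:
            payload = value.encode("ascii")
        elif code == OPT_LEASE:
            payload = struct.pack("!I", value)            # seconds, network byte order
        else:
            raise ValueError(f"no encoder for option {code}")
        out += bytes([code, len(payload)]) + payload
    if vendor:
        # Microsoft sub-options are 4-byte values nested inside option 43
        inner = b"".join(bytes([c, 4]) + struct.pack("!I", v) for c, v in sorted(vendor.items()))
        out += bytes([OPT_VENDOR_SPECIFIC, len(inner)]) + inner
    return out + bytes([255])


def client_class_options(user_class: str | None, vendor_class: bytes) -> bytes:
    """What the client adds to its DISCOVER/REQUEST: option 60 always, option 77 only
    once ipconfig /setclassid has been run. The bare-string framing of option 77 is
    an assumption about Windows; RFC 3004 length-prefixes each class."""
    out = bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    if user_class:
        uc = user_class.encode("ascii")
        out += bytes([OPT_USER_CLASS, len(uc)]) + uc
    return out


if __name__ == "__main__":
    for cls in (None, "portable", "labnet"):
        opts, vendor = resolve(cls, b"MSFT 5.0")
        print(cls, "lease", opts[OPT_LEASE], "router", opts[OPT_ROUTER], "dns", opts[OPT_DNS],
              "wire bytes", len(encode(opts, vendor)))
        print("   client sends:", client_class_options(cls, b"MSFT 5.0").hex())
```

Note how ‘‘portable’’ changes nothing but the lease while ‘‘labnet’’ replaces the router and DNS servers; everything the class does not mention still arrives from the scope and server levels, which is the reason the text tells you to configure only the options that are unique to a class.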
Creating and Using Superscopes
As Windows 2000/2003 Server does, Windows Server 2008 also supports a DHCP feature called
superscopes, an administrative feature that enables you to create and manage multiple scopes as
a single entity. You can use superscopes to allocate IP addresses to clients on a multinet, which
is a physical network segment containing multiple logical IP networks (a logical IP network is a
cohesive range of IP addresses). For example, you might support three different class C logical
IP networks on a physical network segment. Each of the three class C address ranges is defined
as one of three individual child scopes under a superscope.
In many cases, you won’t plan or set out to use a multinet because using a single logical IP
network is much simpler from an administrative standpoint; however, you might need to use
a multinet as an interim measure as your network size grows beyond the number of addresses
available within the original scope. Or, you might need to migrate the network from one logical
IP network to another, such as would be the case if you switched ISPs and therefore had to
switch address assignments.
Superscopes are useful on high-speed wide area networks, especially when planning
for and managing shallow Active Directory domain trees (trees with multiple Active
Directory sites and few domains). This is discussed in Chapter 25.
You also can use superscopes to support remote DHCP clients located on the far side of
a DHCP or bootp relay agent. This enables you to support multiple physical subnets with a
single DHCP server. Figure 4-8 illustrates a single DHCP server supporting multiple logical
IP networks on the local physical network, as well as logical IP networks on the far side of a
relay agent.
Naturally, you will want to assign certain scope options, such as the default gateway within each
scope, to place the option within the context of the scope. You can assign global options that
apply to all scopes in a superscope at the server level. All scopes on the server, whether in a
superscope or not, will use the global options when options are not specifically defined within
the individual scopes. For example, all clients can probably use the same set of DNS servers, so
you would define the DNS server array at the server level.
Keep in mind that superscopes are just an administrative feature that provide a
container for managing scopes as groups on the same server. A superscope does not
actually allocate options of its own. DHCP options come either from the server (global) or from
the properties of the individual scopes within the superscope.
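What a superscope changes is the set of scopes the server will consider for a request, and that selection is driven by a single unauthenticated field: giaddr, which is 0.0.0.0 for a client on a directly attached segment and the relay agent’s client-facing address for a relayed request. The following Python example, added to this chapter and not code from the book or from the Windows DHCP service, models that selection for the layout in Figure 4-8 and for a local multinet. The server interface, scopes, superscope names and free-address counts are constructed, and the rule ‘‘first candidate scope with a free address, in console order’’ is a simplification of the server’s actual ordering.

```python
"""Which scope answers a request: by the receiving interface's subnet (giaddr 0.0.0.0)
or by the relay's giaddr, widened to every sibling scope when the match sits in a
superscope. Added example; not code from the book or from Windows."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class ScopeView:
    network: IPv4Network            # subnet implied by the scope's range and mask
    free: int                       # free addresses left in the pool
    superscope: str | None = None   # None when the scope sits directly under the server

    def __post_init__(self):
        self.network = IPv4Network(self.network)


class Server:
    def __init__(self, interface: str, scopes: list[ScopeView]):
        # interface: the server's own address with prefix, e.g. 192.168.0.2/24
        self.interface_net = IPv4Network(interface, strict=False)
        self.scopes = scopes

    def candidates(self, giaddr: str) -> list[ScopeView]:
        """Scopes that may answer a request carrying this giaddr, in console order."""
        relay = IPv4Address(giaddr)
        if relay == IPv4Address("0.0.0.0"):
            # Broadcast from a directly attached client: match the receiving interface
            matched = [s for s in self.scopes if s.network == self.interface_net]
        else:
            # Relayed request: giaddr is the relay interface facing the client
            matched = [s for s in self.scopes if relay in s.network]
        groups = {s.superscope for s in matched if s.superscope}
        # Every scope sharing a superscope with a match becomes a candidate as well
        return [s for s in self.scopes if s in matched or s.superscope in groups]

    def select(self, giaddr: str) -> ScopeView | None:
        for scope in self.candidates(giaddr):
            if scope.free > 0:
                return scope
        return None


if __name__ == "__main__":
    # Figure 4-8: local scope plus a superscope for the two networks behind the router
    server = Server("192.168.0.2/24", [
        ScopeView("192.168.0.0/24", free=5),
        ScopeView("192.168.1.0/24", free=0, superscope="Remote"),     # exhausted
        ScopeView("192.168.2.0/24", free=12, superscope="Remote"),
    ])
    for giaddr in ("0.0.0.0", "192.168.1.1", "192.168.2.1", "10.9.9.1"):
        chosen = server.select(giaddr)
        print(giaddr, "->", chosen.network if chosen else "no scope, request dropped")
```

With the superscope in place the request relayed from 192.168.1.1 is answered from 192.168.2.0/24 once 192.168.1.0/24 is exhausted; without it the request would go unanswered. The same mechanism is why a forged giaddr is worth restricting: any host that can reach the server directly can ask for an address, and the scope options, of a subnet it is not on, so allow relayed DHCP only from the relay agents you operate.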
FIGURE 4-8
A single DHCP server can support multiple local IP networks and remote networks.
[Diagram: a router whose port 192.168.0.1 runs a relay agent pointed at the DHCP server at
192.168.0.2. Local clients 192.168.0.3 through 192.168.0.6 are served from the scope for the
local subnet, 192.168.0.1 through 192.168.0.254. Clients 192.168.1.3 through 192.168.1.5 and
192.168.2.6 through 192.168.2.7, behind the router’s ports 192.168.1.1 and 192.168.2.1, are
served from a superscope containing 192.168.1.1 through 192.168.1.254 and 192.168.2.1 through
192.168.2.254.]
Creating a superscope
You can create a superscope only after you define at least one scope on the server (this prevents
you from creating an empty superscope). Windows Server 2008 enables you to select which
existing scopes will be moved to the superscope. You can create additional scopes within the
superscope afterwards. You can also create multiple superscopes and create scopes both inside
and outside of a superscope. Therefore, a given server might have two superscopes with four
scopes each, along with three scopes defined at the server level that are not part of either
superscope.
To create a superscope, open the DHCP console. Right-click the server in which you want
to create the superscope and choose New Superscope (the command is not available if no
scopes exist on the server), and then click Next. Windows Server 2008 prompts you to
choose a friendly name for the scope and to specify which existing scopes will be added to the
superscope. Hold down the Shift key to select multiple scopes.
Activating and deactivating a superscope
Windows Server 2008 automatically activates the superscope if one or more scopes in the
superscope are active when you create the superscope. If not, you can activate individual scopes
in the superscope, and then activate the superscope itself. To activate individual scopes, right-click
the scope and choose Activate. If the superscope contains only one scope, Windows Server
2008 activates the superscope as well. Otherwise, right-click the superscope and choose Activate.
You can deactivate an individual scope within a superscope, or you can deactivate the superscope,
which deactivates all scopes in the superscope. Deactivating a scope prevents it from
servicing additional client requests for address leases. Right-click either a scope or superscope
and choose Deactivate to deactivate it.
Removing scopes from a superscope
You can remove one or more scopes from a superscope if necessary to restructure the scopes
on the server. Removing a scope from a superscope does not delete the scope or deactivate it.
Instead, it simply makes it a scope directly under the server branch, rather than a child scope of
the superscope. This enables you to add it to a different superscope or eliminate the superscope
without affecting its individual scopes.
To remove a scope from a superscope, open the DHCP console and open the superscope
in question. Right-click the scope and choose Remove from Superscope. If the scope being
removed is the only scope in the superscope, Windows Server 2008 removes the superscope
because you can’t have an empty superscope.
Deleting superscopes
Deleting a superscope removes the superscope and places its child scopes directly under the
server branch of the DHCP server. The scopes are unaffected and continue to service client
requests — they are simply no longer a member of a superscope. Open the DHCP console,
right-click the superscope to be deleted, and choose Delete.
Creating Multicast Scopes
A multicast scope, as explained earlier, is used to deliver IP traffic to a group of nodes using
a single group address, and is traditionally used in audio and video conferencing. Using multicast
addresses simplifies administration and reduces network traffic because the data packets are sent
once to the multicast address, rather than individually to each recipient’s unicast address.
A Windows Server 2008 DHCP server can allocate multicast addresses to a group of computers
much as it allocates unicast addresses to individual computers. The protocol for multicast
address allocation is Multicast Address Dynamic Client Allocation Protocol (MADCAP). Windows
Server 2008 can function independently as both a DHCP server and a MADCAP server.
For example, one server may use the DHCP service to allocate unicast addresses through the
DHCP protocol, and another server may allocate multicast addresses through the MADCAP
protocol. In addition, a client can use either or both. A DHCP client doesn’t have to use
MADCAP, and vice versa, but a client can use both if the situation requires it.
Because the use of multicasting is somewhat specialized, this chapter assumes you have a working knowledge of multicast addressing, routing, and so on, and focuses on explaining how to
configure a Windows Server 2008 DHCP server to act as a MADCAP server.
For additional information on using multicast scopes, open Help in the DHCP console
and search for ‘‘multicast scope.’’
You can create multiple multicast scopes on a Windows Server 2008 DHCP server as long as the
scope address ranges don’t overlap. Multicast scopes exist directly under the server branch and
cannot be assigned to superscopes, which are intended only to manage unicast address scopes.
To create a multicast scope, open the DHCP console, right-click the server in which you want
to create the multicast scope, and choose New Multicast Scope. Windows Server 2008 starts a
wizard that prompts you for the following information:
■ Name. This is the friendly name as it appears for the scope in the DHCP console.
■ Description. Specify an optional description to identify the purpose of the multicast
scope.
■ Address Range. You can specify an address range between 224.0.0.0 and
239.255.255.255, inclusive, which gives you a large range of addresses to use. Stay out of
224.0.0.0 through 224.0.0.255, which is reserved for link-local control protocols (224.0.0.1 is
all hosts, 224.0.0.2 all routers, and 224.0.0.5 and 224.0.0.6 belong to OSPF), and prefer the
administratively scoped range 239.0.0.0 through 239.255.255.255 for traffic that should never
leave your organization.
■ Time to Live (TTL). Specify the maximum number of router hops the multicast traffic may
traverse. Each router decrements the TTL and does not forward a packet whose TTL has reached
zero, so a small value confines the traffic to your local network.
■ Exclusion Range. You can define a range of multicast addresses to exclude from the
scope, just as you can exclude unicast addresses from a DHCP scope.
■ Lease Duration. Specify the duration for the lease. The default is 30 days.
You can choose to activate the scope through the wizard or activate the scope later. Right-click a
multicast scope and choose Activate to activate the scope.
Configuring Global DHCP Server Properties
After configuring scopes and other DHCP options, turn your attention to a handful of global
DHCP server properties that you can configure to fine-tune your DHCP server. To configure
these settings, open the DHCP console, right-click the server, and choose Properties. Some of
these server-level settings act as defaults that the corresponding scope-level settings override.
For example, the settings on the DNS tab correspond to the settings covered earlier in this
chapter in ‘‘Setting Global Scope Properties.’’
FIGURE 4-9
Configure global settings with the General tab.
The General tab, shown in Figure 4-9, contains the following three settings:
■ Automatically Update Statistics Every. Use this option to have the DHCP server
refresh statistics in the DHCP console at the specified interval. The statistics otherwise update
only when you open the console or when you refresh them manually by choosing Refresh from
the Action menu, so enable this option if you keep the console open for extended periods for
monitoring.
■ Enable DHCP Audit Logging. Enable this option (the default) to record DHCP server
events to a log file. See the following material on the Advanced tab for more information.
■ Show the BOOTP Table Folder. Enable this option to add a BOOTP Table branch to the
DHCP console. You can then right-click the BOOTP Table branch and choose New Boot
Image to display the Add BOOTP Entry dialog box (see Figure 4-10). Use this dialog box to
specify the boot image file name, its path, and the TFTP server from which BOOTP clients
download the image.
The Advanced tab (see Figure 4-11) provides several settings for logging, backup, network configuration, and authentication.
FIGURE 4-10
Add BOOTP images through the BOOTP Table branch.
FIGURE 4-11
Configure a variety of settings with the Advanced tab.
These settings include the following:
■ Conflict Detection Attempts. Specify the number of times the server should attempt
to detect address conflicts before leasing an address to a client. The server tests a candidate
address by pinging it and offers the address only if no reply arrives, so every attempt adds a
delay to each lease; Microsoft recommends no more than two attempts. Increase the value in
situations where detection typically takes longer, such as in heavily saturated networks or
when clients take longer to respond because they are operating in power-saving mode. Because
the test is an ICMP echo, a host whose firewall drops ping is not detected. Addresses the server
does find in use are recorded as audit log event 13 and marked BAD_ADDRESS in the scope's
address leases.
■ Audit Log File Path. Specify where you want the DHCP server to place its audit log files.
The default location is %systemroot%\System32\dhcp.
■ Bindings. Click this button to open a dialog box in which you choose the network interfaces on which the DHCP server will respond to DHCP client requests. The list will be
empty if the server has no static IP addresses.
■ Credentials. Click this button to specify the account credentials, including domain, that
the DHCP server will use when registering and updating records on behalf of its clients in a
Windows DNS server. You need to specify credentials only if the DNS server is configured to
require secure updates. Use a dedicated domain user account created for this purpose and grant
it no rights beyond those of an ordinary user. This matters most when the DHCP service runs
on a domain controller: without dedicated credentials the service updates DNS as the domain
controller's own computer account, which has full rights over every record in the zone, and the
client records it creates are then owned by that account.
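The audit log that the General and Advanced tabs control is a plain comma-separated text file, one per weekday (DhcpSrvLog-Mon.log and so on), so it can be fed into whatever monitoring you already run. The following PowerShell script is an added example, not part of the book and not a Windows component: it parses that format and flags the events a security team cares about (address conflicts, scope exhaustion, denied leases, failed DNS updates, and rogue-detection failures), and it also flags a burst of new leases to many distinct MAC addresses, which is what a DHCP starvation attack looks like from the server's side. The event ID meanings are the documented DHCP audit log codes; the log lines embedded in the script are constructed for the example, and the host names, addresses, and threshold are assumptions.

```powershell
# Added example (not from the book or from Windows): triage a Windows Server
# 2008 DHCP audit log (%systemroot%\System32\dhcp\DhcpSrvLog-<Day>.log).
# Event IDs are the documented audit log codes; the sample log is constructed.

$AuditEvents = @{
    10 = 'A new IP address was leased to a client'
    11 = 'A lease was renewed by a client'
    12 = 'A lease was released by a client'
    13 = 'An IP address was found to be in use on the network (conflict)'
    14 = 'A lease request could not be satisfied (scope exhausted)'
    15 = 'A lease was denied'
    30 = 'DNS update request'
    31 = 'DNS update failed'
    32 = 'DNS update successful'
    50 = 'Rogue detection: unreachable domain'
    54 = 'Rogue detection: authorization failed'
    56 = 'Rogue detection: authorization failure, stopped servicing clients'
}

# Event IDs that should raise an alert on a security console.
$AlertIds = 13, 14, 15, 31, 50, 54, 56

function Get-DhcpAuditRecords {
    param([string[]]$Lines)
    # The file opens with a free-text legend and a header line; only the data
    # lines begin with a numeric event ID followed by a comma.
    $dataLines = $Lines | Where-Object { $_ -match '^\d+,' }
    $header = 'ID', 'Date', 'Time', 'Description', 'IPAddress', 'HostName',
              'MACAddress', 'UserName', 'TransactionID', 'QResult',
              'ProbationTime', 'CorrelationID', 'Dhcid'
    $dataLines | ConvertFrom-Csv -Header $header
}

function Get-DhcpAuditAlerts {
    param([object[]]$Records, [int]$NewLeaseBurstThreshold = 5)
    $alerts = @()
    foreach ($r in $Records) {
        $id = [int]$r.ID
        if ($AlertIds -contains $id) {
            $alerts += New-Object PSObject -Property @{
                Time    = '{0} {1}' -f $r.Date, $r.Time
                EventID = $id
                IP      = $r.IPAddress
                MAC     = $r.MACAddress
                Host    = $r.HostName
                Meaning = $AuditEvents[$id]
            }
        }
    }
    # Starvation pattern: many new leases (ID 10) to distinct MAC addresses in
    # one log, usually followed by ID 14 once the scope runs dry.
    $macs = @($Records | Where-Object { [int]$_.ID -eq 10 } |
              ForEach-Object { $_.MACAddress } | Sort-Object -Unique)
    if ($macs.Count -ge $NewLeaseBurstThreshold) {
        $alerts += New-Object PSObject -Property @{
            Time    = ''
            EventID = 10
            IP      = ''
            MAC     = ($macs -join ' ')
            Host    = ''
            Meaning = '{0} distinct MAC addresses took new leases; check for DHCP starvation' -f $macs.Count
        }
    }
    $alerts
}

# Constructed sample shaped like a Windows Server 2008 DhcpSrvLog-*.log.
$SampleLog = @'
		Microsoft DHCP Service Activity Log

Event ID  Meaning
00	The log was started.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
10,06/12/08,08:15:02,Assign,192.168.1.101,ws01.mcity.us,00155D01AA01,,
11,06/12/08,08:16:10,Renew,192.168.1.57,ws02.mcity.us,00155D01AA02,,
10,06/12/08,08:20:01,Assign,192.168.1.102,,02AA11223301,,
10,06/12/08,08:20:01,Assign,192.168.1.103,,02AA11223302,,
10,06/12/08,08:20:02,Assign,192.168.1.104,,02AA11223303,,
10,06/12/08,08:20:02,Assign,192.168.1.105,,02AA11223304,,
10,06/12/08,08:20:03,Assign,192.168.1.106,,02AA11223305,,
13,06/12/08,08:20:44,Conflict,192.168.1.60,,,,
14,06/12/08,08:21:05,ScopeFull,192.168.1.0,,,,
31,06/12/08,08:22:17,DNS Update Failed,192.168.1.101,ws01.mcity.us,00155D01AA01,,
'@

# Run against the sample; on a live server replace $SampleLog with
# Get-Content "$env:SystemRoot\System32\dhcp\DhcpSrvLog-Mon.log".
$records = Get-DhcpAuditRecords -Lines ($SampleLog -split "`r?`n")
Get-DhcpAuditAlerts -Records $records |
    Format-Table Time, EventID, IP, MAC, Meaning -AutoSize
```

Run on the sample, the script reports the conflict (13), the exhausted scope (14), the failed DNS update (31), and a starvation warning for the six distinct MAC addresses that took new leases within seconds. Point it at the real log path from the Audit Log File Path setting and schedule it, or forward the same conditions to your SIEM; the rogue-detection IDs (54 and 56) are the ones that tell you an unauthorized DHCP server has appeared in the domain.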
Windows Server 2008 also supports stateless and stateful DHCPv6 server operation. In
stateless mode, clients obtain their IPv6 addresses through stateless address autoconfiguration
from router advertisements and use DHCPv6 only for other configuration settings, such as DNS
server addresses and the DNS domain search list. In stateful mode, the DHCPv6 server assigns
the IPv6 addresses as well. See Chapter 3, which covers IPv6.
Managing the DHCP Database
Windows Server 2008 makes it easy to back up and restore the DHCP database, which provides
recoverability from server failures and an easy means to move DHCP data to a different server.
The DHCP data you can back up includes all defined scopes, reservations, and leases, as well as
all options at the server, scope, reservation, and class levels. The default location for the backup
is %systemroot%\System32\dhcp\backup. Consider copying the backup folder to another
server frequently for improved recoverability in case the DHCP server fails and the backup folder
is lost.
To specify the database and backup paths, right-click the topmost node representing the DHCP
server and select Properties. The dialog box that appears provides the following two options.
■ Database Path. Specify the location where the DHCP server will place its database files.
The default location is %systemroot%\System32\dhcp.
■ Backup Path. Specify the location where the DHCP server will back up its database. The
default location is %systemroot%\System32\dhcp\backup. See the following section
for information on backing up and restoring the DHCP database.
Backing up and restoring the DHCP database
The DHCP server provides three backup mechanisms. It backs up its database automatically
to the backup folder every hour, which Microsoft terms a synchronous backup. You can also
manually initiate a backup with the DHCP console, which Microsoft terms an asynchronous
backup. The final method is to use the Windows Server 2008 Backup utility or third-party
backup utility to perform scheduled or as-needed backups.
All of these methods back up the items mentioned previously, but do not back up authentication credentials, registry settings, or other global DHCP configuration information
such as log settings and database location. Instead, you need to back up the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
to back up these additional items.
The easiest way to back up the DHCP registry key is to export the key from the
Registry Editor. Open the Registry Editor, select the key, and export it to the same
backup location as the other DHCP backup files.
To perform an asynchronous backup of the DHCP data, open the DHCP console, right-click the
server, and choose Backup. In the resulting Browse for Folder dialog box, select the folder location where you want the data to be backed up. You can create a new folder through this dialog
box, if needed.
To change the interval for synchronous backups from its default setting of 60 minutes, open
the Registry Editor and open the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DHCPServer\Parameters. Modify the value BackupInterval as desired. (See
Chapter 9 for information on how to edit the registry.)
With the Edit DWORD Value dialog box open, switch to decimal view and specify a
value in minutes for the backup interval.
If the DHCP server suffers a failure, you can quickly restore the DHCP service by restoring the
DHCP database. Bring the server back online and install the DHCP service. If you backed up
the DHCP registry key, stop the DHCP service, import the key, and restart the service; then,
open the DHCP console. Right-click the server in the console and choose Restore. Select the
location to which you previously backed up the DHCP database and restore the data.
You can only restore a backup that you created manually with the DHCP console.
Do not use the DHCP backup files created automatically by the DHCP service during a synchronous backup. This will cause the DHCP service to fail. The synchronous backups are
used only by the DHCP service to automatically restore the database if the service detects that the
DHCP database has become corrupted.
Moving the DHCP database to another server
Whether you are upgrading servers or simply migrating the DHCP service to another computer
for performance reasons, moving the DHCP database is relatively easy. On the source server,
open the DHCP console and back up the DHCP database to a location accessible by the target
server. Stop the DHCP service on the source server and, if needed, export the DHCP registry key
to a file, as explained in the preceding section.
Stopping the DHCP service prevents the DHCP server from responding to client
requests and potentially conflicting with the new server when it comes online.
Next, install the DHCP service on the target server. Stop the DHCP service and import the
registry file. Copy the contents of the DHCP database backup folder from the source server to
the appropriate location on the target server (the default is %systemroot%\System32\dhcp).
Then, start the DHCP service.
Make sure you authorize the new DHCP server in the Active Directory. If the old server
remains domain-joined, also remove its authorization so that a later restart of its DHCP service
cannot put a second, stale copy of the scopes back into service.
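The backup, registry export, and move just described can be scripted rather than clicked through. The following PowerShell functions are an added example, not the book's or Microsoft's own procedure: they use the netsh dhcp server context and reg.exe, both of which ship with Windows Server 2008, and they add the text export and import that netsh provides, which makes the move independent of the database path on the target. The server names, addresses, and folder paths are assumptions for the example.

```powershell
# Added example (not from the book or from Windows): scripts the backup,
# registry export and server move described above with the netsh dhcp and
# reg.exe commands that ship with Windows Server 2008. Server names,
# addresses and paths are assumptions made for the example.

$DhcpParamsKey = 'HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

function Assert-LastExitCode {
    # External commands do not throw; stop the script on a non-zero exit code
    # so that a half-finished move is never mistaken for a completed one.
    param([string]$Description)
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

function Backup-DhcpServerState {
    # Run on the SOURCE server. With -Decommission the service is stopped and
    # the server's Active Directory authorization removed afterwards.
    param(
        [Parameter(Mandatory=$true)][string]$BackupDir,
        [switch]$Decommission,
        [string]$ServerFqdn,   # assumed, e.g. dhcp1.mcity.us
        [string]$ServerIp      # assumed, e.g. 192.168.10.11
    )
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

    # Manual (asynchronous) backup, the same as right-clicking the server and choosing Backup.
    netsh dhcp server backup $BackupDir
    Assert-LastExitCode 'netsh dhcp server backup'

    # Text export of all scopes, reservations, leases and options. Importing it
    # on the target does not depend on matching database paths.
    netsh dhcp server export (Join-Path $BackupDir 'dhcp-export.txt') all
    Assert-LastExitCode 'netsh dhcp server export'

    # Global settings that the database backups leave out: audit log path,
    # backup interval, database path, conflict detection attempts.
    reg export $DhcpParamsKey (Join-Path $BackupDir 'DHCPServer-Parameters.reg') /y
    Assert-LastExitCode 'reg export'

    if ($Decommission) {
        # Stop answering clients before the new server goes live, and remove the
        # authorization so that a later service restart cannot revive this one.
        net stop DHCPServer | Out-Null
        if ($ServerFqdn -and $ServerIp) {
            netsh dhcp delete server $ServerFqdn $ServerIp
            Assert-LastExitCode 'netsh dhcp delete server'
        }
    }
    Get-ChildItem $BackupDir
}

function Restore-DhcpServerState {
    # Run on the TARGET server once the DHCP Server role is installed and the
    # backup folder has been copied over.
    param(
        [Parameter(Mandatory=$true)][string]$BackupDir,
        [string]$ServerFqdn,   # assumed, e.g. dhcp2.mcity.us
        [string]$ServerIp      # assumed, e.g. 192.168.10.12
    )
    # Registry settings go in while the service is stopped.
    net stop DHCPServer | Out-Null
    reg import (Join-Path $BackupDir 'DHCPServer-Parameters.reg')
    Assert-LastExitCode 'reg import'
    net start DHCPServer | Out-Null

    # The import needs the service running; it recreates scopes, options,
    # reservations and leases from the text export.
    netsh dhcp server import (Join-Path $BackupDir 'dhcp-export.txt') all
    Assert-LastExitCode 'netsh dhcp server import'

    # An unauthorized server in an AD domain stops servicing clients (audit log
    # events 54 and 56), so authorize it and list what the domain now holds.
    if ($ServerFqdn -and $ServerIp) {
        netsh dhcp add server $ServerFqdn $ServerIp
        Assert-LastExitCode 'netsh dhcp add server'
    }
    netsh dhcp show server

    # Do not assume the DNS dynamic update credentials (Advanced tab,
    # Credentials button) moved with the export; re-enter them on the target:
    #   netsh dhcp server set dnscredentials <user> <domain> <password>
}

# Typical sequence. On the old server:
#   Backup-DhcpServerState -BackupDir C:\DhcpMove -Decommission -ServerFqdn dhcp1.mcity.us -ServerIp 192.168.10.11
# Copy C:\DhcpMove to the new server, then on the new server:
#   Restore-DhcpServerState -BackupDir C:\DhcpMove -ServerFqdn dhcp2.mcity.us -ServerIp 192.168.10.12
```

Run both functions from an elevated PowerShell prompt. The ordering matters for the reason the text gives: the old server is stopped and unauthorized before the new one is authorized, so at no point do two servers hand out the same scope, and the final netsh dhcp show server listing lets you confirm that only the intended server is authorized in the domain.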
Configuring Windows DHCP Clients
Configuring Windows 2000, Windows XP/Vista, and Windows Server 2003/2008 clients to use
DHCP is a relatively simple process. At the client, right-click My Network Places and choose
Properties, or choose Start ➪ Settings ➪ Network and Dial-Up Connections to open the Network
Connections folder. Right-click the connection you want to configure for DHCP and choose
Properties. Double-click the TCP/IP protocol in the list of installed components, or select it and
click Properties, to display its property sheet.
On Windows 2000 systems, the Network Connections folder is named Network and
Dial-Up Connections.
To configure a Windows 9x or Me client, right-click Network Neighborhood on the desktop or
open the Network applet in the Control Panel. Locate and double-click the TCP/IP protocol in
the list of installed network components.
You can configure the client to obtain its IP address from the DHCP server, obtain DNS server
addresses through DHCP, or both. The controls on the General tab are self-explanatory.
Configuring DNS options for DHCP
You can configure a Windows 2000, Windows XP, Vista, or Windows Server 2003/2008 client
to use Dynamic DNS (DDNS) to automatically update its host record when its host name
changes or its IP address changes (including through DHCP lease renewal). Click Advanced on
the General property page for the TCP/IP protocol for the connection in order to display the
Advanced TCP/IP Settings dialog box; then, click the DNS tab to display the DNS page. This is
illustrated in Figure 4-12.
Two settings on the DNS page control integration of DHCP and DDNS for the client:
■ Register This Connection’s Addresses in DNS. Select this option to have the client
submit a request to the DNS server to update its host (A) record when its host name
changes or IP address changes. The client submits the full computer name specified in the
Network Identification tab of the System Properties sheet along with its IP address to the
DNS server. You can view the System properties through the System object in the Control
Panel, or right-click My Computer and choose Properties.
■ Use This Connection’s DNS Suffix in DNS Registration. Select this option to have the
client submit a request to the DNS server to update its host record when the host name
changes or the IP address changes. The difference between this and the previous option is
that this option registers the client using the first part of the computer name specified in
the System properties along with the DNS suffix specified by the option ‘‘DNS suffix for
this connection’’ on the DNS tab.
FIGURE 4-12
The DNS tab of the Advanced TCP/IP Settings dialog box.
Network Access Protection
Network Access Protection (NAP) on Windows Server 2008 can use DHCP as an enforcement
method. In other words, a client computer must meet the configured health requirements in
order to obtain an unlimited-access IP address configuration from a DHCP server. For
noncompliant computers, network access is limited by an IP address configuration (a
255.255.255.255 subnet mask, no default gateway, and static routes to the remediation servers)
that allows access only to the restricted network. Because this enforcement depends on the
client asking for a lease, DHCP is the weakest NAP enforcement method: a user with local
administrator rights can bypass it by assigning a static IP address, so treat it as a compliance
and remediation aid rather than as an access-control boundary.
DHCP enforcement policy kicks in when a DHCP client requests a lease or asks to renew an IP
address configuration from the server. The DHCP enforcement policy also actively monitors the
NAP client, and if it falls into noncompliance the server will renew the IPv4 address configuration and limit the client to the restricted network until the client becomes compliant.
NAP compliance and DHCP can be set on the Network Access Protection tab of the IPv4
Properties dialog box. This tab is shown in Figure 4-13.
FIGURE 4-13
The Network Access Protection tab of the IPv4 Properties dialog box.
Summary
DHCP provides a means through which you can allocate IP addresses to clients automatically
when the clients boot, making it much easier to manage IP leases and corresponding properties in a network. Rather than modify clients manually when a required change occurs (such as
DNS server change, router change, and so on), you simply modify the properties of the scope
on the DHCP server and allow the clients to retrieve the new data when they renew their leases.
Through class IDs, you can allocate specific scope properties to clients to satisfy unique requirements of the client, such as gateways, DNS servers, lease duration, and so on.
The DHCP server service provided with Windows Server 2008 also enables a Windows Server
to act as a multicast address provider, allocating multicast addresses to clients that require them.
A server can function as a unicast scope server, multicast scope server, or both.
A new management feature provided with the DHCP server service is the capability to tie DHCP
configuration issues to Network Access Protection policy. In addition, the DHCP server also
supports IPv6 scopes.
Windows Name Services
In Part III of this book, you learn that Active Directory domains are
modeled on Internet domains. You learned in Chapters 2 and 3 that
Windows Server networks rely on TCP/IP as the network protocol of
choice. To resolve Windows Server domain controllers and many other
hosts running Windows services, you need to fully understand and know
how to configure Domain Name Service (DNS). This chapter explains the
services that you can use to create DNS. It also covers Windows Internet
Name Service (WINS) name servers, and includes coverage of Dynamic
DNS (DDNS), client configuration, and related topics.
IN THIS CHAPTER
■ Getting an overview of the Domain Name Service (DNS)
■ Understanding Microsoft Domain Name Services
■ Configuring subdomains and delegation
■ Understanding DNS and Active Directory
■ Using Dynamic DNS
■ Using Windows Internet Name Service (WINS)
■ Configuring Windows Server 2008 clients for DNS and WINS
■ Using Hosts and LMHOSTS files for name resolution
Overview of the Domain Name Service
The Internet comprises many millions of devices, including computers,
routers, printers, and other devices, and each device is called a node.
Each node requires a unique IP address to differentiate it from others and
enable traffic to be routed to and from the node. Intranets also can employ
the TCP/IP protocol and require that each node have a unique address,
although in the case of an intranet, these IP addresses can come from
a nonpublic reserved address space such as 192.168.0.x. Nodes on the
Internet must have a unique, public IP address. IP addresses are difficult
for most people to remember, and their sheer number makes trying to do
so impractical. The Domain Name Service (DNS) overcomes this problem
by enabling users to work with names, rather than addresses. In effect, DNS provides a means
of mapping names to addresses. Rather than type 146.57.248.13 to connect to Fox News’ Web
site, for example, you connect your browser to www.foxnews.com. DNS takes care of translating www.foxnews.com into the appropriate IP address. Mapping a name to an IP address is
called name resolution.
The Internet arose from a network called the ARPANET, which comprised a relatively small
number of computers in the 1970s (mostly defense and educational systems). With few nodes, it
was fairly simple to provide name resolution. The Stanford Research Institute (SRI) maintained
a single text file named Hosts.txt that contained the host-to-address translations for all the
ARPANET’s hosts. The operating systems (predominantly Unix) used the Hosts.txt file to
resolve names to addresses. System administrators copied the Hosts.txt file from SRI to their
local systems periodically to provide an updated list.
As the number of hosts grew, the continued use of a Hosts.txt file to provide name resolution soon became impractical. In the mid-1980s, the DNS system was developed to provide a
dynamic name resolution system that no longer relied on a static name-to-address map. Before
you learn about the DNS system, however, you need to understand domain names.
Understanding domain names
As mentioned in the preceding section, each device on an IP network is a node. Many nodes
are also termed hosts. Generally, a host is a computer, router, or other ‘‘smart’’ device, but any
device can be considered a host and have a host name associated with it. In Windows Server
2008, a computer’s name as it appears on the LAN is typically its host name. Assume, for
example, that your computer’s name is ‘‘tia’’ and that your computer resides in the mcity.us
domain. The host name is tia, the domain name is mcity.us, and the Fully Qualified Domain
Name (FQDN) of your computer is tia.mcity.us. The FQDN identifies the host’s absolute
location in the DNS namespace.
Domain names are not limited to a single level, as in the preceding example. Assume that
the mcity.us domain comprises several sites, each with its own subdomain, and that the
domain is divided into three subdomains: east, midwest, and west. The
domain names would be east.mcity.us, midwest.mcity.us, and west.mcity.us.
These domains could further be divided into subdomains, such as sales.west.mcity.us,
support.west.mcity.us, and so on. Taking this example one step further, consider a
host named ‘‘tia’’ in the support.west.mcity.us domain. This host’s FQDN would be
tia.support.west.mcity.us.
Table 5-1 lists the original top-level domains. Notice that the root of the domain namespace is a
null, which is often represented by a dot (.). The dot is omitted from Table 5-1.
Table 5-2 lists new top-level domains.
TABLE 5-1
Original Top-Level Domains

Suffix  Purpose                                                            Example
com     Commercial organizations such as businesses                        microsoft.com
edu     Educational organizations such as colleges and universities        berkeley.edu
gov     Governmental organizations such as the IRS, SSA, NASA, and so on   nasa.gov
int     International organizations such as NATO                           nato.int
mil     Military organizations such as the Army, Navy, and so on           army.mil
net     Networking organizations such as ISPs                              mci.net
org     Noncommercial organizations such as the IEEE standards body        ieee.org

TABLE 5-2
New, Additional Top-Level Domains

Suffix  Purpose                                                                          Example
aero    Restricted to the air-transport industry                                         http://www.information.aero
biz     Businesses                                                                       latinaccents.biz
coop    Restricted to co-op organizations or those that serve co-ops                     redriver.coop
info    Informational sites                                                              windows.info
museum  Restricted to museums, museum associations, and museum professionals             smithsonian.museum
name    Personal names                                                                   boyce.name
pro     Restricted to credential-bearing accountants, lawyers, and doctors               shapiro.pro
us      Individuals, businesses, and organizations with a presence in the United States  ford.us
See www.icann.org for information about the new domain namespaces.
Several other domain types exist in addition to the domain types specified in Tables 5-1
and 5-2. The .us domain, for example, is used by governmental, regional, and educational
institutions in the United States. Other countries have their own domains, such as .uk for the
United Kingdom, .jp for Japan, and so on.
NeuStar, based in Washington, D.C., has been assigned authority for the .us domain
by the U.S. government. NeuStar’s .us Web site provides links to enable you to
research, register, and delegate within this domain. Point a Web browser to www.nic.us or
www.neustar.us for more information on the .us domain or to request delegation for .us
subdomains.
Until a few years ago, an organization called InterNIC was responsible for managing and
allocating domain names within the top-level domains. InterNIC, however, became a
for-profit business named Network Solutions, forfeiting its monopoly on the domain namespace. Network Solutions still can allocate domain names, however, as can a multitude
of other companies on the Internet. To acquire a domain name for your organization,
point your Web browser to www.icann.org to locate a domain registrar. Most domain
registrars provide features on their Web sites to look up domain names — to determine
whether the names are in use or are available, to register new domains, to modify domains,
and so on.
Today’s DNS system
Today’s DNS system functions as a distributed database through a client-server relationship
between DNS servers and clients requiring name resolution. The entire namespace of all
domains comprises the DNS namespace. By using a distributed database architecture, DNS
provides for local control of each domain while still enabling all clients to access the entire
database whenever needed.
The DNS namespace comprises a hierarchical structure of domains, with each domain representing a branch on the tree and subdomains residing underneath. At the topmost level are the root
servers, which serve the root zone and hold the delegations for the top-level domains such as
.com, .net, .org, .biz, and so on. The root of the domain namespace is a null, often represented
by a dot (.). Figure 5-1 illustrates the DNS namespace.
The root servers maintain only a limited amount of information about a given domain. Typically,
the information includes only the name servers identified as authoritative for the zone (that
is, those having authority over the domain’s records). Records that map names to addresses
within individual domains reside on the name server(s) for the domains in question. These name
servers are typically managed by ISPs for the ISPs’ clients or by companies that manage their
own domains. Certain other domains are delegated to other organizations (ISPs, state agencies,
educational institutions, and so on) that manage the domains for the respective domain holders.
Distributing the DNS namespace in this way enables users to control their own domains while
still remaining a part of the overall namespace.
FIGURE 5-1
The DNS namespace is a hierarchical distributed database.
(Figure: a tree rooted at the null label, drawn as "")
""  (root)
  com
    foofang.com
      sales.foofang.com
      support.foofang.com
        srv1.support.foofang.com
  net
  org
  (others)
Resolvers, name servers, and forward lookup
DNS clients called resolvers submit queries to DNS servers to be resolved into IP addresses.
Assuming, for example, that you want to connect to www.mcity.us, www is the host name
(or an alias to a different host name), and mcity.us is the domain name. The resolver on your
client computer prepares a DNS query for www.mcity.us and submits it to the DNS server
identified in your client computer’s TCP/IP settings, which in this case we assume is a DNS
server on your LAN. The DNS server checks its local cache (which stores results of previous
queries) and database and finds that it has no records for www.mcity.us. Therefore, the DNS
server sends the query to a root server, which does not hold the answer but refers it to the
name servers for the .us top-level domain; those in turn refer it to the name servers for
mcity.us. (Figure 5-2 shows these referrals as a single step.) Your DNS server then submits
a query to the specified DNS server for mcity.us, which responds with the IP address of the
host www. Your DNS server in turn provides this information
to your resolver, which passes the data to your client application (in this case, a Web browser),
and suddenly the www.mcity.us site pops up on your browser. Mapping a host name or alias
to its address in this way is called forward lookup. Figure 5-2 illustrates a forward-lookup
request.
Keep in mind that domains and IP address ranges have no direct relationship.
A single domain can use any number of different subnets, and host records in a
domain can point to hosts outside your local network and even outside your domain. You might
outsource e-mail for your organization, for example, which would mean that your domain contains
mail-related records that point to a server outside your subnet and LAN.
FIGURE 5-2
A forward-lookup query.
(Figure: the numbered exchange between the resolver, the client's designated name server, a root server, and the name server for the queried domain)
1. Query: resolver/client application to the client's designated name server
2. Query: designated name server to a root server
3. Referral: root server back to the designated name server
4. Query: designated name server to the name server for the queried domain
5. Resolution: name server for the queried domain back to the designated name server
6. Results: designated name server to the resolver/client application
Name servers range from the root servers all the way down to the name servers at your
department or organizational level. In most cases, a given name server manages all the records
for some portion of the DNS namespace called a zone. The terms ‘‘zone’’ and ‘‘domain’’ are
generally synonymous, but not always. A zone comprises all the data for a domain, with the
exception of parts of the domain delegated to other name servers. (See the section ‘‘Configuring
Subdomains and Delegation’’ later in this chapter for details.) A zone is the part of the domain
hosted on a particular name server. The domain comprises the whole of the domain, wherever
its components reside. Whenever the entire domain resides on a single name server, zone and
domain are synonymous.
A name server that has full information about a given zone is said to be authoritative, or to have
authority, for the zone. A given name server can be authoritative for any number of zones and
can be authoritative for some while being nonauthoritative for others. In addition, a name server
can be either a primary master or a secondary master for a zone. A primary master maintains
locally the records for those zones for which it is authoritative. The system administrator for a
primary master can add new records, modify existing records, and so on, on the primary master.
Figure 5-3 illustrates the relationship between zones and domains.
FIGURE 5-3
Portions of a domain can be delegated to name servers in subdomains.
(Figure: the mcity.us domain served by the name server for mcity.us, with support.mcity.us and sales.mcity.us each delegated to its own name server)
A secondary master for a zone pulls its records for the zone from a primary master through a
process called a zone transfer. The secondary master maintains the zone records as a read-only
copy and periodically performs zone transfers to refresh the data from the primary master.
You control the frequency of the zone transfers according to the requirements of the domain
in question, the desired amount of network traffic (reducing network traffic by reducing zone
transfers if needed), and any other issues pertinent to your domain(s). A secondary master is
essentially a backup DNS server. A server can function as a primary master for some zones and a
secondary master for others. The difference lies in how the server handles the zones and not in
the zones themselves. Because a zone transfer hands over the complete contents of a zone,
configure the primary to allow transfers only to the secondary servers you operate (on a
Windows DNS server, the Zone Transfers tab of the zone's properties); a zone that any host can
transfer gives an attacker a complete inventory of your hosts in a single query.
Domain records and zone files
Each zone contains records that define hosts and other elements of the domain or a portion
of the domain contained within the zone. These records are stored collectively in a zone file
on the DNS server. A zone file is a text file that uses a special format to store DNS records.
The default name for a zone file is domain.dns, where domain is the name of the domain
hosted by the zone, such as mcity.us.dns. Windows Server 2008 stores zone files in
%systemroot%\System32\Dns and provides an MMC console to enable you to manage the
contents of the zone files with a graphical interface.
Each zone contains a certain number of resource records that define the hosts and other data for
the zones. Several different types of records exist, with each serving a specific purpose. Each
record has certain properties associated with it that vary from one record type to the next.
Table 5-3 lists the record types and their purposes.
TABLE 5-3
Windows Server 2008 DNS Resource Records

Record   Purpose
A        Maps host name to an IPv4 address
AAAA     Maps host name to an IPv6 address
AFSDB    Location of an Andrew File System (AFS) cell's database server or a Distributed Computing Environment (DCE) cell's authenticated name server
ATMA     Maps domain name to an Asynchronous Transfer Mode (ATM) address
CNAME    Creates an alias (synonymous) name for the specified host
HINFO    Identifies the host's hardware and operating system type
ISDN     Maps host name to an Integrated Services Digital Network (ISDN) address (phone number)
KEY      Public key related to a DNS domain name
MB       Associates host with specified mailbox; experimental
MG       Associates host name with mail group; experimental
MINFO    Specifies mailbox name responsible for mail group; experimental
MR       Specifies mailbox name that is the correct rename of another mailbox; experimental
MX       Mail exchange server for domain
NS       Specifies the name of the domain's name server(s)
NXT      Defines literal names in the zone; implicitly indicates nonexistence of a name if not defined
PTR      Maps address to a host name for reverse lookup
RP       Identifies responsible person for domain or host
RT       Specifies intermediate host that routes packets to destination host
SIG      Cryptographic signature record
SOA      Specifies authoritative server for the zone
SRV      Defines servers for specific purpose such as http, ftp, and so on
TXT      Associates textual information with item in the zone
WINS     Enables lookup of host portion of domain name through WINS server
WINS-R   Reverse lookup through WINS server
WKS      Describes services provided by specific protocol on specific port
X.25     Maps host name to X.121 address (X.25 networks); used in conjunction with RT records

KEY, SIG, and NXT are the original DNSSEC record types defined in RFC 2535. They were
superseded by DNSKEY, RRSIG, and NSEC in RFC 4034, which the Windows Server 2008 DNS
server does not implement, so a zone signed with current DNSSEC cannot be validated or
signed on this version.
The primary record is the SOA, or Start of Authority. The SOA record indicates that the server is
authoritative for the zone and carries the serial number and the refresh, retry, and expire timers
that secondary servers use to decide when to pull a fresh copy. Whenever you create a new zone,
Windows Server 2008 automatically creates the SOA record for the zone. NS records identify
name servers, and a zone should contain an NS record for each name server that is authoritative
for the zone.
Address, or A, records map host names to IP addresses. Multi-homed hosts — those that have
multiple IP addresses — can be represented by multiple A records, each mapping the same host
name to the different addresses of the host. A DNS lookup retrieves all matching records when
multiple A records reference the same name. To improve performance, the name server sorts
the address list so that the closest address is at the top of the list when the resolver and name
server are on the same network. Otherwise, addresses are rotated through subsequent queries to
respond in round-robin fashion. One query responds with the address of the first address in the
list, for example, and subsequent queries respond with the second and third, respectively.
CNAME (Canonical Name) records map an alias name to a Fully Qualified Domain Name
(FQDN) and are therefore called alias records. A and CNAME records typically
work hand-in-hand. You create a host (A) record for a host and then use CNAME records to
create aliases. You may create a host record for server.mcity.us, for example, and then use
CNAME records to create aliases for www and ftp that point to that server.
Mail Exchanger, or MX, records are another common resource record type. MX records enable
servers to route mail. The MX records in a zone determine how mail is routed for the domain
hosted by the zone. An MX record includes the FQDN of the mail server and a preference
number from 0 to 65535. The preference number determines the priority of the mail server
specified by the MX record. If multiple mail servers exist for a domain, then the zone includes
multiple MX records. Mail delivery is attempted based on the preference number, with the lowest numbered server(s) tried first. If the MX records all have the same preference number, the
remote mail server has the option of sending to any of the domain’s mail servers with the given
preference number.
Service Locator (SRV) resource records offer the same flexibility for other services that MX
records offer for mail routing. You create SRV records for specific services such as HTTP, FTP,
LDAP, and so on. Resolvers that are designed to work with SRV records can use the preference
number to connect to hosts offering the specified service. As with MX records, servers with
lower preference numbers are attempted first.
The Pointer (PTR) record is another common record type. Pointers map addresses to names, the
reverse of what host records do, in a process called reverse lookup. You learn more about reverse
lookup in the following section. For now, be aware that whenever you create or modify resource
records for forward lookup, the Windows Server 2008 DNS service can automatically create or
modify the associated PTR record.
Each record has certain properties associated with it, and many properties are common to all
records. Each record, for example, has a time-to-live, or TTL, property. The TTL value, a 32-bit
integer, specifies the number of seconds for which the resolver should cache the results of
a query before it is discarded. After the specified TTL period is reached, the resolver purges
the entry from the cache, and the subsequent query for the item is sent to the name server,
rather than pulled from the cache. Although the TTL value and caching can speed performance
by caching frequently used queries, the dynamism of the Internet requires that records can
change. Mail servers, Web servers, FTP servers, and other hosts can and do change addresses,
and those changes need to be reflected in the DNS namespace. The TTL value enables caching,
but also enables query results to grow stale and the resolver to query for fresh results. You
need to adjust the TTL value for records to suit the type of record and how often you want the
record updated across the intranet/Internet. If you’re not sure what value to use initially, use the
default value.
The TTL value is optional for most resource records. The minimum default value
specified with the SOA record is used if no TTL is specified for a record. In addition,
the Windows Server 2008 DNS GUI presents some data differently from the way it is stored.
The TTL is a 32-bit integer in the data file, for example, but the GUI represents it in the format
DD:HH:MM:SS (days:hours:minutes:seconds) for readability.
Reverse lookup
Forward lookup maps names to addresses, enabling a resolver to query a name server with a
host name and receive an address in response. A reverse query, also called reverse lookup, does
just the opposite — it maps an IP address to a name. The client knows the IP address but needs
to know the host name associated with that IP address. Reverse lookup is most commonly used
to apply security based on the connecting host name, but it is also useful if you’re working with
a range of IP addresses and gathering information about them.
Address-to-name mapping through the regular forward lookup mechanism is simply not practical, because it requires an exhaustive search of the entire DNS namespace to locate the appropriate information. Imagine scanning through the New York City phone book trying to match a
phone number with a name: Multiply that task by the number of computers on the Internet and
you begin to understand that reverse lookup requires a special mechanism to make it practical.
The solution is to create a namespace of IP addresses — in other words, a domain in the namespace that uses IP addresses, rather than names. In the DNS namespace, the in-addr.arpa
domain serves this purpose. The in-addr.arpa domain serves as the root for reverse lookup.
To understand how the in-addr.arpa domain and reverse lookup work, you need to first
examine IP addresses.
Each IP address is a dotted octet, or four sets of numbers ranging from 0 to 255, separated by
periods. An example of a valid IP address is 206.210.128.90. The in-addr.arpa domain
delegates each octet as a subdomain. At the first level is n.in-addr.arpa, where n represents a
number from 0 to 255 that corresponds to the left-most octet of an IP address. Each of these
domains contains 256 subdomains, each representing the second octet. At the third level are
subdomains that represent the third octet. Using the IP address given in this example, the
reverse-lookup zone is 128.210.206.in-addr.arpa. Figure 5-4 illustrates the reverse lookup
domain in-addr.arpa.
FIGURE 5-4
The domain in-addr.arpa provides the capability to perform reverse lookup, mapping addresses
to host names.
[Figure: Lookup of 206.210.128.90. A tree from the root (""), through arpa and in-addr, then the subdomain 206 (among 0 through 255), then 210, then 128, where the 90 host is resolved by the name server for the parent domain.]
As the example in Figure 5-4 illustrates, reverse-lookup zones are structured in reverse notation
from the IP address ranges that they represent. Take a forward lookup as an example, assuming that you’re querying for the host bob.support.midwest.mcity.us. The lookup starts in
the .us domain, moves to mcity, to midwest, to support, and then finally locates the bob
host record. Reverse lookups happen in the same way, moving from least significant to most significant, right to left. Using the address from the preceding example, the reverse lookup starts
in in-addr.arpa, moves to the 206 subdomain, to 210, and then to 128, where it finds the
PTR record for the .90 address and maps it to a host name. Using reverse notation to create the
reverse lookup zones enables the query to start with the first octet of the address, which in this
example is 206.
The upper-level reverse lookup domains are hosted primarily by large ISPs such as AT&T,
which delegate the subdomains to individual customers (or handle reverse lookup for them).
Your primary concern is probably creating reverse-lookup zones for your subnets. Creating
a reverse-lookup zone is a relatively simple task and is much like creating a forward-lookup
zone. The only real difference is that instead of manually creating records in the reverse-lookup zone, you rely on the DNS service to do it for you automatically as you create records in
forward-lookup zones. (You can find detailed steps for creating both forward and reverse lookup
zones in the section ‘‘Microsoft Domain Name Services’’ later in this chapter.)
Delegation
Delegation is the primary mechanism that enables DNS to be a distributed namespace. Delegation
enables a name server to delegate some or all of a domain to other name servers. The delegating
server in effect becomes a ‘‘gateway’’ of sorts to the delegated domain, with individual domain
records residing not on the delegating server but on those servers to which the subdomains are
delegated. Figure 5-5 illustrates the process.
FIGURE 5-5
Delegation enables local control of subdomains where another organization has control and
responsibility for the parent domain.
[Figure: a tree from the root (managed by the root server manager) through biz to mcity.us (managed by corporate HQ IT admins). Below it: west.mcity.us (managed by West Coast IT admins), cen.mcity.us (managed by corporate IT admins), and east.mcity.us (managed by East Coast IT admins); srv1.west.mcity.us is shown as an individual server.]
In the example of delegation shown in Figure 5-5, the root server for the .biz domain controls
the mcity.us domain. The west.mcity.us domain is delegated to the West Coast IT staff,
which hosts its own DNS servers and manages the DNS records for the subdomain. The subdomains for cen.mcity.us and east.mcity.us are managed by the corporate IT staff in Miami.
Delegation provides two primary benefits. One, it reduces the potential load on any given name
server in the delegation chain. Suppose that all domains in the .com domain were hosted by
one company. The company would need to host millions of domains, imposing an impossible
load on their servers. More important, this situation would place a significant load on the poor
administrators who would administer the zones. This load reduction leads to the second benefit:
Delegation enables a decentralized administration, further enabling other organizations, such
as subsidiaries of the company, to administer their own domains and have control over their
resource records. (See the section ‘‘Configuring Subdomains and Delegation’’ later in this chapter
for detailed steps on creating and delegating subdomains.)
Caching, forwarders, and slaves
The number of queries that could potentially hit an active and popular domain on the Internet
could easily overwhelm a name server. Caching helps reduce that load and reduce network
traffic. Each server caches successful and unsuccessful resolution queries for a period of time
defined by the server’s administrator. Whenever a resolver queries the server for an address, the
server checks its cache first for the data, and, if the data exists in the cache, submits the cached
data to the client, rather than look up the data again.
Caching unsuccessful queries is called negative caching. Negative caching speeds
response time, reduces server load, and reduces network traffic by eliminating
repeated queries for names that can’t be resolved (such as non-existent domains or hosts). As with
positive caching, however, negative-cache results age and expire, enabling lookups to succeed
when the domain or host record does become available.
Name servers can function as caching-only servers, which don’t maintain any zone files and
are not authoritative for any domain. A caching-only server receives queries from resolvers,
performs the queries against other name servers, caches the results, and returns the results to the
resolvers. Therefore, a caching-only server essentially acts as a lookup agent between the client
and other name servers. At first glance, caching-only servers may seem to make little sense.
They reduce network traffic, however, in two ways: Caching-only servers reduce zone transfers
because the caching-only name server hosts no zones and, therefore, requires no zone transfers.
Caching-only servers also reduce query traffic past the caching-only server as long as query
results for a given query reside in the server’s cache. Because the cache is cleared after the server
restarts, the most effective caching-only server is one that remains up for extended periods.
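The TTL handling described in the previous section and the positive and negative caching described here can be exercised with the following Python code, an added example that is not part of the book. The zone data, the 30-second negative TTL and the clock are constructed for the demonstration; a real server takes the negative TTL from the zone's SOA record.

```python
import time

MAX_TTL = 2**32 - 1   # the TTL is stored as a 32-bit integer in the zone data file


def ttl_to_gui(ttl):
    """Render a TTL in seconds the way the DNS console shows it: DD:HH:MM:SS."""
    if not 0 <= ttl <= MAX_TTL:
        raise ValueError("TTL must fit in 32 bits")
    days, rest = divmod(ttl, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{days}:{hours:02d}:{minutes:02d}:{seconds:02d}"


def gui_to_ttl(text):
    """Parse DD:HH:MM:SS back into seconds (inverse of ttl_to_gui)."""
    days, hours, minutes, seconds = (int(p) for p in text.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError("hours, minutes and seconds out of range")
    ttl = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    if ttl > MAX_TTL:
        raise ValueError("TTL must fit in 32 bits")
    return ttl


class FakeClock:
    """Deterministic clock so that cache expiry can be tested without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class NameCache:
    """Resolver cache holding positive answers and negative (no such name) results.
    An entry is purged the first time it is looked up after its TTL has elapsed."""
    def __init__(self, clock=time.monotonic, negative_ttl=300):
        self.clock = clock
        self.negative_ttl = negative_ttl   # constructed default; real servers use the SOA value
        self._entries = {}

    def store(self, name, rtype, answer, ttl):
        # answer is a list of strings for a positive result, or None for a negative result
        self._entries[(name.lower(), rtype)] = (answer, self.clock() + ttl)

    def lookup(self, name, rtype):
        """Return ('hit', answer), ('negative', None) or ('miss', None)."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return ("miss", None)
        answer, expires = entry
        if self.clock() >= expires:
            del self._entries[key]          # stale: purge and force a fresh query
            return ("miss", None)
        return ("hit", answer) if answer is not None else ("negative", None)


class CachingResolver:
    """Caching-only behaviour: answer from the cache, otherwise ask upstream and cache the result,
    whether it was an answer or a failure."""
    def __init__(self, upstream, cache):
        self.upstream = upstream            # upstream(name, rtype) -> (answer list or None, ttl)
        self.cache = cache
        self.upstream_queries = 0

    def query(self, name, rtype="A"):
        status, answer = self.cache.lookup(name, rtype)
        if status == "hit":
            return answer
        if status == "negative":
            return None
        self.upstream_queries += 1
        answer, ttl = self.upstream(name, rtype)
        if answer is None:
            ttl = self.cache.negative_ttl    # negative results age too
        self.cache.store(name, rtype, answer, ttl)
        return answer


# Constructed upstream data (not from the book): one host with a 60-second TTL.
UPSTREAM_DATA = {("www.mcity.us.", "A"): (["206.210.128.90"], 60)}


def fake_upstream(name, rtype):
    return UPSTREAM_DATA.get((name.lower(), rtype), (None, 0))


def demo():
    """Walk through hit, negative hit and expiry; returns how many queries left the cache."""
    clock = FakeClock()
    resolver = CachingResolver(fake_upstream, NameCache(clock=clock, negative_ttl=30))
    resolver.query("www.mcity.us.")      # miss: goes upstream (1)
    resolver.query("WWW.mcity.us.")      # hit: names are case-insensitive
    resolver.query("nope.mcity.us.")     # miss: goes upstream (2), failure is cached
    resolver.query("nope.mcity.us.")     # negative hit: no upstream query
    clock.advance(61)                    # both entries are now older than their TTLs
    resolver.query("www.mcity.us.")      # miss again: goes upstream (3)
    return resolver.upstream_queries
```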
A name server typically attempts to resolve queries against its own cache and zone files and,
failing that, queries one or more other name servers for the information. In certain situations,
you may not want all name servers for an organization to be communicating with the outside
world — for network security, bandwidth, or cost reasons. Instead, you’d forward all traffic
through a given name server that would act as a sort of agent for the other name servers in the
organization. Assume, for example, that you have a few relatively slow or expensive Internet
connections to your site and one with higher bandwidth or that is less costly. Servers A, B,
and C connect through the former, and server D connects through the latter. Rather than have
all servers generating traffic through their respective links, you might want to funnel all traffic
through server D. In this case, server D would act as a forwarder, which forwards offsite name
queries for other name servers on the network. Servers A, B, and C would handle queries against
their local caches and zone files, and, failing those queries, would pass the query on to server D.
Name servers can interact with forwarders either exclusively or nonexclusively. If interacting
nonexclusively, the server attempts to resolve queries against its cache and own zone files first.
Failing that, the server forwards the request to the designated forwarder. If the forwarder fails
the query, the server attempts to resolve the query on its own through other name servers. To
prevent a server from doing this, you need to configure it as a slave, which makes it function in
exclusive mode with the forwarder. When functioning as a slave, a name server first attempts to
resolve a query against its cache and local zone files. Failing that, it forwards the query to the
designated forwarder. If that fails, the forwarder responds with an unsuccessful query, and the
local server fails the request to the client resolver without attempting any further resolution.
You also can configure a slave name server as a caching-only slave. In this configuration, the
server hosts no zone files. It attempts to resolve queries against its local cache only and, failing
that, forwards the query to the designated forwarder and takes no further action to resolve the
query. It does not itself fail the request to the resolver.
Recursion, iteration, and referrals
Figure 5-6 illustrates a query for resolution of the host name jane.west.mcity.us. As the
figure shows, the name server directly queried by the client must perform several queries to
find a definitive answer. The other name servers do relatively little work, mostly responding
with referrals, which simply point the originating server to a different name server farther down
the namespace hierarchy. In effect, these other servers are saying, ‘‘I don’t have the answer, but
so-and-so does,’’ referring to the name server contained in the referral.
FIGURE 5-6
Resolution of the host name jane.west.mcity.us shows recursion and referrals.
[Figure: the client application sends 1. Query to its designated name server A. Server A then performs 2. Query/Referral with root server B, 3. Query/Referral with the US name server C, 4. Query/Referral with the mcity.us name server D, and 5. Query/Resolution with the west.mcity.us name server E, and returns 6. Results to the client.]
DNS uses two primary means to resolve queries: recursion and iteration (also referred to
as nonrecursive). A recursive query is the method used by server A in Figure 5-6. In this
example, the resolver sends a recursive query to server A, which starts the resolution process
by querying the root server B. Server B responds with a referral to server C, which hosts
the root of the .biz domain. Server C responds with a referral to server D, which hosts the
mcity.us domain. Server D responds with a referral to server E, which hosts the delegated
west.mcity.us subdomain. Server E contains the appropriate host record and returns the
address for jane.west.mcity.us. In other words, in a recursive query, the queried server (in
this case A) continues to query other servers until it finds a definitive answer; then it returns
that answer to the resolver. A recursive query places the most load on the client’s name server.
An iterative query places the majority of the load on the client. In the iterative query shown in
Figure 5-7, the client resolver requests resolution of the same host, jane.west.mcity.us. In
this example, however, name server A simply responds with the best information that it already
has for the query. If the resolved query resides in Server A’s cache, it responds with that data.
Otherwise, it gives the client a referral to a name server that can help the resolver continue the
query on its own. In the case of Figure 5-7, server A provides a referral to server B, which gives
the client resolver a referral to C, and so on, until server E finally provides the answer to the
resolver.
FIGURE 5-7
An iterative query of jane.west.mcity.us.
[Figure: the client queries its designated name server A and receives a referral. The client resolver then queries root server B, the US name server C, and the mcity.us name server D in turn, each returning a referral, until the west.mcity.us name server E resolves the query.]
One main difference between recursive and iterative queries is the fact that recursive queries
place the majority of the responsibility for resolving the query on the name server, whereas the
iterative query places the responsibility with the client resolver. To adequately process iterative
queries, therefore, a client resolver must be more complex and ‘‘smarter’’ than one that relies
only on recursive queries. Recursive queries also tax the client’s designated name server(s) much
more than iterative queries. Name servers in general and Windows Server 2008 in particular
enable you to disable the server’s support for recursive queries, forcing the clients to use iterative
queries. You might choose this option in situations where you need to limit the load on the
server. Another reason to disable recursion is if you’re setting up a name server that services
only the LAN or WAN and you don’t want it to attempt to resolve queries for domains outside
that general area.
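The delegation chain of Figure 5-5 and the recursive and iterative resolutions of Figures 5-6 and 5-7 can be simulated with the following Python code, an added example that is not part of the book. The server identifiers A through E follow the figures; the zone contents, the addresses and the hop cap are constructed for the demonstration.

```python
# Constructed name-server database (not the book's own data). Each server is authoritative for
# one zone and holds the delegations (NS records) for its child zones, which it returns as
# referrals when asked about a name inside a delegated subdomain.
SERVERS = {
    "B": {"zone": ".", "delegations": {"us.": "C"}, "hosts": {}},              # root server
    "C": {"zone": "us.", "delegations": {"mcity.us.": "D"}, "hosts": {}},      # US name server
    "D": {"zone": "mcity.us.", "delegations": {"west.mcity.us.": "E"},
          "hosts": {"srv1.mcity.us.": "192.0.2.10"}},                          # mcity.us name server
    "E": {"zone": "west.mcity.us.", "delegations": {},
          "hosts": {"jane.west.mcity.us.": "192.0.2.77"}},                     # west.mcity.us name server
}
ROOT_HINT = "B"   # a resolver needs at least one root server to start from


def in_zone(name, zone):
    """True if name lies inside zone (the root zone '.' contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_response(server, name):
    """What one server says when asked for name: an answer, a referral to the server holding the
    most specific delegated child zone, NXDOMAIN, or REFUSED if the name is outside its zone."""
    data = SERVERS[server]
    if not in_zone(name, data["zone"]):
        return ("refused", None)
    for child in sorted(data["delegations"], key=len, reverse=True):
        if in_zone(name, child):
            return ("referral", data["delegations"][child])
    if name in data["hosts"]:
        return ("answer", data["hosts"][name])
    return ("nxdomain", None)


def iterate(name, start=ROOT_HINT, max_hops=8):
    """Follow referrals from start until a definitive answer. Returns (status, value, path)."""
    path, server = [], start
    for _ in range(max_hops):
        path.append(server)
        status, value = authoritative_response(server, name)
        if status != "referral":
            return (status, value, path)
        server = value
    return ("servfail", None, path)   # the hop cap guards against a delegation loop


def designated_server(name, recursion_enabled):
    """Server A, the client's designated (non-authoritative) name server. With recursion
    enabled it walks the whole referral chain itself; with recursion disabled it hands the
    client the best referral it has, namely the root hint, and does no further work."""
    if recursion_enabled:
        status, value, path = iterate(name)
        return (status, value, ["A"] + path)
    return ("referral", ROOT_HINT, ["A"])


def client_query(name, recursion_enabled=True):
    """The client resolver: one query to server A and, if A only refers, iteration on its own."""
    name = name.lower()
    status, value, path = designated_server(name, recursion_enabled)
    client_hops = 0
    if status == "referral":
        status, value, more = iterate(name, start=value)
        path += more
        client_hops = len(more)
    return {"status": status, "value": value, "path": path,
            "queries_by_client": 1 + client_hops}
```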
Microsoft Domain Name Services
Windows Server 2008 includes the Microsoft Domain Name Services (DNS) service, which you
can use to set up and manage a Windows Server 2008 DNS server. As with other services, Windows Server 2008 provides a Microsoft Management Console (MMC) to enable you to manage
DNS servers, zones, and resource records. The previous sections of the chapter explain the concepts behind the DNS service. The following sections focus on installing and configuring DNS
and setting up zones and domains.
Installing DNS
You can install DNS through the Add or Remove Programs applet in the Control Panel. Open
the Add or Remove Programs applet and in the Add or Remove Programs window that appears,
click Add/Remove Windows Components. Double-click Networking Services or select the item
and click Details. Select Domain Name System (DNS) and click OK. Follow the remaining
prompts to complete installation of the software.
Overview of the DNS console
The DNS console included with the DNS service enables you to set up a DNS server, create and
manage zones, create and manage resource records, and so on. In short, the DNS console is a
single point of contact for all DNS management. Figure 5-8 shows the DNS console. Open the
DNS console from the Administrative Tools folder.
By default, the DNS console shows the local server, but you can connect to any Windows Server
2008 DNS (or the DNS servers of previous versions of Windows Server) through the console.
The console now provides you with the ability to set up conditional forwarding — this is not
available with versions prior to Windows Server 2008. Conditional forwarding is a new feature
that improves conventional forwarding by forwarding according to domain names provided
in the queries. In other words, you can configure the DNS servers to forward queries to other
forwarders by the provided domain names contained in the queries.
FIGURE 5-8
Use the DNS console to manage DNS servers locally and remotely.
To connect to a server, right-click DNS in the left pane and choose Connect to DNS Server.
Select The Following Computer radio button and then specify the computer’s name or IP
address in the corresponding text box. Click OK to connect.
After you connect to a server, you find three primary branches in the left pane: Forward Lookup
Zones, Reverse Lookup Zones, and Conditional Forwarders. Expanding the Forward Lookup
Zones branch displays all forward-lookup zones, each under its own sub-branch. Expanding the
Reverse Lookup Zones branch displays all reverse-lookup zones in their own sub-branches.
How the contents of a zone branch appear depends on whether the zone is for a Windows
Server 2008 Active Directory domain or simply a DNS domain. If it’s for a Windows Server
2008 domain, you find additional branches for domain-related services and objects, such as
Kerberos, LDAP, sites, and more (see Chapters 20 and 21).
Creating forward-lookup zones
Each domain that you host for DNS requires a forward-lookup zone, a zone file, and associated
records. You create the zone in the DNS console by using one of the following three options:
■ Active Directory Integrated. This option creates the zone in the Active Directory, or
AD, which provides for replication, integrated storage, security, and the other advantages
inherent in the AD. The zone file is stored within the AD. You can create an AD-integrated
zone only on a domain controller, giving the DNS service direct access to the database
mechanisms of AD. You can’t create AD-integrated zones on member servers that function
as DNS servers.
■ Standard Primary. This option creates a standard primary zone using a .dns file in
%systemroot%\System32\Dns (default location). You can add and modify resource
records in a primary zone.
■ Standard Secondary. This option creates a standard secondary zone using a .dns file in
%systemroot%\System32\Dns. This is a read-only copy of a zone on another server. You
cannot create or modify resource records in a secondary zone.
Windows Server 2008 provides a wizard to help you create a zone. Right-click either the server
name or on the Forward Lookup Zone branch and choose New Zone from the context menu to
start the New Zone Wizard. In addition to prompting you for the type of zone (AD-integrated,
primary, secondary, stub), the wizard prompts for the following information:
■ Forward Lookup Zone/Reverse Lookup Zone. Choose the type of zone that you want
to create. In this case, choose Forward Lookup Zone.
■ Zone Name. Specify the full name of the zone, such as mcity.us, west.mcity.us, and
so on. If you are specifying a second-level zone such as west.mcity.us, make sure that
you first create the first-level zone for mcity.us on its designated name server. You then
delegate west.mcity.us on that server to the current server.
■ DNS Zone File. Specify a zone-file name under which to store the zone’s records if you’re
creating a standard primary or standard secondary zone. Specifying an existing file enables
you to migrate existing resource records to the new zone. AD-integrated zones are stored
in the AD and don’t require an external file.
After you create a forward-lookup zone, you can begin populating it with resource records.
Before doing so, however, first create any required reverse-lookup zones. Creating the
reverse-lookup zone(s) before creating the resource records enables DNS to automatically
create the PTR records in the reverse-lookup zones for resource records that you create in the
forward-lookup zones.
Creating reverse-lookup zones
You create a reverse-lookup zone in much the same way that you create a forward-lookup zone.
The primary difference is that you specify the subnet for the zone, and the DNS console converts that to the appropriate reverse zone name. Enter 208.141.230 after you’re prompted, for
example, and the DNS console creates the reverse lookup zone 230.141.208.in-addr.arpa.
You do not need to specify three octets unless you’re creating a reverse-lookup zone for a
domain that uses a class-C address space. Specify the appropriate number of octets to define
your reverse lookup zone. In addition, you can choose to specify the DNS filename yourself, but
remember to enter it in reverse notation.
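The reverse-notation naming explained in the section ‘‘Reverse lookup’’ and the subnet-to-zone conversion performed by the DNS console here are implemented in the following Python code, an added example that is not part of the book. It also includes the forward-confirmed check that should precede any security decision based on a connecting host's reverse-lookup name; the zone records it uses are constructed, including one deliberately inconsistent PTR.

```python
import ipaddress

# Constructed zone data (not from the book). A multi-homed host has several A records,
# so the forward map holds a list of addresses per name.
FORWARD_A = {
    "server.mcity.us.": ["206.210.128.90", "206.210.128.91"],
    "www.mcity.us.": ["206.210.128.90"],
}
REVERSE_PTR = {
    "90.128.210.206.in-addr.arpa.": "server.mcity.us.",
    "91.128.210.206.in-addr.arpa.": "server.mcity.us.",
    # a PTR claiming a name whose A records do not include this address
    "5.0.0.10.in-addr.arpa.": "server.mcity.us.",
}


def reverse_name(ip):
    """PTR owner name for an IPv4 address: 206.210.128.90 -> 90.128.210.206.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # ValueError on malformed input
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_zone_name(prefix):
    """Zone name derived from a 1- to 3-octet network prefix, as the DNS console derives it:
    208.141.230 -> 230.141.208.in-addr.arpa."""
    octets = prefix.split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("prefix must contain 1 to 3 octets")
    for o in octets:
        if not (o.isdigit() and 0 <= int(o) <= 255):
            raise ValueError(f"bad octet {o!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def zone_for_address(ip, zones):
    """The reverse-lookup zone a PTR for ip belongs in: the longest zone name that is a suffix
    of the PTR owner name (the choice the DNS service makes when it auto-creates a PTR)."""
    owner = reverse_name(ip)
    matches = [z for z in zones if owner.endswith("." + z)]
    return max(matches, key=len) if matches else None


def forward_confirmed(ip, forward=FORWARD_A, reverse=REVERSE_PTR):
    """Forward-confirmed reverse DNS: the PTR yields a name, and that name's A records must
    contain ip. Returns True or False, or None when no PTR exists for the address. Only a
    True result justifies trusting the host name for access control."""
    name = reverse.get(reverse_name(ip))
    if name is None:
        return None
    return ip in forward.get(name, [])
```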
Creating resource records
After you create a zone, you can populate it with resource records. As you create a zone, the
Windows Server 2008 DNS service automatically creates the SOA record and NS record for you.
To create new records, right-click the zone in the left pane or right-click the right pane and
choose New Host, New Alias, or New Mail Exchanger from the context menu to create A,
CNAME, or MX records. Alternatively, choose Other New Records to create other types of
resource records. The information that you provide will vary slightly depending on the type of
record that you’re creating.
Host records (A)
Host, or A, records map a host name to an IP address and are the primary means by which
names are resolved. Each host in your network that you want visible through DNS needs to
have a host record in its corresponding zone.
In creating a host record, you specify the host name (such as www, ftp, tia, server, and
so on) and the IP address to map to that host. You can’t add a host name containing periods,
because anything after the period is considered part of the domain name. Select the Create
Associated Pointer (PTR) Record option after creating the record in the DNS console to have
DNS automatically create a pointer record in the reverse-lookup zone for the domain. DNS
chooses the appropriate reverse-lookup zone based on the IP address that you specify for
the host.
If you need to create a host name that contains a period, first create a parent-level
zone for the second half of the name. If you’re attempting to create joe.west in
the mcity.us domain, for example, you first need to create a west zone as a subdomain of
mcity.us. Then create the host record for joe in the west.mcity.us subdomain.
Alias (CNAME) records
Alias, or CNAME, records map an alias name to an existing FQDN. Assume, for example, that
you’re the administrator for mcity.us and you have a server in your network named srv1,
with a corresponding A record for srv1 that points to the server’s IP address. You want to use
the server as a Web server, so you create an alias for www that points to srv1.mcity.us. Users
connect to www.mcity.us, and DNS actually routes them transparently to srv1.mcity.us.
In creating an alias record, you specify the alias name and the Fully Qualified Domain Name
of the host to which the alias points. As with a host record, you can’t include a period in the
host name for the alias. The FQDN for the alias can and does have periods in it, because by
definition an FQDN contains the domain name in which the host resides.
Mail Exchanger records (MX)
Mail Exchanger, or MX, records enable mail to be routed through or to a domain. They specify
mail exchangers, or servers that process mail for the domain. For MX records, specify the
single-part name for the Mail Exchanger in the Host or Domain field. If you leave this field
blank, the Mail-Exchanger name is the same as the parent domain name. In the Mail Server
field, specify the FQDN of the server that acts as the Mail Exchanger. The FQDN that you
specify here must resolve to a host (A) record in the zone, so make sure that you create the A
record for the Mail Exchanger as well as the MX record. You can click Browse to browse the
DNS namespace for the appropriate host name if you’re not sure what it is. Finally, specify the
preference number for the Mail Exchanger in the Mail Server Priority field.
Service Location records (SRV)
Service Location, or SRV, records are another common resource record type that offers excellent
flexibility if a domain contains multiple servers for specific services, such as multiple HTTP
servers. SRV records enable you to easily move a service from one host to another, and to
designate certain hosts as primary for a given service and others as secondary for that same
service. You might designate a server as the primary Web (HTTP) server, for example, and two
others as secondary servers to handle HTTP requests whenever the primary server is heavily
loaded or offline.
Resolvers that support SRV records submit a request to the DNS server for servers in the subject domain that provide a specific TCP/IP service (such as HTTP). The DNS server responds
with a list of all servers in the domain that have a corresponding SRV record for the requested
service type.
To create an SRV record, right-click the zone in the DNS console and choose Other New
Records from the context menu. Select Service Location from the list and click Create Record to
open the New Resource Record dialog box (it opens to the Service Location tab), as shown in
Figure 5-9.
FIGURE 5-9
Use the Service Location (SRV) tab of the New Resource Record dialog box to create SRV records
for specific services offered by specific servers.
Fill in the fields for the SRV record, using the following list as a guide:
■ Service. Select the predefined service type offered by the target server (FTP, HTTP, and
so on).
■ Protocol. Select either tcp or udp, depending on the requirements of the service.
■ Priority. Specify an integer between 0 and 65535. This value specifies the preference
order of the server, just as the preference number for an MX record identifies the priority of the target Mail Exchanger. A lower value places the server higher in the priority list
(0 is highest priority); a higher value gives the server a lower priority. The client tries the
server with the highest priority first. Failing that, it attempts connections to other servers
in decreasing priority. Multiple servers can have the same priority value.
■ Weight. Specify an integer between 0 and 65535 to allocate a weight to the target server
for load-balancing purposes. If multiple servers have the same priority value, the weight
value serves as a secondary priority indicator. Hosts with a higher weight value are
returned first to the resolver client. Use a value of 0 to turn off weighting if you don’t need
load balancing. Using a value of 0 speeds up SRV queries and improves performance.
■ Port Number. Specify an integer from 0 to 65535 to indicate the tcp or udp port number
used by the target service.
■ Host Offering This Service. Specify the FQDN of the target server offering the service.
The FQDN must resolve to a valid name supported by a host record in the server’s
domain.
■ Allow Any Authenticated User to Update All DNS Records with the Same Name.
Apply an ACL to the record, enabling any authenticated user to update the record. This
setting is available only for resource records of zones stored in the Active Directory.
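How a client orders the MX records described earlier and the SRV priority and weight fields described in this list is shown by the following Python code, an added example that is not part of the book. The records are constructed; the SRV ordering implements the weighted selection of RFC 2782, which is the mechanism behind the list's statement that heavier targets are tried first.

```python
import random
from collections import namedtuple

MX = namedtuple("MX", "preference exchange")
SRV = namedtuple("SRV", "priority weight port target")


def _check16(value, what):
    """Preference, priority, weight and port are all 16-bit fields."""
    if not 0 <= value <= 65535:
        raise ValueError(f"{what} must be between 0 and 65535")


def mx_delivery_order(records, rng=random):
    """Order mail exchangers for delivery attempts: lowest preference first. Exchangers that
    share a preference may be tried in any order, so each group is shuffled."""
    groups = {}
    for r in records:
        _check16(r.preference, "MX preference")
        groups.setdefault(r.preference, []).append(r)
    ordered = []
    for pref in sorted(groups):
        group = list(groups[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def srv_connection_order(records, rng=random):
    """RFC 2782 ordering: ascending priority (0 is tried first); inside one priority, targets are
    drawn repeatedly at random with probability proportional to weight. Weight-0 targets sit at
    the front of the candidate list so they are drawn only when nothing heavier remains; when
    every weight is 0 the records simply keep their order (weighting switched off)."""
    by_priority = {}
    for r in records:
        _check16(r.priority, "SRV priority")
        _check16(r.weight, "SRV weight")
        _check16(r.port, "SRV port")
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_priority):
        remaining = sorted(by_priority[prio], key=lambda r: r.weight != 0)  # stable: zeros first
        while remaining:
            total = sum(r.weight for r in remaining)
            pick = rng.randint(0, total)
            running = 0
            for i, r in enumerate(remaining):
                running += r.weight
                if running >= pick:
                    ordered.append(remaining.pop(i))
                    break
    return ordered


# Constructed records for mcity.us (not from the book).
MX_RECORDS = [MX(20, "mail2.mcity.us."), MX(10, "mail1.mcity.us."),
              MX(10, "mail1b.mcity.us."), MX(30, "backup.mcity.us.")]
HTTP_SRV = [SRV(0, 100, 80, "web1.mcity.us."),    # primary, takes most of the load
            SRV(0, 1, 80, "web2.mcity.us."),      # same priority, small share
            SRV(10, 0, 80, "standby.mcity.us.")]  # only used when priority 0 fails


def first_choice_histogram(records, trials=1000, seed=5):
    """How often each target comes out first; shows weight steering load within a priority."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = srv_connection_order(records, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts
```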
Other record types
You can create other types of resource records by right-clicking the zone in the DNS console
and choosing Other New Records from the context menu. The DNS console displays the
Resource Record Type dialog box. Select from this dialog box the type of record that you need
to create and then click Create Record. DNS displays the New Resource Record dialog box,
which prompts for the required data, which varies from one record type to the next.
Configuring zone properties
A zone’s properties determine how the zone performs zone transfers, ages resource records, and
other behavior for the zone. The following sections explain the options available for a zone. To
set these options, open the DNS console, right-click the zone, and choose Properties.
General zone properties
A zone’s General property page enables you to configure the following options:
■ Status. Click Pause to pause a zone and stop it from responding to queries. Click Start
to start a paused zone. You might pause a zone while making extensive changes to the
records in the zone or performing other administrative tasks on the zone.
■ Type. You can change a zone’s type on the General page to any of the three supported
types (AD-integrated, standard primary, or standard secondary). If a server for a primary
standard zone fails, for example, you can change its secondary zone on a different server
to a primary zone.
■ Zone File Name. Use this property to change the file in which the zone records are
stored. By default, the zone filename is zone.dns, where zone is the name of the zone.
The resource records for west.mcity.us, for example, would be stored by default in
west.mcity.us.dns.
■ Dynamic Updates. Use this option to enable/deny dynamic updates by Dynamic Host
Configuration Protocol (DHCP) clients and servers to resource records in the zone and
corresponding pointer records. See the section ‘‘Dynamic DNS’’ later in this chapter for
detailed information.
■ Aging. Select this to specify aging properties for records in the zone. See the section ‘‘Configuring Scavenging’’ later in this chapter for a detailed explanation.
Start of Authority properties
The Start of Authority (SOA) property page for a zone enables you to configure the zone’s SOA
record. This property page contains the following properties:
■ Serial Number. DNS uses this value to determine when a zone transfer is required. The
DNS service increments the value by 1 each time the zone changes to indicate that the
zone is a new version. Other servers performing zone transfers with the server use this
value to determine whether a zone transfer is needed. If the value is higher than the serial
number in the remote server’s copy of the zone, the remote server initiates a zone transfer to
update its zone records. Use the Increment button to increment the serial number and force
a zone transfer.
■ Primary Server. This specifies the host name of the primary master for the selected zone.
If you need to change the value, type the host name of the primary master or click Browse
to browse the network for the primary master. Make sure that you include a period at the
end of the host name.
■ Responsible Person. This property specifies the e-mail address of the person responsible
for managing the zone. The data takes the form of an FQDN. The address administrator@mcity.us, for example, should be entered as administrator.mcity.us,
replacing the @ symbol with a period.
■ Refresh Interval. This value specifies how often servers that host secondary copies of
the zone should check the currency of their zone data against the primary zone data. The
default is 15 minutes.
■ Retry Interval. This value specifies the amount of time that must elapse before a server
hosting a secondary copy of the zone retries a connection to the primary zone when a previous connection attempt failed. This value should usually be less than the refresh interval
and defaults to 10 minutes.
■ Expires After. This specifies the period of time that a server hosting a secondary copy
of the zone can wait before discarding its secondary data if its zone data hasn’t been
refreshed. This prevents the secondary servers from serving potentially stale data to client
requests. The default is 24 hours.
■ Minimum (Default) TTL. This value specifies the amount of time that querying servers
can cache results returned from this zone. After this period expires, the remote server
removes the record from its cache. The default is one hour.
■ TTL for This Record. This value specifies the time-to-live for the SOA record itself. The
default is one hour.
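How a secondary server applies the Serial Number, Refresh, Retry and Expires After values above, in an added example (not code from the book or from the Windows DNS service). Serial comparison uses RFC 1982 wrap-around arithmetic rather than a plain greater-than; times are plain epoch seconds and the zone values are constructed.

```python
"""SOA timers as a secondary server applies them."""
from dataclasses import dataclass, field
from typing import List, Optional

SERIAL_MODULUS = 1 << 32


def serial_is_newer(remote: int, local: int) -> bool:
    """RFC 1982 serial arithmetic: True if `remote` is ahead of `local`,
    including the case where the 32-bit serial has wrapped past zero."""
    diff = (remote - local) % SERIAL_MODULUS
    return 0 < diff < (SERIAL_MODULUS >> 1)


def increment_serial(serial: int) -> int:
    """What the Increment button does: bump the serial, wrapping at 2^32."""
    return (serial + 1) % SERIAL_MODULUS


@dataclass
class SoaTimers:
    refresh: int = 15 * 60        # Refresh Interval default: 15 minutes
    retry: int = 10 * 60          # Retry Interval default: 10 minutes
    expire: int = 24 * 60 * 60    # Expires After default: 24 hours
    minimum_ttl: int = 60 * 60    # Minimum (Default) TTL default: one hour

    def warnings(self) -> List[str]:
        """Configuration smells worth flagging before saving the SOA."""
        notes = []
        if self.retry >= self.refresh:
            notes.append("retry should usually be less than refresh")
        if self.expire <= self.refresh + self.retry:
            notes.append("expire leaves no room for a failed refresh plus a retry")
        return notes


@dataclass
class SecondaryZone:
    serial: int
    last_refreshed: int            # time of the last successful SOA check
    timers: SoaTimers = field(default_factory=SoaTimers)
    next_check: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.next_check = self.last_refreshed + self.timers.refresh

    def is_expired(self, now: int) -> bool:
        """After Expires After passes with no successful refresh, the
        secondary must stop answering from its possibly stale copy."""
        return now - self.last_refreshed >= self.timers.expire

    def poll(self, now: int, primary_serial: Optional[int]) -> str:
        """One scheduled check. `primary_serial` is the serial read from the
        primary's SOA, or None if the primary could not be reached.
        Returns the action taken: wait, retry, transfer or current."""
        if now < self.next_check:
            return "wait"
        if primary_serial is None:
            self.next_check = now + self.timers.retry      # Retry Interval
            return "retry"
        if serial_is_newer(primary_serial, self.serial):
            self.serial = primary_serial                   # zone transfer
            action = "transfer"
        else:
            action = "current"
        self.last_refreshed = now
        self.next_check = now + self.timers.refresh        # Refresh Interval
        return action


if __name__ == "__main__":
    zone = SecondaryZone(serial=5, last_refreshed=0)
    for now, primary in [(600, 6), (900, 6), (1800, None), (2400, 6)]:
        print(now, zone.poll(now, primary), "serial", zone.serial)
    print("expired at 88800:", zone.is_expired(88800))
```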
Name servers properties
The Name Servers page enables you to modify the NS records for the zone. The advantage to
using this method, rather than manually changing each record, is that you can view all NS
records in the zone in a single dialog box. To modify a record, select the record and click Edit.
Windows Server 2008 DNS displays a dialog box that you can use to modify the host name, IP
address, or time-to-live value for the NS record. When modifying the host name, make sure that
the name contains a period at the end. You can click Add to add a new NS record.
WINS properties
The WINS page determines whether the DNS service attempts to resolve through WINS
any names that it can’t resolve on its own. Use the following properties to configure WINS
integration:
■ Use WINS Forward Lookup. Select this option to enable the DNS service to query
WINS for any names that it can’t resolve on its own through DNS.
■ Do Not Replicate This Record. Select this option to prevent the DNS server from replicating WINS-specific resource data to other DNS servers during zone transfers. You need
to use this option if you are performing zone transfers to servers that don’t support WINS
(such as non-Microsoft DNS servers).
■ IP Address. Specify the IP addresses of the WINS servers to query.
■ Advanced. Click to set the cache timeout and lookup timeout periods. The cache timeout
specifies the amount of time other servers can cache results returned through a WINS
lookup. The lookup timeout specifies the amount of time that the DNS server can wait for
a response from the WINS server(s) before generating a ‘‘Name not found’’ error.
Zone transfer properties
The Zone Transfers page of a zone’s properties specifies the servers that can request and receive
a copy of the zone’s data through a zone transfer. You can configure the zone to enable all
servers to request a transfer, only servers listed on the zone’s Name Servers property page, or
only servers included in a list of IP addresses that you define.
Click Notify to specify how other servers are notified of zone updates. You can configure the
zone to automatically notify servers listed on the Name Servers property page for the zone,
or servers included in a list of IP addresses that you define. Deselect the Automatically Notify
option if you don’t want the DNS server to notify the other servers whenever the zone data
changes.
Managing DNS Server Options and Behavior
You can use the DNS console to configure various options that determine how the DNS service
functions. The following sections explain the different properties and behavior that you can configure, including how to set up a forwarder and perform monitoring and logging.
Configuring multiple addresses on a DNS server
By default, the DNS service responds on all IP addresses bound to the server. You face no real
performance penalty in enabling the DNS service to respond on all bound IP addresses, but
in some situations, you may want to reduce the addresses to only those that you specifically
want associated with the DNS service. You might allocate two addresses that are always used
for DNS, but, in effect, ‘‘reserve’’ the other IP addresses on the server for other uses. Assume,
for example, that you have the addresses 192.168.0.2 through .10 bound to the server.
If you enable the DNS service to respond on all addresses, users may conceivably start using
192.168.0.10 for DNS if they know that it’s there. A few months down the road, you remove
.10 from the server because you want to use it elsewhere. Suddenly, those users who have been
using .10 as a DNS server find themselves unable to resolve. If you start out limiting DNS to a
specific set of addresses that is always used on the server for DNS, you can avoid the problem.
In addition, you might want to restrict DNS to a subset of the available addresses for security,
firewall configuration, or other infrastructure reasons.
You configure the addresses on which the server responds through the Interfaces tab of the
server’s property sheet. Open the DNS console, right-click the server, and choose Properties
from the context menu to open the property sheet for the server. On the Interfaces page, choose
All IP Addresses if you want the server to respond to DNS queries on all IP addresses bound to
the server. Choose the Only the Following IP Addresses option if you want to limit the server
to responding on only the IP addresses listed in the associated box. Use Add and Remove to
change the contents of the list.
Using a forwarder
The section ‘‘Caching, Forwarders, and Slaves’’ earlier in this chapter discusses the use of
forwarders and how they enable you to funnel DNS requests through specific servers for
purposes of administration, access, or bandwidth control. You configure a Windows Server 2008
DNS server to use a forwarder through the Forwarders page of the server’s property sheet. Open
the DNS console, right-click the server, choose Properties to display the property sheet, and then
click the Forwarders tab. Use the following controls to configure forwarding:
■ DNS Domain. Click New to add the domain name to which queries will be forwarded.
■ Selected Domain’s Forwarder IP Address List. Specify the IP address of a server to
which queries should be forwarded. You can specify multiple servers.
■ Number of Seconds Before Forward Queries Time Out. Specify the time in seconds
that the DNS server waits for a response from a listed forwarder. At the end of this timeout
period, the local DNS server submits a query to the next server on the list until it receives
a response or cycles through the list.
■ Do Not Use Recursion for This Domain. Select this option to configure the server as
a forwarding-only slave, preventing the server from attempting to resolve queries on its
own if the forwarder cannot resolve the query. Leave this option deselected (the default)
to enable the local server to attempt resolution if the forwarders cannot respond to
the query.
Configuring advanced settings
The Advanced page of a DNS server’s property sheet enables you to set several advanced options
that control the way the server functions. To configure the following settings, open the DNS
console, right-click the server, choose Properties, and click the Advanced tab:
■ Disable Recursion. Select this option to prevent the server from performing recursive
queries. With this option selected, the server replies with referrals instead of recursively
querying until a resolution is reached.
■ BIND Secondaries. To optimize zone transfer speed, Windows Server 2008 DNS servers
(by default) use compression and submit multiple resource records in a single TCP message whenever performing zone transfers. This method is compatible with servers running
BIND (Berkeley Internet Name Domain) version 4.9.4 and later, but is incompatible with
earlier versions of BIND. To optimize performance, leave this option deselected if your
server is not going to be performing zone transfers with these earlier systems. Select this
option to have the Windows Server 2008 DNS server perform slower, uncompressed zone
transfers to ensure compatibility with these older systems.
■ Fail on Load if Bad Zone Data. The Windows Server 2008 DNS service, by default,
continues to load a zone even when it detects errors in the zone data, logging the errors
but not failing. Select this option if you want the DNS service to stop loading the zone
when the zone data contains errors.
■ Enable Round Robin. The Windows Server 2008 DNS service, by default, rotates and
reorders a list of host records if a given host name is associated with multiple IP addresses.
This round-robin behavior enables an administrator to perform load balancing, directing
traffic to multiple computers with the same host name but different IP addresses (such as
multiple servers hosting www.mcity.us). With this option selected, the server responds
to queries with each address in turn. Deselect this option if you want to disable round
robin and have the server return the first match in the zone.
■ Enable Netmask Ordering. If a given zone contains multiple host records that map the
same host name to multiple IP addresses, the Windows Server 2008 DNS service can
order the response list according to the IP address of the client. Windows Server 2008
DNS checks the IP address of the client against the addresses of the host records and if a
record falls in the client’s subnet, the DNS service places that host record first in the list.
This directs the client to the requested host that is closest and typically fastest for the client
to access, which is very important for Active Directory services. This option is selected by
default. Deselect this option to prevent the DNS service from reordering responses based
on subnet. Netmask ordering supersedes round-robin ordering, although round robin
is used for secondary sorting if enabled, and it is useful where subnets are in different
geographical locations.
■ Secure Cache Against Pollution. The Windows 2003 DNS service does not add unrelated resource records returned in a referral from another DNS server to the Windows Server
2008 server’s cache. It does, however, cache referrals that might not match the queried host name, such as a referral for www.sillycity.com received while querying for www.mcity.us.
Selecting this option prevents the DNS service from caching such nonrelated referrals.
■ Name Checking. Internet host names were originally limited to alphanumeric characters and hyphens. Although this limitation was maintained after DNS was developed, it
posed a problem in some situations, particularly for supporting international character
sets. This option controls how the DNS service performs name checking. By default, Windows Server 2008 uses the UTF8 (Unicode Transformation Format) character set, which
provides the broadest and least restrictive character set support. Select Strict if you need to
limit names to the standard format. Use Non-RFC to permit names that do not follow the
RFC 1123 specification. Use Multibyte to recognize characters other than ASCII, including
Unicode.
■ Load Zone Data on Startup. By default, the Windows Server 2008 DNS service loads
zone data from the Active Directory (for AD-integrated zones) and from the registry.
You can configure the server to load only from the registry or from a BIND 4 boot file.
This latter option enables you to essentially duplicate a BIND server under Windows
Server 2008, importing all the zone data. Notice that the boot file — typically called
Named.boot — must use the BIND 4 format, rather than the newer BIND 8 format.
■ Enable Automatic Scavenging of Stale Records. Stale records typically are those
that point to hosts no longer on the network. Accumulation of stale records can lead to
decreased storage space, degradation of server performance, incorrect name-to-address
resolution, and no capability for a host to have the DNS service create its resource record
(through Dynamic DNS). Scavenging, which is turned off by default, enables the DNS
server to use timestamps and other properties to determine when a resource record is
stale and automatically remove it from the zone. Records added automatically through
DDNS are subject to scavenging, as is any record manually added with a timestamp that
you have modified from its default of zero. Resource records with a timestamp of zero
are not subject to scavenging. Select this option and configure the associated scavenging
period. Notice that scavenging must be enabled for individual zones in their properties as
well. For additional information on scavenging, see the section ‘‘Dynamic DNS’’ later in
this chapter.
■ Reset to Default. Select this option to reconfigure all advanced settings to their defaults.
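The interaction of Enable Round Robin and Enable Netmask Ordering described above, in an added example (not code from the book or from the Windows DNS service): round robin rotates the answer list per query, and netmask ordering then moves records on the client's subnet to the front, so round robin only decides the order within the local and remote groups. The /24 size of "the client's subnet", the per-name rotation counter and the addresses are assumptions constructed for the illustration.

```python
"""Answer ordering for a host name with several A records."""
import ipaddress
from typing import List


def order_answers(addresses: List[str], client_ip: str, rotation: int,
                  round_robin: bool = True, netmask_ordering: bool = True,
                  prefix_len: int = 24) -> List[str]:
    """Return the addresses in the order the server would answer them.

    addresses        : host records for the name, in zone order
    client_ip        : source address of the query
    rotation         : number of earlier queries answered for this name
                       (drives the round-robin rotation)
    round_robin      : rotate the list by one position per query
    netmask_ordering : records on the client's subnet come first; round
                       robin then only orders within each group
    prefix_len       : assumed size of the client's subnet (/24 here)
    """
    answers = list(addresses)
    if round_robin and answers:
        shift = rotation % len(answers)
        answers = answers[shift:] + answers[:shift]
    if netmask_ordering:
        local_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
        local = [a for a in answers if ipaddress.ip_address(a) in local_net]
        remote = [a for a in answers if ipaddress.ip_address(a) not in local_net]
        answers = local + remote          # netmask ordering supersedes round robin
    return answers


def first_answers(addresses: List[str], client_ip: str, queries: int,
                  **flags) -> List[str]:
    """The first address handed out on each of `queries` consecutive queries,
    which shows which host a simple client would actually connect to."""
    return [order_answers(addresses, client_ip, i, **flags)[0]
            for i in range(queries)]


if __name__ == "__main__":
    # Constructed www.mcity.us records: two on 192.168.0.0/24, one elsewhere.
    www = ["192.168.0.10", "192.168.0.11", "10.0.0.5"]
    print("client on the local subnet:", first_answers(www, "192.168.0.50", 4))
    print("client elsewhere:          ", first_answers(www, "172.16.0.1", 4))
    print("round robin off:           ", first_answers(www, "172.16.0.1", 4,
                                                         round_robin=False))
```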
Setting root hints
Root hints direct a name server to the root servers for domains at a higher level or in different
subtrees of the DNS namespace and, in effect, provide a road map for a DNS server to resolve
queries for domains outside of its area of authority. For DNS servers connected to the Internet,
the root hints should point to the Internet root name servers. For DNS servers that provide
services only to a private network, the root hints should point to the root server(s) for your
domain or organization. Servers that function as forwarders for local clients requesting resolution
of Internet names should have their root hints point to the Internet root servers, while the other
name servers in the organization should point to the local root server for the organization’s
private network.
By default, the Windows Server 2008 DNS service uses a cache.dns file that contains the
list of Internet root servers. You find cache.dns located in %systemroot%\System32\Dns.
Browsing the file in Notepad or WordPad shows you that the file contains entries for NS and
A records for the Internet root servers. If you’re connecting a name server to the Internet, use
the cache.dns file to ensure that you have the appropriate root hints. If you’re creating a
name server for your internal network, however, you should instead use a cache.dns file that
contains the NS and A records of the name servers higher in your local namespace, rather than
the root Internet servers.
You can edit the cache.dns file directly by using Notepad or WordPad if you need to modify its entries. If you prefer, you can use the interface provided by the DNS console to modify
the cache.dns file. To do so, open the DNS console, right-click the server for which you want
to modify the cache.dns file, and then choose Properties. Click the Root Hints tab to display
the Root Hints page. Use Add, Edit, and Remove to add, modify, and remove entries from the
cache.dns file, respectively.
Entries in the cache.dns file consist of an NS record and a corresponding A record
for each name server, located on two separate lines. The first line specifies the NS
record. This line begins with an @ symbol, followed by a tab, and then NS, another tab, and then
the FQDN of the root server. On the next line, specify the FQDN of the server, a tab, and then A
to indicate an A record, another tab, and finally the IP address of the server.
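A checker for the two-line cache.dns layout just described, as an added example (not code from the book or from the Windows DNS service): it parses the NS and A lines, reports entries without their matching glue record or with malformed data, and can diff the installed hints against a reference copy such as a freshly downloaded named.root. The sample file, the mcity.us names and the 192.0.2.x addresses are constructed for the illustration.

```python
"""Parse and sanity-check a cache.dns root-hints file."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed private-namespace root hints (not the Internet root servers).
SAMPLE_CACHE_DNS = """\
; root hints for the mcity.us private namespace
@\tNS\tns1.mcity.us.
ns1.mcity.us.\tA\t192.0.2.1
@\tNS\tns2.mcity.us.
ns2.mcity.us.\tA\t192.0.2.2
"""


def parse_cache_dns(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({ns_fqdn: ip}, problems) for the contents of a cache.dns file.

    Only NS records owned by "@" and A glue records are expected; anything
    else, a non-FQDN name, a bad address or an NS/A pair with one half
    missing is reported in `problems` instead of silently accepted.
    """
    ns_names: List[str] = []
    glue: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = line.split()                     # tab- or space-separated
        if len(fields) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(fields)}")
            continue
        owner, rtype, rdata = fields
        if owner == "@" and rtype.upper() == "NS":
            if not rdata.endswith("."):
                problems.append(f"line {lineno}: NS target {rdata!r} lacks a trailing dot")
            ns_names.append(rdata.lower())
        elif rtype.upper() == "A":
            try:
                ipaddress.IPv4Address(rdata)
            except ValueError:
                problems.append(f"line {lineno}: {rdata!r} is not an IPv4 address")
                continue
            if not owner.endswith("."):
                problems.append(f"line {lineno}: A owner {owner!r} lacks a trailing dot")
            glue[owner.lower()] = rdata
        else:
            problems.append(f"line {lineno}: unexpected record {owner} {rtype}")
    hints: Dict[str, str] = {}
    for name in ns_names:
        if name in glue:
            hints[name] = glue[name]
        else:
            problems.append(f"NS {name} has no matching A record")
    for name in glue:
        if name not in ns_names:
            problems.append(f"A record for {name} has no matching NS record")
    return hints, problems


def compare_hints(installed: Dict[str, str],
                  reference: Dict[str, str]) -> Dict[str, List[str]]:
    """Differences between the installed hints and a reference copy."""
    return {
        "missing": sorted(n for n in reference if n not in installed),
        "stale": sorted(n for n in installed if n not in reference),
        "changed": sorted(n for n in installed
                          if n in reference and installed[n] != reference[n]),
    }


if __name__ == "__main__":
    hints, problems = parse_cache_dns(SAMPLE_CACHE_DNS)
    print(hints, problems)
    print(compare_hints(hints, {"ns1.mcity.us.": "192.0.2.1",
                                "ns3.mcity.us.": "192.0.2.3"}))
```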
If you are running internal name servers that don’t need root hints to servers higher in the local
area, you should eliminate root hints altogether. The easiest way to do this is to rename or
delete the cache.dns file and then stop and restart the DNS server.
Although the root name servers change infrequently, the root servers can change for
a variety of reasons. You can acquire a new list of root server records via FTP from
Network Solutions by downloading the file ftp.rs.internic.net/domain/named.root. You
can use the file directly as your cache.dns file without modifications. You can also click Copy
from Server on the Root Hints page to copy the root hints from another server. (You specify the
IP address of the other server.)
Configuring logging
By default, the DNS service does not perform extensive logging because the number of potential
queries in a relatively small amount of time can be quite large, particularly for servers that serve
a large portion of the namespace or a large number of clients. You can configure logging for reasons related to troubleshooting, security, and so on through the properties for the DNS server.
The service provides two types of logging: event logging and debug logging, described in the following sections.
Configuring basic logging
Basic logging (or event logging) is useful for identifying potential problems and basic troubleshooting. You configure basic logging through the Event Logging page of the DNS server’s
properties. Open the DNS console, right-click the server, choose Properties, and click the Event
Logging tab. Select the items to be logged and click OK. The DNS service stores log entries in
%systemroot%\System32\Dns\Dns.log. If yours is a busy server, however, understand that
logging even a few items can consume a lot of server time and create a potentially very large
log file.
Using debug logging
If basic logging fails to help you identify the cause of a DNS server problem, you can enable
debug logging, which records packets sent and received by the DNS server. Debug logging
generates a very significant amount of log traffic and corresponding server overhead, so you
should use debug logging only if basic logging does not provide the information that you need
to address the problem at hand.
To configure debug logging, open the DNS console, right-click the server, and choose Properties.
Click the Debug Logging tab to display the Debug Logging page of the server’s property
sheet (see Figure 5-10). Use the Packet Direction group of controls to log incoming packets,
outgoing packets, or both. Use the Transport Protocol options to choose which protocol(s)
to log.
The Packet Contents and Packet Type groups of controls enable you to choose the types of
packets that the DNS service logs. Enable the Details option if you want the entire contents of
the packets logged, rather than a subset of the contents.
If you’re having problems with certain servers or clients, you can enable the Filter Packets by
IP Address option, which causes the DNS service to log the IP addresses of the source and
destination servers. You can then click Filter to specify a list of servers (by IP address) that
are logged.
Finally, use the File Path and Name field to specify the path and filename for the log file, and
the Maximum Size field to specify the maximum log file size.
FIGURE 5-10
Configure extended logging on the Debug Logging page.
Monitoring and testing
The Monitoring property page for a DNS server enables you to issue test queries against the
local server and recursive queries against other name servers. This helps you test the server
and its capability to communicate successfully with other name servers. This is an extremely
useful tool, because most other methods for this type of testing typically use a cumbersome
command-line interface. To display the Monitoring page to perform testing, open the DNS
console, right-click the server, choose Properties, and click the Monitoring tab, as shown in
Figure 5-11.
The following list explains the options on the Monitoring page:
■ A Simple Query Against This DNS Server. Choose this option to perform an iterative
test against the local server.
■ A Recursive Query to Other DNS Servers. Choose this option to perform a recursive
query against other DNS servers (which start with the DNS servers defined in the local
server’s TCP/IP properties).
■ Perform Automatic Testing at the Following Interval. Select this option to perform
periodic, automatic testing by using the preceding two testing options.
■ Test Interval. Specify the frequency of automatic tests.
■ Test Results. This list shows the results of tests and includes the test date, time, and
results.
FIGURE 5-11
Use the Monitoring page to issue test queries.
Applying security
Windows Server 2008 provides the capability to restrict access to a DNS server and/or selected
zones, enabling you to control who can modify the server, add records, remove records, and so
on. You can configure security for a server overall only if the server is a domain controller participating in the Active Directory. You can’t configure security on member servers that host the
DNS service or on standalone DNS servers. In addition, you can configure security on individual
zones only when the zones are stored in the AD (set up as AD-integrated zones).
To apply security to a server overall, open the DNS console and connect to the server.
Right-click the server and choose Properties to display its property sheet. In addition to the
property pages discussed in the preceding sections is a Security tab. Click the Security tab
to display the Security page, where you can define the permissions that groups or users have
within the DNS server. Security at the server level acts as the first line of defense in protecting
the server in general and the zones housed on the server.
You also can configure security for individual zones as a second layer of security, giving specific
users or groups the capability to manage a given zone. Open the DNS console, right-click the
zone in question, and choose Properties. Use the Security page in the zone’s property sheet to
configure security for the zone.
Managing the server and cache
You use the DNS console to manage the DNS server in addition to managing individual zones.
The following list describes common administrative tasks and explains how to accomplish them
using the DNS console:
■ Update data files. The DNS service automatically stores changes to the data files at set
intervals, and whenever the service shuts down, writes changes in memory to disk. A good
practice is to update the data files manually whenever you add several records or make
other changes to ensure that those changes are written to disk in the event of a problem
with the server that would otherwise prevent the updates from occurring. To update the
data files within the DNS console, right-click the server and choose Update Server Data
Files.
■ Stop, start, pause, resume, or restart the DNS service. You can control the DNS service on the local computer through the Services branch of the Computer Management
console (which you access by right-clicking My Computer and choosing Manage). You
might find using the DNS console easier, however, particularly in managing a remote DNS
server. In the DNS console, right-click the server, choose All Tasks from the context menu,
and choose the desired action (Start, Stop, and so on).
■ Clear the cache. If a server’s cache becomes polluted with bad records or you’re having
problems correctly resolving queries, clearing the cache can fix the problem if the problem
is related to the cached queries. In the DNS console, right-click the server and choose
Clear Cache to clear the contents of the cache. Note that this command does not affect
the root hints defined by the cache.dns file.
Configuring Subdomains and Delegation
If yours is a small organization, you’re likely to have only a single domain. Larger organizations,
however, often segregate services and delegate responsibility and administration for different
parts of the organization’s namespace, or you may simply be hosting the DNS records for
another organization. You accomplish these tasks through subdomains and delegation.
A subdomain is a child of an existing domain. The domain west.mcity.us, for example,
is a subdomain of mcity.us. The domain west.west.mcity.us is a subdomain of
west.mcity.us. The mcity.us domain serves as the primary domain for all of these. The
mcity.us name server could host the resource records for all its subdomains, providing
centralized management of the organization’s namespace. Queries for hosts in the subdomains
would be handled by the mcity.us name server(s). The mcity.us domain, however, could
also delegate the subdomains to other name servers, such as name servers hosted at the subdomain location. The domain mcity.us — located in Florida — may, for example, delegate
west.mcity.us to the name servers for the support group located on the West coast. In this
case, queries directed to the mcity.us name server would be referred to the west.mcity.us
subdomain. The only real difference is that in the former example, all the zones and data reside
on the mcity.us server, and in the latter, they are parceled out to other servers as required by
the domain structure.
Setting up subdomains
Whether you’re hosting a subdomain on the primary name server for the organization or delegating it, the first step is to create the subdomain. You accomplish this task through the DNS
console. In the console, open the server on which you want to create the subdomain; then open
the parent domain. To create the subdomain west.mcity.us, for example, open the mcity.us
zone. Right-click the parent zone and choose New Domain. Windows Server 2008 prompts you
for the subdomain name. Enter the single-part name (west in this example) and click OK. The
subdomain appears as a sub-branch under the parent domain. After you create the subdomain,
you can begin adding records to it. Just right-click the subdomain and choose the type of record
that you want to create. As in creating records for a parent domain, you can specify only the
single-part name for the host. If you’re creating a host record for jane.west.mcity.us, for
example, you would create a host record for jane in the west.mcity.us subdomain.
Before creating resource records in a subdomain, verify that you have created the
reverse-lookup zone for the subdomain. This enables the DNS service to automatically create pointer records for hosts that you define in the subdomain.
Delegating a subdomain
Rather than host a subdomain’s records under the parent domain’s name server, you may prefer
to delegate the subdomain to another server. Assume, for example, that the Support group hosts
its own DNS records on its own servers. In this case, you need to perform the following steps to
delegate support.mcity.us:
1. On the Support group’s name server, create the zone support.mcity.us and its
reverse-lookup zone, as explained in the section ‘‘Reverse Lookup’’ earlier in this
chapter; then populate the zone with the appropriate resource records for the hosts in
support.mcity.us.
2. On the parent name server hosting mcity.us, open the DNS console and then open the
mcity.us zone. Right-click the zone and choose New Delegation to start the New Delegation Wizard.
3. In the wizard, specify the delegated domain name (in this example, support). The wizard
automatically assembles the FQDN for the delegated domain by using the parent domain
as a postfix. Click Next.
4. On the Name Servers page, click Add to add the FQDN and IP address of the server(s) on
which the subdomain’s records are hosted. In this example, you’d specify the name and
address of the server that hosts support.mcity.us.
5. Repeat Step 4 to add other name servers that host the subdomain’s records, click OK, and
then click Finish to complete the process.
DNS and Active Directory
The Windows Server 2008 DNS service provides integration with the AD to provide to the DNS
service the advantages inherent in the AD’s security, ease of management, replication, and so
on. In fact, DNS integration with the AD is required for domain controllers (DCs) because the
Windows Server 2008 Netlogon service uses DNS for locating DCs. A DC can run the DNS
service itself or rely on other servers in the domain to provide DNS services, but a name server
that supports dynamic updates and that is authoritative for the domain must be present. (See
the section ‘‘Dynamic DNS’’ later in this chapter for more information on DDNS and dynamic
updates.)
Integrating DNS in the AD provides a measure of fault tolerance for DNS. Because the DNS
data for integrated zones is replicated throughout the DCs for the domain, any DC running the
DNS service can handle client requests for resolution of names in the hosted domains. This
means that you have no single point of failure for a given domain as long as it is hosted in an
AD-integrated zone. One server can go offline, and others can continue to process requests
for the domain. Changes to records in an AD-integrated zone are automatically replicated
to other DCs running the DNS service, simplifying administration. If you bring a new DC
online that is running the DNS service, the zone records are automatically replicated to the
new DNS server. Synchronization of AD-integrated zones is also potentially more efficient than
a standard zone transfer, because data is selectively transferred, rather than transferring an
entire zone.
Security, discussed in the section ‘‘Applying Security’’ earlier in this chapter, is another important
advantage to AD integration. You can apply access control lists (ACLs) to a server and to
individual zones to define which users or groups can modify the server and records in the
secured zones.
Only primary zones are supported for AD-integration. Secondary zones must be
stored in standard zone files. By migrating all zones to the AD, however, you
effectively eliminate the need for secondary zones, because the zones are replicated to other
servers for redundancy and fault tolerance, the main purpose of secondary zones. If you maintain
Windows NT-based DNS servers, however, you still need to rely on secondary zones.
Whenever you create a zone by using the DNS console, the wizard gives you the option
of creating three types of zones: AD-integrated, standard primary, and standard secondary.
Choose AD-integrated if you want to take advantage of the benefits offered by the AD
for DNS.
The AD is a complex topic that requires quite a bit of explanation in its own right.
Refer to Part III for a detailed explanation of the AD’s structure, function, replication,
and administration.
Dynamic DNS
Dynamic DNS (DDNS) enables a Windows Server 2008 DNS server to automatically update
resource records for clients if their host names or IP addresses change. Host name changes can
occur when the remote computer changes computer name or becomes a member of another
domain (which implicitly changes its FQDN). The use of DHCP is another argument for
DDNS. As DHCP leases expire, a client computer’s address can, and is likely to, change. This
makes maintaining accurate DNS records for hosts on the network that use DHCP for address
allocation difficult. DDNS resolves the problem.
DDNS functions through a client-server mechanism. Windows 2000, 2003, and XP DHCP
clients support DDNS and can directly request that a Windows Server 2008 DNS server
update their host resource (A) records whenever the clients’ IP addresses or host names
change. Windows Server 2008 DHCP servers can also submit requests on behalf of clients,
and a DHCP server can request an update to both the clients’ host and pointer (PTR)
records.
A Windows Server 2008 DHCP server also can act as a proxy for non-DDNS-capable DHCP
clients to perform dynamic DNS updates. A Windows Server 2008 DHCP server can, for
example, perform updates for Windows 9x and Windows NT clients, which do not natively
support Dynamic DNS and, therefore, cannot submit requests to either the DHCP server
or DNS server to update their resource records. Figure 5-12 shows how DHCP and DNS
interact.
For a detailed discussion of configuring a Windows Server 2008 DHCP server to support DNS, see Chapter 4.
Configuring DDNS
Most of the configuration to support DDNS occurs on the client side. You do, however, have
some configuration steps to take on the server side to implement DDNS. You enable dynamic
updates on a zone-by-zone basis, and the types of updates permitted depend on whether the
zone is stored in the AD. AD-integrated zones give you the additional option of permitting only
secured updates, which use the ACL for the zone to determine who can perform an update.
Standard zones not stored in the AD can be configured only for unsecured updates or no
updates.
Windows Server 2008 clients, by default, attempt to perform an unsecured update;
failing that, they attempt a secured update. If you’re having problems getting client
records to update from servers or clients outside of a domain, make sure you haven’t configured
the zone for secured updates only. For optimum security, avoid using a DC as a DHCP server,
because updates from the DHCP server always succeed, even if the zone is configured for secure
updates only.
FIGURE 5-12
DHCP supports automatic updates to DNS if host name or IP address changes occur.
[Figure: a Windows 2008 DHCP Server sends a request to update A and PTR records to a Windows 2008 DNS Server on behalf of both Windows 9x and Windows 2000 or later clients; the Windows 2000 or later client also sends its own A record update to the DNS server; the Windows 9x client sends no update requests.]
You configure a zone’s DDNS behavior through the zone’s properties. Open the DNS console,
right-click the zone, and choose Properties. The Dynamic Updates option determines whether
the server accepts dynamic updates for records in the zone. You can choose one of the following
three options:
■ None. Select this option to prevent DHCP clients or servers from updating resource
records in the zone.
■ Nonsecure and Secure. Select this option to enable DHCP clients and servers, including
those outside the domain, to perform unsecured updates to the zone’s resource records.
DHCP servers can also update pointer records for dynamically updated host records.
■ Secure Only. Select this option to require the DHCP client or server to authenticate in the
domain in order to be capable of performing dynamic updates of host or pointer records.
See Chapter 4 for information on how to configure a client for DDNS.
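To see what the three settings above are judging, it helps to look at the request itself. The following Python example is added here and is not code from the book or from Microsoft. It builds the RFC 2136 UPDATE message a client sends to replace its own host (A) record, decodes it the way a server does, and returns the response code each Dynamic Updates setting would produce. It treats the presence of a TSIG record in the additional section as the signed case; a Windows secure update (GSS-TSIG) also places its signature there. No packet is sent; names and addresses are constructed.

```python
"""Shape of a dynamic DNS UPDATE request and the zone policy that judges it.

Added example, not code from the book or from Microsoft.  Builds the
RFC 2136 message a client sends to replace its host (A) record, decodes
it, and applies the three Dynamic Updates settings to the result.
Names and addresses are constructed; nothing is transmitted.
"""
import socket
import struct
from typing import Dict, List, Tuple

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_record_update(zone: str, host: str, ip: str,
                          ttl: int = 1200, msg_id: int = 0x1234) -> bytes:
    """Unsigned UPDATE: delete all A records at host, then add the new one.
    Sections: header, zone (SOA of the zone), no prerequisites, two updates,
    no additional records (so no TSIG signature)."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # Class ANY, TTL 0, empty RDATA means "delete every RR of this type".
    delete_rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    add_rr = (encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + socket.inet_aton(ip))
    return header + zone_sec + delete_rr + add_rr


def decode_name(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a wire-format name, following compression pointers if present."""
    labels: List[str] = []
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[pos:pos + 2])[0] & 0x3FFF
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), pos + 2
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length


def parse_update(buf: bytes) -> Dict:
    """Decode the sections a DNS server examines before applying an update."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", buf[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    if zo != 1:
        raise ValueError("UPDATE must name exactly one zone")
    zone, pos = decode_name(buf, 12)
    pos += 4  # skip ZTYPE and ZCLASS

    def read_rrs(count: int, pos: int):
        rrs = []
        for _ in range(count):
            name, pos = decode_name(buf, pos)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
            pos += 10
            rrs.append((name, rtype, rclass, ttl, buf[pos:pos + rdlen]))
            pos += rdlen
        return rrs, pos

    prereqs, pos = read_rrs(pr, pos)
    updates, pos = read_rrs(up, pos)
    additional, pos = read_rrs(ad, pos)
    return {
        "id": msg_id,
        "zone": zone,
        "prerequisites": prereqs,
        "updates": updates,
        # A secure update carries a TSIG record in the additional section.
        "signed": any(rr[1] == TYPE_TSIG for rr in additional),
    }


def zone_decision(dynamic_updates_setting: str, msg: Dict) -> str:
    """RCODE a zone returns for a decoded UPDATE under each setting."""
    if dynamic_updates_setting == "None":
        return "REFUSED"
    if dynamic_updates_setting == "Nonsecure and Secure":
        return "NOERROR"
    if dynamic_updates_setting == "Secure Only":
        return "NOERROR" if msg["signed"] else "REFUSED"
    raise ValueError("unknown setting")


if __name__ == "__main__":
    wire = build_a_record_update("mcity.us", "tia.mcity.us", "192.0.2.25")
    msg = parse_update(wire)
    for setting in ("None", "Nonsecure and Secure", "Secure Only"):
        print(f"{setting:22s} -> {zone_decision(setting, msg)}")
```

The unsigned message contains nothing that ties it to the host it names, which is why a Secure Only zone refuses it and why the earlier note about Windows clients trying an unsecured update first matters when reading server logs: a REFUSED followed by a signed retry is normal for a domain member.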
Configuring scavenging
As explained in the section ‘‘Domain Records and Zone Files’’ earlier in this chapter, records can
become stale in a zone. A notebook user’s computer, for example, may update its host record in
its zone, but then the user disconnects from the network without shutting down. The computer
remains off the network for an extended period, but the computer’s host record still remains in
the zone. As a result, the record becomes stale and potentially points to the wrong IP address
(or the user might change her computer’s host name). You can configure Windows Server 2008
DNS to scavenge records, removing those that are stale.
Windows Server 2008 uses a timestamp to determine whether a record is stale. The server
scans the data at an administrator-defined interval, checking the resource records’ timestamps
to determine whether they have exceeded the refresh interval. If so, the server scavenges the
record (removes it from the zone). Scavenging, by default, applies only to dynamically created
records and has no effect on records that you create manually. The DNS server, however, applies
a timestamp to resource records that you create manually, setting the timestamp to zero to
indicate that the record is not subject to scavenging. You can modify the value to enable the
DNS service to scavenge these records as well.
You configure scavenging in two places: at the server level and at the zone level. At the server
level, you enable scavenging globally for the server and set the scavenging frequency, how
often the server performs scavenging. The default value is seven days, and the minimum is
one hour. To configure scavenging at the server level, open the DNS console, right-click the
server, and choose Properties. Click the Advanced tab to display the Advanced property page.
Select the Enable Automatic Scavenging of Stale Records option and then use the Scavenging
Period control to specify how often the server should perform a scavenging operation. The more
dynamic the network, the more frequently you should have the server perform scavenging.
Choose a value that fits your network needs.
You also need to configure scavenging on a zone-by-zone basis. Scavenging can be applied only
to primary zones. Open the DNS console, right-click the zone for which you want to configure
scavenging, and choose Properties. On the zone’s General property page, click Aging to open the
Zone Aging/Scavenging Properties dialog box (see Figure 5-13).
FIGURE 5-13
Configure the zone’s scavenging properties in the Zone Aging/Scavenging Properties dialog box.
The dialog box contains the following two controls:
■ No-Refresh Interval. This property essentially specifies the timestamp’s time-to-live.
Until this period expires, the record’s timestamp can’t be refreshed.
■ Refresh Interval. This property defines the period of time that the timestamp can remain
unrefreshed before the server scavenges the record.
Scavenging occurs automatically at the interval defined in the server’s general scavenging properties. You can also manually initiate a scavenge. Open the DNS console, right-click the server,
and choose Scavenge Stale Resource Records.
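The interaction between the timestamp, the No-Refresh Interval, the Refresh Interval and the server’s scavenging period is easiest to follow as a timeline. The following Python example is added here and is not code from the book or from Microsoft; it models the rules the two preceding sections give, including the notebook that updates its record and then leaves the network, and the manually created record that scavenging skips. The names, addresses and the reference time T0 are constructed.

```python
"""Simulation of DNS aging and scavenging as the chapter describes it.

Added example, not code from the book.  A dynamic record's timestamp
cannot be refreshed during the no-refresh interval, and the server
removes the record once the refresh interval has also passed without a
refresh.  A None timestamp models the zero timestamp of a manually
created record, which scavenging skips.  Names, addresses and times
are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

T0 = datetime(2008, 6, 13, 14, 9)   # constructed reference time for the walk-through


def days_after(n: float) -> datetime:
    """Convenience: a point n days after T0."""
    return T0 + timedelta(days=n)


@dataclass
class ZoneRecord:
    name: str
    ip: str
    timestamp: Optional[datetime]  # None = static record, exempt from scavenging


@dataclass
class AgingZone:
    no_refresh: timedelta = timedelta(days=7)
    refresh: timedelta = timedelta(days=7)
    records: Dict[str, ZoneRecord] = field(default_factory=dict)

    def add_static(self, name: str, ip: str) -> None:
        """A record created by hand gets the zero timestamp."""
        self.records[name] = ZoneRecord(name, ip, None)

    def dynamic_update(self, name: str, ip: str, now: datetime) -> str:
        """Apply a client's dynamic update and report what changed."""
        rec = self.records.get(name)
        if rec is None or rec.ip != ip:
            # New data is always written and stamped, whatever the interval.
            self.records[name] = ZoneRecord(name, ip, now)
            return "written"
        if rec.timestamp is None:
            return "static record, timestamp unchanged"
        if now < rec.timestamp + self.no_refresh:
            # Identical data inside the no-refresh interval: nothing to replicate.
            return "refresh suppressed"
        rec.timestamp = now
        return "timestamp refreshed"

    def is_stale(self, rec: ZoneRecord, now: datetime) -> bool:
        if rec.timestamp is None:
            return False
        return now >= rec.timestamp + self.no_refresh + self.refresh

    def scavenge(self, now: datetime) -> List[str]:
        """Remove stale dynamic records; return the names removed."""
        removed = [n for n, r in self.records.items() if self.is_stale(r, now)]
        for name in removed:
            del self.records[name]
        return removed


def next_scavenge(last_run: datetime, period_hours: float) -> datetime:
    """Server-level schedule: default period seven days, minimum one hour."""
    if period_hours < 1:
        raise ValueError("scavenging period must be at least one hour")
    return last_run + timedelta(hours=period_hours)


if __name__ == "__main__":
    zone = AgingZone()
    zone.add_static("fileserver", "10.0.0.1")
    print(zone.dynamic_update("laptop", "10.0.0.5", T0))              # written
    print(zone.dynamic_update("laptop", "10.0.0.5", days_after(3)))   # refresh suppressed
    # The notebook leaves the network after day 3 and never refreshes again.
    print(zone.scavenge(days_after(13)))    # []: refresh interval not over
    print(zone.scavenge(days_after(14)))    # ['laptop']
    print(zone.scavenge(days_after(400)))   # []: static record survives
    print(next_scavenge(T0, 168))           # one week after T0
```

Two practical consequences follow from the model: a record is never removed earlier than no-refresh plus refresh after its last accepted timestamp, so the scavenging period only adds latency on top of that; and a record that changes address is re-stamped even inside the no-refresh interval, so a host that keeps its lease address is the one most likely to age out.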
Windows Internet Name Service (WINS)
NetBIOS, described in Chapter 3, is a legacy API that has for many years served as the means by
which you connect to file systems and network resources on corporate local area networks. Then
along came TCP/IP and crashed the NetBIOS party, spiked the punch, and became the protocol
of choice everywhere, not asking permission from authority higher up the OSI stack. As a result,
many clients on a network cannot see the IP-flavored host names that map to IP addresses;
instead, they can see only NetBIOS-flavored names. The solution maps the NetBIOS names to IP
addresses.
Windows Internet Name Service (WINS) was developed by Microsoft to provide a DNS-like NetBIOS Name Service (NBNS) to map NetBIOS names to IP addresses. The ‘‘Internet’’ in WINS is
a little misleading, because a NetBIOS name on the Internet is like a goldfish trying to breathe
in olive oil. In essence, the service takes a NetBIOS name and turns it into a neo-host
name that can be mapped to an IP address; as long as IP rules supreme and you take the
input/output out of NetBIOS, the NetBIOS name is nothing more than a label, even at the functional or application levels of the network.
WINS is more than just a name-IP address resolver, however. It enables centralized management
of NetBIOS namespace data and eliminates the need to remotely manage multiple LMHOSTS
files (which perform the same function for NetBIOS lookup that Hosts files perform for DNS
lookup).
WINS also helps reduce NetBIOS broadcasts on the network to maximize bandwidth utilization,
because clients can query the WINS server for a name-to-address mapping, enabling them to
communicate directly with remote hosts, rather than generate broadcast traffic on the network.
WINS is needed on old Windows networks because the only way that the down-level operating
systems flag their presence is via NetBIOS; and in many respects, it has been convenient even
since the days that TCP/IP first showed up. Imagine a Windows network on which every server
were listed under only its IP address.
WINS is also essential for getting those NetBIOS names resolved over TCP/IP subnets. NetBIOS
is not routable, and it was never intended to be; nor are the primary protocols that carry NetBIOS names, such as NetBEUI (although they can be encapsulated in TCP/IP communication
packets that can be routed, a practice often used to route SNA traffic over TCP/IP). The only
way, then, for NetBIOS to coexist in the routable world of IP addresses and IP internetworks is
via WINS.
WINS communications take place in datagrams over the UDP port 137, which is
reserved for NBNS.
Microsoft’s strategy, in line with all the other Internet builders, is to abolish reliance on NetBIOS
and to support TCP/IP and its successors as the only routable protocol on all networks. This
strategy enables network administrators to gradually abolish NetBIOS from their networks as
they replace down-level or NetBIOS-named computers and devices, and enables them to switch
to native mode Windows Server 2008 deployment, which is more secure and rich.
However, for many companies, expect WINS and NetBIOS to be around for many years. In fact,
we predict that the last vestiges of NetBIOS, and thus WINS, are not going to vanish for a few
years yet. Change is not an overnight phenomenon in large corporate environments, where huge
investments in corporate intranets are also underway. In fact, had it not been for Y2K, many
companies would have kept Windows NT 3.51 around. The reasons to keep WINS around are
patent if you consider the following two inescapable facts:
■ Investment in legacy systems. NetBIOS has been the driving force on Windows networks since the advent of the networkable personal computer. In all those years, Windows
has become the pervasive desktop operating system, and it is now poised to become the
dominant server operating system. Our guess is that no one really knows how many copies
of Windows are running in the world. Estimates range from tens of millions to hundreds of
millions, so a huge investment in legacy, or so-called down-level, Windows operating systems
still exists, from simple clients to mega-servers, and is likely to remain so for many years to
come. Insofar as these systems, especially the servers, still use NetBIOS names, WINS is
needed to resolve these names into IP addresses. In short, the best of both worlds — an
entrenched namespace coexisting with an indispensable protocol.
■ Investment in legacy applications. Many applications still use NetBIOS names in their
code, so NetBIOS remains a fact on these networks until all applications no longer depend
on NetBIOS or they can be removed from your network and information systems.
How WINS Works
All Windows 9x and later operating systems can request services of WINS. To request a name-IP
address resolution, the client queries any WINS server designated to it on the network. It tries to
contact WINS servers in the order assigned in the WINS address list in its TCP/IP configuration.
The client tries to connect to the WINS server three times before giving up and moving on to
the next WINS server in the list.
After the client boots and authenticates on the network, it registers its name and IP address with
the designated WINS server. If the client does not register automatically, the registration takes
place whenever the client next makes a query or targets a folder on a remote server.
The process to connect to a NetBIOS name by using TCP/IP is as follows:
1. Computer MCSQL01 logs on to the network and makes a registration request with WINS.
The NetBIOS name and IP address are thus recorded to the WINS database.
2. You come along and you need to connect workstation SQLCLIENT (at 10.5.4.132) to
\\MCSQL01\SHARE1 (at 100.50.2.32), which you see in the browse list. SQLCLIENT
needs to make a request of the WINS server for the IP address of MCSQL01 to effect a connection to the server via TCP/IP. In other words, the client needs to turn the target address
\\MCSQL01\SHARE1 into \\100.50.2.32\SHARE1 because the only way to connect to
the remote server, via several routers, is TCP/IP.
3. If the WINS server is unavailable, then SQLCLIENT tries two more times before trying the
next WINS server in its list. Assuming that MCSQL01 happens to register with WINS and
an IP address exists, the resolve is successful and the connection can be established.
4. Finally (and we are not being cheeky because we have needed to do this on many occasions with the old WINS), if you cannot see or connect to the share, you can phone the
owner or admin of the server and ask for the IP address. For network administrators to do
this to troubleshoot connections is okay. For users to do this every time that they need a
file or a printer, however, is not okay.
WINS registration
The WINS architecture is very different from that of DNS. WINS maintains a database of
name-IP address mappings. It is not hierarchical. After a client registers a mapping, the WINS
server issues a successful registration message to the client. Encapsulated in that message is a
time-to-live (TTL) value, which is like a ‘‘lease’’ on the name, held in trust by WINS for a certain
period of time.
What if the name is already registered with WINS and the client makes a new registration
attempt, or another client tries to register with the same NetBIOS name? WINS does not ignore
the request; it sends out a verification request to the currently registered owner of the mapping.
The request goes out three times at 500-millisecond intervals. If it has more than one IP address
for the client, which is often the case on Windows NT, Windows 2000 Server, or Windows
Server 2003/2008, WINS tries each address that it has for the registered owner. This verification
regimen continues until all IP addresses are ‘‘called’’ or the owner responds.
If the owner responds, the client requesting the registration gets a polite decline. If the owner
does not respond, however, the client requesting registration gets free passage.
Mapping renewal
WINS mappings are not persistent, and the WINS database is in a constant state of change.
Leases on mappings are assigned on a temporary basis to enable other computers to claim
the mapping later. The short-term lease method also enables clients with DHCP-assigned IP
addresses to register their new addresses with WINS.
If the WINS client remains online, it needs to renew its lease before expiration on the WINS
server. The client achieves this task by renewing automatically after one-eighth of the TTL
has elapsed. If the client does not receive a renewal notification from the server, it continues
to attempt renewal every two minutes, until half the TTL has elapsed. After that, the client
moves on to the next WINS in its list and begins the renewal attempt with that server. WINS
is a multimaster replication architecture, and which of the WINS servers honors the WINS
registration request doesn’t matter as far as the client and the networking-resolving process are
concerned. If the next WINS in the list fails to honor the request, however, the client ‘‘hits’’ the
leading server again.
On a successful registration renewal, the client attempts to renegotiate the next lease renewal
after 50 percent of the TTL has elapsed.
If WINS clients are powered down normally — that is, by issuing the shutdown command —
they send a message to WINS requesting release of the mapping. The message includes the
entire mapping NetBIOS-IP address. The WINS server honors the request as long as the records
check out. In other words, the mapping must exist, and the IP address and name in the message
must match the stored values. If the request checks out, the record is tombstoned (marked for
deletion); otherwise, it remains in the database.
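The registration, renewal and release rules in the three sections above fit together as a small state machine. The following Python example is added here and is not code from the book or from Microsoft; it models a WINS server that challenges the current owner of a contested name (each of its addresses, three times at 500 ms), tombstones a mapping only when the name and address in the release match, and computes the client’s renewal attempt times (one-eighth of the TTL, then every two minutes until half the TTL). The six-day TTL, the names and the addresses are constructed, and whether an owner answers a challenge is modelled by a set of "online" addresses instead of a real NetBIOS name query over UDP 137.

```python
"""Simulation of WINS name registration, renewal timing and release.

Added example, not code from the book.  Follows the rules stated in the
chapter: a conflicting registration triggers a verification request to
each address of the current owner, three times at 500 ms; a client
renews at one-eighth of the TTL, then every two minutes until half the
TTL, then moves to the next server; a release is honored only when the
name and address match, and the record is tombstoned rather than deleted.
The six-day TTL, names and addresses are constructed; the "online" set
stands in for a real name-query challenge over UDP 137.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CHALLENGE_ATTEMPTS = 3
CHALLENGE_INTERVAL_MS = 500
RENEWAL_RETRY_SECONDS = 120


@dataclass
class Mapping:
    name: str
    addresses: List[str]        # more than one for a multihomed host
    ttl_seconds: int
    tombstoned: bool = False


@dataclass
class WinsServer:
    ttl_seconds: int = 6 * 24 * 3600                  # constructed default lease
    online: Set[str] = field(default_factory=set)     # addresses that answer a challenge
    mappings: Dict[str, Mapping] = field(default_factory=dict)
    challenges: List[Tuple[str, str, int]] = field(default_factory=list)  # (name, ip, ms)

    def register(self, name: str, addresses: List[str]) -> str:
        """Register or refresh a name; returns 'registered' or 'declined'."""
        name = name.upper()
        current = self.mappings.get(name)
        same_host = current is not None and bool(set(addresses) & set(current.addresses))
        if current is None or current.tombstoned or same_host:
            self.mappings[name] = Mapping(name, list(addresses), self.ttl_seconds)
            return "registered"
        # Name is held by someone else: verify the owner before giving it away.
        for owner_ip in current.addresses:
            for attempt in range(CHALLENGE_ATTEMPTS):
                self.challenges.append((name, owner_ip, attempt * CHALLENGE_INTERVAL_MS))
                if owner_ip in self.online:
                    return "declined"        # owner answered: polite decline
        # Nobody answered at any address: the requester gets free passage.
        self.mappings[name] = Mapping(name, list(addresses), self.ttl_seconds)
        return "registered"

    def release(self, name: str, ip: str) -> str:
        """Shutdown-time release: honored only if name and address match."""
        current = self.mappings.get(name.upper())
        if current is None or current.tombstoned or ip not in current.addresses:
            return "ignored"
        current.tombstoned = True                # marked for deletion, then replicated
        return "tombstoned"


def renewal_attempts(ttl_seconds: int, primary_answers: bool) -> List[int]:
    """Seconds after registration at which the client tries to renew with
    its first WINS server.  If that server never answers, attempts continue
    every two minutes until half the TTL, after which the client moves on."""
    t = ttl_seconds // 8
    attempts = [t]
    if primary_answers:
        return attempts
    while t + RENEWAL_RETRY_SECONDS <= ttl_seconds // 2:
        t += RENEWAL_RETRY_SECONDS
        attempts.append(t)
    return attempts


def next_renewal_after_success(ttl_seconds: int) -> int:
    """After a successful renewal the client waits for half the TTL."""
    return ttl_seconds // 2


if __name__ == "__main__":
    wins = WinsServer(online={"100.50.2.32"})
    print(wins.register("MCSQL01", ["100.50.2.32"]))   # registered
    print(wins.register("MCSQL01", ["10.5.4.132"]))    # declined: owner answered
    wins.online.clear()                                # owner leaves the network
    print(wins.register("MCSQL01", ["10.5.4.132"]))    # registered after 3 unanswered challenges
    print(wins.release("MCSQL01", "100.50.2.32"))      # ignored: address no longer matches
    print(wins.release("MCSQL01", "10.5.4.132"))       # tombstoned
    print(len(renewal_attempts(wins.ttl_seconds, primary_answers=False)))  # 1621
```

The challenge log is the part worth keeping an eye on in a real deployment: a name that keeps being contested from an address that was never its owner shows up there long before users report ‘‘Network Path Not Found.’’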
WINS Forever
As important as WINS has been for many diverse Windows-based networks, the WINS service
on NT 4.0 is not something that we look back on fondly, and for many with thousands of users
spread over dozens of subnets, it has been more a case of WINS and ‘‘LOSSES.’’
Although WINS offered a measure of fault-tolerance on small intranets, it often let us down on
large networks, losing connections, missing replication with its peers, and collecting garbage that
needed to be manually deleted from the database. Often, intra-domain communications between
sites would break down because records were not updated and the clients could not succeed
with connections to critical services in other domains. Many network managers pleaded with
Microsoft to rebuild the WINS service, and Microsoft did so with Windows 2000 Server. Thus
WINS continues to be an integral and important ‘‘feature’’ of Windows Server 2008.
The newer WINS features do not mean much to administrators new to WINS, but they are welcome news for the old and the brave among you. Two important features are worthy of mention
in this chapter: persistent connections and manual tombstoning, discussed in the following sections.
Persistent connections
WINS should never be implemented as a single-server solution unless a very small collection of
users depends on the service and the business can afford the downtime and collapse of service
level. For networks serving a lot of users or small offices that need to maintain critical connections across the intranet, WINS should be implemented in groups of two or more servers. Not
all servers need to be on the same subnet, however, because should a local WINS fail, the client
can hit a secondary on another subnet because it already knows the static address (via DHCP) of
the secondary WINS server.
WINS servers thus coexist as loose clusters. (They interoperate but do not really function as a
single logical unit.) After a client registers with WINS or whenever WINS tombstones a record,
the information is replicated to WINS servers that are configured as replication partners. Often,
replication on the old WINS on NT 4.0 would fail because requests to reestablish wouldn’t
occur. This would result in widely dispersed WINS databases being inconsistent and out of
touch with each other.
Users on the intranet depend on the maintenance of connections between clients and servers
placed at opposite ends of the intranet. If WINS servers cannot comply with requests, the user
usually gets the ‘‘Network Path Not Found’’ error message, and the attempted connection fails.
This message may seem to suggest that the host is down, but often it is WINS that is at fault, so
first try to ping the host by name to rule out a WINS problem.
Always keep a database of your static IP addresses handy. If you can ping the host
that is not being resolved by WINS and you can manually map to a known share on
the host, such as \\192.168.4.8\shares, you can be almost certain that WINS is in trouble.
Windows Server 2003 and 2008 WINS can be configured to request a permanent connection
across the intranet with any or all replication partners. Persistent replication offers two major
advantages.
Significant overhead associated with starting and stopping connections is reduced. Legacy WINS
would need to reestablish connections with replication partners every time that it needed to
replicate. A chance always exists on a very large intranet that a connection cannot be established
automatically and requires human intervention.
The speed of replication has also been greatly increased, because updates can be sent directly to
the replication partner, obviating the need to first establish connections.
Manual tombstoning
You can manually mark records for deletion by using the manual tombstoning feature in Windows Server 2008 WINS. This means that manual deletion requests get orderly and consistent
propagation to replication partners. On Windows NT WINS, manual deletes on one server were
problematic, because a chance existed that a replication partner could reestablish the previously
deleted record.
If you manually tombstone a record, the information is propagated to all replication partners
(which occurs quickly with the persistent connection option). Tombstoned records are deleted
from all servers after the propagation and after all partners have received the tombstoned
records.
WINS Installation and Configuration
WINS does not require a dedicated server or your most powerful CPU. The service can also be
installed on a DNS, DHCP, or DC server — even on a Remote Access Service (RAS) server.
Installing WINS
To install WINS, the server needs a static IP address — preferably one dedicated to WINS traffic. You can either multi-home the machine (that is, install more than one NIC) or assign another
IP address to a single interface.
If you did not install WINS with the operating system, follow these steps:
1. Click Start, and then click Server Manager. In the left pane of Server Manager, click the
Features option, which brings up the Features Summary, and then click the Add Features
label. (Alternatively, right-click the root node in Server Manager and select Add Features.)
The Add Features Wizard opens.
2. Scroll down the Select Features list, select WINS Server, and click Next. Click Install.
3. Review your installation results, and click Close.
Configuring WINS
WINS, like DNS and many other services in Windows Server 2008, now uses the Microsoft
Management Console (MMC) for configuration and management. To launch the WINS snap-in,
go to Administrative Tools and select the WINS option or (easier) open the Run dialog box and
run the winsmgmt.msc shortcut. The WINS snap-in is shown in Figure 5-14.
One of the perks of WINS is that clients register themselves with the service, and for the most
part, you do not need to manually enter mappings. One exception is non-WINS clients and
static entries.
Static entries
By entering static mappings, you ensure that WINS clients can resolve the IP addresses of
non-WINS clients. Non-WINS clients include machines running under other operating systems,
networks, network devices, domains, and so on. You can even insert a static IP address for
another WINS server, if the connection to that WINS server is unreliable and you cannot afford
to have the server lose a lease and not be capable of renewing it.
FIGURE 5-14
The WINS MMC snap-in.
To create a static mapping, open the WINS console as explained in the preceding section and
follow these steps:
1. Right-click the Active Registrations node on the WINS tree. Choose New Static Mapping
from the context menu.
2. In the New Static Mapping dialog box, type the name of the target to be resolved in the
Computer Name field.
3. Although you can add a scope name in the optional NetBIOS Scope field, this field should
not be used because NetBIOS scopes are not recommended. The support is included for
advanced NetBIOS solutions and applications.
4. From the Type drop-down list, select the type of name to be resolved. The following list
explains the static entry types:
■ Unique. This is a unique name that can be mapped to a single IP address. Use this type
if you need to add a static mapping for a server — usually another WINS server.
■ Group. Choose this type for a name that maps to a group. A group is a logical unit
on the intranet. Group members, regardless of their nature, usually have their own IP
addresses, but these do not need to be stored in WINS.
■ Domain Name. Choose this type to map an IP address to a domain name.
■ Internet Group. Choose this type to group resources, such as routers, hubs, and
printers. You can store up to 25 members in an Internet group.
■ Multihomed. Choose this type for the name of a host that has more than one
IP address. (Multi-homed usually refers to a host with more than one network
interface card, but Windows Server 2008 can assign multiple addresses to a single
interface.)
5. In the IP Address field, enter the IP address of the client and click OK to store the entry.
The proxy agent
The WINS proxy agent extends the WINS services to non-WINS clients by listening for their
name-registration requests and broadcast-resolution requests and then forwarding them to the
WINS server. To set up this service, you need to tinker in the registry.
Open the Registry Editor and go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Under the Parameters key, you find the entry for EnableProxy. Change this value to 1
(enabled). Unfortunately, you must then restart the server.
After it’s enabled, the proxy agent forwards the non-WINS client’s broadcasts, requesting name
registration to the WINS server. The name does not get registered; the intention of the proxy is
to verify that the name is not already registered.
Whenever the agent detects a name-resolution broadcast, it checks its NetBIOS name cache and
attempts to resolve the name to an IP address. If the name is not cached, the agent forwards the
broadcast as a resolve request to the WINS server. The WINS server responds to the agent, and
the agent then responds to the non-WINS client.
Configuring Windows Clients
for DNS and WINS
Configuring Windows clients to use DNS and WINS is a relatively simple task. It primarily
means configuring the clients with the appropriate DNS and WINS server IP addresses. If you’re
using DHCP, you can configure the DHCP server to provide the DNS and WINS server data to
the DHCP clients automatically.
To learn more about DHCP and how to configure both DHCP servers and clients, see
Chapter 4.
If you’re not using DHCP or need to configure the DNS or WINS settings separately from
the dynamically assigned IP address on the client, you can configure the client’s DNS/WINS
settings manually. To do so, log on to the client computer and open the properties for the
client’s TCP/IP connection. On the General page, locate the TCP/IP protocol in the list of
installed components and choose Properties to display the TCP/IP property page, shown in
Figure 5-15.
FIGURE 5-15
Configure DNS and WINS settings through the connection’s property page.
If you select the Obtain an IP Address Automatically option, you can select the Obtain
DNS Server Addresses Automatically option to receive the DNS server address list from
the DHCP server. If you prefer, you can specify the addresses explicitly by choosing the
Use the Following DNS Server Addresses option and then filling in the IP addresses of
the preferred and alternate server. The client resolver attempts to resolve through the preferred server first; and if the preferred server fails to respond, the client tries the alternate
server.
To configure additional DNS properties, click Advanced and then click the DNS and WINS tabs
to display the DNS and WINS property pages, shown in Figure 5-16. You can specify more than
two DNS servers if you want and change the order of DNS servers in the list. The resolver tries
the DNS servers in order from top to bottom.
FIGURE 5-16
Use the DNS page to configure additional DNS options.
The following list explains the options on the DNS page:
■ Append Primary and Connection Specific DNS Suffixes. Select this option to append
the primary DNS suffix and connection-specific DNS suffix to unqualified host names for
resolution. You define the primary DNS suffix for the computer through the computer’s
Network Identification property page (which you access by right-clicking My Computer,
choosing Properties, and clicking Network Identification). The primary DNS suffix applies
globally to the system unless overridden by the connection-specific DNS suffix, which
you set in the field DNS Suffix for This Connection. Assume, for example, that your primary suffix is mcity.us and your connection-specific DNS suffix is west.mcity.us.
You query for the unqualified host name tia. This option then causes Windows Server
2008 to attempt to resolve tia.mcity.us and tia.west.mcity.us. If you have no
connection-specific DNS suffix specified, Windows Server 2008 attempts to resolve only
tia.mcity.us.
■ Append Parent Suffixes of the Primary DNS Suffix. This option determines whether
the resolver attempts resolution of unqualified names up to the parent-level domain
for your computer. Assume, for example, that your computer’s primary DNS suffix
is west.mcity.us and you attempt to resolve the unqualified host name jane.
The resolver would attempt to resolve jane.west.mcity.us and jane.mcity.us
(attempting to resolve at the parent level as well as the computer’s domain level).
■ Append These DNS Suffixes (in Order). Use this option to append only the specified
DNS suffixes for resolving unqualified names.
■ DNS Suffix for This Connection. Use this option to specify a DNS suffix for the connection that is different from the primary DNS suffix defined in the computer’s Network
Identification property page.
■ Register This Connection’s Addresses in DNS. Select this option to have the client
submit a request to the DNS server to update its host (A) record when its host name
changes or IP address changes. The client submits the full computer name specified in the
Network Identification tab of the System Properties sheet, along with its IP address, to
the DNS server. You can view the System properties through the System object in the
Control Panel, or you can right-click My Computer and choose Properties.
■ Use This Connection’s DNS Suffix in DNS Registration. Select this option to have
the client submit a request to the DNS server to update its host record whenever the host
name changes or IP address changes. This differs from the preceding option in that this
option registers the client by using the first part of the computer name specified in the
System properties, along with the DNS suffix specified by the DNS Suffix for This Connection option on the DNS page. You can use this option along with the preceding option
to register two different FQDNs for the host.
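The following added example (not code from the book) models the candidate list the DNS-page options above produce for an unqualified host name. The function and parameter names are hypothetical, and the model assumes that parent-suffix devolution stops at the second-level domain, which matches the book's jane.mcity.us example, and that the parents of the primary suffix are tried before the connection-specific suffix. The list is worth seeing because every suffix appended is one more zone whose records can answer an unqualified name, so the search list decides where a mistyped or locally unknown name is looked up.

```python
# Added example (not from the book): builds the list of names the resolver tries for an
# unqualified host name under the DNS page options described above. Function and
# parameter names are hypothetical.

def parent_suffixes(suffix):
    """Devolve 'a.west.mcity.us' to ['west.mcity.us', 'mcity.us']. Assumption: devolution
    stops at the second-level domain, as in the book's jane.mcity.us example."""
    labels = suffix.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def candidate_fqdns(name, primary_suffix, connection_suffix=None,
                    append_parents=False, suffix_list=None):
    """Return, in order, the fully qualified names tried for `name`.

    primary_suffix     the computer's primary DNS suffix (Network Identification page)
    connection_suffix  "DNS Suffix for This Connection" (None if not set)
    append_parents     "Append Parent Suffixes of the Primary DNS Suffix"
    suffix_list        "Append These DNS Suffixes (in Order)"; when given, only these apply
    A trailing dot marks `name` as already fully qualified, so nothing is appended.
    Assumed order: primary suffix, its parents, then the connection-specific suffix.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    if suffix_list:
        return [f"{name}.{s.strip('.')}" for s in suffix_list]
    suffixes = [primary_suffix.strip(".")] if primary_suffix else []
    if append_parents and primary_suffix:
        suffixes += parent_suffixes(primary_suffix)
    if connection_suffix:
        suffixes.append(connection_suffix.strip("."))
    candidates = []
    for s in suffixes:                 # keep order, drop duplicates
        fqdn = f"{name}.{s}"
        if fqdn not in candidates:
            candidates.append(fqdn)
    return candidates
```

The two calls that reproduce the chapter's examples are `candidate_fqdns("tia", "mcity.us", "west.mcity.us")` and `candidate_fqdns("jane", "west.mcity.us", append_parents=True)`.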
Configuring Windows NT and Windows 9x clients for DNS is very similar to configuring
Windows 2000/XP/Server 2003/2008 clients. Right-click Network Neighborhood and
choose Properties, or open Network in the Control Panel. Locate and double-click TCP/IP
and then click DNS to set the DNS properties.
Using Hosts and LMHOSTS Files
for Name Resolution
DNS servers resolve host names to IP addresses, and WINS servers primarily resolve NetBIOS
names to IP addresses. In some cases, however, the capability to resolve host names to addresses
without contacting a DNS or WINS server is helpful. You may, for example, have several hosts
on the local network with host names and addresses that don’t change, so you have no real need
to put a load on the local name server for resolution if you can avoid it. Or you may not have
a name server available for some reason but still need to enable an application to resolve host
names.
Windows Server 2008 offers two methods for resolving host names to addresses that you
can use in conjunction with or in place of name servers to provide name resolution. These
two methods rely on ASCII files to store a database of host-to-address entries, just as the
original ARPANET relied on the Hosts file for name resolution. You can use a local Hosts file in
conjunction with or in place of DNS and a local LMHOSTS file in conjunction with or in place
of WINS.
Using a Hosts file for name resolution
A Hosts file maintains a host table that maps host names to IP addresses. Windows
can look up entries in the Hosts file to resolve names without needing to query a
DNS server for resolution. Windows Server 2008 creates a file named Hosts in the
%systemroot%\system32\drivers\etc folder. Hosts is an ASCII file that you can
edit in Notepad or any other plain-text editor. The file uses the same format as the Hosts file on
4.3 BSD Unix (stored in /etc/hosts) and by default includes an entry that maps localhost
to 127.0.0.1 (which is used for loopback testing and troubleshooting).
Make a backup copy of the Hosts file before modifying it in case you experience
any problems modifying the file. Do not change or remove the entry for localhost.
Entries in the Hosts file take the format IP Address <tab> host name. You can specify more
than one host name for a given IP address, but you must use multiple entries for hosts in different domains, each entry on its own line. Entries in Hosts are case-sensitive, so in the following
example, the first two entries enable a correct resolution if the user specifies the host name in
either uppercase or lowercase:
192.160.0.124    joe.mcity.us
192.160.0.124    JOE.MCITY.US
192.168.0.203    jane.west.mcity.us
You can include a single host name for each entry or specify multiple host names for a single IP
address if they fall in the same domain. The following, for example, are valid entries:
192.168.0.224    me     tarzan    jim.west.mcity.us
192.168.0.198    you    jane      jane.east.mcity.us
Each entry in this example specifies three host names for its IP address.
Windows Server 2008 parses the entries in the Hosts file in sequential order until it finds a
match. You can speed up lookup time by placing the most frequently used host-name entries at
the top of the file.
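Here is an added example (not the Windows resolver's code) that reads a Hosts table the way the rules above describe and adds two checks an administrator might run over the file: names listed more than once (only the first line is ever used, so later ones are dead entries worth reviewing) and the localhost entry the chapter says to leave untouched. The sample table is constructed from the chapter's addresses plus one invented shadowing line; the `case_sensitive` flag follows the chapter's description by default and lets you model a case-insensitive comparison instead.

```python
import ipaddress

# Added example (not Windows' resolver code): a minimal Hosts-file reader that applies the
# rules described above. The sample table is constructed from the chapter's addresses.
SAMPLE_HOSTS = """\
# Constructed sample Hosts file
127.0.0.1        localhost
192.160.0.124    joe.mcity.us
192.160.0.124    JOE.MCITY.US
192.168.0.203    jane.west.mcity.us
192.168.0.224    me    tarzan    jim.west.mcity.us
192.168.0.198    you   jane      jane.east.mcity.us
10.9.8.7         jane.west.mcity.us   # never reached: an earlier line already matches
"""


def parse_hosts(text):
    """Return [(ip, [name, ...]), ...] in file order. '#' starts a comment; blank or
    malformed lines are skipped, which is what a resolver does with them."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        if len(fields) > 1:
            entries.append((ip, fields[1:]))
    return entries


def lookup(entries, name, case_sensitive=True):
    """Walk the table top to bottom and return the address of the first line that lists
    `name`. The chapter describes the comparison as case-sensitive; pass
    case_sensitive=False to model a case-insensitive comparison."""
    key = name if case_sensitive else name.lower()
    for ip, names in entries:
        for n in names:
            if (n if case_sensitive else n.lower()) == key:
                return ip
    return None


def shadowed_names(entries):
    """Names that appear on more than one line with different addresses. Only the first
    line can ever be returned, so the later ones are dead entries worth reviewing."""
    first, shadowed = {}, {}
    for ip, names in entries:
        for n in names:
            if n in first and first[n] != ip:
                shadowed.setdefault(n, [first[n]]).append(ip)
            first.setdefault(n, ip)
    return shadowed


def localhost_is_loopback(entries):
    """True when 'localhost' maps to a loopback address; the chapter warns not to alter
    that entry, so an audit script should verify it has not been changed."""
    ip = lookup(entries, "localhost")
    return ip is not None and ipaddress.ip_address(ip).is_loopback
```

Run `shadowed_names(parse_hosts(SAMPLE_HOSTS))` and the invented last line shows up as shadowed by the chapter's jane.west.mcity.us entry.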
Using the LMHOSTS file for name resolution
Windows Server 2008 automatically resolves NetBIOS names for computers running TCP/IP on
a local network. You can use an LMHOSTS file to resolve IP addresses of computers on other networks to which yours is connected by a gateway when a WINS server isn’t available.
LMHOSTS is an ASCII file, with the entry format similar to entries in a Hosts file. In addition,
LMHOSTS supports special keywords, explained later in this section. Windows Server 2008
includes a sample LMHOSTS file in %systemroot%\system32\drivers\etc. As with the
Hosts file, you should make a backup copy of LMHOSTS before modifying it.
Windows Server 2008 parses each line in LMHOSTS sequentially at startup, so you should place
frequently accessed names at the top of the file for best performance. Following are a few rules
for structuring an LMHOSTS file:
■ Each entry must include the IP address in the first column, with the NetBIOS name in the
second column. Additional keywords, if any, appear in subsequent columns. Columns are
separated by at least one space or tab character. Some LMHOSTS keywords follow entries,
while others appear on their own lines (discussed later in this section).
■ Each entry must reside on a separate line.
■ Comments begin with the pound (#) character, and special LMHOSTS keywords also begin
with the # character. Keep comments to a minimum to improve parsing performance.
Place frequently accessed entries near the top of the file for best performance.
■ The LMHOSTS file is static. As with the Hosts file, you must manually update the file to
create new entries or modify existing ones.
Windows Server 2008 TCP/IP reads the LMHOSTS file at system startup, and entries designated
as preloaded by the #PRE keyword are read into the name cache at that time. Other entries are
read only after broadcast name-resolution queries fail. Remember to place frequently used names
near the top of the file and to keep comments to a minimum to improve performance.
You can include the following special keywords in an LMHOSTS file:
■ #PRE. Preloads the entry into the name cache at startup. If you want names stored in a
remote LMHOSTS file to be added to the name cache at startup, use the #INCLUDE and
#PRE statements in combination, as in the following example:
#INCLUDE \\srv1\public\lmhosts    #PRE
■ #DOM:<domain>. Designates remote domain controllers located across one or more
routers. Entries that use the #DOM keyword are added to a special Internet workgroup
name cache that causes Windows Server 2008 TCP/IP to forward requests for domain
controllers to remote domain controllers as well as local domain controllers. The following example identifies a domain controller named server1 in the domain west.mcity.us
and preloads the entry into the name cache at startup:
192.168.0.212    server1    #PRE    #DOM:west.mcity.us
■ #INCLUDE <filename>. Includes entries from separate LMHOSTS files. Use #INCLUDE to
include entries from a common, shared LMHOSTS file or your own set of entries stored on
your own computer. If you reference a remote LMHOSTS file on a server outside of your
network in an #INCLUDE statement, you must also include an entry for the IP address of
the remote server in the LMHOSTS file before the #INCLUDE statement that references it.
Do not use #INCLUDE to reference an LMHOSTS file on a redirected network drive unless
your drive mappings remain the same from one session to another. Otherwise, use the
UNC path for the file. The following example includes an LMHOSTS file from a network
server:
#INCLUDE \\server1\public\Lmhosts    #Includes shared Lmhosts file
■ #BEGIN_ALTERNATE. Signals the beginning of a block inclusion, a block of multiple
#INCLUDE statements. The statements within the block designate primary and alternative
locations for the included file; the alternative locations are checked if the primary file is
unavailable. Successful loading of any entry in the block causes the block to succeed, and
subsequent entries in the block are skipped. You can include multiple block inclusions
within an LMHOSTS file. Following is an example of a block inclusion:
#BEGIN_ALTERNATE
#INCLUDE \\server1\public\lmhosts    #Primary source
#INCLUDE \\server2\public\lmhosts    #Alternate source
#INCLUDE \\netserv\shared\lmhosts    #Alternate source
#END_ALTERNATE
Addresses of servers specified in a block inclusion must be preloaded through entries earlier
in the file. Entries not preloaded are ignored.
■ #END_ALTERNATE. This signals the end of a block of multiple #INCLUDE statements.
■ \0xnn. Use this keyword to specify nonprinting characters in NetBIOS names. Enclose the
NetBIOS name in quotation marks and use the \0xnn keyword to specify the hexadecimal
value of the nonprinting character. The hexadecimal notation applies to only one character
in the name. The name must be padded to a total of 16 characters, with the hexadecimal
notation as the sixteenth character. The following is an example:
192.168.0.89    "janetrs        \0x14"    #Uses special character
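The following added example (a hypothetical loader written for this page, not Microsoft's code) applies the LMHOSTS rules from this section to a constructed file: #PRE entries go into the startup cache, #DOM: is recorded on the entry, an #INCLUDE succeeds only when the server in its UNC path has been preloaded earlier and the file is reachable, a #BEGIN_ALTERNATE block stops at the first include that loads, and a quoted name carrying \0xnn is decoded to its 16 characters. The in-memory SHARED_FILES map stands in for the network shares; every name, address and path in it is invented.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example (hypothetical loader, not Microsoft's code) applying the LMHOSTS rules above.
_TOKEN = re.compile(r'"[^"]*"|\S+')              # a quoted name or a run of non-blank text
_NONPRINT = re.compile(r"\\0x([0-9A-Fa-f]{2})")  # the \0xnn escape inside a quoted name
@dataclass
class Entry:
    ip: str
    name: str              # NetBIOS name with \0xnn escapes decoded
    preload: bool = False  # carried #PRE, or came in through '#INCLUDE ... #PRE'
    domain: str = ""       # value of #DOM:<domain>, if any

def decode_netbios_name(token):
    # Strip the quotes and replace each \0xnn with the character it denotes.
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return _NONPRINT.sub(lambda m: chr(int(m.group(1), 16)), token[1:-1])
    return token

def _add(entry, lm):
    lm["entries"].append(entry)          # every entry, in file order
    if entry.preload:
        lm["cache"].append(entry)        # what the name cache holds at startup

def _parse_entry(tokens, lm):
    """'ip name [#PRE] [#DOM:domain] [#comment ...]'; a malformed line is skipped."""
    try:
        entry = Entry(str(ipaddress.IPv4Address(tokens[0])), decode_netbios_name(tokens[1]))
    except (ValueError, IndexError):
        lm["warnings"].append(f"malformed entry: {' '.join(tokens)}")
        return
    for tok in tokens[2:]:
        if tok.upper() == "#PRE":
            entry.preload = True
        elif tok.upper().startswith("#DOM:"):
            entry.domain = tok[5:]
        elif tok.startswith("#"):
            break                         # an ordinary comment ends the entry
    _add(entry, lm)

def _include(path, preload, lm, files, depth):
    """Merge another LMHOSTS file; `files` (UNC path -> text) stands in for the network."""
    m = re.match(r"\\\\([^\\]+)\\", path)
    # The server holding the file must already be preloaded or its name cannot resolve yet;
    # an unreachable file (absent from `files`) or an #INCLUDE loop (depth) also fails the line.
    if (not m or not any(e.name.upper() == m.group(1).upper() for e in lm["cache"])
            or path not in files or depth >= 3):
        lm["warnings"].append(f"#INCLUDE skipped: {path}")
        return False
    sub = parse_lmhosts(files[path], files, depth + 1)
    for e in sub["entries"]:
        e.preload = e.preload or preload  # '#INCLUDE path #PRE' preloads the whole file
        _add(e, lm)
    lm["warnings"] += sub["warnings"]
    return True

def parse_lmhosts(text, files, depth=0):
    lm = {"entries": [], "cache": [], "warnings": []}
    in_block = block_done = False         # #BEGIN_ALTERNATE ... #END_ALTERNATE state
    for line in text.splitlines():
        tokens = _TOKEN.findall(line)
        if not tokens:
            continue
        kw = tokens[0].upper()
        if kw == "#BEGIN_ALTERNATE":
            in_block, block_done = True, False
        elif kw == "#END_ALTERNATE":
            in_block = False
        elif kw == "#INCLUDE" and len(tokens) > 1:
            if in_block and block_done:
                continue                  # an earlier alternative already loaded
            preload = any(t.upper() == "#PRE" for t in tokens[2:])
            block_done |= _include(tokens[1], preload, lm, files, depth)
        elif not kw.startswith("#"):      # any other '#...' line is a comment
            _parse_entry(tokens, lm)
    return lm

def resolve(lm, name):
    # Cache first, then the remaining entries in file order; the first match wins.
    for e in lm["cache"] + [e for e in lm["entries"] if not e.preload]:
        if e.name.upper() == name.upper():
            return e.ip
    return None

# Constructed sample: every address, name and share below is invented for this example.
SAMPLE_LMHOSTS = r'''192.168.0.212   server1   #PRE   #DOM:west.mcity.us   # DC across a router
192.168.0.220   server2   #PRE
192.168.0.89    "janetrs        \0x14"   #Uses special character
#BEGIN_ALTERNATE
#INCLUDE \\server1\public\lmhosts      #Primary source (unreachable in this sample)
#INCLUDE \\server2\public\lmhosts      #Alternate source
#INCLUDE \\netserv\shared\lmhosts      #Alternate source (skipped: block already satisfied)
#END_ALTERNATE
#INCLUDE \\server2\public\extra.lmhosts #PRE
#INCLUDE \\netserv\shared\lmhosts      #ignored: netserv was never preloaded
'''
SHARED_FILES = {  # \\server1\public\lmhosts is deliberately absent
    r"\\server2\public\lmhosts": "192.168.0.240  printsrv\n",
    r"\\server2\public\extra.lmhosts": "192.168.0.250  backup  #DOM:west.mcity.us\n",
}
```

Calling `parse_lmhosts(SAMPLE_LMHOSTS, SHARED_FILES)` yields a cache of server1, server2 and backup (the last one only because its #INCLUDE line carried #PRE), two warnings (the unreachable primary source and the include whose server was never preloaded), and the printsrv entry pulled in by the first alternative that loaded.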
Summary
This chapter described how DNS provides the primary means through which Windows Server
2008 clients resolve host names to IP addresses. The client’s computer uses a resolver to request
resolution of a name from one or more DNS servers. The client can also use a Hosts file to statically map names to addresses and bypass the need to access a DNS server for name resolution.
DNS in Windows Server 2008 is dynamic, enabling clients and DNS servers alike to request
that a DNS server that is authoritative for the client’s zone update the client’s host and pointer
records. A client can directly request an update of its host record, and a DNS server can request
an update of both the host and associated pointer record on behalf of the client. Zones that
are stored in Active Directory can be secured through ACLs to require authentication before
dynamic updates are permitted.
WINS provides the same capabilities for resolving NetBIOS names to addresses that DNS provides for host names. Windows Server 2008 includes a WINS server service that enables a Windows Server 2008 server to function as a WINS server and integrates DNS and WINS to provide
additional capabilities. Although WINS is not always an optimum solution, it nevertheless offers
several advantages for name resolution where NetBIOS names are still used.
Shapiro
c06.tex
V2 - 06/12/2008
4:16pm
Routing and Remote Access
This chapter covers the remote access services provided with
Windows Server 2008 that enable dial-up and IP access (client
and server) for remote connectivity, including dial-up connections
to the Internet. It also covers the many features in Routing and Remote
Access Service (RRAS) that enable Windows Server 2008 to function as a
router.
IN THIS CHAPTER
Windows Server 2008 Remote Access Services (RAS)
RAS connection types and protocols
Configuring RAS
Configuring a router
Configuring a VPN server
Using Multilink and BAP
Using RADIUS
Applying a Network Policy Server policy
Examining security issues
Configuring dial-up networking connections
Troubleshooting RRAS installations
Connecting to the Internet
Windows Server 2008 RAS and Telephony Services
RAS stands for Remote Access Services. In Windows Server 2008, RAS
enables Windows Server 2008 clients to dial or directly connect to other
systems for access to remote networks, including the Internet, and enables
Windows Server 2008 computers to act as network and dial-up access
servers to route remote clients into a network. The Routing and Remote
Access Service (RRAS) enables Windows Server 2008 to function as a
router. RAS and RRAS are integrated into a single service in Windows
Server 2008. This chapter examines the dial-up networking features in
RRAS that enable a Windows Server 2008 computer to function as both a
dial-up server and dial-up client.
The following sections provide an overview of these RRAS features. Later
sections explain protocol, security, and configuration issues.
Overview of Windows Server 2008 RRAS
Remote access enables a client computer to connect to a remote computer or network and access
the resources of the remote computer or network as if they were local. For example, users who
are frequently on the road can access the company file server(s), printers, mail system, and other
resources from remote locations. Clients also can use remote access services to connect to public
networks such as the Internet. Figure 6-1 illustrates one implementation of remote access.
FIGURE 6-1
RRAS enables remote users to connect to the local computer or network and supports dial-out connections from Windows Server 2008 clients.
[Figure: a remote user connects through the RRAS server and accesses network shares and printers.]
The Routing and Remote Access Service in Windows Server 2008 provides three primary
functions:
■ Dial-up client. You can use RRAS to create and establish dial-up connections to remote
networks, including the Internet, through a variety of media such as a modem, ISDN,
infrared, parallel ports, serial connection, X.25, and ATM. Windows Server 2008 dial-up
clients support a wide range of authentication protocols and other connectivity options,
which are discussed in depth later in this chapter. Support for tunneling protocols enables
clients to establish secure connections to remote networks through public networks such
as the Internet.
■ Dial-up server. A Windows Server 2008 server can function as a dial-up server, enabling remote
clients to connect to the local server, and optionally to the local network, through the
same types of media support for dial-out connections. You can also use RRAS to support
Terminal Services client sessions because RRAS issues an IP address to the connecting
clients and binds the necessary protocols to the RAS connection.
Windows Server 2008 supports several authentication protocols and can authenticate
users against local or domain user accounts, or it can use Remote Authentication Dial
In User Service (RADIUS), an industry standard authentication mechanism. Once connected, a remote user can browse, print, map drives, and perform essentially all other
functions possible from either the local server or local area network.
■ Routing services. The routing components of RRAS enable Windows Server 2008 to
function as a unicast and multicast router. Windows Server 2008 provides for routing,
packet filtering, connection sharing, demand-dial routing, and several other features that
make it a good choice for LAN and WAN routing. Windows Server 2008 also adds limited
firewall capability.
Although Windows Server 2008 RRAS integrates dial-up networking and routing into a single
service, they are treated as separate issues in this book because of the different focus for each.
One of the key benefits of Windows Server 2008 RRAS is its integration with the Windows
Server 2008 operating system. On the client side, integration means that once a remote connection is established, the client can access resources on the server transparently as if they were
local resources. The client can map remote shares to local drive letters, map and print to remote
printers, and so on. Except in very rare circumstances, applications can use remote resources
seamlessly without modification to make them RAS- or network-aware.
On the server side, integration means that Windows Server 2008 can use a single authentication
mechanism to authenticate users both locally and from remote locations. RRAS can authenticate
against the local computer’s user accounts or accounts in the domain, or it can use an external
authentication mechanism such as RADIUS. Through its support for RADIUS, Windows Server
2008 RRAS enables a Windows Server 2008 system to function as a gateway of sorts to the network
while offloading authentication to another server, which could be any RADIUS platform, including a Unix server.
Remote Authentication Dial-In User Service (RADIUS) is a standard, cross-platform
protocol for authentication commonly used for dial-in authentication.
Windows Server 2008 RRAS also provides close integration with Active Directory (AD). This AD
integration provides users with the replication of remote access settings, including access permissions, callback options, and security policies, among others. AD integration also means simplified administration with other AD-related services and properties.
As you learn later in the section ‘‘RAS Connection Types and Protocols,’’ Windows Server
2008 RRAS supports a wide range of connection protocols, including Point-to-Point Protocol
(PPP), Serial Line Internet Protocol (SLIP), and Microsoft RAS Protocol. Windows Server 2008
RRAS supports multiple authentication methods, including Microsoft Challenge Handshake
Authentication Protocol (MS-CHAP), Extensible Authentication Protocol (EAP), Challenge
Handshake Authentication Protocol (CHAP), Shiva Password Authentication Protocol (SPAP),
and Password Authentication Protocol (PAP). Network protocols supported include TCP/IP,
IPX/SPX, and AppleTalk to support Microsoft, Unix, NetWare, and Macintosh resources
and clients.
New features of Windows Server 2008 RRAS
If you’re familiar with RAS or RRAS in Windows NT or Windows 2000, you’ll find all of those
same features in Windows Server 2008 RRAS. You’ll also find several enhancements to existing
features, along with many new features, including those described in the following sections.
AD integration
As mentioned previously, Windows Server 2008 RRAS integrates with the Active Directory (AD).
AD integration enables client settings to be replicated throughout the organization to provide
expanded access by clients and easier administration. Integration with the AD also can simplify
administration by enabling you to browse and manage multiple RRAS servers through the
AD-aware RRAS management console snap-in, providing a single point of management for RRAS
services in an organization.
Bandwidth Allocation Protocol and Bandwidth Allocation Control Protocol
The Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP)
enable Windows Server 2008 RAS to dynamically add or remove links in a multilink PPP
connection as bandwidth requirements for the connection change. When bandwidth utilization
becomes heavy, RAS can add links to accommodate the increased load and enhance performance. When bandwidth utilization decreases, RAS can remove links to make the connection
more cost efficient. You configure BAP policies through a Network Policy Server (NPS) policy
that you can apply to individual users, groups, or an entire organization.
MS-CHAP version 2
Previous versions of RAS supported Microsoft Challenge Handshake Authentication Protocol
(MS-CHAP) to authenticate remote clients. MS-CHAP v2 provides stronger security and is
designed specifically to support Virtual Private Network (VPN) connections, which enable
remote clients to establish secure connections to a private network through a public network
such as the Internet. MS-CHAP v2 provides several security enhancements:
■ LAN Manager coding of responses, formerly supported for backward compatibility with
older remote access clients, is no longer supported. This provides improved security.
MS-CHAP v2 no longer supports LAN Manager encoding of password changes for the
same reason.
■ Mutual authentication, which provides bi-directional authentication between the remote
client and the RAS server, is supported. Previously, MS-CHAP provided only one-way
authentication and did not provide a mechanism for the remote client to determine
whether the remote server actually had access to its authentication password for
verification. Version 2 not only enables the server to authenticate the client’s request, but
also enables the client to verify the server’s ability to authenticate its account.
■ Stronger encryption is provided in MS-CHAP v2. The 40-bit encryption used in previous versions operated on the user’s password and resulted in the same cryptographic key
being generated for each session. Version 2 uses the remote client’s password, along with
an arbitrary challenge string, to create a unique cryptographic key for each session, even
when the client password remains the same.
■ Better security for data transmission is provided by using separate cryptographic keys for
data sent in each direction.
Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP) enables authentication methods to be added to
RAS without redesigning the underlying RAS software base, much like new features in NTFS 5.0
enable new functionality to be added to the file system without redesigning the file system. EAP
enables the client and server to negotiate the mechanism to be used to authenticate the client.
Currently, EAP in Windows Server 2008 supports EAP-MD5 CHAP (Challenge Handshake
Authentication Protocol), EAP-TLS (Transport Layer Security), and redirection to a RADIUS
server. Each of these topics is covered in more detail later in this chapter.
RADIUS support
Windows Server 2008 RRAS can function as a RADIUS client, funneling logon requests to
a RADIUS server, which can include the Internet Authentication Service (also included with
Windows Server 2008) running on the same or a different server. The RADIUS server doesn’t
have to be a Windows Server 2008 system, however, which enables RRAS to use Unix-based
RADIUS servers or third-party RADIUS services you might already have in place. One of the
advantages to using RADIUS is its capability for accounting, and several third-party utilities have
been developed to provide integration with database backends such as SQL Server to track and
control client access.
See the section ‘‘Using RADIUS’’ later in this chapter for detailed information on
configuring and using RADIUS.
Network access policies
Windows Server 2008 improves considerably on the flexibility you have as an administrator to
control a user’s remote access and dial-up settings. Earlier versions gave you control only over
callback options, and settings were assigned on a user-by-user basis. Although Windows Server
2008 still lets you assign remote access permissions through a user’s account, as with Windows
Server 2008 RRAS, you also can use an NPS policy to define the remote access settings for one
or several users. This is achieved through the Network Policy Server (NPS) service. NPS
access policies give you a fine degree of control over the users’ settings, controlling options such
as allowed access time, maximum session time, authentication, security, BAP policies, and more.
See the section ‘‘Policy Server’’ later in this chapter for additional information on
configuring and using NPS policies. See the Windows Server 2008 Security chapter
(Chapter 16) for security aspects of NPS policy.
Account lockout
Windows Server 2008 RAS enhances security by supporting account lockout, which locks an
RRAS account after a specified number of bad logon attempts. This feature helps guard against
dictionary attacks in which a hacker attempts to gain remote access by repeatedly attempting to
log on using a dictionary of passwords against a valid account. You can configure two settings
that control lockout — the number of bad logon attempts before the account is locked out and
how long the account remains locked before the lockout counter is reset.
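As an added illustration (a model written for this page, not RRAS code), the following keeps a per-account failure count governed by the two settings described above: the number of failed logons allowed and the interval after which the count resets. In RRAS these are the MaxDenials and ResetTime values under the RemoteAccess service's AccountLockout registry key; here they are plain constructor arguments, and the attempt log is constructed. The model makes the trade-off visible: while an account is locked, the genuine password is refused as well, so the lockout that blunts password guessing also means a stream of bad passwords denies that user service until the reset interval passes.

```python
# Added example (a hypothetical model, not RRAS code) of the two lockout settings described
# above: the number of failed logons allowed and the interval after which the count resets.
class RasLockout:
    def __init__(self, max_denials, reset_after):
        self.max_denials = max_denials   # failed attempts before the account is locked
        self.reset_after = reset_after   # seconds after the first failure until the count resets
        self._state = {}                 # account -> (failures, time of first failure)

    def attempt(self, account, password_ok, now):
        """Record a logon attempt made at time `now` (seconds); returns 'ok', 'denied' or 'locked'."""
        failures, since = self._state.get(account, (0, None))
        if since is not None and now - since >= self.reset_after:
            failures, since = 0, None       # reset interval elapsed: the count starts again
        if failures >= self.max_denials:
            self._state[account] = (failures, since)
            return "locked"                 # even a correct password is refused until the reset
        if password_ok:
            self._state.pop(account, None)  # a good logon clears the counter
            return "ok"
        failures += 1
        since = now if since is None else since
        self._state[account] = (failures, since)
        return "locked" if failures >= self.max_denials else "denied"

    def is_locked(self, account, now):
        failures, since = self._state.get(account, (0, None))
        return (since is not None and now - since < self.reset_after
                and failures >= self.max_denials)


def replay(log, max_denials=3, reset_after=600):
    """Feed (time, account, password_ok) events through the model and return the outcomes;
    useful for checking how a candidate policy would have handled a real attempt log."""
    lock = RasLockout(max_denials, reset_after)
    return [lock.attempt(account, ok, t) for t, account, ok in log]


# Constructed attempt log: a guessing run against 'alice' followed by her genuine logon.
SAMPLE_LOG = [
    (0, "alice", False), (5, "alice", False), (10, "alice", False),  # three bad guesses
    (15, "alice", False),                                            # already locked
    (20, "alice", True),                                             # real password, still locked
    (30, "bob", True),                                               # other accounts unaffected
    (700, "alice", True),                                            # reset interval has elapsed
]
```

`replay(SAMPLE_LOG)` returns denied, denied, locked, locked, locked, ok, ok: the third failure locks the account, the genuine logon at 20 seconds is refused, and only after the 600-second reset does alice get back in.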
The Routing and Remote Access management console
The Routing and Remote Access service is installed through Server Manager as part of the Network Policy and Access Services role. Refer to Chapter 2.
Microsoft has integrated most administrative and management functions into Microsoft Management Console (MMC) snap-ins, and RRAS is no exception. The Routing and Remote Access
console snap-in enables you to configure and manage an RRAS server. Figure 6-2 shows the
Routing and Remote Access console.
FIGURE 6-2
The Routing and Remote Access console.
The RRAS console serves as a central control center for managing most RRAS properties. In
addition to configuring ports and interfaces, you can configure protocols, global options and
properties, and RRAS policies through the RRAS console. Later sections of this chapter explain
how to use the RRAS console to perform specific configuration and administration tasks. Open
the console by choosing Start > All Programs > Administrative Tools > Routing and Remote
Access.
RAS Connection Types and Protocols
Windows Server 2008 supports several connection types and network protocols for remote
access. The following sections explore these connection types and network protocols.
The NetBEUI, NWLink, IPX/SPX, and NetBIOS protocols are not included
with Windows Server 2008, so Windows Server 2008 does not support them for
routing and remote access. Serial Line Internet Protocol is also removed, and an existing SLIP configuration
is automatically converted to the Point-to-Point Protocol.
Point-to-Point Protocol
The Point-to-Point Protocol (PPP) was developed as a standardized alternative to SLIP
that offered better performance and reliability. Unlike SLIP, PPP is designed around
industry-designed standards and enables essentially any PPP-compliant client to connect
to a PPP server. Windows Server 2008 supports PPP for both dial-in and dial-out connections. On a Windows Server 2008 RAS server, PPP enables remote clients to use TCP/IP.
Windows-based clients, including Windows Server 2008, Windows NT, Windows 9x,
and Windows 3.x, can use any TCP/IP client. Macintosh clients can use TCP/IP. PPP no longer
supports authentication protocols CHAP and PAP.
Point-to-Point Multilink Protocol and BAP
The Point-to-Point Multilink Protocol (PPMP, or simply Multilink) enables multiple PPP
lines to be combined to provide an aggregate bandwidth. For example, you might use Multilink
to combine two analog 56 Kbps modems to give you an aggregate bandwidth roughly equivalent to 112 Kbps. Or, you might combine both B channels of an ISDN Basic Rate Interface
(BRI) connection to provide double the bandwidth you would otherwise get from a single
channel.
The Bandwidth Allocation Protocol (BAP) works in conjunction with Multilink to provide
adaptive bandwidth. As bandwidth utilization increases, BAP enables the client to aggregate
additional connections to increase bandwidth and improve performance. As bandwidth
utilization decreases, BAP enables the client to drop connections from the aggregate link to
reduce connection costs (where multiple connections incur their own charges).
See the section ‘‘Using Multilink and BAP’’ later in this chapter for information on
configuring and using multilink connections.
Point-to-Point Tunneling Protocol
The TCP/IP protocol suite by itself does not provide for encryption or data security, an obvious concern for users who need to transmit data securely across a public network such as the
Internet. The Point-to-Point Tunneling Protocol (PPTP) provides a means for encapsulating and
encrypting IP for secure transmission. PPTP is an extension of PPP that enables you to create a
Virtual Private Network (VPN) connection between a client and server.
PPP frames in a PPTP session are encrypted using Microsoft Point-to-Point Encryption (MPPE),
with the encryption keys generated using the CHAP authentication process. PPTP by itself
does not provide encryption, but rather encapsulates the already encrypted PPP frames. In
order to provide a secure connection, the client must use either CHAP or EAP authentication.
Otherwise, the PPP frames are encapsulated unencrypted (plain text). Figure 6-3 illustrates
how PPTP encapsulates data. PPTP is installed by default when you install Windows Server
2008 RRAS.
FIGURE 6-3
PPTP and L2TP use different methods for encapsulation and encryption.
[Figure: frame layouts]
PPTP: IP Header | GRE Header | PPP Header | PPP Payload (IP datagram, IPX datagram, NetBEUI frame)
      Encrypted by MPPE: the PPP payload.
L2TP: IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (IP datagram, IPX datagram, NetBEUI frame) | IPSec ESP Trailer | IPSec Auth. Trailer
      Encrypted by IPSec: the fields between the ESP header and the ESP trailer.
PPTP is a good choice for creating secure connections to a private network through
a public network, such as the Internet, when the remote network isn’t configured to
support IPSec.
Layer Two Tunneling Protocol
Layer Two Tunneling Protocol (L2TP) is a protocol that combines the features of PPTP with support for IP Security (IPSec) to provide enhanced security. Unlike PPTP, which relies on MPPE
for encryption, L2TP relies on IPSec to provide encryption. Therefore, the source and destination
routers must support both L2TP and IPSec. Figure 6-3 illustrates how L2TP encapsulates data.
L2TP is installed by default when you install Windows Server 2008 RRAS.
L2TP provides better security than PPTP by supporting IPSec. L2TP is a better choice
for creating VPN connections than PPTP when the remote network is configured to
support IPSec.
Transport protocols
As mentioned previously in this chapter, RRAS supports TCP/IP as its transport protocol. When you install
RRAS, Windows Server 2008 enables all currently installed protocols for incoming and outgoing
RAS connections. As you learn later in the section ‘‘Configuring RAS for Inbound Connections,’’
you can configure the supported protocols to enable clients to access only the RAS server or the
LAN. You configure access on a protocol-by-protocol basis.
TCP/IP
As a dial-out protocol, TCP/IP enables you to connect a Windows Server 2008 client to nearly
any TCP/IP-based network, including the Internet. You can statically assign the IP address,
subnet mask, default gateway, and other settings for the dial-out connection or allow the remote
server to assign the connection properties. As a protocol for incoming connections, TCP/IP
enables essentially any client that supports TCP/IP and PPP to connect to a Windows Server
2008 RAS server. As you learn later in the section ‘‘Configuring RAS for Inbound Connections,’’
you can allocate addresses from a static pool or use DHCP to allocate addresses and other
connection properties to remote clients. In addition, clients can request a predefined IP address
(defined on the client side through the connection properties).
Enabling and Configuring RRAS
Although RRAS is installed by default when you install Windows Server 2008, you still need
to enable the service in order to configure and use it. To do so, choose Start > All Programs > Administrative Tools > Routing and Remote Access to open the RRAS console. Right-click the
server in the left pane and choose Configure and Enable Routing and Remote Access to start
the RRAS Setup Wizard. You can use the wizard to automatically configure RRAS for specific
applications or configure the service manually.
If you enable RRAS and choose to configure it manually and then later decide you'd
like to run the wizard, you can do so, but you will lose the current configuration
settings. To reconfigure the service through the wizard, open the RRAS console, right-click the
server, and choose Disable Routing and Remote Access. After the service stops, right-click
the server again and choose Configure and Enable Routing and Remote Access.
The wizard provides five basic options for configuring RRAS:
■ Remote access (dial-up or VPN). Sets up the server to accept incoming remote access
connections, whether dial-up or VPN.
■ Network address translation (NAT). Sets up the server to provide NAT services to
clients on the private network that need to access the Internet.
■ Virtual private network (VPN) access and NAT. Sets up the server to support incoming VPN connections from the Internet and NAT-protected client connections from the
local network out to the Internet.
■ Secure connection between two private networks. Establishes a demand-dial or persistent connection between networks, with the server acting as a router.
■ Custom configuration. Enables you to choose individual services you want RRAS to
offer, such as NAT, LAN routing, and VPN access.
If the Windows Firewall service is running, you cannot enable and configure RRAS.
Open the Services console, stop the Windows Firewall service, and configure it to
Disabled startup. Then, try running the RRAS wizard again. Treat this as a temporary step:
a server that is about to become a VPN endpoint or NAT router should not be left without a
host firewall. Once RRAS is configured, re-enable the service and confirm that only the
ports the chosen tunnel needs are reachable from the outside (TCP 1723 plus GRE, IP protocol
47, for PPTP; UDP 500 and 4500 plus ESP, IP protocol 50, for L2TP/IPSec).
The following sections explain how to use the wizard and the custom configuration option to set
up RRAS to perform specific functions.
IP Routing
Except in self-contained private networks, routing plays an important role in TCP/IP. Routing
enables packets destined for external subnets to reach their destinations, and for traffic from
remote networks to be delivered to your network. Windows Server 2008 includes a service
called Routing and Remote Access (RRAS) that enables a Windows Server 2008 to function as a
dedicated or demand-dial router (establishing connections only as needed). This section of the
chapter discusses IP routing in general and the routing elements of RRAS in particular.
IP routing overview
A router works in concert with other network hardware to direct network traffic to its intended
destination. For example, when you open your Web browser at the office and connect to
www.foxnews.com to check the current news, your network router directs the traffic out
to the Internet. At that point, other routers take care of getting the traffic to the site and back
again with the responses. Another example is when you dial into your ISP from home. The
ISP’s router(s) connects its network to the Internet and processes traffic going to and from your
computer and to and from the computers of other connected customers.
A typical router sits between two or more subnets. Each pass through a router is a hop, and
each router decrements the packet's Time to Live (TTL) field as it forwards the packet. The
router has an interface on every subnet to which it is connected and therefore has connectivity
to each subnet. When traffic comes into the router from a particular interface, the router
directs the traffic to the appropriate interface. Figure 6-4 illustrates a typical routing
scenario. When a router decrements the TTL to zero, it discards the packet and sends an ICMP
Time Exceeded message back to the sender. This safeguard prevents a packet that cannot be
delivered (because of a routing loop, for example) from circulating around the Internet
forever. The sender sets the initial TTL; Windows uses 128 by default and many other systems
use 64, so a packet can cross at most that many routers.
FIGURE 6-4
Several networks connected to the Internet through a router.
[Diagram: a router performing NAT has the Internet address 205.219.129.1 and internal
interfaces 192.168.0.1, 192.168.1.1, and 192.168.2.1. Adjacent routers at 192.168.0.2,
192.168.1.2, and 192.168.2.2 lead on to Networks A, B, and C, which use the 192.168.3.x,
192.168.4.x, and 192.168.5.x address ranges; the router at 192.168.1.2, for example, leads
to the 192.168.4.x network.]
A router examines each packet that comes in to determine the destination network for the
packet. It does this by examining the destination address stored in the packet’s header.
The router then decides which of its interfaces to use to route the traffic (based on its knowledge of adjacent routes) and sends it on its way. For example, assume that a router has four
interfaces as shown in Figure 6-4: one for each of the local networks and one that connects
to the Internet. A packet comes into the router from Network A with the destination address
192.168.4.99. The router sends the packet out through its interface on the 192.168.1.0 subnet,
and the adjacent router at 192.168.1.2 delivers it to Network B. Another packet comes
from Network A with the destination address 205.135.201.130. The router sends that packet
out through the interface connected to the Internet because it doesn't belong in any of the
local subnets.
Routers use routing tables containing routes to determine where to send packets. Routes help the
router know where different networks are located relative to its interfaces so that it can send
packets out on the appropriate interface and have them delivered to the proper destination. Each
route in the routing table falls into one of the following types:
■ Network route. These provide a route to a specific network ID and therefore to all host
addresses within that network.
■ Host route. These provide a route to a specific host, defining not only the network but
also the address of the host.
■ Default route. The default route is used to route all traffic for which there is no specific
network route or host route. For example, a router connecting a local network to the Internet would have a default route pointing all traffic to the Internet interface.
Each route in the routing table has certain general properties:
■ Network ID/host address/subnet mask. These properties identify the destination network ID or host address and the destination subnet. The router checks the destination
addresses in the packets against these entries to determine a match. If the packet address
matches the criteria, the router uses the forwarding address and interface data associated
with the route to process the packet.
■ Forwarding address. The router forwards matching packets to this address. The address
could be that of another router or the address of a network interface on the local router
(directing the traffic out a specific port on the router).
■ Interface. This is a port number or other logical identifier of the port through which the
traffic is routed for the given route.
■ Metric. The metric specifies the relative price of the route based on cost, available bandwidth, and so on. Where multiple routes exist to a given network or host, the route with
the lowest metric is used.
When a packet comes in to the router, the router checks the destination address in the packet’s
header against the routing table to determine which route applies to the packet. If the router
matches the destination address with a route, it forwards the packet using the forwarding
address associated with the route. If the router finds no matching route, it forwards the packet
using the default route (if one is configured on the router). The default route is used to handle
any traffic for which a specific route is not indicated.
How do routers learn their routes? One method is to learn routes dynamically from other
routers and propagate them to other routers. Routers communicate with one another using routing protocols, with the two most common protocols for IP routing being Routing Information
Protocol (RIP) and Open Shortest Path First (OSPF). Windows Server 2008 RRAS includes RIP v2;
the OSPF component that earlier Windows Server versions shipped was removed in Windows
Server 2008, so OSPF on a Windows router requires a third-party implementation or a dedicated
router. RIP and OSPF are explained shortly.
A second method is for routers to use static routes. When you configure the router, you create
the static route, which creates the static route entry in the routing table. A router can use static
routes to handle all its traffic, a common situation for small to mid-size organizations. For
example, if you only connect a few local subnets to the Internet, you can use static routes to
handle all traffic, with a default route handling traffic to the Internet. You can read more about
static routes later in the section ‘‘Configuring Static Routes.’’
RIP
RIP for IP, the routing protocol included with Windows Server 2008 for routing IP
traffic, offers the advantage of being relatively easy to configure. RIP is appropriate mainly for
small to mid-size businesses because it is limited to a maximum hop count of 15. RIP considers
any address more than 15 hops away (a metric of 16) to be unreachable.
When a router using RIP first boots, its routing table contains only the routes for physically connected networks. RIP periodically broadcasts announcements with its routing table entries so
that adjacent routers can configure their routes accordingly. After a router starts up, it uses RIP
announcements from adjacent routers to rebuild its routing table.
RIP also uses triggered updates to update routing tables. Triggered updates occur when the
router detects a network change, such as an interface coming up or going down. The triggered
updates are broadcast immediately. Routers that receive the update modify their routing tables
and propagate the changes to adjacent routers.
Windows Server 2008 supports RIP v1 and v2. RIP v2 adds subnet masks to its announcements
(so it can carry classless routes), multicast announcements, a simple password for
identifying peers, and, in RRAS, route filtering.
OSPF
OSPF offers an efficient means of handling routing for very large networks such as the
Internet. OSPF uses an algorithm to calculate the shortest path between the router and adjacent
networks. OSPF routers maintain a link state database that maps the inter-network. The link state
database changes as each network topology change occurs. Adjacent OSPF routers synchronize
their link state databases and recalculate their routing tables accordingly.
Because of its scalability, OSPF is geared toward large networks, and it is more complex to
configure. Windows Server 2008 RRAS does not include an OSPF component, so if your network needs
OSPF, run it on dedicated routers and let the Windows router take part through RIP or static
routes. For smaller networks, consider using RIP. In situations where you're only connecting a
few networks together, static routes could be the best and easiest solution of all.
Routing with RRAS
In addition to providing remote access services to enable a Windows Server 2008 to act as
both a dial-up server and client, RRAS enables a Windows Server 2008 to function as a router
for persistent connections and as a demand-dial router, connecting only when requested
by a client to do so. For example, you might have two divisions of a company that need to
transfer data between networks only occasionally. Maintaining a leased line or a direct Internet
connection between the two isn’t feasible because of the cost involved. Instead, you can set up a
demand-dial router that will call the other router (over a dial-up connection, for example) when
any traffic needs to be routed to the other network.
All of the functions supported by Windows Server 2008 RRAS require routing. When you use
the wizard to configure a RRAS server, routing is enabled on the server. In this section of the
chapter, we limit RRAS specifically to functioning as a router to explain how to configure routes,
protocols, and other components. Later sections explain how to configure a RRAS server to function in other ways (such as a VPN server).
Configuring a basic router
As mentioned previously, RRAS can use static routes, dynamic routes, or a combination thereof
to provide routing services. This section of the chapter explains how to set up a simple router
that uses static routes, rather than dynamic routing. Most of the steps in this section also apply
to a dynamic router, so even if you won’t be using static routes, you should read this section
before moving on to ‘‘Dynamic Routing,’’ later in this chapter.
At this point, assume that you have yet to enable RRAS. To configure a LAN router, open the
RRAS console by choosing Start > All Programs > Administrative Tools > Routing and Remote
Access. Right-click the server and choose Configure and Enable Routing and Remote Access to
start the wizard. Then, choose Custom Configuration and click Next. Choose LAN routing, click
Next, and click Finish. Click Yes when asked if you want to start the RRAS service.
Configuring the router address
By default, the router uses the first IP address bound to an interface to process routing tasks on
that interface. An interface that has only one address assigned therefore doesn’t require configuration of its address. You might, however, have multiple addresses assigned to each interface
for other purposes. In such a case, you need to configure which address the router interface
will use.
To do so, open the RRAS console, expand the IP Routing branch, and click General. In the right
pane, right-click the interface you want to configure and choose Properties to display its property sheet. Set the IP address, subnet mask, and gateway (if required) for the interface on the
Configuration page. Click Advanced if you need to specify a metric for the interface.
Configuring static routes
After you set up RRAS for routing, you need to either add static routes or configure the router to
use RIP. The exception is when you have only two networks connected by a router. In
this situation, both networks are directly connected, their routes appear in the routing table
automatically, and the router can forward the traffic without a specific route.
To add a static route, open the RRAS console and expand the IP Routing branch. Click Static
Routes, right-click the right pane (or Static Routes), and choose New Static Route to display the
Static Route dialog box (see Figure 6-5).
FIGURE 6-5
Use the Static Route dialog box to add a static route.
The following list explains the options in the Static Route dialog box:
■ Interface. Select the network interface to be used to forward packets that fit the criteria
for the route. For example, to route traffic destined for the Internet, select the network
interface on the server that is connected to the Internet.
■ Destination. Specify the address criteria for matching packets. RRAS will check the destination address in the packet header against this address to determine whether the route
applies to the packet. You can specify a network address, a host address, or a default route
of 0.0.0.0. For a network address, use the network address itself, in which all host bits are
zero. For example, for the class C network 205.219.128.x, use 205.219.128.0. For a host, specify
the actual IP address of the host.
Creating a default route using 0.0.0.0 causes all traffic for which there is no other applicable
route to be forwarded through the interface defined by the default route entry.
■ Network Mask. Specify the network mask for the destination network or host. For a
default route, enter 0.0.0.0.
■ Gateway. Specify the address to which the packets will be forwarded for this route. It
must be an address directly reachable on the router’s external network segment (interface
for the route). For example, you might specify the address of the router port on the same
subnet for the next adjacent router.
■ Metric. Specify a value to define the relative cost for the route. A lower metric indicates a
lower cost. In many cases, administrators use the number of hops to the destination as the
metric. When multiple routes apply to a given packet, the route with the lowest metric is
used unless it is unavailable.
■ Use This Route to Initiate Demand-Dial Connections. Select this option to cause the
router to initiate a demand-dial connection when it receives packets applicable for
the selected route. This option is available only if at least one demand-dial interface is
configured for the router.
Create static routes to accommodate each specific network segment in your network. Create a
default route to handle all other traffic.
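The rules the Static Route dialog implies (host route before network route before default route, lowest metric among equally specific routes, and a gateway that must sit on the interface's own segment) are easier to trust once you have seen them applied. The following is an added example, not code from the book or from RRAS: a Python routing table whose entries carry the dialog's five fields, loaded with the NAT router of Figure 6-4. The interface names, the alternate path to 192.168.4.99, the second route to 192.168.5.0, and the ISP gateway address 205.219.129.254 are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Route:
    """One row of the Static Route dialog."""
    interface: str
    destination: str   # network or host address, or 0.0.0.0 for the default route
    mask: str          # dotted mask; 0.0.0.0 for the default route, 255.255.255.255 for a host
    gateway: str       # forwarding address, which must be on the interface's own segment
    metric: int

    @property
    def network(self) -> IPv4Network:
        # strict=False lets a host address carry a /32 mask without complaint
        return IPv4Network(f"{self.destination}/{self.mask}", strict=False)


def gateway_on_segment(table, route: Route) -> bool:
    """True when the route's gateway is directly reachable on its interface."""
    return IPv4Address(route.gateway) in table.interfaces[route.interface].network


class RoutingTable:
    def __init__(self, interfaces):
        # interface name -> the router's own address/mask on that segment
        self.interfaces = {name: IPv4Interface(cidr) for name, cidr in interfaces.items()}
        self.routes = []

    def add(self, route: Route):
        if not gateway_on_segment(self, route):
            raise ValueError(f"gateway {route.gateway} is not on {route.interface}")
        self.routes.append(route)

    def lookup(self, dst: str):
        """The route chosen for dst, or None when nothing (not even a default) matches."""
        addr = IPv4Address(dst)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        # Most specific (longest mask) first; ties go to the lowest metric.
        return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def build_example_table() -> RoutingTable:
    """The NAT router of Figure 6-4; the ISP gateway 205.219.129.254 is assumed."""
    table = RoutingTable({
        "Internet": "205.219.129.1/24",
        "Net0": "192.168.0.1/24",
        "Net1": "192.168.1.1/24",
        "Net2": "192.168.2.1/24",
    })
    # Directly connected networks: the forwarding address is the router's own port.
    table.add(Route("Net0", "192.168.0.0", "255.255.255.0", "192.168.0.1", 1))
    table.add(Route("Net1", "192.168.1.0", "255.255.255.0", "192.168.1.1", 1))
    table.add(Route("Net2", "192.168.2.0", "255.255.255.0", "192.168.2.1", 1))
    # Network route: 192.168.4.0/24 lies behind the adjacent router at 192.168.1.2.
    table.add(Route("Net1", "192.168.4.0", "255.255.255.0", "192.168.1.2", 2))
    # Host route: a single host in that network reached over a different path (assumed).
    table.add(Route("Net2", "192.168.4.99", "255.255.255.255", "192.168.2.2", 5))
    # Two routes to the same network; the lower metric is used while it is available.
    table.add(Route("Net1", "192.168.5.0", "255.255.255.0", "192.168.1.2", 1))
    table.add(Route("Net2", "192.168.5.0", "255.255.255.0", "192.168.2.2", 2))
    # Default route for everything else, out the Internet interface.
    table.add(Route("Internet", "0.0.0.0", "0.0.0.0", "205.219.129.254", 1))
    return table


def next_hop(table: RoutingTable, dst: str):
    """(interface, gateway) for dst, or None when the packet is unroutable."""
    route = table.lookup(dst)
    return None if route is None else (route.interface, route.gateway)
```

The `add` check is the one the dialog cannot make for you: a gateway that is not on the selected interface's segment produces a route that matches packets and then silently fails to forward them, which is the usual cause of a static route that "does not work".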
Adding and configuring a demand-dial interface
You need to add a demand-dial interface if you’re installing RRAS to include the capability to
function as a demand-dial router as well as a LAN router. A demand-dial router automatically
dials a connection to a remote network when traffic from the local network needs to be routed
to the remote network reachable through the demand-dial connection as defined by the route
for that network.
To install a demand-dial interface, open the RRAS console and expand the server on which you
want to install the interface. Right-click Network Interfaces in the left pane and choose New
Demand-Dial Interface to start the Demand-Dial Interface Wizard. The wizard prompts for the
following information:
■ Interface Name. Specify a friendly name for the interface. By default, RRAS suggests
the name Remote Router. Keep in mind that if you configure the demand-dial interface
to allow remote users (routers) to connect to this interface, the interface name is automatically used as the local account name. Using the suggested name Remote Router, for
example, causes Windows Server 2008 to create a user account named Remote Router.
■ Connection Type. Select between physical devices such as modems, ISDN, network
adapters, and so on, or specify that the connection will use a virtual private networking
(VPN) connection. Selecting the VPN option will cause the wizard to prompt you for
the tunneling protocol to use (PPTP or L2TP). You can also choose PPP over Ethernet
(PPPoE).
■ Phone Number or Address/Alternates. For a dial-up device, specify the phone number of the remote interface. Specify the IP address of the remote interface if connecting
through a non-dial-up device (such as a physical network connection).
■ Route IP Packets on This Interface. Select this option to enable IP routing on this
demand-dial connection. TCP/IP must already be installed on the server.
■ Add a User Account So a Remote Router Can Dial In. Select this option if you want
to create a user account remote routers can use to dial in to this demand-dial connection. When the remote router receives a packet that needs to be forwarded to the local
demand-dial interface, the remote router uses the account and password stored in its
dial-out credentials to connect to the local router. The credentials at the remote router
must match the account and password you create through the wizard. See ‘‘Dial-Out Credentials’’ at the end of this list to configure the local account and password that the local
router will use when connecting to remote routers.
■ Send a Plain-Text Password if That Is the Only Way to Connect. Select this option to
allow RRAS to transmit its credentials using plain text rather than encryption if the remote
router doesn't support encryption or doesn't support the types of encryption supported by
the local router. Leave it cleared unless the remote router truly cannot do better: with it
selected, anyone who can observe the link learns a valid account and password for the
remote router.
■ Use Scripting to Complete the Connection with the Remote Router. Use this option
to specify a script RRAS will use when connecting to the remote router. Scripts can be used
to automate the logon process and other connection tasks. Scripts are most applicable to
dial-up connections that require menu-based selections to authenticate and log on.
■ Dial-Out Credentials. Specify the user name and password the local router will use to
authenticate its access to the remote router. On a remote Windows Server 2008 router,
you would use the option ‘‘Add a User Account So a Remote Router Can Dial In’’ discussed
previously to configure the associated account on the remote router.
Setting demand-dial filters
By default, RRAS allows all IP traffic through the demand-dial interface. However, you can create
filters to restrict the type of traffic allowed. For example, you might want to restrict TCP port
80 to block Web browser traffic through the interface. You can create filters to restrict traffic
going to or from specific networks, or you can create a filter that blocks specific packets to or
from all addresses. The demand-dial interface will establish a connection to the remote router
only if the packet is not blocked by the configured filters.
To configure filters, open the RRAS console and open the server on which you want to configure filters. Drill down the IPv4 or IPv6 nodes and select the General node. In the right pane,
right-click the interface where you want to configure filters and choose Properties. Then choose
the Inbound or Outbound filter options. The dialog box shown in Figure 6-6 loads.
FIGURE 6-6
Use filters to restrict traffic through the interface.
Click New to add a filter. Configure the filter using the following list as a guide,
click OK, and repeat the process to add any other required filters:
■ Source Network. Select this option to base the filter on the network from which the
packet was sent. Specify an IP address and subnet mask to define the source network
or host.
■ Destination Network. Select this option to base the filter on the destination address in
the packet’s header (where the packet is going). Specify the address and subnet mask of
the destination network or host.
■ Protocol. Specify the protocol type to filter. Select Any to filter all the traffic or select a
given protocol type and specify the accompanying information, such as the source and
destination ports.
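Because a demand-dial filter decides not only whether a packet passes but whether the link is brought up at all, it pays to check a filter set against sample traffic before trusting it. The following is an added example, not code from the book or from RRAS: a Python model of the filter dialog's fields (source network, destination network, protocol, source and destination ports) and its two modes, pass everything except the listed traffic or drop everything except the listed traffic, applied to a few constructed packets from a LAN behind a demand-dial router. The addresses, packet names, and both filter sets are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Filter:
    """One row of the RRAS packet-filter dialog; None means the field was left unspecified."""
    source: Optional[str] = None          # "address/mask" of the source network, or None for any
    destination: Optional[str] = None     # "address/mask" of the destination network, or None
    protocol: str = ANY                   # "tcp", "udp", "icmp", or ANY
    source_port: Optional[int] = None
    destination_port: Optional[int] = None

    def matches(self, pkt) -> bool:
        if self.source and IPv4Address(pkt["src"]) not in IPv4Network(self.source, strict=False):
            return False
        if self.destination and IPv4Address(pkt["dst"]) not in IPv4Network(self.destination, strict=False):
            return False
        if self.protocol != ANY and self.protocol != pkt["proto"]:
            return False
        if self.source_port is not None and self.source_port != pkt.get("sport"):
            return False
        if self.destination_port is not None and self.destination_port != pkt.get("dport"):
            return False
        return True


@dataclass
class FilterSet:
    """The dialog's two modes: pass all packets except those matching a filter (deny list),
    or drop all packets except those matching a filter (allow list)."""
    filters: list
    drop_all_except: bool = False

    def permits(self, pkt) -> bool:
        hit = any(f.matches(pkt) for f in self.filters)
        return hit if self.drop_all_except else not hit


def should_dial(outbound: FilterSet, pkt) -> bool:
    """A demand-dial interface raises the link only for traffic its outbound filters
    permit; anything they block is dropped without dialing."""
    return outbound.permits(pkt)


# Constructed sample packets seen on the LAN side of a demand-dial router.
PACKETS = {
    "web":   {"src": "192.168.0.25", "dst": "10.1.0.8", "proto": "tcp", "sport": 50001, "dport": 80},
    "tls":   {"src": "192.168.0.25", "dst": "10.1.0.8", "proto": "tcp", "sport": 50002, "dport": 443},
    "file":  {"src": "192.168.0.25", "dst": "10.1.0.8", "proto": "tcp", "sport": 50003, "dport": 445},
    "ping":  {"src": "192.168.0.25", "dst": "10.1.0.8", "proto": "icmp"},
    "stray": {"src": "192.168.0.99", "dst": "192.168.9.1", "proto": "udp", "sport": 137, "dport": 137},
}

# "Pass all except": the text's example of keeping TCP 80 off the link.
BLOCK_WEB = FilterSet([Filter(protocol="tcp", destination_port=80)])

# "Drop all except": only office-LAN-to-branch-LAN file sharing may raise the link,
# so NetBIOS chatter to unrelated addresses ("stray") never dials.
ONLY_SMB = FilterSet([Filter(source="192.168.0.0/24", destination="10.1.0.0/24",
                             protocol="tcp", destination_port=445)], drop_all_except=True)


def dial_decisions(filters: FilterSet, packets=PACKETS):
    """Which of the sample packets would cause the interface to dial."""
    return {name: should_dial(filters, pkt) for name, pkt in packets.items()}
```

For a demand-dial link billed by the call, the allow-list form is usually the right one: a single deny-list entry stops the one protocol you thought of, while everything you did not think of (name-resolution broadcasts, update checks, a host port scan) still brings the line up.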
Setting permitted dial-out hours
You might want to restrict a demand-dial connection to specific hours to limit the times at
which the router will forward traffic on the interface. For example, you might want to disable
the demand-dial interface during the weekend. To configure dial-out hours, open the RRAS
console and then open the server you want to configure. Click the Network Interfaces branch,
right-click the demand-dial interface, and choose Dial-Out Hours. Use the Dial-Out Hours dialog
box to specify the hours at which the interface can be used. The options in the dialog box are
self-explanatory.
Changing dial-out credentials
You can modify the credentials the router uses to connect to the remote router when it initiates
a demand-dial connection. You might have entered it incorrectly when you set up the router,
the remote administrator may have changed the account at the other end, or you might need to
change the account and password for other reasons. Open the RRAS console and the server you
want to modify. In the RRAS console, right-click the demand-dial interface you want to change
and click Set Credentials. Specify the new user name, domain, and password as needed.
Setting dialing properties
In some situations, such as when you’re using a modem connection, you’ll want to configure
dialing properties such as redial attempts, redial interval, idle time before disconnect, and so on.
To configure dialing properties, open the RRAS console, open the Network Interfaces branch,
right-click the demand-dial interface, and choose Properties. Use the controls on the General
and Options property pages to configure the dialing properties. The options are self-explanatory.
Configuring security methods
RRAS gives you the capability to configure the security/authentication methods that RRAS uses
for authenticating with the remote router for a demand-dial connection. To configure authentication methods, open the properties for the demand-dial connection and click the Security
tab. The settings you can configure here for the authentication methods are the same as those
you can configure for incoming RAS connections. For a detailed description of authentication
methods, see ‘‘Configuring RRAS for Inbound Connections,’’ later in this chapter.
Modifying network settings
RRAS uses the protocols and other network properties configured for an interface when you
add the interface. You might need to remove or add a protocol or make other network property
changes for a routing interface. For example, you might want to route IPv6 as well as IPv4
across a demand-dial link. (Windows Server 2008 no longer ships the NWLink IPX/SPX transport,
so the IPX routing that earlier versions offered is not available.) You can make these changes
through the RRAS console. Right-click the routing interface, choose Properties, and click the
Networking tab. You can configure dial-up server settings, network protocols and bindings, and
other network properties.
Enabling or disabling routing
On occasion, you might need to enable or disable a router, such as taking the router down for
maintenance. You can stop or pause the RRAS service to stop routing on all interfaces, or you
can take down a specific interface. To stop, pause, or restart RRAS, open the RRAS console,
right-click the server you want to manage, and choose the task you want to perform (stop, start,
and so on) from the All Tasks menu.
To take down a specific interface, open the RRAS console and then open the IP Routing branch.
Click General to display the routing interfaces, right-click the interface to bring the menu down,
and choose Properties. Deselect the option Enable IP Router Manager and click OK to take
down the interface. Reselect the option and click OK to bring it back up.
Dynamic routing
If yours is a more complex network than the one described in this section, you might want to
use a routing protocol such as RIP to provide dynamic route table creation and management. The following sections explain how to add and configure RIP. This section
assumes that you have some knowledge of RIP and primarily need to know where to
go to add and configure routing protocols in Windows Server 2008 RRAS.
Adding and configuring RIP
Before you can configure RIP on an interface, you need to add it. In the RRAS console, open
the server you want to manage and then expand the IP Routing branch. Right-click General
and choose New Routing Protocol. Select RIP Version 2 for Internet Protocol from the list and
choose OK. A new node labeled RIP appears under the IP Routing branch.
Next, you need to specify the interface on which RIP will run, because by default no interfaces
are configured when you add RIP. Right-click RIP and choose New Interface. RRAS displays the
available interfaces. Select the one on which you want to run RIP and click OK.
The next step is to configure RIP. RRAS presents a property sheet for RIP when you add the
interface. You can also display the RIP properties by double-clicking the interface in the right
pane with RIP selected in the left pane. The following sections describe the options you can
configure for RIP.
General
Use the General page to configure how RIP handles updates, to enable or disable authentication,
and for other general properties, as explained in the following list:
■ Operation Mode. Choose the method RIP uses to update routes. You can choose the
auto-static update mode or periodic update mode. With auto-static mode, RRAS sends
out RIP announcements only when other routers request updates. Any routes learned
through RIP when in auto-static mode are treated as static routes and remain in the
routing table until manually deleted, even if RRAS is restarted or you disable RIP. This
is the default mode for demand-dial interfaces. The periodic update mode generates RIP
announcements automatically at the interval defined by ‘‘Periodic announcement interval’’
on the Advanced property page. Routes learned through RIP with this mode are treated
as RIP routes and are discarded if the router is restarted. This is the default mode for
LAN interfaces.
■ Outgoing Packet Protocol. Select the protocol RIP should use for outgoing RIP
announcements. Select RIP version 1 broadcast if no other adjacent routers support
RIP version 2. Select RIP v2 broadcast in a mixed environment with adjacent routers using
RIP v1 and RIP v2. Select RIP v2 multicast to send RIP announcements as multicasts, but
only when all adjacent routers are configured to use RIP v2 (RIP v1 doesn’t support RIP
v2 multicast announcements). Select Silent RIP to prevent the router from sending
RIP announcements and to function in listen-only mode, listening for announcements
from other routers and updating its routing table accordingly, but not announcing its own
routes.
■ Incoming Packet Protocol. Specify how you want the router to handle incoming
RIP announcements. Select Ignore Incoming Packets to have the router function in the
announce-only mode and not listen to announcements from other routers. Otherwise,
select the required mode depending on the mix of adjacent routers and their support for
RIP v1 and/or v2.
■ Added Cost for Routes. This number is added to the hop count for a route to increase
the relative cost. Increase the number to help limit the traffic on the route if you have
other, less costly routes that can be used if they are available. The default is 1, and the
maximum number of hops for IP and RIP can’t exceed 15.
■ Tag for Announced Routes. You can use this value to assign a tag number to be included
with all RIP v2 announcements.
■ Activate Authentication/Password. Select this option to enable the inclusion of a
plain-text password for incoming and outgoing RIP v2 announcements, and then specify
a corresponding password in the Password field. If this option is enabled, all routers
connected to this interface must be configured for the same password. This option serves
only as a means of identifying routers and doesn't provide security or encryption of RIP
traffic: the password travels in the clear in every announcement, so anyone on the segment
can read it and reuse it. It guards against accidental peering with a misconfigured router,
not against deliberate route injection.
Security
The Security tab enables you to specify which routes received in RIP announcements from
other routers to accept or reject. You can accept all routes, accept only routes that fall
within a specified network range, or ignore all routes in a specified range. For outgoing RIP
announcements, you can configure RRAS to announce all routes, announce only those routes
that fit a specified network range, or exclude routes that fit a specified range.
Neighbors
The Neighbors tab enables you to define how the router interacts with neighboring routers. The
options are as follows:
■ Use Broadcast or Multicast Only. Select this option to issue RIP announcements only
using the outgoing packet protocol specified on the interface’s General property page.
■ Use Neighbors in Addition to Broadcast or Multicast. Select this option to define
specific routers to which RRAS sends unicast RIP announcements as well as to issue RIP
announcements using the outgoing packet protocol specified on the General page.
■ Use Neighbors Instead of Broadcast or Multicast. Select this option to define specific
routers to which RRAS sends unicast RIP announcements and not issue RIP announcements through the broadcast or multicast protocol specified on the General page. Use this
option in networks that don’t support RIP broadcasts.
Advanced
You can use the Advanced tab to set several advanced options for RIP on the selected interface,
including the interval between RIP announcements, the route expiration period, and other settings. The following list summarizes the settings:
■ Periodic Announcement Interval. Specify the interval in seconds at which RIP
announcements are issued from the local router. You can specify a value between 15
seconds and 24 hours (86,400 seconds), and this setting is only applicable if you’ve
selected periodic update mode on the General tab.
■ Time Before Routes Expire. This value defines the time-to-live of routes learned through
RIP. Routes that do not update in the specified time are marked as invalid. You can specify
a value between 15 seconds and 72 hours (259,200 seconds). This setting only applies if
the interface uses periodic update mode.
■ Time Before Route Is Removed. Specify the number of seconds a route learned through
RIP remains in the routing table before it expires and is removed. Valid values range from
15 seconds to 72 hours. This setting applies only if the interface uses periodic update
mode.
■ Enable Split-Horizon Processing. Select this option to prevent routes learned on a network from being announced on the same network. Deselect the option to allow those
routes to be announced.
Part I: Core, Configuration, Networking, and Communication Services
■ Enable Poison-Reverse Processing. Select this option to assign a metric of 16 (marking
them as unreachable) to those routes learned on a network that are announced on the
same network.
■ Enable Triggered Updates. Select this option to allow the router to generate triggered
updates when the routing table changes. Set the maximum time between triggered updates
through the option Maximum Delay on the General page of the global RIP property sheet.
To view this property sheet, right-click the RIP node in the IP Routing branch of the RRAS
console and choose Properties.
■ Send Clean-Up Updates When Stopping. Select this option to have RIP announce all
routes with a metric of 15 to adjacent routers when the local router is going down, indicating to the other routers that the routes are no longer available. When the router comes
back up, RIP will announce the routes again with their appropriate metrics, making those
routes available again.
■ Process Host Routes in Received Announcements. Host routes in received RIP announcements
are ignored by default. Select this option to process host routes carried in received announcements.
■ Include Host Routes in Sent Announcements. Host routes are not included by default
in outgoing RIP announcements. Select this option to include host routes in outgoing
announcements.
■ Process Default Routes in Received Announcements. Default routes received in RIP
announcements are ignored by default. Select this option to add them to the local routing
table. Note that this could have the consequence of disabling routing if the default route is
not applicable to the local router.
■ Include Default Routes in Sent Announcements. Default routes are not included by
default in outgoing RIP announcements. Select this option to include them. In most situations, you should not include default routes unless those default routes are applicable to
all other networks on the selected interface.
■ Disable Subnet Summarization. Select this option to have subnet routes summarized
by class-based network ID for outgoing announcements on networks that are not part of
the class-based network. Subnet summarization is disabled by default and requires RIP v2
broadcast or RIP v2 multicast support on all applicable routers.
General RIP properties
You can set a handful of general properties for RIP in addition to those described in the
previous sections. To set these properties, open the IP Routing branch in the RRAS console,
right-click RIP, and choose Properties. Use the General tab to configure logging, and the Security
tab to define the routers from which the local router will process RIP announcements.
DHCP relay agent
A DHCP relay agent (BOOTP relay agent) functions as a sort of DHCP proxy, enabling DHCP
clients on a given IP subnet to acquire IP leases from DHCP servers on other subnets. The
DHCP relay agent relays messages between DHCP clients and DHCP servers. The DHCP relay
agent component provided with Windows Server 2008 RRAS serves that function. Figure 6-7
illustrates a Windows Server 2008 functioning as a DHCP relay agent.
FIGURE 6-7: A Windows Server 2008 operating as a DHCP relay agent (diagram: a DHCP server on Network B; the RRAS server, running the DHCP relay agent, sits between Network B and Network A).
The DHCP relay agent can’t run on a Windows Server 2008 that also is running the
DHCP Server service or network address translation (NAT) with automatic addressing
enabled.
Setting up a DHCP relay agent is fairly simple. In the RRAS console, select the server you want
to function as a DHCP relay agent. Open the IP Routing branch, right-click General, and choose
New Routing Protocol. Select DHCP Relay Agent from the list and click OK to add it to the IP
Routing branch.
Next, add the interface(s) on which the DHCP relay agent will function. Right-click in the
right pane or on DHCP Relay Agent and choose New Interface. Select the appropriate network
interface and click OK. RRAS displays a property sheet for DHCP Relay that includes the
following options:
■ Relay DHCP Packets. Select this option to enable DHCP relay or deselect it to disable
DHCP relay.
■ Hop-Count Threshold. Specify the maximum number of DHCP relay agents to handle
DHCP relayed traffic. The default is 4; the maximum is 16.
■ Boot Threshold. Specify the interval the server waits before forwarding the DHCP
messages. Use this option to enable a local DHCP server to have a chance to respond to
requests before forwarding the message to a remote DHCP server.
The final step is to define the list of DHCP servers to which the local relay agent relays messages. In the RRAS console, right-click DHCP Relay Agent under the IP Routing branch and
choose Properties. RRAS displays a dialog box you can use to specify the IP addresses of the
remote DHCP servers.
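As an added illustration of the three relay options and the server list above (not code from the book), here is a model of the relay agent's decision for a client's DHCPDISCOVER: the Relay DHCP Packets switch, the hop-count threshold, the boot threshold, and forwarding to each configured DHCP server. The addresses and the client's MAC are constructed, and comparing the boot threshold against the client's secs field follows RFC 1542 rather than anything the book states.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed BOOTP/DHCP header (RFC 2131):
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 236 bytes
OP, HOPS, SECS, GIADDR = 0, 3, 5, 10         # indexes into the unpacked header


@dataclass
class RelayConfig:
    """The DHCP Relay interface options plus the server list from the protocol's Properties."""
    relay_dhcp_packets: bool = True
    hop_count_threshold: int = 4                      # default 4, maximum 16
    boot_threshold: int = 0                           # seconds
    interface_addr: str = "10.0.1.1"                  # relay's address on the client subnet (constructed)
    dhcp_servers: Tuple[str, ...] = ("10.0.2.10",)    # constructed server list

    def __post_init__(self) -> None:
        if not 0 <= self.hop_count_threshold <= 16:
            raise ValueError("hop-count threshold must be between 0 and 16")


Decision = Tuple[str, Union[str, List[Tuple[str, int, bytes]]]]


def relay(packet: bytes, cfg: RelayConfig) -> Decision:
    """Decide what the relay agent does with one DHCP message arriving on the interface."""
    if not cfg.relay_dhcp_packets:
        return "drop", "Relay DHCP Packets is not selected on this interface"
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        return "drop", "not a DHCP message"
    fields = list(struct.unpack(HEADER_FMT, packet[:HEADER_LEN]))
    my_addr = ipaddress.IPv4Address(cfg.interface_addr).packed

    if fields[OP] == BOOTREPLY:
        # A server answered through giaddr; hand the reply back to the client subnet we serve.
        if fields[GIADDR] != my_addr:
            return "drop", "reply addressed to another relay agent"
        return "deliver", [("255.255.255.255", DHCP_CLIENT_PORT, packet)]

    # Client request. secs counts how long the client has been trying; holding the message
    # while it is below the boot threshold gives a DHCP server on the local subnet first chance.
    if fields[SECS] < cfg.boot_threshold:
        return "hold", (f"client has tried for {fields[SECS]}s, below the boot threshold of "
                        f"{cfg.boot_threshold}s")
    # Every relay agent increments hops; the threshold caps how many agents may handle it.
    if fields[HOPS] + 1 > cfg.hop_count_threshold:
        return "drop", f"hops={fields[HOPS]} would exceed the hop-count threshold"
    if fields[GIADDR] == b"\x00\x00\x00\x00":
        fields[GIADDR] = my_addr      # first relay stamps its address; later ones must not change it
    fields[HOPS] += 1
    forwarded = struct.pack(HEADER_FMT, *fields) + packet[HEADER_LEN:]
    return "forward", [(server, DHCP_SERVER_PORT, forwarded) for server in cfg.dhcp_servers]


def build_discover(secs: int = 0, hops: int = 0) -> bytes:
    """Constructed DHCPDISCOVER from a client that has no address yet (ciaddr and giaddr zero)."""
    chaddr = bytes.fromhex("001122334455").ljust(16, b"\x00")   # constructed MAC address
    zero4 = b"\x00" * 4
    header = struct.pack(HEADER_FMT, BOOTREQUEST, 1, 6, hops, 0x3903F326, secs, 0x8000,
                         zero4, zero4, zero4, zero4, chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, 1, 255])     # option 53 = DHCP message type DISCOVER, then End
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    cfg = RelayConfig(boot_threshold=4, dhcp_servers=("10.0.2.10", "10.0.2.11"))
    for secs, hops in ((1, 0), (8, 0), (8, 4)):
        action, detail = relay(build_discover(secs=secs, hops=hops), cfg)
        print(secs, hops, action, detail if isinstance(detail, str) else [d[:2] for d in detail])
```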
IGMP – multicast forwarding
Most IP traffic is unicast, or directed to a single destination. A Windows Server 2008 running
RRAS can function as a multicast router, forwarding multicast traffic to the multiple hosts that
have joined a group through the Internet Group Management Protocol (IGMP). Multicasting is most
often used for audio or video conferencing to enable multiple hosts to receive the same data.
Clients configured for multicast listen for the multicast traffic, and all others ignore it. Chapter 4
discusses how to configure multicast scopes for a DHCP server, enabling it to assign multicast
addresses to clients that request them. This chapter explains how to configure RRAS to function
as a multicast forwarder.
Windows Server 2008 does not include any multicast routing protocols. Multicast
routers exchange group membership information with one another to help determine
how multicast traffic is routed. Windows Server 2008 only provides limited multicast routing, but
does function as a multicast forwarder, forwarding multicast traffic to listening clients. Windows
Server 2008 can be configured as a multicast router through the addition of third-party protocols.
Overview of multicast forwarding
A Windows Server 2008 multicast forwarder listens for multicast traffic on all attached networks
and forwards the traffic (based on its multicast destination address) to attached networks where
listening clients reside or to other routers for networks where participating clients reside. A
Windows Server 2008 multicast forwarder also listens for IGMP Membership Report packets
and updates its multicast forwarding table accordingly, enabling it to forward traffic to those
destinations requesting it.
The IGMP routing protocol included with Windows Server 2008 is not a full multicast routing
protocol, but it enables a Windows Server 2008 to function as a forwarder. After you add
the protocol to Windows Server 2008, you configure one or more interfaces to handle IGMP.
Each interface can run in either IGMP router mode or IGMP proxy mode, as explained in the
following sections.
IGMP router mode
An IGMP interface running in router mode sets the network adapter for the interface in
multicast-promiscuous mode, which passes all multicast packets received on the interface to the
higher networking layers for processing.
Not all network adapters support multicast-promiscuous mode. If you’re setting up a
multicast forwarder, verify with the NIC manufacturer that the adapter supports this
mode.
The interface also tracks multicast group membership, querying periodically for IGMP Membership Report messages and updating its forwarding table accordingly. Each entry in the table
specifies the network ID in which multicast clients are listening and the multicast address on
which those clients are listening. The table does not reference individual hosts, but rather the
interface forwards traffic to any networks where at least one client is listening for multicast
traffic.
When multiple routers in a network function as IGMP routers, one is automatically
elected to be the querier and performs all membership queries.
IGMP proxy mode
IGMP proxy mode enables a local intranet router to pass IGMP traffic to and from
multicast-capable clients and routers on the Internet (referred to as multicast backbone, or
MBone).
An interface running in IGMP proxy mode functions as a proxy for IGMP Membership Report
packets. RRAS listens on the selected interface for IGMP Membership Report packets and
retransmits them on all other interfaces running in IGMP router mode. This enables IGMP
multicast groups connected to the proxy mode router to have upstream routers update
their multicast tables.
The interface running IGMP proxy mode also serves as a gateway of sorts for IGMP traffic coming to the local network from the upstream multicast router, forwarding that traffic to the appropriate clients. Traffic from local clients to the Internet also passes through the interface. For both
incoming and outgoing traffic, TCP/IP itself handles the forwarding.
Setting up a multicast forwarder
The first step in configuring a multicast forwarder is to add the IGMP protocol to the router.
In the RRAS console, open the IP Routing branch of the designated server, right-click General,
and choose New Routing Protocol. Select IGMP from the list and click OK to add it to the IP
Routing branch.
Next, add at least one interface for IGMP. Right-click IGMP in the left pane and choose New
Interface. Alternatively, select IGMP in the left pane and right-click anywhere in the right pane
and choose New Interface. Select the interface on which you want to run IGMP and click OK.
RRAS displays the IGMP Properties sheet. The General tab enables you to choose between router
mode and proxy mode for the interface. Select the protocol version using the IGMP Protocol
Version drop-down list if you select router mode.
The Router tab contains several options that control how IGMP functions on the interface:
■ Robustness Variable. This variable indicates the relative robustness of the subnet to
which the interface is attached; it lets IGMP tolerate the expected packet loss on that subnet,
and several of the other defaults are derived from it.
■ Query Interval. Specify the interval at which IGMP queries are broadcast on the interface.
■ Query Response Interval. Specify the maximum amount of time the router should wait
for a response for General Query messages.
■ Last Member Query Interval. Specify the time, in milliseconds, the router waits
for a response to a Group-Specific Query message, and the time between successive
Group-Specific Query messages.
■ Startup Query Interval. Specify the time, in seconds, between successive General Query
messages sent by the router during startup. The default value is one-quarter of the query
interval.
■ Startup Query Count. Specify the number of General Query messages to send at startup.
■ Last Member Query Count. Specify the number of Group-Specific Query messages sent
with no response before the router assumes there are no more members of the host group
on the interface being queried.
■ Automatically Recalculate Defaults. Select this option to have RRAS automatically
recalculate values for the Startup query interval, Startup query count, and Last member
query count at startup. The default for the Startup query interval is one-quarter the query
interval. The default for Startup query count and Last member query count is the same as
the Robustness variable.
■ Group Membership Interval. This read-only property displays the calculated group
membership interval, which is the period of time that must pass before the router decides
that there are no more members of a multicast group on a given subnet. The value is calculated as (Robustness variable) × (Query interval) + (Query response interval).
■ Other Querier Present Interval. This read-only property displays the calculated querier
present interval, which is the amount of time that must pass before the router decides that
there are no other multicast routers that should be the querier. The value is calculated as
(Robustness variable) × (Query interval) + (Query response interval ÷ 2).
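As an added worked example (not from the book), the following carries the two read-only calculations and the Automatically Recalculate Defaults rules through for a set of Router tab values; the defaults used are the RFC 2236 values, and the field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class IgmpRouterSettings:
    """Settings from the Router tab. Defaults are the RFC 2236 values."""
    robustness_variable: int = 2
    query_interval_s: float = 125.0
    query_response_interval_s: float = 10.0
    last_member_query_interval_ms: int = 1000
    automatically_recalculate_defaults: bool = True
    # Only consulted when Automatically Recalculate Defaults is cleared:
    startup_query_interval_s: Optional[float] = None
    startup_query_count: Optional[int] = None
    last_member_query_count: Optional[int] = None


def derive_igmp_timers(s: IgmpRouterSettings) -> Dict[str, float]:
    """Compute the read-only and recalculated values RRAS shows for these settings."""
    rv, qi, qri = s.robustness_variable, s.query_interval_s, s.query_response_interval_s
    if rv < 1:
        raise ValueError("Robustness Variable must be at least 1 (RFC 2236 recommends 2)")
    if qri >= qi:
        raise ValueError("Query Response Interval must be shorter than the Query Interval")
    if s.automatically_recalculate_defaults:
        startup_interval, startup_count, lm_count = qi / 4, rv, rv
    else:
        # Fall back to the same defaults for any value the administrator left blank.
        startup_interval = qi / 4 if s.startup_query_interval_s is None else s.startup_query_interval_s
        startup_count = rv if s.startup_query_count is None else s.startup_query_count
        lm_count = rv if s.last_member_query_count is None else s.last_member_query_count
    return {
        # Time with no Membership Report before the router drops a group on a subnet.
        "group_membership_interval_s": rv * qi + qri,
        # Time with no query heard before a non-querier router takes over as querier.
        # The division by 2 applies to the Query Response Interval only.
        "other_querier_present_interval_s": rv * qi + qri / 2,
        "startup_query_interval_s": startup_interval,
        "startup_query_count": startup_count,
        "last_member_query_count": lm_count,
        # Leave latency: how long after a Leave the last member is assumed to be gone.
        "last_member_query_time_s": lm_count * s.last_member_query_interval_ms / 1000,
    }


if __name__ == "__main__":
    for name, value in derive_igmp_timers(IgmpRouterSettings()).items():
        print(f"{name:34s} {value}")
```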
Network address translation
Windows Server 2008’s RRAS provides full-featured network address translation (NAT) services.
Network address translation is not new, and was born out of the high demand for IP addresses.
With the Internet growing the way it is, it is virtually impossible to obtain a large range of IP
addresses, especially for a small company. The most an ISP will assign to a small company is
less than one-sixteenth of a class C subnet, and you have to be spending a lot of money on dedicated Internet services to get that many addresses.
Most small businesses are deploying asymmetric digital subscriber lines (ADSLs), which are
cheaper and often faster than dedicated Internet access connections, such as Frame Relay or dedicated ISDN. However, an ISP will usually only assign you a small range of addresses (sometimes
just a single IP address). If you plan to install several hosts on your internal network, such as
DNS, mail, Active Directory, Web, and FTP services, and need to route Internet traffic to these
hosts, you will need a NAT.
NAT services in Windows Server 2008 are typically aimed at small or home
businesses. A larger company would most likely use a firewall, which has NAT
built into its packet inspection technology. Most routers, even for small offices, now come with
NAT support.
NAT alleviates the demand for a larger number of IP addresses by mapping externally assigned
IP addresses to internally or privately assigned private addresses (translating from one IP address
to another). This means that one IP address can typically be used to target a whole range of IP
addresses on the concealed network.
The NAT in Windows Server 2008 RRAS takes NAT further. It can inspect inbound packets
for host names and query an internal DNS server for the host's internal IP address. It then
routes packets that arrived at the public address to the internal host, and to the correct service
on that host via the ports NAT has been configured to use.
Configuring NAT
As described earlier, you might typically assign a private address range to an internal network
in a small company and use NAT to connect your network to the Internet. Armed with the IP
addresses of your internal hosts and the IP addresses assigned to you by your ISP, run the RRAS
Setup Wizard to configure the server for NAT (right-click the server in the RRAS console and
select Configure and Enable Routing and Remote Access). You can also manually add NAT, as
explained a little later in this section. Select the option Network Address Translation, click
Next, and provide the following information:
■ Use This Public Interface to Connect to the Internet. Select the network interface that
is connected to the Internet. This might not actually be a public interface — a firewall or
other private network segment might sit between the interface and a public presence on
the Internet.
■ Create a New Demand-Dial Interface to the Internet. Select this option if you want to
create a new demand-dial interface for the Internet connection.
■ Enable Security on the Selected Interface by Setting Up a Basic Firewall. Select this
option to enable a firewall on the interface.
You can also manually add NAT if you have already enabled RRAS for another function. The
following steps not only add NAT manually, but also take you through the configuration steps
for NAT:
1. First add NAT as a routing protocol, which you do by right-clicking the General node and
selecting New Routing Protocol. Select the server in the console tree and expand its node
down to NAT. The interfaces (NICs) appear in the details pane on the right.
2. Add the interface to the protocol. Right-click NAT and select New Interface. You will have
the option to configure the interface for the internal network or the external network
(Internet). Select an interface and click OK to display the Network Address Translation
Properties dialog box. Specify whether the interface is connected to the Internet or the
private network and click OK.
3. Select the interface to configure and right-click. Then select Properties. The Local Area
Connection Properties dialog box will appear.
4. On the Address Pool tab, enter the IP address assignment provided by your ISP. In many
cases with ADSL, you will be given a dynamically assigned address, which should remain
persistent, meaning the same IP address is renewed every time the DHCP lease expires.
You can ask an ISP to reserve the number for you as well.
5. On the Services and Ports tab, place a check beside a service that you want translated. The
Edit Service dialog box will load.
6. In the Private Address field, enter the IP address of the server hosting the specified service
and click OK.
7. If you need to add a service not listed, click Add to open the Add Service dialog box. Enter
a name for the service in the Description of Service field.
8. In the Incoming Port field, type the Well-Known port number typically assigned to the IP
service in question: for example, port 21 for FTP or port 25 for SMTP.
9. In the Outgoing Port field, type the private port you wish to assign to the same service.
It could be a Well-Known port of the outgoing IP service or any port used by your internal
resources. (Using a high port number, such as 5000, provides additional security, because
attackers probing the service's well-known port will not find it listening there.)
10. In the Private Address field, type the private address of the TCP/IP service (typically, the
host).
11. Enter the public IP address to be translated (as opposed to the interface) in the field for
this address pool entry.
That’s all there is to configuring NAT; however, you should plan the deployment carefully. To
point clients to the Internet for browsing and other services, you would configure the private
outgoing IP address on the NAT as your gateway to the Internet. NAT will translate this address
to the correct public address.
You can also configure services and ICMP behavior for the interface. The Services tab enables
you to configure NAT translation to allow external requests coming from the Internet to be
mapped to servers on the internal LAN. The ICMP tab contains settings that determine how
the server reacts to ICMP messages it receives on the interface. You can configure these settings
without enabling the firewall on the interface, but it’s likely you’ll do both.
Configuring Services and Ports
The next step in setting up NAT on an interface is to specify the services and port traffic that are
allowed in or out. For example, if there is an FTP server on the internal network and you want
external users to be able to access it, you need to enable FTP. In the RRAS console, click NAT
and open the properties for the network interface in question. Click the Services and Ports tab
(see Figure 6-8).
FIGURE 6-8
Use the Services and Ports tab to add or remove services allowed through the network.
FIGURE 6-9
Configure the service settings on the Edit Service dialog box.
Adding a standard service is as simple as selecting the checkbox beside the service. Windows
Server 2008 displays the Edit Service dialog box (see Figure 6-9), in which you can configure
the settings for the service, such as the address of the server on the private network that
provides the service. Using the FTP example, this would be the IP address of the internal FTP
server.
You can only specify the IP address of the server for the standard services listed in the Services
and Ports tab. You can configure additional properties by creating a custom service. To do so,
click Add to open the Add Service dialog box (see Figure 6-10).
Enter a name for the service, and then select either TCP or UDP to specify the protocol for the
service. In the Incoming Port field, type the port number to which the packets are targeted.
For example, this would be port 80 for a Web server. In the Private Address field, enter the
IP address of the server on the internal LAN. In the Outgoing Port field, enter the port on
the server to which the packets will be directed. In most cases, the Incoming Port and Outgoing
Port values will be the same. However, you can use different port numbers to remap the traffic.
For example, you might map incoming port 80 traffic to port 8080 on the server if the server
uses that port for HTTP traffic.
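The Services and Ports rows described above amount to a static inbound translation table. As an added example (not RRAS code), here is a small model of that table with the book's FTP and Web cases, including the port 80 to 8080 remap, reverse translation of the server's reply, and a check for two services claiming the same public port; the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ServiceMapping:
    """One row of the Services and Ports tab (the Add Service / Edit Service dialog box)."""
    description: str
    protocol: str                           # "TCP" or "UDP"
    incoming_port: int                      # port the Internet-side packet is addressed to
    private_address: str                    # internal host that provides the service
    outgoing_port: int                      # port the service actually listens on internally
    public_address: Optional[str] = None    # None = the public interface's own address


class NatTable:
    """Inbound static translations for one public interface (added model, not RRAS code)."""

    def __init__(self, interface_address: str) -> None:
        self.interface_address = interface_address
        self._rules: Dict[Tuple[str, str, int], ServiceMapping] = {}

    def add_service(self, m: ServiceMapping) -> None:
        if m.protocol not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        for port in (m.incoming_port, m.outgoing_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} is out of range")
        if not ipaddress.IPv4Address(m.private_address).is_private:
            raise ValueError(f"{m.private_address} is not a private (RFC 1918) address")
        key = (m.protocol, m.public_address or self.interface_address, m.incoming_port)
        if key in self._rules:
            # Two services on the same public address, protocol and incoming port cannot coexist.
            raise ValueError(f"{key[0]} port {key[2]} on {key[1]} is already mapped "
                             f"to {self._rules[key].description}")
        self._rules[key] = m

    def translate_inbound(self, protocol: str, dst_address: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """New destination for a packet arriving from the Internet; None means no mapping (dropped)."""
        m = self._rules.get((protocol, dst_address, dst_port))
        if m is None:
            return None
        return m.private_address, m.outgoing_port

    def translate_outbound_reply(self, protocol: str, src_address: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Reverse translation for the internal server's reply so the client sees the public side."""
        for (proto, public, incoming), m in self._rules.items():
            if proto == protocol and m.private_address == src_address and m.outgoing_port == src_port:
                return public, incoming
        return None


def build_sample_table() -> NatTable:
    """Constructed example on public address 203.0.113.10 (a documentation range address)."""
    table = NatTable("203.0.113.10")
    table.add_service(ServiceMapping("FTP Server", "TCP", 21, "192.168.1.20", 21))
    table.add_service(ServiceMapping("Web Server", "TCP", 80, "192.168.1.30", 8080))  # remapped, as in the text
    return table


if __name__ == "__main__":
    table = build_sample_table()
    print(table.translate_inbound("TCP", "203.0.113.10", 80))          # ('192.168.1.30', 8080)
    print(table.translate_outbound_reply("TCP", "192.168.1.30", 8080))  # ('203.0.113.10', 80)
```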
FIGURE 6-10
Define the settings for a custom service on the Add Service dialog box.
Configuring RAS for Inbound Connections
RRAS in Windows Server 2008 takes three distinct directions: routing, inbound connections
(RAS server), and outbound connections (RAS client). This section explains how to configure
a Windows Server 2008 as a RAS server. When you install Windows Server 2008, Setup
by default installs RRAS, so you don’t need to install it separately. You do, however, need
to configure it. The following sections explain how to configure modems, ports, protocols,
encryption, and other properties to set up and manage a RAS server.
Enabling RRAS
As explained earlier in this chapter, RRAS is installed when you set up Windows Server 2008, but
you need to enable and configure the service. The Routing and Remote Access Server Setup Wizard
(right-click the server in the RRAS console and choose Configure and Enable Routing and Remote
Access) offers a handful of options to help you automatically configure the service.
Remote access (dial-up or VPN)
Select this option to configure the RRAS server to enable remote access clients to connect
through the server to access resources on the server or on the local network through a dial-up
or VPN connection. You can choose either or both. The wizard prompts for the following:
■ Public interface. For VPN connections, choose the public interface through which
remote VPN clients connect to the RRAS server. You also have the option of enabling a
basic firewall on the interface.
■ Network interface. The wizard prompts for the network interface to assign to remote
clients, which determines from where the addresses and other access properties come. In
a multi-homed server, select the network interface where the DHCP server is located, if
allocating addresses through DHCP.
■ IP address assignment. You can choose to assign addresses through DHCP (see the previous option) or from a static address pool. If you choose to use a static pool, the wizard
prompts you for the range of addresses to use. See the section "Configuring Protocols"
later in this chapter for detailed information regarding address assignment.
You can enable remote clients to request a preassigned IP address configured at the client
side. See the section "Configuring Protocols" later in this chapter for a detailed explanation.
■ RADIUS. You can configure the RRAS server to use RADIUS for authentication and
accounting. Specify the IP address or host name for the primary and alternative RADIUS
servers, along with the RADIUS shared secret, which essentially is a password the RRAS
server uses to authenticate its right to access the RADIUS servers. Windows Server
2008 includes a RADIUS server called Internet Authentication Service (IAS) that you
can use for RRAS and other applications requiring RADIUS authentication, or you can
use any RADIUS server. See the section "Using RADIUS" later in this chapter for more
information.
Network address translation
This option helps you set up a network address translation (NAT) server. Configuring NAT was
covered earlier in this chapter.
Virtual Private Network access and NAT
Select this option to configure RRAS as a Virtual Private Network (VPN) server, enabling clients
to use PPTP or L2TP to dial in from a public network such as the Internet (or direct dial-up)
and to establish a secure connection to the local network. This option also sets up the server as
an Internet gateway with NAT, enabling internal users to access the Internet through the server.
By default, RRAS configures 128 ports each for PPTP and L2TP, but you can add or remove
ports as desired. The settings prompted by the wizard are the same as those settings explained
previously in the section "Remote Access (Dial-Up or VPN)." The server also prompts for the
network interface through which the RRAS server connects to the Internet. The VPN server must
have a second network interface for the internal LAN.
Secure connection between two private networks
Select this option to configure the RRAS server to function as a router. The wizard prompts you
to choose whether or not you want to use demand-dial connections to access remote networks.
If you choose No, the wizard completes the configuration and terminates. If you answer Yes,
the wizard asks whether you want to assign IP addresses through DHCP or a static address
pool (if IP is installed on the server). Choosing Yes does not cause the wizard to configure
any demand-dial connections; you configure those through the RRAS console after the wizard
finishes. The wizard adds NAT/Basic Firewall to the configuration automatically.
Custom configuration
Select this option if you want to choose which functions the RRAS server will perform. You can
run the wizard again if desired to automatically configure the server, although you’ll lose the
current configuration settings. See the previous section, "Enabling RRAS," to learn how to restart
the wizard.
The following sections assume you are configuring the server manually rather than
using the wizard, or you are fine-tuning settings after running the wizard.
Configuring modems and ports
One of the first steps to take in setting up a Windows Server 2008 RAS server is to install
and configure the hardware and ports that will handle the incoming calls. You configure a
standard modem through the Control Panel. If the modem is not already installed, open the
Control Panel and double-click the Phone and Modem Options icon. Click the Modems tab,
and then click Add to start the Add/Remove Hardware wizard. You have the option of selecting
the modem manually or letting Windows Server 2008 search for it. Repeat the process for any
additional modems you are installing on the system.
Other types of dial-up equipment require different installation and configuration steps that vary
from one item to the next. It isn’t practical to cover every type in this chapter, so refer to the
manufacturer’s documentation to learn how to properly install the hardware. If you’re setting up
a server connected to the Internet to act as a VPN server for your local network, install the network hardware, connect the system to the Internet, and verify that the server has connectivity to
both the LAN and the Internet.
You configure ports for incoming access through the RRAS console. When you click the Ports
node, the console displays the installed RAS ports. Windows Server 2008 by default installs both
the PPTP and L2TP protocols for VPN support and adds ports for each protocol (one incoming
connection per port of each type). You can view the status of a given port by double-clicking
the port in the list or right-clicking the port and choosing Status. Windows Server 2008 displays
a Port Status dialog box for the port that shows line speed, errors, and protocol-specific data
such as IP address.
To configure ports, right-click Ports in the right pane of the RRAS console and choose Properties. Windows Server 2008 displays a Ports Properties dialog box listing each of the port types.
For example, all PPTP ports appear under a single item in the list, as do all L2TP ports and
individual modems. Select the port type you want to configure and click Configure. Windows
Server 2008 displays the Configure Device dialog box shown in Figure 6-11.
FIGURE 6-11
The Configure Device dialog box.
The following list explains the options in the Configure Device dialog box:
■ Remote Access Connections (Inbound Only). Select this option to enable the selected
port to handle incoming connections only and not function as a demand-dial router for
outgoing connections.
■ Demand-Dial Routing Connections (Inbound and Outbound). Select this option to
enable the port to handle incoming calls and function as a demand-dial router to service
local clients for outgoing calls.
■ Phone Number for This Device. This option is used for Called-Station-ID and
BAP-enabled connections and to identify the IP address for PPTP and L2TP ports.
Some devices support the automatic recognition of the device’s phone number for
Called-Station-ID, so you need to add the number manually only if the device doesn’t
support automatic recognition. The number must match the number defined in the
Called-Station-ID attribute of the NPS policy that is in effect, or the call is rejected. For
BAP, this property is passed to the client when it requests an additional connection so it
knows what number to dial for the new connection. For PPTP and L2TP ports, enter the
IP address, in dotted decimal format, you are assigning to the VPN interface of the server.
■ Maximum Ports. Use this control to specify the maximum number of ports enabled on a
multiport device or protocol (such as PPTP or L2TP).
Configuring protocols
In addition to configuring the ports used by the RRAS server, you also need to configure the
protocols to be used by remote access clients. Verify that you have the necessary protocols
installed prior to attempting to configure the protocols for RRAS. The following sections explain
the options you have for each of the supported RRAS protocols.
TCP/IP
You can assign IP addresses to remote access clients using one of three methods: DHCP, a static
address pool, or by allowing the client to request a preassigned IP address.
Assigning addresses through DHCP
When the RRAS service starts, it checks for the availability of a DHCP server (if configured to
use DHCP for address assignment) and obtains 10 leases from the DHCP server. The RRAS
server uses the first lease for itself and assigns the remaining addresses to RAS clients as they
connect, recovering and reusing addresses as clients disconnect. When the pool of 10 addresses
is exhausted, the RRAS server obtains 10 more, and the process repeats as needed. When the
RRAS service stops, it releases all the addresses, making them available for other DHCP clients
on the network.
The RRAS service will use Automatic Private IP Addressing (APIPA) if it is unable to locate a
DHCP server at startup. APIPA enables Windows Server 2008 to assign addresses in the class
B address range 169.254.0.1 through 169.254.0.254 (subnet mask of 255.255.0.0). APIPA is
designed to allow automatic IP configuration when no DHCP server is available. Because APIPA
is intended for use in internal, single-segment networks, it does not allocate settings for default
gateways, DNS servers, or WINS servers.
By default, RRAS selects a network interface at random from which to obtain the DHCP leases
for RAS clients. You can, however, specify the interface to pull addresses from a specific network
segment/server when the RRAS server is multi-homed (multiple network interfaces). You do so
through the IP page of the server’s properties. In the RRAS console, right-click the server and
choose Properties, and then click the IP tab (see Figure 6-12). Use the Adapter drop-down list
at the bottom of the property page to select the adapter, or choose Allow RAS to Select Adapter
if you want RRAS to automatically select an adapter.
The Adapter drop-down list appears only on multi-homed systems.
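As an added illustration of the batch behaviour described above (a model written for this page, not RRAS code), the following Python shows how the lease count grows in steps of ten, why nine concurrent clients consume ten leases but ten clients consume twenty, and what happens when the DHCP scope cannot supply a further batch. Whether RRAS fails outright when fewer than ten leases remain in the scope is an assumption made by the model, not a statement from the text.

```python
import math

BATCH = 10  # RRAS takes DHCP leases ten at a time, as the text describes


def leases_needed(concurrent_clients: int) -> int:
    """Leases RRAS holds at peak load: one for the server itself plus one per
    connected client, rounded up to whole batches of ten."""
    return math.ceil((concurrent_clients + 1) / BATCH) * BATCH


class RrasDhcpModel:
    """Toy model of the batch behaviour: the DHCP scope is just a free-lease
    counter and addresses are ordinals. Assumption (not stated in the text):
    RRAS needs a full batch of ten free leases in the scope or the request fails."""

    def __init__(self, scope_size: int):
        self.scope_free = scope_size   # leases the DHCP scope can still grant
        self.held = 0                  # leases RRAS has obtained and not released
        self.unassigned = []           # held addresses not currently given to a client
        self.assigned = {}             # client name -> address
        self.server_address = None

    def _obtain_batch(self) -> None:
        if self.scope_free < BATCH:
            raise RuntimeError("DHCP scope exhausted: cannot obtain 10 more leases")
        self.scope_free -= BATCH
        batch = list(range(self.held, self.held + BATCH))
        self.held += BATCH
        if self.server_address is None:
            self.server_address = batch.pop(0)  # the first lease is the server's own
        self.unassigned.extend(batch)

    def start(self) -> None:
        """Service start: obtain the first batch of ten."""
        self._obtain_batch()

    def connect(self, client: str) -> int:
        if not self.unassigned:
            self._obtain_batch()            # pool of ten exhausted: fetch ten more
        self.assigned[client] = self.unassigned.pop(0)
        return self.assigned[client]

    def disconnect(self, client: str) -> None:
        self.unassigned.append(self.assigned.pop(client))  # recovered for reuse

    def stop(self) -> int:
        """Service stop releases every held lease back to the scope."""
        released = self.held
        self.scope_free += released
        self.held, self.unassigned, self.assigned, self.server_address = 0, [], {}, None
        return released


if __name__ == "__main__":
    # Constructed scenario: a scope with 25 free leases and ten remote clients.
    model = RrasDhcpModel(scope_size=25)
    model.start()
    for i in range(10):
        model.connect(f"client{i}")
        print(f"{i + 1:2d} clients: RRAS holds {model.held} leases, scope has {model.scope_free} free")
    print("released on stop:", model.stop())
```

The point for capacity planning is leases_needed: size the DHCP scope for the rounded-up figure rather than for the number of clients, and expect the tenth concurrent client to cost ten leases, not one.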
Using a static address pool
You can assign addresses to RAS clients from a static pool if you have no DHCP server on the
network or simply prefer not to use DHCP for the RAS server. In previous versions of RRAS
(Windows NT), you could configure included and excluded address ranges. In Windows Server
2008, however, you create included ranges only. You can achieve the same effect as an excluded
range by creating multiple included ranges that don’t include the address range you want to
exclude.
You configure the static address pool through the IP property page for the server. In the RRAS
console, right-click the server, choose Properties, and then click the IP tab. Select the option
Static Address Pool and click Add to display the New Address Range dialog box. You specify a
starting address for the range, and then either the ending address or the number of addresses to
include in the pool. Windows Server 2008 determines the ending address for you if you specify
the number of addresses; it also determines the required subnet mask based on the selected
address range. Click OK to add the range, and then repeat the process if you need to add other
ranges.
FIGURE 6-12
The IP tab.
When defining static address pools for RRAS, make sure you don’t use addresses already
allocated to other systems or to DHCP servers on the network. If the static address pool is in a
different subnet from the local network, you must either enable IP routing on the RRAS server
(configured through the IP page of the server’s global properties) or add static routes for the
subnet.
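To make the static-pool rules above concrete, here is an added Python example (not code from the book or from Windows): it derives the ending address from a count, works out the single subnet that covers a range the way the dialog does, reproduces an excluded range by splitting an included one, and checks the finished pool against address ranges already in use. The addresses and the DHCP scope in it are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]  # inclusive start and end


def range_from_count(start: str, count: int) -> Range:
    """Derive the ending address from a starting address and a number of
    addresses, as the New Address Range dialog does when you give a count."""
    if count < 1:
        raise ValueError("a range needs at least one address")
    first = ipaddress.IPv4Address(start)
    return first, first + (count - 1)


def range_from_end(start: str, end: str) -> Range:
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("ending address precedes starting address")
    return first, last


def covering_network(rng: Range) -> ipaddress.IPv4Network:
    """Smallest single subnet containing the whole range, i.e. the mask the
    dialog derives for it. Widen the prefix one bit at a time from /32."""
    first, last = rng
    prefix = 32
    while True:
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if last in net:
            return net
        prefix -= 1


def include_ranges_around(rng: Range, excluded: Range) -> List[Range]:
    """Windows Server 2008 has no excluded ranges: reproduce one by splitting
    an included range into the pieces on either side of the exclusion."""
    first, last = rng
    ex_first, ex_last = excluded
    if ex_last < first or ex_first > last:
        return [rng]                      # the exclusion does not touch this range
    pieces: List[Range] = []
    if ex_first > first:
        pieces.append((first, ex_first - 1))
    if ex_last < last:
        pieces.append((ex_last + 1, last))
    return pieces


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def find_conflicts(pool: List[Range], reserved: List[Tuple[str, Range]]) -> List[Tuple[str, str]]:
    """Report every pool range that collides with an address range already in
    use elsewhere (DHCP scopes, statically addressed hosts, and so on)."""
    hits = []
    for rng in pool:
        for owner, taken in reserved:
            if overlaps(rng, taken):
                hits.append((owner, f"{rng[0]}-{rng[1]}"))
    return hits


if __name__ == "__main__":
    # Constructed values: a 20-address pool with three addresses carved out of it.
    wanted = range_from_count("192.168.10.100", 20)          # ends at .119
    pool = include_ranges_around(wanted, range_from_end("192.168.10.105", "192.168.10.107"))
    print("pool ranges:", [f"{a}-{b}" for a, b in pool])
    print("mask derived for the pool:", covering_network(wanted).netmask)
    # Constructed reservation list: an existing DHCP scope on the same subnet.
    reserved = [("DHCP scope on dhcp01", range_from_end("192.168.10.110", "192.168.10.150"))]
    print("conflicts:", find_conflicts(pool, reserved))
```

Run it to see the split pool, the derived mask, and the collision with the constructed DHCP scope; the conflict check is the part worth keeping, since the text leaves that check to you.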
Allowing clients to use preassigned IP addresses
In some situations, it’s advantageous for clients to be able to use the same IP address for each
remote session. For example, users might work with applications that expect remote users to be
at specific IP addresses. Arbitrarily allowing clients to request preassigned IP addresses could
lead to address havoc and potential routing problems, but Windows Server 2008 overcomes
that problem by allocating the remote client’s IP address through his or her account properties.
Enabling a client to request a preassigned IP address requires two steps. First, you must configure the applicable NPS policy to allow the user to request a preassigned IP address. Second, you
must specify the address in the user’s account properties.
You configure the NPS policy through the RRAS console. See the section titled “Policy Server” later in this chapter for detailed information on configuring and managing NPS policies.
Where you modify the user’s account properties depends on the network configuration. On a
standalone server (no domain), you modify the user’s properties through the Local Users and
Groups node of the Computer Management console. Open the account’s properties and click
the Dial-In tab. Select the option Assign a Static IP Address and specify the desired address in
the associated text box. For information on the other properties on the Dial-In tab, see the section
“Policy Server” later in this chapter. You’ll find the same properties for domain users in the
Active Directory Users and Computers console; configure them as you would on a standalone server.
Enabling/disabling IP for RRAS
By default, Windows Server 2008 RRAS enables for RRAS all protocols installed on the server.
You can selectively disable a protocol if you don’t want to allow that protocol to be used
for remote connections. To enable or disable IP for RAS, open the RRAS console, right-click
the server, and choose Properties. On the IP property page, select or deselect the option
“Allow IP-based remote access and demand-dial connections” to enable or disable IP for RAS,
respectively.
IP routing and restricting access to the RAS server
By default, the RRAS server allows remote clients access not only to the local server, but also to
the network (subject to permissions and policies applied to the remote client or local resources).
As such, the RRAS server provides IP routing to the remote clients, routing traffic between the
remote client and the LAN. You can prevent remote clients from accessing the LAN by disabling
IP routing on the RRAS server. To do so, open the RRAS console, right-click the server, and
choose Properties. On the IP page, deselect the option Enable IP Routing to prevent remote
clients from accessing the LAN and to restrict their access only to resources on the RRAS server.
IP routing must be enabled if you’re using the RRAS server to provide LAN or
demand-dial routing. See the section titled ‘‘IP Routing’’ earlier in this chapter for a
detailed discussion of Windows Server 2008 routing through RRAS.
Configuring authentication
After you have configured protocols on the RRAS server, you need to turn your attention to
authentication and encryption, configuring the server to suit your needs.
Configuring PPP
Windows Server 2008 offers a few options you can configure that control PPP connections to
the server. In the RRAS console, right-click the server, choose Properties, and click the PPP tab.
The PPP page offers the following options:
■ Multilink Connections. Select this option to allow remote clients to request and use
multilink connections. This option enables multilink connections but does not explicitly enable dynamic link management through BAP or BACP, which is controlled by the
following option. See the section “Using Multilink and BAP” later in this chapter for additional information.
■ Dynamic Bandwidth Control Using BAP. This option enables the server and client
to use Bandwidth Allocation Protocol and Bandwidth Allocation Control Protocol to
dynamically multilink connections, adding links when bandwidth utilization increases
and removing links when bandwidth utilization decreases.
■ Link Control Protocol (LCP) Extensions. LCP extensions enable LCP to send
Time-Remaining and Identification packets, and to request callback during LCP
negotiation. Deselect this option only if the remote clients don’t support LCP extensions.
■ Software Compression. Select this option to have the RRAS server use Microsoft
Point-to-Point Compression protocol (MPPC) to compress data transmitted to remote
clients. Deselect this option if the remote clients don’t support MPPC.
Configuring authentication
As mentioned earlier in this chapter, Windows Server 2008 RRAS supports several authentication standards. You can configure RRAS to accept multiple authentication methods, and the
server will attempt authentication using the selected protocols in order of decreasing security.
For example, RRAS attempts EAP first if EAP is enabled, then MS-CHAP version 2, then
MS-CHAP, and so on.
You configure the authentication methods for RRAS through the Security page of the RRAS
server’s properties (accessed from the RRAS console). Click Authentication Methods on the
Security page to access the Authentication Methods dialog box, shown in Figure 6-13. Select
the authentication methods you want to allow and click OK. The following sections provide an
overview of each method and, where applicable, explain how to configure and enable it.
You can require a specific authentication method for a client through an NPS policy.
The following sections don’t cover configuring authentication through an NPS policy for each authentication protocol; you will find coverage of that topic in the section “Policy
Server” later in this chapter.
EAP
Extensible Authentication Protocol (EAP) enables the client and server (or IAS, if used for RAS
authentication) to negotiate an authentication method from a pool of methods supported by
the server. Windows Server 2008 EAP provides support for two EAP types: EAP-MD5 CHAP
and EAP-TLS. Both the client and the authentication server must support the same EAP type for
authentication through EAP, and you can install additional third-party EAP types on a
Windows Server 2008 system.
FIGURE 6-13
You can configure multiple authentication methods through the Authentication Methods dialog
box, and RRAS attempts them in decreasing order of security provided.
EAP-MD5 CHAP functions much the same as standard CHAP, but challenges and responses are
sent as EAP messages. EAP-MD5 CHAP authenticates with user names and passwords. EAP-TLS,
conversely, uses certificates to authenticate remote clients, using a secured private key exchange
between client and server. EAP-TLS provides the most secure authentication of all the methods
supported by Windows Server 2008.
Windows Server 2008 supports EAP-TLS only in domain environments (either mixed
mode or native). RRAS on a standalone server does not support EAP-TLS.
Enabling RRAS to support EAP requires three steps. First, enable EAP as an authentication
method in the Authentication Methods dialog box through the RRAS server’s properties. Then,
if necessary, configure the remote client’s NPS policy to allow EAP, as explained later in the
section “Policy Server.” Finally, configure the client to use the appropriate EAP type. See
the section “Configuring Outgoing Dial-Up Networking Connections” for a detailed explanation.
Configuring EAP-RADIUS
In addition to supporting the two EAP types described previously, Windows Server 2008
also enables authentication messages for any EAP type to be relayed to RADIUS servers (such
as Windows Server 2008 systems running IAS). EAP-RADIUS encapsulates and formats the
messages going from the RRAS server to the RADIUS server as RADIUS messages. The RADIUS
server encapsulates the EAP response as a RADIUS message and passes it to the RRAS server,
which relays it to the client. In this way, the RRAS server functions as a relay and doesn’t
actually perform the authentication, nor does it require the EAP type used to be installed on the
RRAS server. Instead, the EAP type must be installed on the RADIUS server.
In addition to configuring the client to use EAP and the appropriate EAP type, you must enable
EAP authentication on the RRAS server, configure it to point to the appropriate RADIUS server,
and install the required EAP type on the RADIUS server. You configure the RRAS server to
accommodate EAP through the Authentication Methods dialog box for the server, as explained
previously. To point the RRAS server to the RADIUS server, open the server’s Security property
page and select RADIUS Authentication from the Authentication Provider drop-down list. Click
Configure, and then click Add to display the Add RADIUS Server dialog box, shown in Figure 6-14.
FIGURE 6-14
The Add RADIUS Server dialog box.
Use the following list as a guide to configure RADIUS server options:
■ Server Name. Specify the FQDN or IP address of the RADIUS server.
■ Shared Secret. Enter the secret string used by the RADIUS server to authenticate access
to the RADIUS server. You can use any alphanumeric characters and special characters in
the string, up to 255 characters. The shared secret is case-sensitive.
■ Time-Out (Seconds). This is the period of time the RRAS server will wait for a response
from the RADIUS server before timing out and failing the authentication.
■ Initial Score. This value indicates the overall responsiveness of the RADIUS server. This
number changes dynamically as the responsiveness of the RADIUS server changes. RRAS
queries the servers in order of highest to lowest score (the higher the score, the better the
responsiveness). Use this option to specify an estimated initial score.
■ Port. Specify the UDP port used by the RADIUS server for incoming authentication
requests. The default is 1812 for newer RADIUS servers and 1645 for older RADIUS
servers.
■ Always Use Message Authenticator. Select this option to force the RRAS server to send
a digital signature with each RADIUS message. The signature is based on the shared secret.
Ensure that the RADIUS server supports and is configured for receipt of digital signatures
before enabling this option. If you’re using IAS and the client for this server is configured
to require the RRAS server to always send a digital signature, you must select this option.
See the section “RRAS Logging and Accounting” later in this chapter to configure the
RRAS server for RADIUS authentication.
Repeat the process described previously to add other RADIUS servers as required.
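The Shared Secret and Always Use Message Authenticator options above are easier to judge once you see what the RADIUS exchange actually checks. The following Python example (added here; it is not from the book and is not Windows, NPS or IAS code) builds an Access-Request carrying a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, as RFC 2869 defines it) and a signed Access-Accept whose Response Authenticator is the MD5 hash defined in RFC 2865, then verifies both the way the RRAS server, as the NAS, would. The shared secret, user name and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def parse_attrs(packet: bytes):
    """Yield (offset, type, value) for each attribute following the header."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated RADIUS attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def set_message_authenticator(packet: bytes, mac: bytes) -> bytes:
    buf = bytearray(packet)
    for off, atype, _ in parse_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            buf[off + 2:off + 18] = mac
    return bytes(buf)


def message_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 keyed with the shared secret over the packet, with the
    Authenticator field set to the Request Authenticator and the
    Message-Authenticator value zeroed (RFC 2869 section 5.14)."""
    buf = bytearray(set_message_authenticator(packet, bytes(16)))
    buf[4:20] = request_auth
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           body: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def sign_access_request(identifier: int, attrs: list, secret: bytes) -> bytes:
    """What the NAS sends when it always includes a Message-Authenticator."""
    request_auth = os.urandom(16)
    attrs = list(attrs) + [encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    packet = build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)
    return set_message_authenticator(packet, message_authenticator(packet, request_auth, secret))


def build_response(code: int, request: bytes, attrs: list, secret: bytes) -> bytes:
    """Server side: sign a response to `request` with both authenticators."""
    identifier, request_auth = request[1], request[4:20]
    attrs = list(attrs) + [encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    draft = build_packet(code, identifier, request_auth, attrs)
    draft = set_message_authenticator(draft, message_authenticator(draft, request_auth, secret))
    body = draft[HEADER_LEN:]
    return draft[:4] + response_authenticator(code, identifier, request_auth, body, secret) + body


def verify_message_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Reject packets whose attribute is missing, duplicated, malformed or wrong."""
    found = [v for _, t, v in parse_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return False
    return hmac.compare_digest(found[0], message_authenticator(packet, request_auth, secret))


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: check the Response Authenticator, then the Message-Authenticator."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    request_auth, body = request[4:20], response[HEADER_LEN:]
    expected = response_authenticator(response[0], response[1], request_auth, body, secret)
    if not hmac.compare_digest(response[4:20], expected):
        return False
    return verify_message_authenticator(response, request_auth, secret)


if __name__ == "__main__":
    SECRET = b"Constructed-Secret-123"   # constructed for the example; case-sensitive, as the text notes
    req = sign_access_request(7, [encode_attr(ATTR_USER_NAME, b"vpnuser"),
                                  encode_attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))], SECRET)
    acc = build_response(ACCESS_ACCEPT, req, [], SECRET)
    print("request verifies:", verify_message_authenticator(req, req[4:20], SECRET))
    print("accept verifies:", verify_response(acc, req, SECRET))
    # A response whose code was altered in transit fails the check without the secret.
    print("altered code verifies:", verify_response(bytes([ACCESS_REJECT]) + acc[1:], req, SECRET))
```

Two things the code makes visible: a packet that lacks the attribute cannot be verified at all, which is why a server configured to require it rejects such requests, and a response whose code or attributes were changed in transit fails the check for anyone without the secret, so the integrity of the exchange rests on the secret (up to 255 case-sensitive characters, per the list above) being long, random and known only to the two parties.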
Storing passwords with reversible encryption is similar to storing passwords in clear
text and can therefore be a security risk. Only enable this policy if you have a specific need to do so.
You need to modify the default domain policy if you want to apply reversible encryption for all
users in the domain. On a domain controller, choose Start ➪ All Programs ➪ Administrative
Tools ➪ Domain Security Policy. Open the branch Security Settings/Account Policies/Password
Policy and enable the option “Store password using reversible encryption.” On a standalone
server, choose Start ➪ All Programs ➪ Administrative Tools ➪ Local Security Policy to
modify the password policy to enable reversible encryption.
Each user for which reversible encryption has been enabled needs to modify his or her password
so that the new password will be stored with reversible encryption. Configuring the user’s
account or the domain or local policy for reversible encryption does not automatically change
the way the passwords are stored. You can reset the users’ passwords yourself or have the users
change passwords during their next logon session. Because the users can’t change passwords
through CHAP authentication, they must either log on to the LAN to change their passwords
or use MS-CHAP through the remote connection to change their passwords, and then switch to
CHAP for future remote sessions. The alternative for those users who can’t log on to the LAN or
use MS-CHAP is for the administrator to reset the password.
The final step is configuring the remote client to use CHAP. See the section “Configuring Outgoing Dial-Up Networking Connections” to learn how to configure remote
access clients.
SPAP
SPAP stands for Shiva Password Authentication Protocol. Shiva is a corporation that develops
and markets several remote access solutions, including the Shiva LAN Rover. Clients connecting
to a Shiva LAN Rover use SPAP for authentication, as do Shiva clients connecting to a Windows
Server 2008 RRAS server. SPAP is disabled by default for a Windows Server 2008 RRAS server.
SPAP offers a lower degree of security than the methods described previously, so you should
enable SPAP only if you need to support Shiva clients. You can enable SPAP through the
Authentication Methods dialog box in the RRAS server’s properties.
SPAP is no longer supported for PPP connections.
PAP
Password Authentication Protocol (PAP) uses plain text to transmit passwords, making it susceptible to compromise. Therefore, only use PAP to support clients that don’t support any of the
other authentication methods, or when security is not an issue. Enable PAP for the RRAS server
through the Authentication Methods dialog box in the RRAS server’s properties.
Unauthenticated access
You can configure a Windows Server 2008 RRAS server to allow unauthenticated remote access,
enabling any user to log on regardless of whether he or she provides a valid username and password. Though unauthenticated access can pose a security risk, it nevertheless has some uses.
Because unauthenticated access is applicable in few situations, it is not covered in detail here.
To learn more about unauthenticated access, open the RRAS console, select Help, and open the
topic Remote Access/Concepts/Remote Access Security/Unauthenticated Access.
Disabling routing (Remote Access Server only)
If you’re using RRAS only to provide dial-in remote access and don’t require routing, you can
disable routing and allow the server to function as a remote access server only. This reduces
some of the overhead in the RRAS server and can improve performance somewhat. You also
might want to disable routing for security reasons that might be applicable to your network.
To disable routing, open the RRAS console and then open the properties for the server on which
you want to disable routing. On the General page, deselect the Router option and leave the
Remote Access Server option selected. Click OK and allow Windows Server 2008 to restart
RRAS for the change to take effect.
RRAS logging and accounting
Windows Server 2008 RRAS, like many other services, logs events to the Windows Server 2008
System log, which you can view and manage with the Event Viewer console. You configure
logging options on the Event Logging page of the RRAS server’s property sheet. Open the
RRAS console, open the property sheet for the server, and click the Logging tab. The Logging
page offers a handful of options that control the amount of information logged to the System
event log; the options are self-explanatory. You also can enable logging of PPP events for
troubleshooting purposes — just enable the option Log Additional Routing and Remote Access
Information.
By default, a Windows Server 2008 RRAS server uses Windows Server 2008 accounting, which
means that certain aspects of remote sessions are logged to the log file designated by the entry
in the Remote Access Logging branch of the RRAS console. Windows accounting is applicable
when you are using IAS to provide authentication. If you’re using a RADIUS server, however,
you’ll probably want to configure RADIUS to perform the accounting for you. The following
sections explain both options.
Using Windows accounting
By default, Windows Server 2008 RRAS does not log remote sessions, but you can enable
logging for security and troubleshooting. To use Windows accounting, open the RRAS console,
right-click the server, choose Properties, and click the Security tab. Select Windows Accounting
from the Accounting Provider drop-down list, and then click OK to close the property sheet.
In the RRAS console, open the Remote Access Logging branch. You’ll find an item in the right
pane labeled Local File. Double-click Local File, or right-click it and choose Properties, to display the Local File Properties sheet. The Settings page contains the following options:
■ Accounting Requests. Select this option to log accounting requests from the RRAS server
to the accounting server to indicate that it is online and ready to accept connections or go
offline, and to start and stop accounting for a user session.
■ Authentication Requests. This option logs authentication requests sent by the RRAS
server to IAS on behalf of the client, along with responses from IAS to the RRAS server
indicating the acceptance or rejection of the remote client’s authentication request.
■ Periodic Status. This option enables you to log periodic status requests for a session sent
by the RRAS server to IAS, although this option is generally not recommended because of
the potentially large log file that usually results.
The Local File page of the Local File Properties sheet determines the format for the local log file
as well as the log’s location, filename, and how often a new log file is created. The options are
self-explanatory.
Using RADIUS accounting
You configure RADIUS accounting through the Security tab of the RRAS server’s properties.
Open the RRAS console, right-click the server, choose Properties, and click the Security tab.
Select RADIUS Accounting from the Accounting Provider drop-down list, and then click
Configure. In the RADIUS Accounting dialog box, click Add to add a RADIUS accounting server
and configure its properties. The following list explains the options:
■ Server Name. Specify the FQDN or IP address of the RADIUS server.
■ Shared Secret. Enter the secret string used by the RADIUS server to authenticate access.
You can use any alphanumeric characters and special characters in the string, up to 255
characters. The shared secret is case-sensitive.
■ Time-Out (seconds). This is the period of time the RRAS server will wait for a response
from the RADIUS server before timing out and failing the accounting request.
■ Initial Score. This value indicates the overall responsiveness of the RADIUS server. This
number changes dynamically as the responsiveness of the RADIUS server changes. RRAS
queries the servers in order of highest to lowest score (the higher the score, the better the
responsiveness). Use this option to specify an estimated initial score.
■ Port. Specify the UDP port used by the RADIUS server for incoming authentication
requests. The default is 1813 for newer RADIUS servers and 1646 for older RADIUS
servers.
■ Send RADIUS Accounting On and Accounting Off Messages. Select this option to
have the RRAS server send Accounting-On and Accounting-Off messages to the accounting server when the RRAS service starts and stops.
Configuring a VPN Server
A secure Virtual Private Network (VPN) connection enables remote access clients to establish
secure connections to the RRAS server or to the local network to which the RRAS server is
connected from a nonsecure network such as the Internet. Once connected by a VPN connection, the remote user has the same capabilities and security that he or she would have when
connected locally to the network. A common use for VPN is to allow remote users to access
files, printers, and other resources on the office LAN when they are on the road or working from
other locations.
In a VPN connection, the data packets are encapsulated with additional header data that provides routing data to enable the packet to reach its destination. The segment of the connection
in which the data is encapsulated is called a tunnel.
Data is encrypted before it is encapsulated to make the data secure as it travels through the
public network. Tunneling protocols manage the traffic flow between the client and server. By
default, Windows Server 2008 supports two tunneling protocols: Point-to-Point Tunneling
Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). These protocols are described earlier
in this chapter in the section “RAS Connection Types and Protocols.” Earlier Windows operating
systems, as well as Windows Vista and Windows Server 2008 clients, support PPTP; Windows Server 2008
clients support both PPTP and L2TP. Non-Microsoft clients that support PPTP or L2TP
can also connect to a Windows Server 2008 VPN server.
When you set up a Windows Server 2008 RRAS server manually as a remote access server,
Windows Server 2008 automatically installs both PPTP and L2TP and configures five ports for
each protocol, meaning you can connect five remote VPN clients with each protocol. If you use
the wizard to configure the server as a VPN server, the wizard creates 128 ports each for PPTP
and L2TP. In either case, you can change the number of virtual ports available for connections
through the Ports branch in the RRAS console.
To easily configure a VPN server, run the configuration wizard and select the desired VPN
option. See the section “Configuring RRAS for Inbound Connections” earlier in this chapter for a
description of the options offered by the wizard. The following sections explain changes you can
make after installation and how to configure the server for VPN manually.
Don’t forget to enable the remote clients’ accounts for remote access — either
through the individual account properties or the NPS policy. This is required for VPN
connections just as it is for standard RAS connections.
Configuring VPN ports
You use the RRAS console to make all changes to the VPN server’s configuration. One of the
changes you’ll surely want to make at some point is the port configuration. Open the RRAS
console, open the server to be changed, right-click the Ports branch, and choose Properties.
The Ports Properties sheet shows the available ports, port type, and limited other information.
Click a port type, and then click Configure to display the Configure Device dialog box, shown
in Figure 6-15.
FIGURE 6-15
The Configure Device dialog box.
Use the Configure Device dialog box to configure port properties, which vary somewhat from
one type to another.
Use the following list as a guide to configure port options:
■ Remote Access Connections (Inbound Only). Select this option to enable the port type
for incoming remote access connections. Deselect the option to prevent incoming connections on the selected port type.
■ Demand-Dial Routing Connections (Inbound and Outbound). Select this option to
enable incoming and outgoing demand-dial routing on the port type. Deselect to disable
routing for the selected port type.
■ Demand-Dial Routing Connections (Outbound Only). Select this option to allow only
outbound demand-dial connections.
■ Phone Number for This Device. For PPTP and L2TP ports, specify the IP address
assigned to the VPN interface on the server through which the incoming connections
arrive.
■ Maximum Ports. Change the number of ports of the selected type with this control.
Enabling L2TP for VPN
By default, Windows Server 2008 configures five L2TP ports when you install RRAS for remote
access and 128 ports when you install RRAS for VPN. In addition to configuring the ports you
need, you must take some further steps to ensure that L2TP provides a secure connection, as
explained in the following sections.
Obtaining and installing a certificate
L2TP uses IPSec to provide encryption, which requires that you install a computer certificate
on the RRAS server as well as the client to provide encryption/decryption capability for IPSec.
You must have a Windows Server 2008 running Certificate Services on your network (or
locally on the RRAS server) from which to obtain the certificate. This certificate server is called
a Certificate Authority (CA). An enterprise root CA can be configured to allocate computer
certificates automatically to computers in the domain, or you can use the Certificates console to
request a certificate from an enterprise CA. You also can connect to http://server/certsrv,
where server is the address or name of the CA, to request a certificate. Use this last option if
your RRAS server is not a member of a domain or if you need to request the certificate from a
standalone CA.
Configuring L2TP over IPSec filters
Unlike PPTP, which uses Microsoft Point-to-Point Encryption (MPPE), L2TP relies on IP
Security (IPSec) to provide encryption to secure the VPN connection. You therefore need to
configure IPSec filters accordingly on the RRAS server’s public interface to restrict all but
L2TP traffic. This will ensure that only secure L2TP traffic moves through the RRAS server.
To configure the filters, first note the IP address of the RRAS server’s public interface (the one
connected to the Internet). Then, open the RRAS console, open the IP Routing branch, and click
General. Right-click the interface on which you want to set the filters and choose Properties.
On the General page of the interface’s property sheet, click Inbound Filters to display the
Inbound Filters dialog box, as shown in Figure 6-6. Click Add to display the Add IP Filter
dialog box. Select the option Destination Network. Then, in the IP Address field, specify
the IP address of the server’s Internet network interface. In the Subnet Mask field, enter
255.255.255.255. Select UDP from the Protocol drop-down list, enter 500 in both the Source
Port and Destination Port fields, and click OK.
Back on the Inbound Filters dialog box, click Add again and add another Destination Network
entry for the same IP address and subnet mask as the first entry, but add UDP port entries of
1701 for both the Source Port and Destination Port fields. Click OK. Then, in the Inbound
Filters dialog box, select the option “Drop all packets except those that meet the criteria below,”
and click OK.
Next, you need to add filters to restrict traffic for outgoing packets to the appropriate ports for
L2TP. On the General page of the interface’s property sheet, click Output Filters. Just as you did
for the input filters, add two output filters for the server’s public network interface IP address,
subnet mask 255.255.255.255, with the first filter using UDP port 500 for Source Port and Destination Port, and a second filter using UDP port 1701 for Source Port and Destination Port.
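To check that the filter set above admits only the traffic L2TP over IPsec needs, here is an added Python model of the RRAS inbound and outbound filters (written for this page; it is not RRAS code). It encodes the Destination Network entries with the 255.255.255.255 mask and the “drop all packets except” default, then runs constructed packets through them. Two assumptions: the output filters are anchored on the server’s public address as the packet’s source address, which the text does not spell out, and the optional nat_traversal flag adds IKE NAT traversal on UDP port 4500, which clients behind a NAT device use and which the text’s list does not include. The addresses are constructed from the documentation ranges.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = arriving on the public interface, "out" = leaving it
    protocol: str         # "udp", "tcp", "icmp", ...
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class IpFilter:
    """One RRAS packet filter with a 255.255.255.255 mask. Inbound filters are
    anchored on the destination address (the text's Destination Network entry);
    outbound filters are anchored on the source address (an assumption, since
    the text does not say which network field the output filters use)."""
    direction: str
    address: str
    protocol: str
    src_port: int
    dst_port: int

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction or p.protocol != self.protocol:
            return False
        anchor = p.dst_ip if self.direction == "in" else p.src_ip
        return anchor == self.address and p.src_port == self.src_port and p.dst_port == self.dst_port


def l2tp_ipsec_filters(public_ip: str, nat_traversal: bool = False) -> List[IpFilter]:
    """The four filters the text describes (IKE on UDP 500 and L2TP on UDP 1701,
    inbound and outbound). nat_traversal additionally permits IKE NAT-T on
    UDP 4500, which is not part of the text's list."""
    ports = [500, 1701] + ([4500] if nat_traversal else [])
    return [IpFilter(d, public_ip, "udp", port, port) for d in ("in", "out") for port in ports]


def apply_filters(p: Packet, filters: List[IpFilter]) -> str:
    """Default deny: "Drop all packets except those that meet the criteria below"."""
    return "permit" if any(f.matches(p) for f in filters) else "drop"


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges; not values from the text.
    SERVER, CLIENT = "198.51.100.10", "203.0.113.25"
    filters = l2tp_ipsec_filters(SERVER)
    samples = [
        ("IKE negotiation", Packet("in", "udp", CLIENT, 500, SERVER, 500)),
        ("L2TP tunnel", Packet("in", "udp", CLIENT, 1701, SERVER, 1701)),
        ("PPTP (TCP 1723)", Packet("in", "tcp", CLIENT, 40112, SERVER, 1723)),
        ("IKE to other address", Packet("in", "udp", CLIENT, 500, "198.51.100.11", 500)),
        ("IKE NAT-T", Packet("in", "udp", CLIENT, 4500, SERVER, 4500)),
        ("server IKE reply", Packet("out", "udp", SERVER, 500, CLIENT, 500)),
    ]
    for label, pkt in samples:
        print(f"{label:22s} {apply_filters(pkt, filters)}")
```

Running it shows the two permitted flows and everything else, including a PPTP connection attempt on the same interface, being dropped. The IKE NAT-T line is the caveat: with only the text’s two port pairs, a client behind a NAT device cannot complete IPsec negotiation, so decide deliberately whether that flag belongs in your deployment.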
Using Multilink and BAP
As mentioned earlier in this chapter, Windows Server 2008 supports the use of multilink
connections, which enables a client to connect to the RRAS server using multiple, aggregated
links. Bandwidth Allocation Protocol (BAP) provides a means for the bandwidth utilization
to be dynamic. As bandwidth usage increases, the client can request another connection to
improve performance. As bandwidth usage decreases, connections can be dropped to make them
available to other clients or reduce connection costs. Enabling multilink and BAP requires a few
steps: enable multilink, configure network access policies, configure the ports, and configure
the clients.
First, open the RRAS console, expand the server node, then right-click and select Properties. On
the PPP page, select Multilink Connections to allow clients to request multilink connections.
Select ‘‘Dynamic bandwidth control using BAP or BACP’’ to enable clients to use BAP/BACP to
dynamically manage aggregation. Click OK to close the property sheet.
The second step is to enable multilink in the appropriate network policy. The default policy
allows all clients to use the settings defined globally for the RRAS server, so enabling multilink
and BAP for the server enables it for all remote clients unless modified by a network policy.
If you want to restrict the use of multilink and BAP to selected users, modify the policies
accordingly. Apply one policy for those who require multilink support and a different policy for
those who do not.
In the RRAS console, open the Servers branch and click Remote Access Logging & Policies.
Double-click the policy you want to modify (or create a new one). Select the Settings tab for the
Multilink policy (see Figure 6-16).
You can configure the settings based on the following list:
■ Server Settings Determine Multilink Usage. Select this option to use the global settings
defined by the RRAS server.
■ Do Not Allow Multilink Connections. Select this option to disable multilink for remote
clients covered by the policy and limit them to a single connection.
273
Page 273
6
Shapiro
Part I
c06.tex
V2 - 06/12/2008
4:16pm
Core, Configuration, Networking, and Communication Services
■ Allow Multilink Connections. Select this option to allow remote clients covered by the
policy to use multiple connections.
■ Percentage of Capacity/Period of Time. Specify the utilization threshold value and
duration the server uses to determine when to drop a link.
■ Require BAP for Dynamic Multilink Requests. Select this option to require the client
to use BAP to manage multiple links. If the client doesn’t use BAP, multilink connections
are refused and the client is limited to a single link.
FIGURE 6-16
The PPP page.
Next, specify the phone number for each port used for multilink connections to enable the
server to pass that data to the client when the client requests another link. The client uses
that phone number to dial the next link. In the RRAS console, open the server, right-click the
Ports branch, and choose Properties. Double-click the port for which you need to set the dial-in
number, or select the port and click Configure. Specify the phone number in the field Phone
Number for This Device and then close the dialog box and the Ports property sheet.
See the section ‘‘Configuring Outgoing Dial-Up Networking Connections’’ later in this
chapter to learn how to configure Windows Server 2008 clients to use multilink and
BAP.
Policy Server
Although you can rely on global settings on the RRAS server to provide security and
enable/disable access, you have much greater control over remote clients through the use of
Network Policy Server (NPS). Like other group policies, NPS policies enable you to configure
access on a user, group, or global basis. By default, Windows Server 2008 RRAS creates a single
NPS policy. You can modify this policy and/or create additional policies to suit your needs.
You manage NPS policies through the NPS console. In the console, open the server to be
managed and then open the Remote Access Logging & Policies branch. Right-click the node and
choose Launch NPS. Then select the option to manage Network Access Policies.
Connections to RRAS and ‘‘other access servers’’ are actually configured to deny access to all
dial-up users. Click the policy and note that the option Deny Remote Access Permission is
selected. This setting applies unless overridden by per-user settings in each user’s account,
which effectively disables access for all users unless their accounts are configured to allow access.
Selecting the option Grant Remote Access Permission for This Policy enables all users to gain
remote access.
You can use the default NPS policies as-is, add other conditions to them, or create new policies
to fit specific users, groups, or situations. For example, assume you want to grant remote access
to a sales group but limit the group’s members to one link (disable multilink). You want to also
enable your Administrators group to gain access but allow them to use multilink. Therefore, you
need to create two policies. We’ll use this example to illustrate how to create and configure policies. First, create the policy for the Sales group.
Creating a new policy
In the RRAS console, open the server, and then open the Remote Access Logging & Policies
branch. Right-click the Network Policies node and choose New to start the New
Network Policy Wizard. You have two options in the wizard: create a typical policy for specific
uses or create a custom policy. If you choose the former, Windows Server 2008 lets you choose
from VPN, Dial-Up, Wireless, and Ethernet access methods (depending on configuration), which
sets the policy condition NAS-Port-Type Matches type, where type specifies the appropriate
connection type, such as Ethernet. You can open the policy and view the NAS-Port-Type
setting for the policy. All policies that you create in this way are set to deny access based on the
specified condition(s).
For each of the four typical policy options, you specify the policy name, which identifies the
policy in the console. In addition to specifying the connection type, you must also specify the
user or group to which the policy applies, as well as the authentication and encryption options.
If you choose the option to create a custom policy, the wizard prompts for the following information as you progress through the screens:
■ Policy Name. This is the policy name as it appears in the RRAS console. Specify a name
that identifies the purpose of the policy or affected users. In this example, use Sales as the
friendly name.
■ Conditions. Use the Specify Conditions page of the wizard to specify the
criteria by which the policy grants or denies access. In this example, click Add, select
Windows-Groups, and click Add. Select the Sales group, click OK, and then click Next. (This example
assumes a Sales group in Active Directory, used by your Sales department.)
■ Specify Access Permission. Click Next, and then select which action is applied to the
selected criteria. In this example, we want the Sales group granted access, so select Access
Granted. If you wanted to explicitly prevent the Sales group from using remote access, you
would instead select Access Denied.
■ Configure Authentication Methods. Click Next and then select the authentication
methods used on this access server. You can choose the more secure EAP authentication
types or the less secure methods such as MS-CHAP or CHAP.
■ Configure Constraints. Click Next and then select the constraints to configure. This
screen gives you the option to set times of access, idle time out, and NAS port types.
■ Configure Settings. Click Next and then select the RADIUS integration or general
routing and remote access settings. The latter lets you set Multilink options, IP filters,
encryption, and IP settings. Click Next to review all the options or go back to change
settings. When you are happy with the policy, click Finish.
If you double-click a policy, NPS displays your new policy’s Properties page to allow you to
make changes or add settings as needed. This is shown in Figure 6-17.
This sheet contains several tabs, which were described in the previous sections. After you configure
the Sales group’s policy to deny multilink, you run the wizard again to create another policy
for the Administrators group, this time granting multilink permission. Some of the options you
have are further explained in the next section.
Dial-In Constraints
Dial-In Constraints determine when the user can connect, for how long, and other properties
that define the user’s connection in general. Use these options to specify which dial-in media
types are available to users to whom the policy applies. For example, you might select Virtual
Private Networking (VPN) to allow the remote users to connect through a VPN connection only.
IP
The IP options of the NPS policy’s properties determine how the client IP address is assigned and
which input/output filters, if any, apply to the connection. You can force the server to assign
an IP, allow the client to request a specific IP, or let the global server settings define how the
address is assigned (the default).
You can apply a filter to incoming packets to limit them to specific protocols or ports. See the
section titled ‘‘Configuring L2TP over IPSec Filters’’ earlier in this chapter for more information
on creating filters.
Multilink
The Multilink option determines whether or not the remote client can use multilink, the maximum number of ports, and criteria that determine when BAP drops a link if bandwidth usage
drops. These options are generally self-explanatory. See the section titled ‘‘Using Multilink and
BAP’’ earlier in this chapter for additional information.
FIGURE 6-17
The Policy Properties dialog box for a new policy.
For our example, the Sales group needs to be denied the use of multilink. Select the option ‘‘Do
not allow Multilink connections’’ to prevent anyone in the Sales group from using a multilink
connection.
Authentication
The Authentication option determines the authentication method(s) allowed for remote clients
covered by the policy. Through this page, you can enable EAP or other authentication methods
allowed for the remote clients. You can select multiple methods or select a single method if you
need to ensure that the selected group always uses the same authentication method.
The option ‘‘Allow clients to connect without negotiating any authentication protocol’’ enables
remote clients to establish a connection without authenticating. Although this capability is useful
in a limited number of situations, it presents a security risk because you have no control over
who can gain remote access. Use this option sparingly.
For more information on authentication methods, see the section titled ‘‘RAS Connection Types and Protocols’’ earlier in this chapter.
Encryption
The Encryption option defines the levels of encryption that can be used by clients covered by
the policy:
■ No Encryption. Select this option to enable remote clients to connect without using
encryption. If no other encryption options are selected, remote clients are prevented from
using encryption.
■ Basic Encryption. Select this option to enable remote clients to use IPSec 56-bit DES or
MPPE 40-bit encryption.
■ Strong Encryption. Select this option to enable remote clients to use 56-bit DES or MPPE
56-bit encryption.
■ Strongest Encryption. Select this option to enable remote clients to use IPSec Triple DES
(3DES) or MPPE 128-bit encryption.
RADIUS
The RADIUS option enables you to configure additional RADIUS connection properties for
remote clients covered by the network access policy. Because there are so many, it isn’t
practical to cover all of them in this chapter. Click Add on the Advanced page and browse the
list to determine which, if any, you require for the selected policy.
Prioritizing policies
As soon as you have configured a policy, you can manage the policies from the Network Policy
Server console. As mentioned earlier, the NPS console can be accessed from the RRAS console.
The NPS console is shown in Figure 6-18. Each NPS policy has a unique order number, and
policies are evaluated and applied in order of priority. You can change the order to define
the way policies are applied, which determines the final applied result. To change the order,
right-click a policy and choose either Move Up or Move Down to change its position and order
number. You can also use the up and down arrows on the toolbar.
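The following is an added example, not code from the book or from NPS itself: a model of how the policies built in the Sales and Administrators example are processed, in order, for a connection request. It also shows why the order discussed above matters, because a user who belongs to both groups gets whichever policy is evaluated first. The policy names, groups, user names and the "Virtual (VPN)" port type label are constructed for the example.

```python
# Added example (not from the book): a model of how NPS processes network
# policies in order, using the Sales/Administrators scenario from the text.
# Policy names, groups and users are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    windows_groups: frozenset    # Windows-Groups condition; empty means no group condition
    nas_port_types: frozenset    # NAS-Port-Type condition; empty means any connection type
    access_granted: bool         # Access Granted / Access Denied
    multilink: str = "server"    # Multilink setting: "server", "deny" or "allow"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    nas_port_type: str
    dialin: str = "policy"       # user account dial-in property: "allow", "deny" or "policy"


def policy_matches(policy: Policy, req: Request) -> bool:
    # Every condition on a policy must match. A Windows-Groups condition listing
    # several groups matches a user who belongs to any one of them.
    if policy.windows_groups and not (policy.windows_groups & req.groups):
        return False
    if policy.nas_port_types and req.nas_port_type not in policy.nas_port_types:
        return False
    return True


def evaluate(policies_in_order, req: Request, server_multilink: str = "allow"):
    """Return (decision, policy name, multilink) for a connection request.

    The first policy whose conditions match is the only one applied; if no
    policy matches, the request is rejected. The user account's dial-in
    property, when set to allow or deny, overrides the policy's access
    permission, as the text notes.
    """
    for p in policies_in_order:
        if not policy_matches(p, req):
            continue
        if req.dialin == "deny" or (req.dialin == "policy" and not p.access_granted):
            return ("deny", p.name, None)
        multilink = server_multilink if p.multilink == "server" else p.multilink
        return ("grant", p.name, multilink)
    return ("deny", None, None)


# The two policies the text builds, plus the default catch-all policy that
# denies everyone it reaches.
SALES = Policy("Sales", frozenset({"Sales"}), frozenset({"Virtual (VPN)"}), True, "deny")
ADMINS = Policy("Administrators", frozenset({"Administrators"}), frozenset({"Virtual (VPN)"}), True, "allow")
DEFAULT_DENY = Policy("Connections to other access servers", frozenset(), frozenset(), False)


def demo() -> dict:
    """Show that processing order decides the result for a user in both groups."""
    both = Request("alice", frozenset({"Sales", "Administrators"}), "Virtual (VPN)")
    sales_only = Request("bob", frozenset({"Sales"}), "Virtual (VPN)")
    outsider = Request("eve", frozenset({"Guests"}), "Virtual (VPN)")
    denied_user = Request("carol", frozenset({"Administrators"}), "Virtual (VPN)", dialin="deny")
    return {
        "both_sales_first": evaluate([SALES, ADMINS, DEFAULT_DENY], both),
        "both_admins_first": evaluate([ADMINS, SALES, DEFAULT_DENY], both),
        "sales_only": evaluate([ADMINS, SALES, DEFAULT_DENY], sales_only),
        "outsider": evaluate([ADMINS, SALES, DEFAULT_DENY], outsider),
        "dialin_denied": evaluate([ADMINS, SALES, DEFAULT_DENY], denied_user),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result}")
```

With the Sales policy ordered first, an administrator who is also in the Sales group is granted access but denied multilink; move the Administrators policy above it and the same user gets multilink. A user in neither group falls through to the catch-all policy and is rejected, and a user whose account is set to Deny Access is rejected whichever policy matches.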
FIGURE 6-18
The Network Policy Server console.
Using RADIUS
Windows Server 2008 uses NPS to enable a Windows Server 2008 computer to function as a RADIUS
(Remote Authentication Dial-In User Service) server. In addition to providing authentication services,
RADIUS also performs accounting and keeps track of user logon, session duration, logoff,
and so on. You can use NPS to provide authentication for RRAS, IIS, or other services, including
providing authentication for non-Microsoft dial-up servers. Any dial-up modem pool that
supports RADIUS, for example, can authenticate clients through a Windows Server 2008
running NPS.
The NPS service does not have to be installed on the same server as RRAS. In fact, the NPS
server could be located not only on a different server, but also in a different subnet. You
specify the IP address or FQDN of the NPS server when you configure the RRAS server to
enable RRAS to locate it.
Configuring RADIUS
NPS uses certain security measures to restrict which services can connect to RADIUS for
authentication. Services that use NPS to authenticate remote users are called clients. You need
to configure RRAS and NPS to allow specific clients — such as your RRAS server — to connect
to a RADIUS server to authenticate users. To enable a client to connect, open the NPS console
and then open the policy. On the Properties dialog box click the Settings tab to manage RADIUS
clients. You can choose Standard clients or Vendor Specific clients.
Configuring accounting
NPS performs logging of accounting requests, authentication requests, and periodic status. You
can configure NPS to use one of two file formats: NPS-compatible or database-compatible. Both
options create a delimited text file. The latter is useful for importing the log file into a database
such as Access or SQL Server. You can also configure NPS to log to a SQL Server directly (covered next).
You configure logging through the NPS console. In the console, click the NPS node, and then
click the Local File item in the right pane to display its properties. Use the Settings page to configure which events are logged. Use the Log File page to control the size of the log, how often
the log is replaced, and its location.
You can configure NPS to log to a SQL Server database. To enable SQL Server logging, click the
SQL Server option in the right pane to open the SQL Server Properties dialog box. As with local
file logging, you specify the types of events you want NPS to include in the log. Also specify
the maximum number of concurrent client connections to the logging server, and then click
Configure to open the Data Link Properties dialog box, where you specify the target SQL Server,
database name, authentication credentials, connection permissions, and initialization variables for
the database.
Configuring Outgoing Dial-Up Networking Connections
In addition to using RRAS to support dial-in users, you can also configure dial-out connections.
For many users, this means creating a dial-up connection to the Internet, although with
Windows Server 2008, it’s more likely that you’ll be creating demand-dial router or client
connections to another server or to a router. Network address translation (NAT) and routing
are covered in detail earlier in this chapter. This section of the chapter assumes you need to
configure Windows Server 2008 dial-up connections to a RAS server or the Internet.
Creating a connection
As with nearly every configuration issue, Windows Server 2008 provides a wizard to automate
creation of dial-up connections. Click Start, click Network, and open the Network console. Then
right-click the Network node and click Properties. This will open the Network and Sharing
Center. Under Tasks, click the ‘‘Set up a connection or network’’ option. You are now
presented with several options to establish persistent connections to remote networks. If the OS
detects a modem, you will be able to specify the connection method (modem, broadband, and
so forth), authentication credentials, phone number, and other applicable information.
Configuring connection properties
After you create a connection, you can modify its properties. Most of the properties are
self-explanatory, and you can configure such properties as the server’s phone number or, in
the case of a VPN server, the IP address, or FQDN. Other options configure such properties as
redial attempts, idle time before hang-up, and so on. You should have no trouble configuring
these settings. The following sections explain a handful of configuration issues that are perhaps
not as intuitive as the others.
Security and authentication
The security option for a connection enables you to specify the authentication method used
for the connection. By default, Windows Server 2008 sets up the connection to allow unsecured
passwords, which means the client can send the password in plain text, making it susceptible to
interception. This is shown in Figure 6-19.
After your connection is created, simply click the Connect to a Network option. This loads the
Connect to a network panel, which contains a list of connections you have created. To edit the
connection, right-click the connection and select Properties. You can select Require Secured Password
from the ‘‘Verify my identity as follows’’ drop-down list to force the connection to require
encryption for the password. The method used for encryption depends on the authentication
method negotiated with the remote server. The following two options work in conjunction with
the Require Secured Password option:
■ Automatically Use My Windows Logon Name and Password (and Domain if Any).
Select this option to have the connection automatically use your current logon name, password, and domain for logon to the remote server.
■ Require Data Encryption (Disconnect if None). Select this option to force data encryption for the connection and disconnect if the server doesn’t offer a supported encryption
method. You can prevent encryption through the Advanced properties (explained next).
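The following is an added example, not code from the book or from Windows: it shows what the difference between an unsecured and a secured password looks like on the wire, by contrasting PAP, which carries the password itself, with CHAP as specified in RFC 1994, where the client proves it knows the password by hashing it with a challenge the server chose. The user name, password and challenge are constructed for the example; the ChapServer class is a model of the server side, not the RRAS implementation.

```python
# Added example (not from the book): PAP versus CHAP (RFC 1994), to show why
# "Require Secured Password" keeps the password itself off the link. User name,
# password and challenge values are constructed for this example.
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response Value = MD5(Identifier || Secret || Challenge Value)
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def pap_request(username: str, password: str) -> dict:
    # A PAP Authenticate-Request carries the peer id and the password in clear.
    return {"type": "PAP", "peer_id": username, "password": password}


class ChapServer:
    """Server side of CHAP: issues challenges and verifies responses."""

    def __init__(self, secrets_by_user: dict):
        # CHAP needs the server to hold each user's secret in a usable form,
        # one reason the text prefers the EAP-based methods.
        self._secrets = secrets_by_user
        self._identifier = 0
        self._outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        self._identifier = (self._identifier + 1) & 0xFF
        chal = secrets.token_bytes(16)  # fresh, unpredictable challenge each time
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        chal = self._outstanding.pop(identifier, None)  # each challenge is single-use
        secret = self._secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def chap_exchange(server: ChapServer, username: str, password: str) -> dict:
    """One client/server round trip; returns what crossed the link and the outcome."""
    ident, chal = server.challenge()                       # server -> client: Challenge
    resp = chap_response(ident, password.encode(), chal)   # client -> server: Response
    ok = server.verify(ident, username, resp)              # server -> client: Success/Failure
    return {"identifier": ident, "challenge": chal, "response": resp, "success": ok}


def replay_fails(server: ChapServer, username: str, password: str) -> bool:
    """A captured Response is useless against the next Challenge."""
    first = chap_exchange(server, username, password)
    ident2, _ = server.challenge()
    return first["success"] and not server.verify(ident2, username, first["response"])


if __name__ == "__main__":
    srv = ChapServer({"alice": b"constructed-password"})
    print("PAP on the wire:", pap_request("alice", "constructed-password"))
    ex = chap_exchange(srv, "alice", "constructed-password")
    print("CHAP on the wire:", ex["challenge"].hex(), ex["response"].hex(), ex["success"])
    print("replay rejected:", replay_fails(srv, "alice", "constructed-password"))
```

The PAP frame contains the password as typed, so anyone who can read the link has it; the CHAP frames contain only the challenge and a 16-byte digest, and a captured digest does not verify against a later challenge. CHAP still lets an observer mount an offline guess against the digest, and the server must keep the secret in a usable form, which is why the text recommends the EAP methods where the server supports them.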
FIGURE 6-19
Specify user credentials to connect to a network.
You also can use a smart card for authentication. Select the option Use Smart Card
from the Validate drop-down list to use a smart card for authentication. This option
must be supported by the remote server in order for the connection to succeed.
Select Advanced on the Security page and click Settings if you want a finer degree of control
over authentication settings (such as configuring EAP or other protocols). Use the Data Encryption drop-down list to specify whether encryption can be used or is required for the connection.
The options are self-explanatory.
If you choose any protocols other than EAP, you simply need to select which protocol(s) you
want the connection to attempt. You can select multiple protocols. If dialing a Windows Server
2008 RRAS server, the server will attempt authentication based on the security offered by each
method, choosing the most secure whenever possible.
Configuring EAP
Configuring a client to use EAP takes a little more effort. Select the option Use Extensible
Authentication Protocol (EAP), and then select either MD5-Challenge or Smart Card or Other
Certificate from the associated drop-down list. If you select Smart Card or Other Certificate,
click Properties to display the Smart Card or Other Certificate dialog box. Select options
using the following list as a guide:
■ Use My Smart Card. Select this option if you have a smart card reader attached to your
system and a smart card to use for authentication.
■ Use a Certificate on This Computer. Select this option to use a certificate installed on
your computer to provide authentication.
■ Validate Server Certificate. Select this option to have your computer verify that the certificate provided by the server is still valid (not expired). Deselect the option to have the
client accept the server’s certificate without checking it.
■ Connect to These Servers. Use this option to limit connections to servers that reside in a
specified domain. For example, enter mcity.us if you only want to connect to servers in
the mcity.us domain (server1.mcity.us, ras.mcity.us, and so on).
■ Trusted Root Certificate Authorities. Select the trusted root certificate authorities for
the server.
■ Use a Different User Name for the Connection. Select this option if the username
stored in the smart card or associated with the certificate you’re using is not the same as
the username you need to use to log on in the remote domain.
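The following is an added example, not code from the book or from the Windows EAP client: a model of the server-side checks that the Validate Server Certificate, Connect to These Servers and Trusted Root Certificate Authorities options describe, including the look-alike names a domain check must reject. The certificates are plain dictionaries constructed for the example (a real client takes them from the TLS handshake), and the root CA name is constructed; the mcity.us domain is the one the text uses.

```python
# Added example (not from the book): a model of the three checks behind the
# Smart Card or Other Certificate options. Certificates are plain dicts
# constructed for this example; the CA name is constructed as well.
from datetime import datetime, timezone


def name_in_domain(server_name: str, domain: str) -> bool:
    """Connect to These Servers: accept only host names within the configured domain.

    The match is on whole DNS labels, so "mcity.us" admits "ras.mcity.us" but not
    "notmcity.us" or "mcity.us.example.net".
    """
    s = server_name.lower().rstrip(".")
    d = domain.lower().strip(".")
    return s == d or s.endswith("." + d)


def validate_server(cert: dict, policy: dict, now: datetime) -> tuple:
    """Return (accepted, reason) for a server certificate under a connection's EAP settings."""
    if policy.get("validate_server_certificate", True):
        # Validate Server Certificate: validity period and a selected trusted root.
        if not (cert["not_before"] <= now <= cert["not_after"]):
            return False, "certificate expired or not yet valid"
        if cert["issuer"] not in policy.get("trusted_roots", set()):
            return False, "issuer is not a selected trusted root CA"
    domain = policy.get("connect_to_these_servers")
    if domain and not name_in_domain(cert["subject"], domain):
        return False, "server is outside the permitted domain"
    return True, "ok"


# Constructed settings mirroring the dialog: validate the certificate, trust one
# root, and only connect to servers in mcity.us.
POLICY = {
    "validate_server_certificate": True,
    "trusted_roots": {"MCITY Root CA"},
    "connect_to_these_servers": "mcity.us",
}
UNCHECKED = dict(POLICY, validate_server_certificate=False)  # Validate Server Certificate deselected


def _cert(subject, issuer="MCITY Root CA", valid_from=2008, valid_to=2010) -> dict:
    return {"subject": subject, "issuer": issuer,
            "not_before": datetime(valid_from, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(valid_to, 1, 1, tzinfo=timezone.utc)}


def demo(now: datetime = datetime(2009, 6, 1, tzinfo=timezone.utc)) -> dict:
    """Evaluate a set of constructed certificates; True means the client would proceed."""
    cases = {
        "good": (_cert("ras.mcity.us"), POLICY),
        "expired": (_cert("ras.mcity.us", valid_to=2009), POLICY),
        "untrusted_root": (_cert("ras.mcity.us", issuer="Some Other CA"), POLICY),
        "lookalike_suffix": (_cert("notmcity.us"), POLICY),
        "lookalike_prefix": (_cert("mcity.us.example.net"), POLICY),
        # With validation deselected the client accepts the untrusted certificate,
        # which is what the text warns the option does.
        "unchecked_untrusted": (_cert("ras.mcity.us", issuer="Some Other CA"), UNCHECKED),
    }
    return {name: validate_server(cert, pol, now)[0] for name, (cert, pol) in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:20s} {'accept' if accepted else 'reject'}")
```

The domain check compares whole labels rather than a raw string suffix; a plain endswith("mcity.us") test would accept notmcity.us, and a raw substring test would accept mcity.us.example.net. Deselecting Validate Server Certificate removes both the validity and the trusted-root check, so the connection then proceeds to whatever presents a certificate, which is why the text recommends leaving it selected.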
Configuring protocols
Just as you can with a LAN connection, you can configure a dial-up connection for more than
one protocol, or perhaps you have more than one protocol enabled for a connection and want to
turn off the protocol for dial-up but leave it enabled for the LAN. To change your protocol settings, click the Networking tab and click the Properties button. You can also remove a protocol,
but keep in mind that removing it removes it from the computer altogether, and other connections won’t be able to use it.
For more information on configuring network protocols, see Chapter 3.
Multilink and BAP Revisited
As explained earlier in this chapter, some dial-up servers support multilink connections that
enable you to connect to the RRAS server with multiple links (two or more modems, for
example) to create an aggregate connection with a total bandwidth equal to the sum of all connected links. Windows Server 2008 dial-up networking supports multilink dial-out connections
and can optionally use Bandwidth Allocation Protocol (BAP) to dynamically add and drop links
as needed to accommodate changes in bandwidth usage. The remote server you connect to must
support multilink and must also support BAP if you use BAP on the client side.
Most ISPs that support multilink also charge you for the capability to use multiple
connections. Paying for multiple user accounts won’t work for multilink, because
Windows Server 2008 treats the individual connections as a single one and uses a single username/password pair for establishing all links. Moreover, the server needs to support multilink
to enable bandwidth to be aggregated on the server side for your connections. Just dialing two
separate accounts would give you two non-aggregated connections.
Before configuring multilink for a dial-up connection, you need to first install the multiple
devices you’ll be using to dial out. If you only have one device installed, the multilink options
are not shown. If multiple devices are installed but only one is selected for the connection, the
multilink options are dimmed.
After installing all connection devices, open the NPS console (from RRAS) and double-click the
policy to edit. This action will open the Properties for the policy. You can then select the settings page, and click the Multilink option. If you need to configure different numbers for each
one, or need to make sure that all devices call the same numbers, or if you need to hunt groups
to distribute calls, and so on, you would do this in RRAS itself.
Windows Server 2008 does not automatically reinitialize dropped multilink links
unless you’re using BAP. Selecting the option Dial All Devices might get you an
aggregate link, but there is nothing to prevent the connection from suffering attrition as links
are dropped and not reestablished. You can force links to reinitialize by setting relatively low
usage conditions. Select Dial Devices Only as Needed from the Options page of the connection’s
properties and then set automatic dialing to low values, such as 1 percent for five seconds.
Configuring dial-up networking to connect to the Internet
In most cases, you can re-run the Network and Sharing Center Wizard to create a new dial-up
connection to the Internet and use it as-is without problems. However, you might want or need
to fine-tune some of your settings for cost or performance reasons. The following sections examine common properties you might want to modify.
Controlling disconnects
Most ISPs implement an idle-disconnect period, causing a connection to be dropped when no
activity is detected for a specified amount of time. In most cases, the idle-disconnect works well,
but some ISPs don’t implement it and others that are configured for idle-disconnect seem to
work sporadically. If you’re paying for your connection by the hour, idle-disconnect can save
you a lot of money if you forget to disconnect or want the system to disconnect after a long,
unattended download.
You’ll find the option ‘‘Idle time before hanging up’’ on the Options property page for the connection. If your ISP doesn’t use idle-disconnect or you want to ensure that your connection disconnects even when the ISP doesn’t drop you, select the idle time that can occur before your
system automatically ends the connection.
The other side of the disconnect issue is the fact that you might want your system to stay
connected past the ISP’s idle-disconnect period. For example, you might be performing a long,
unattended download, but the remote server occasionally is idle for too long and the ISP drops
your connection. In this situation, you can download and use one of the many connection
utilities that maintains minimal traffic on your connection to ensure that it won’t be dropped.
You’ll find several such utilities at www.tucows.com. Alternatively, simply open your e-mail
client and configure it to check your e-mail every few minutes. The traffic going to the mail
server will be sufficient to keep your connection alive.
Online security
Another potential problem is that in some cases, other users on the Internet can see your
local folders and potentially gain access to your files. You can prevent that from occurring by
disabling the File and Printer Sharing service from the dial-up connection. The default condition
has this service disabled. Open the Network page of the connection’s property sheet and deselect
the File and Printer Sharing service. In addition, deselect any protocols other than TCP/IP if they
are enabled and you don’t need them for a specific reason.
You should also consider enabling ICF on the interface. You’ll find ICF on the Advanced tab of
the connection’s properties.
Summary
Windows Server 2008 RRAS integrates routing with remote access into a single service. Remote
users can connect to a Windows Server 2008 RRAS server to gain access to resources on the
server or the network. Users can authenticate against the server’s local accounts, against domain
accounts, or against a RADIUS server. Windows Server 2008 includes the Network Policy Server
Service, which you can use to configure a Windows Server 2008 computer as a RADIUS server,
providing full authentication and accounting services. Windows Server 2008 supports several
authentication methods offering varying degrees of security for both Windows and RADIUS
authentication.
Virtual Private Networking support in RRAS enables remote clients to establish a secure
connection to a Windows Server 2008 or its network through a public network such as the
Internet. In addition to supporting PPTP, Windows Server 2008 RRAS also adds support for
L2TP, which provides additional security over PPTP. Demand-dial router connections can also
use PPTP and L2TP, making Windows Server 2008 RRAS a good solution for establishing secure
network-to-network connections over the Internet.
Dial-up networking in Windows Server 2008 enables all versions of the operating system to
function as a remote access client. Though RRAS dial-out is more prevalent on workstations, the
same capabilities are available in Windows Server 2008. You can create dial-up connections to
private networks, the Internet, or individual computers.
Page 286
Shapiro
c07.tex
V2 - 06/12/2008
4:18pm
Backup and Restore
Every MIS or network administrator has a horror story to tell
about backing up and restoring systems or data. One organization
for which we manage more than a dozen backup servers has
data processing centers spread all across the United States, and all are
interconnected via a large, private wide-area network. Not long ago, a
valuable remote Microsoft SQL Server machine just dropped dead. The IT
doctor said it had died of exhaustion . . . five years of faithful service and
never a day’s vacation. After trying everything to revive it, we instructed
the data center’s staff to ship the server back to HQ for repairs.
The first thing we asked the IT people at the remote office was: ‘‘You’ve
been doing your backups every day, right?’’ ‘‘Sure thing,’’ they replied.
‘‘Every day for the past five years.’’ They sounded so proud that we were
overjoyed. ‘‘Good, we need to rebuild your server from those tapes, so
send them all to us with the server.’’ To cut a frustrating story short, the
five years’ worth of tapes had nada on them — not a bit nor a byte. Zilch.
We spent two weeks trying to make sense of what was on that SQL Server
computer and rebuild it. We refuse to even guess the cost of that loss.
We have another horror story to relate later, but this example should
make clear to you that backup administration, a function of disaster
recovery, which we discuss in more depth in the next chapter, is one of
the most important IT functions you can have the fortune to be charged
with. Backup administrators need to be trained, responsible, and cool
people. They need to be constantly revising and refining their practice and
strategy; their companies depend on them.
IN THIS CHAPTER
■ Understanding backup practice and procedure
■ Introducing removable storage and media pools
■ Using the backup tools that come with Windows Server 2008
■ Working with shadow copies
This chapter serves as an introduction to backup-restore procedures on
Windows Server networks, the Backup-Restore utility that ships with the
operating system, and the Windows Server 2008 Removable Storage Manager. Before we get
into all of this, however, let’s consider several angles on the backup/restore functions expected
of administrators.
Why Back Up Data?
You back up data for the following two reasons, and even Windows Server 2008, with its fancy
tools, rarely highlights the differences:
■ Record-keeping (such as annual backups performed every month)
■ Disaster recovery (DR) or system recovery
You should make an effort to determine when a file is no longer valuable for
disaster recovery, at which point it should be archived for record-keeping. Depending
on your company’s needs, this period may vary from a week to a couple of weeks or from a
month to a couple of months — and even years. There is no point in buying media for annual
backups for a site you know is due to close in six months.
What to Back Up
Often, administrators back up every file on a machine or network and dump the whole pile into
a single backup strategy. Instead, they should be dividing files into two distinct groups:
■ System files comprise files that do not change between versions of the applications and
operating systems.
■ Data files comprise all the files that change every day, such as word-processing files,
database files, spreadsheet files, media files, graphics files, and configuration files (such
as the registry, and the DHCP, WINS, DNS, and Active Directory databases). Depending
on your business, data files can change from 2 percent per day on the low side to 80
percent per day on the high side. The average across many of the businesses for which we
have consulted is that around 20 percent of the files change every day. You must also consider
the new files that arrive.
Understanding the requirements makes your life in the admin seat easier, because this is one of
the most critical of all IT or network admin jobs. One person’s slip-up can cause millions of dollars in data loss. How often have you backed up an entire system that was lost for some reason
only to find out that in order to restore it, you needed to reinstall from scratch? ‘‘So why was I
backing up the system,’’ you may have asked yourself. And how often have you restored a file
for a user who then complained that he or she lost five days’ worth of work on the file because
the restore was so outdated? It’s happened to us on many occasions and is very disheartening
when you are trying so hard to keep your people productive.
Nothing is worse than trying to recover lost data, knowing that all on Mahogany Row are sitting
idle, with the IT director standing behind you in the server room, and discovering that you
cannot recover. The thought of your employment record being pulled should be enough to
make you realize how important it is to pay attention to this function.
We delve into these two subjects in depth in this chapter and explore how Windows Server
2008 can help you better manage your recovery and record-keeping processes. We start by
focusing on the data side of the backup equation before leading this discussion into system
backup/restore.
Understanding Backup
Before you can get started using the Windows Server 2008 backup program or any other backup
program, you need to know how backing up works and have a basic backup strategy in mind.
Understanding archive bits
The archive bit is a flag, or a unit of data, indicating that the file has been modified. When we
refer to the setting of the archive bit, we mean that we have turned it on or that we have set it
to 1. Turning it off means that we set it to zero (0). If the archive bit is on, the file has been
modified since we last backed it up.
Trusting the state of the archive bit, however, is not an exact science by any means, because it
is not unusual for other applications (and developers) and processes to mess with the archive
bit. This is the reason we recommend that a full backup be performed on all data at least once
a week.
What is a backup?
A backup is an exact copy of a file (including documentation) that is kept on a storage medium
(usually in a compressed state) in a safe place (usually at a remote location) for use in the event
that the working copy is destroyed. Notice that we placed emphasis on ‘‘including documentation,’’
because every medium holding backups must include a history or documentation of the files
on the media. This is usually in the form of labels and identification data on the media itself, on
the outside casing, and in spreadsheets, hard catalogs, or data ledgers in some form or another.
Without history data, restore media cannot locate your files, and the backup is useless. This is
why you can prepare a tape for overwriting by merely formatting the label so that the magnetic
head thinks the media is blank.
Various types of backups are possible, depending on what you back up and how often you back
it up, as the following list describes:
■ Archived backup. A backup that documents (in header files, labels, and backup records)
the state of the archive bit at the time of copy. The state (on-off) of the bit indicates to the
backup software that the file has been changed since the last backup. When Windows
Server 2008 Backup does an archived backup, it sets the archive bit accordingly.
■ Copy backup. An ad hoc ‘‘raw’’ copy that ignores the archive bit state. It does not set the
archive bit after the copy. A copy backup is useful for quick copies between DR processes
and rotations or to pull an ‘‘annual’’ during the monthly rotation. (We discuss this in the
section ‘‘Setting Up Schedules’’ later in this chapter.)
■ Daily backup. This does not form part of any rotation scheme (in our book, anyway). It
is just a backup of files that have been changed on the day of the backup. We question the
usefulness of the daily backup in Backup, because mission-critical DR practice dictates the
deployment of a manual or automated rotation scheme (described later in the ‘‘Performing
a Backup’’ section). In addition, Backup does not offer a summary or history of the files
that have changed during the day. If you were responsible for backing up a few million
files a day . . . well, this just would not fly.
■ Normal backup. A complete backup of all files (that can be backed up), period. The term
normal is more a Windows Server 2008 term, because this backup is more commonly
called a full backup in DR circles. The full backup copies all files and then clears (turns off) the
archive bit to indicate (to Backup) that the files have been backed up. You would do a full backup
at the start of any backup scheme. You would also need to do a full backup after making
changes to any scheme. A full backup, and documentation or history drawn from it, is the
only means of performing later incremental backups. Otherwise, the system would not
know what has or has not changed since the last backup.
■ Incremental backup. A backup of all files that have changed since the last full or incremental backup. The backup software clears the archive bit, which thereby denotes that the
files have been backed up. Under a rotation scheme, a full restore would require you to
have all the incremental media used in the media pool, all the way back to the first media,
which contains the full backup. You would then have the media containing all the files
that have changed (and versions thereof) at the time of the last backup.
■ Differential backup. This works exactly like the incremental, except that it does not
do anything to the archive bit. In other words, it does not mark the files as having been
backed up. When the system comes around to do a differential backup, it compares the
files to be backed up with the original catalog. Differential backups are best done on a
weekly basis, along with a full, or normal, backup, to keep differentials comparing against
recently backed up files.
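To make the archive-bit rules of these backup types concrete, here is an added simulation (not code from the book or from Windows Server Backup): a tiny file system whose writes turn the bit on, the selection and clearing rule of each type, and the restore chain each type leaves you with. The file names, dates and contents are constructed.

```python
"""Simulation of the archive-bit rules behind the backup types listed above.
Added example, not code from the book or from Windows Server Backup; the
file names, dates and contents are constructed for the demonstration."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class File:
    content: str
    modified: date
    archive: bool = True   # on (1) = changed since the last backup that cleared it


@dataclass
class BackupSet:
    kind: str              # normal | incremental | differential | copy | daily
    taken: date
    catalog: dict = field(default_factory=dict)   # path -> content captured


def write_file(fs, path, content, when):
    """Stand-in for the operating system: any write turns the archive bit on."""
    fs[path] = File(content, when, archive=True)


def back_up(fs, kind, when):
    """Select files the way each type does, then clear the archive bit only for
    the types the chapter says mark files as backed up (normal, incremental)."""
    if kind in ("normal", "copy"):            # everything, bit state ignored
        chosen = list(fs.items())
    elif kind in ("incremental", "differential"):
        chosen = [(p, f) for p, f in fs.items() if f.archive]
    elif kind == "daily":                     # changed on that day, bit ignored
        chosen = [(p, f) for p, f in fs.items() if f.modified == when]
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    bset = BackupSet(kind, when, {p: f.content for p, f in chosen})
    if kind in ("normal", "incremental"):
        for _, f in chosen:
            f.archive = False
    return bset


def restore_plan(sets):
    """Media to read, in order, to rebuild the latest state: the last full,
    every incremental after it, and the newest differential if it postdates
    those incrementals. Copy and daily sets never enter the rotation."""
    fulls = [i for i, s in enumerate(sets) if s.kind == "normal"]
    if not fulls:
        raise ValueError("no full (normal) backup in the pool: nothing to restore from")
    after = sets[fulls[-1] + 1:]
    incs = [s for s in after if s.kind == "incremental"]
    diffs = [s for s in after if s.kind == "differential"]
    plan = [sets[fulls[-1]]] + incs
    if diffs and (not incs or diffs[-1].taken > incs[-1].taken):
        plan.append(diffs[-1])
    return plan


def restore(sets):
    """Apply the plan oldest to newest; later copies overwrite earlier ones."""
    rebuilt = {}
    for s in restore_plan(sets):
        rebuilt.update(s.catalog)
    return rebuilt


def run_week():
    """Constructed week: a full, then changes backed up with mixed types."""
    fs, sets = {}, []
    write_file(fs, "ledger.xls", "v1", date(2008, 6, 2))
    write_file(fs, "memo.doc", "v1", date(2008, 6, 2))
    sets.append(back_up(fs, "normal", date(2008, 6, 2)))        # clears both bits
    write_file(fs, "ledger.xls", "v2", date(2008, 6, 3))
    sets.append(back_up(fs, "incremental", date(2008, 6, 3)))   # ledger only; bit cleared
    write_file(fs, "memo.doc", "v2", date(2008, 6, 4))
    sets.append(back_up(fs, "copy", date(2008, 6, 4)))          # all files; bits untouched
    sets.append(back_up(fs, "differential", date(2008, 6, 4)))  # memo only; bit stays on
    write_file(fs, "ledger.xls", "v3", date(2008, 6, 5))
    sets.append(back_up(fs, "differential", date(2008, 6, 5)))  # memo and ledger
    return fs, sets


if __name__ == "__main__":
    fs, sets = run_week()
    for s in sets:
        print(s.taken, s.kind, sorted(s.catalog))
    print("restore needs:", [(s.taken.isoformat(), s.kind) for s in restore_plan(sets)])
    print("rebuilt matches disk:", restore(sets) == {p: f.content for p, f in fs.items()})
```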
What is a restore?
A restore is the procedure you perform to return a working copy of a file or collection of files to
a computer’s hard disks in the event that they are lost or destroyed. You often perform a restore
for no reason other than to return files to a former state (such as when a file is mangled,
truncated, corrupted, or infected with a virus).
Restore management is crucial in the DR process. If you lose a hard disk or the entire machine
(for example, it is trashed, stolen, lost, or fried in a fire), you need to rebuild the machine and
have it running in almost the same state (if not exactly) that its predecessor was in at the time of
the loss. How you manage your DR process determines how much downtime you experience or
the missing generation of information between the last backup and the disaster — a period we
call void recovery time.
Understanding how a backup works
A collection of media, such as tapes or disks, is known as a backup set. (This is different from a
media pool, which we discuss in the following section.) The backup set is the backup media containing all the files that were backed up during the backup operation. Backup uses the name and
date of the backup set as the default set name. Backup enables you to either append to a backup
set in future operations or replace or overwrite the files in the media set. It enables you to name
your backup set according to your scheme or regimen.
Backup also compiles a summary or history catalog of the backed-up files, which is called a
backup set catalog. If your backup set contains several media, the catalog is stored on the last
medium in the set, at the end of the file backup. The backup catalog is loaded whenever you
begin a restore operation. You can select the files and folders you need to restore from the
backup catalog.
Removable Storage and Media Pools
Removable Storage (RS) was introduced in Windows 2000, so it’s had nearly a decade to prove
itself. It removes a lot of the complexity of managing backup systems. This service also brings
network support to Windows for a wider range of backup and storage devices.
Microsoft took the responsibility of setting up backup devices and management of media away
from the old Backup application and created a central authority for such tasks. This central
authority, Removable Storage, is one of the largest and most sophisticated features of the operating system, worth the price of the OS license alone, and a welcome member on any network. If
you are not ready to convert to a Windows Server 2008 network, you might consider raising a
Windows Server 2008 Backup server just to obtain the reliable services of Removable Storage on
a Windows Server 2008 platform.
Removable Storage is like an iceberg; in this chapter we can show you only the tip. Exposing the
rest of this monster service and everything you can do with it is beyond the scope of this treatise, and a full treatment of the subject would run into several chapters. To fully appreciate this
service — and if you need to get into some serious disaster-recovery strategies, possibly even
custom backup and media handling algorithms — refer to the Microsoft documentation covering
both the Removable Storage Service and its API and the Tape/Disk API. The following section
provides an introduction to the service.
The Removable Storage Service
Removable Storage comprises several components, but the central nervous system of this technology is the Removable Storage Service and the Win32 Tape/Disk API. These two components,
respectively, expose two application programming interfaces (APIs) that any third party can
access to obtain removable storage functionality and gain access to removable storage media
and devices. The Backup program that ships with the OS makes use of both APIs to provide a
usable, but not too sophisticated, backup service.
By using the two services, applications do not need to concern themselves with the specifics of
media management, such as identifying cartridges, changing them in backup devices, cataloging,
numbering, and so on. This is all left to the Removable Storage Service. All the application
requires is access to a media pool created and managed by Removable Storage. The backup
application’s responsibility is identifying what needs to be backed up or restored and the source
and destination of data; Removable Storage handles where to store it, what to store it on, and
how to retrieve it. Essentially, the marriage of backup-restore applications and Removable
Storage has been consummated along client-server principles.
The interface to Removable Storage is the Removable Storage Snap-in. The interface runs in
Microsoft Management Console, which can be configured as explained in Chapter 2. Before you
can use the snap-in, the Removable Storage service first has to be installed. This can be done
using the Add Features Wizard in Server Manager (see Chapter 2).
The Removable Storage Service can also be accessed directly by programming against the
API. You can also work with it interactively (albeit not as completely as programming
against the API) in the Removable Storage node found in the Computer Management snap-in
(compmgmt.msc). Before we begin with any hard-core backup practice, we need to look at
Removable Storage and how it relates to backup and disaster recovery.
Removable Storage is also briefly discussed in Chapter 13.
The service provides the following functionality to backup applications, also known as backup
clients or data-moving and data-fetching clients:
■ Management of hardware, such as drive operations, drive health and status, and drive
head cleaning.
■ Mounting and dismounting of cartridges and disks (media).
■ Media inventory.
■ Library inventory.
■ Access to media and their properties.
Access to the actual hardware is hidden from client applications, but the central component
exposed to all clients is the media pool. To better understand the media pool concept in
Removable Storage, you should first understand media.
Backup media ranges from traditional tape cartridges to magnetic disk, optical disk (CD-ROM,
DVD), and so on. More types of media are becoming available, such as ‘‘sticks’’ and ‘‘cards’’ that
you can pop into cameras and pocket-sized PCs, but these are not traditional backup media
formats, nor can they hold the amount of data you would want to store. DVD, a digital-video
standard, however, is a good choice for backing up data, because so much can be stored on a
single DVD disk.
Like the dynamic disk-management technology discussed in Chapter 13, Removable Storage
hides the physical media from the clients. Instead, media is presented as a logical unit, which
is assigned a logical identifier or ID. If a client needs to store or retrieve data from media, it
does not deal with the physical media but with that media’s logical ID. The logical ID can thus
encapsulate any physical media, the format of which is of no concern to the client application.
Although the client need not be concerned about the actual media, you (the backup
administrator) have the power to dictate onto which format or media type your
backups should be placed, by configuring media pools.
Media formats can be extremely complex. Some media enable you to write and read to both
sides; others enable access to only one side. How media is written to and read from differs from
format to format. Removable Storage handles all those peculiarities for you. Just as the Print
Spooler Service can expose the various features of thousands of different print devices, so can
Removable Storage identify many storage devices and expose their capabilities to you and the
application.
Finally, and most important from a cost/benefit perspective, Removable Storage enables media to
be shared by various applications. This ensures maximum use of your media assets.
The Removable Storage database
Removable Storage stores all the information it needs about the hardware, media pools, work
lists, and more in its own database. This database is not accessible to clients and is not a catalog
detailing which files are backed up and when they were backed up. Everything that Removable
Storage is asked to do or does is automatically saved in this database.
Physical locations
Removable Storage also completely handles the burden of managing media location, a chore
once shared between the client applications and the administrator, but the physical location
service deals with more than knowing in which cupboard, shoebox, vault, or offsite dungeon
you prefer your media stored; it is also responsible for the physical attributes of the hardware
devices used for backing up and restoring data. Understanding the information in this section is
worthwhile, because you need such knowledge to perform high-end backup services that protect
a company’s data.
Removable Storage splits the location services into two tiers: libraries and offline locations. When
a storage medium is online, it is inside a tape device of some kind that can at any time be fired
up to enable data to be accessed or backed up. When a medium is offline, you have taken it
out of its drive or slot and sent it somewhere. As soon as you remove a medium from a device,
Removable Storage makes a note in its database that the medium is offline.
Libraries can be single tape drives or highly sophisticated and very expensive robotic storage
silos comprising hundreds of drive bays. A CD-R/W tower, with 12 drives, is also an example
of a library. Media in these devices or so-called libraries are always considered online and are
marked as such in the database. Removable Storage also understands the physical components
that make up these devices.
Library components comprise the following:
■ Drives. All backup devices are equipped with drives. The drive machinery consists of the
recording heads, drums, motors, and other electronics. To qualify as a library, a device
requires at least one drive.
■ Slots. Slots are pigeonholes, pits, or holding pens in which online media are placed in an
online state. If the medium is needed for a backup, a restore, or a read, the cartridge or
disk is pulled out of the slot and inserted into the drive. After the medium is no longer
needed, the cartridge is removed from the drive and returned to its slot. The average tape
drive is not equipped with a slot, but all high-end, multidrive robotic systems are. The
basic slot-equipped machine typically comes equipped with two drives and 15 slots. Slots
are usually grouped into collections called magazines. Each magazine holds about five cartridges, and one magazine maintains a cleaning cartridge in one of the slots. You typically
have access to magazines so that you can populate them with the cartridges you fetched
from offline locations.
■ Transports. These are the robotic machines in high-end libraries that move cartridges
and disks from slots to drives and back again.
■ Bar code readers. Bar coding is discussed in the section ‘‘Labeling Media’’ later in this
chapter. It is a means by which the cartridges can be identified in their slots. You do not
need a bar-code reader-equipped system to use a multidrive or multislot system, because
media identifiers can also be written to the media, but bar code reading enables much
faster access to the cartridges because the system does not need to read information off the
actual media, which requires every cartridge to be pulled from a slot and inserted into a
drive — a process that could take as long as five minutes for every cartridge.
■ Doors. Doors differ from device to device and from library system to library system. In
some cases, the door looks like the door to a safe, which is released by Removable Storage whenever you need access to slots or magazines. Many systems have doors that only
authorized users can access. Some doors are built so strong that you would need a blowtorch to open them. On cheaper devices, especially single-drive/no-slot hardware, the
door is a small lever that Removable Storage releases so that you can extract the cartridge.
Other devices have no doors at all, but after Removable Storage sends an ‘‘open sesame’’
command to the ‘‘door,’’ the cartridge is ejected from the drive bay.
■ Insert/eject ports. IE ports are not supported on all devices. IE ports provide a high
degree of controlled access to the unit in a multislot library system. In other words, you
insert media into the port and the transport finds a free slot for it. By way of analogy, you
can think of the IE port function as a valet service. You hand your car keys to the valet,
who finds parking space for you.
If the hardware you attach supports any or all of these sophisticated features, Removable Storage
can ‘‘discover it’’ and use it appropriately.
You have dozens, if not hundreds, of devices from which to choose for backing up and storing
data. Removable Storage, as we discussed in the preceding sections, can handle not only traditional tape backup systems, but also CD silos, changers, and huge multidisk readers. If you want
to determine whether Removable Storage supports a particular device, follow the steps to create
a media pool discussed in the section ‘‘Performing a Backup’’ later in this chapter.
Media pools
A relatively new term in the Windows operating system is the media pool. If you are planning to
do a lot of backing up or have been delegated the job of backup operator or administrator, you
can expect to interact with media pools in your future backup-restore career.
A media pool, in the general sense of the term, is a collection of media organized as a logical
unit. Conceptually speaking, the media pool contains media that belong to any defined storage
or backup device, format, or technology assigned to your hardware, be it a server in the
office or one located on the WAN somewhere, 15,000 miles away. Each media pool can only
represent media of one type. You cannot have a media pool that combines DVD, DAT, and ZIP
technology, but you can back up your data to multiple media pools of different types if the
client application or function requires it.
Thinking of the media pool in terms of the hardware devices that are available to your system
(such as a CD-R/W or a DLT tape drive) may be easier for you. Try not to work with media
pools from dissimilar devices, especially in backing up zillions of files. For example, avoid
creating media pools that consist of Zip drives, DLT tape drives, and a CD-R/W changer. It
would make managing your media, such as offsite storage, boxing, and labeling, very difficult,
much like wearing a sandal on one foot and a hiking boot on the other and then justifying
walking with both at the same time because they both represent ‘‘pools’’ of walking attire.
Removable Storage separates media pools into two classes: system pools and application pools.
The Removable Storage Service creates system pools when it is first installed. By default, the
Removable Storage Service is enabled and starts up after you boot your system. If you disable it
or remove it from installation, any devices installed in your servers — or attached on external
busses — are ignored by Windows Server 2008 as if they did not exist. After Removable Storage
is activated, it detects your equipment; compliant devices are used in media pools automatically
created by the service or applications.
System pools
System pools hold the media that are not being used by any application. After you install new
media into your system, the first action that Removable Storage takes is to place the media into
a pool for unrecognized media. Then, after you have identified the media, you can make it available to applications by moving it to the free pools group. The system pools are built according
to the following groups:
■ Free pools. Free pools enable any application to access the media pools in this group. In
other words, these media pools can be made available to any application requiring free
media. Applications can draw on these media pools if they need to back up data. After
media pools are no longer required, they can be returned to this group.
■ Unrecognized pools. Media in these pools are not known to Removable Storage. If the
service cannot read information on a cartridge, or if the cartridge is blank, the media pool
supporting it is placed into this grouping.
■ Import pools. This group is for media pools that were used in other Removable Storage
systems, on other servers, or by applications that are compatible with Removable Storage
or that can be read by Removable Storage. Media written to by the Microsoft Tape Format
(MTF) can thus be imported into the local Removable Storage system.
Application pools
If an application is given access to a free media pool, either it creates a special pool into which
the media can be placed or you can create pools manually for the application by using the
Removable Storage snap-in, shown in Figure 7-1.
FIGURE 7-1
The Removable Storage snap-in.
A very useful and highly sought-after feature of Windows Server 2008 media pools is the fact
that permissions can be assigned to pools to enable other applications to use the pools or
to protect the pools in their own sets.
Multilevel media pools
Media pools can be organized into hierarchies, or nests. In other words, you can create media
pools that hold several other media pools. An application can then use the root media pool
and gain access to the different data storage formats in the nested media pools. Expect to see
sophisticated document storage, backup, and management applications using such media pools.
An example of using such a hierarchy of media pools can be drawn from a near disaster that
was averted during the writing of this chapter. One of our 15-tape DLT changers went nuts
and began reporting that our tapes were not really DLT tapes but alien devices that it could not
identify. The only way to continue backing up our server farm was to enlist every SCSI tape and
disk device on the network into one large pool. After the DLT library recovered, we could go
back to business as usual.
Work Queue and Operator Requests
Note the nodes for both Work Queue and Operator Requests in the Removable Storage tree.
These services provide a communications and information-exchange function between the
operator (the backup operator or administrator or the backup operator group) and Removable
Storage.
Work queue
Working backup applications and the RSS (Remote Storage Service) post their work requests to
the Removable Storage Service. To manage the multitude of requests that result from applications and services, each request for work from the RSS is placed into the work queue. The work
queue is very similar in concept to the print queue.
The work queue provides information on queue states on a continual basis, which is reported
to the details pane in the Work Queue node. For example, if an application is busy backing up
data, then an In Process state is posted to the details pane identifying the work request and its
state. Table 7-1 describes the work queue states reported to the Work Queue details pane.
TABLE 7-1
Work Queue States
State        Explanation
Queued       The work item has been queued. It is waiting for the RS service to examine the request.
In Process   RS is working on the work item.
Waiting      The request is waiting for a resource, currently being used by another service, before work on the item can continue.
Completed    RS has handled the work item successfully. The request has been satisfied.
Failed       RS has failed to complete the work item. The request did not obtain the desired service.
Cancelled    The work item has been cancelled.
Operator requests
No matter how sophisticated Removable Storage is, it just does not do some things. These
items are marked for the ‘‘human’’ work queue. For example, Removable Storage cannot fetch
cartridges from the cabinet or the storeroom. This is something you must do. The details pane
in the Operator Requests node is where Removable Storage posts its request states for you,
the operator. Removable Storage can also send you a message via the messenger service or the
system tray, just in case you have the habit of pretending the Operator Requests node does not
exist. Table 7-2 lists the possible Operator Request states.
TABLE 7-2
Operator Request States
State        Explanation
Submitted    The described request has been submitted, and the system is waiting for the operator’s input.
Refused      The operator has refused to perform the described request.
Completed    The operator has complied and has completed the described request.
Labeling media
Removable Storage can read data written to the labels on the actual tape or magnetic disk as
well as external information supplied in bar code format. The identification service is robust
and highly sophisticated and ensures that your media is not overwritten or modified by other
applications.
You need to provide names for your media pools; and if you can afford a bar code reader,
organize them according to serial numbers (represented as bar codes) for more accurate handling.
If you are planning to install a library system, get one that can read the bar codes from the
physical labels on the cartridge casing. This information is critical in locating a few files that
need restoring from 5 million files stored on 120 30-GB tapes. (The bigger the enterprise, the
more complex the backup and restore regimen and management.)
Another reason we prefer a numbering or bar code scheme for identifying media, as opposed
to labeling it according to the day of the week, is that a cartridge can often be inadvertently
written to on the wrong day. If that happens, you may have a cart named Wednesday but with
Tuesday data on it, which can get confusing and create unnecessary concern. With a bar code or
serial number, you can easily ensure that the Wednesday cart is returned to the Wednesday box
without needing to scratch out or change the label.
Practicing scratch and save
Although Windows Server 2008 does not cater to the concept of scratch and save sets, such
sets are worth a mention because you should understand the terms for more advanced backup
procedures. Simply put, a save set is a set of media in the media pool that cannot be overwritten
for a certain period of time. A scratch set is a set of media that is safe to overwrite. A backup
set should be stored and cataloged in a save set for any period of time during which the media
should not be used for backup. You can create your own spreadsheet or table of media rotating
in and out of scratch and save sets.
The principle behind scratch and save is to protect data from being overwritten for predetermined periods.
A monthly save set is saved for a month, for example, while a yearly set is saved for a year. After
a ‘‘safe’’ period of time has elapsed, you can move the save set to the scratch set. In other words,
after a set is moved out of the save status into the scratch status, you are tacitly allowing the files
on it to be destroyed. A save set becomes a scratch set if you are sure, through proper media
pool management, that other media in the pool contain both full and modified and current and
past files of your data and that destroying the data on the scratch media is safe.
Fully understanding the concept of save and scratch sets is important because they are the only
way you can ensure that your media can be safely recycled. The alternative is to make every
set a save set, which means that you never recycle the tapes . . . making your DR project a
very costly and risky venture because tapes that are being constantly used stretch and wear out
sooner.
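As an added worked example (not from the book), here is a small Python tracker for the spreadsheet of media rotating between save and scratch sets described above. The cartridge serials, retention periods and dates are constructed, and the rule that a set may drop to scratch only when a newer verified full backup of the same source is still in the pool is an assumption drawn from the caveat in the text.

```python
"""Track which cartridges in a media pool are in the save set (must not be
overwritten) and which may drop to the scratch set (safe to reuse).

Constructed illustration of scratch-and-save bookkeeping; serials, retention
periods and dates are made up and are not from the book.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Retention per backup-set type: a monthly set is saved for a month and a
# yearly set for a year; the daily and weekly periods are assumed values.
RETENTION_DAYS = {"daily": 7, "weekly": 35, "monthly": 31, "yearly": 365}


@dataclass
class Cartridge:
    serial: str        # bar code or serial number, not a weekday label
    source: str        # server or volume the set was taken from
    set_type: str      # daily, weekly, monthly or yearly
    backup_kind: str   # "full" or "incremental"
    taken: date
    verified: bool     # did the post-backup verify pass?


def retention_expires(cart: Cartridge) -> date:
    """Date on which a cartridge's save period ends."""
    return cart.taken + timedelta(days=RETENTION_DAYS[cart.set_type])


def newer_full_exists(cart: Cartridge, pool: list[Cartridge]) -> bool:
    """Assumed safety rule: a set may only drop to scratch if other media in
    the pool still hold a verified full backup of the same source that is at
    least as recent as this one."""
    return any(
        other is not cart
        and other.source == cart.source
        and other.backup_kind == "full"
        and other.verified
        and other.taken >= cart.taken
        for other in pool
    )


def classify_pool(pool: list[Cartridge], today: date) -> dict[str, list[str]]:
    """Split the pool into save (hold) and scratch (reusable) serials."""
    save, scratch = [], []
    for cart in pool:
        expired = retention_expires(cart) <= today
        if expired and newer_full_exists(cart, pool):
            scratch.append(cart.serial)
        else:
            save.append(cart.serial)
    return {"save": sorted(save), "scratch": sorted(scratch)}


# Constructed sample pool covering two file servers.
SAMPLE_POOL = [
    Cartridge("QIC-0001", "fs01", "yearly", "full", date(2007, 12, 31), True),
    Cartridge("QIC-0002", "fs01", "monthly", "full", date(2008, 4, 30), True),
    Cartridge("QIC-0003", "fs01", "monthly", "full", date(2008, 5, 31), True),
    Cartridge("QIC-0004", "fs01", "weekly", "full", date(2008, 6, 7), True),
    Cartridge("QIC-0005", "fs01", "daily", "incremental", date(2008, 6, 2), True),
    Cartridge("QIC-0006", "fs01", "daily", "incremental", date(2008, 6, 11), True),
    # fs02's monthly fulls failed verification: neither may be scratched,
    # because no good full backup of fs02 supersedes them.
    Cartridge("QIC-0007", "fs02", "monthly", "full", date(2008, 4, 30), False),
    Cartridge("QIC-0008", "fs02", "monthly", "full", date(2008, 5, 31), False),
]
AS_OF = date(2008, 6, 12)  # constructed "today" for the sample run

if __name__ == "__main__":
    print(classify_pool(SAMPLE_POOL, AS_OF))
```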
Establishing Quality of Support Baselines
for Data Backup/Restore
Windows Server 2008 provides the administrator with backup and recovery tools previously
seen only on midrange and mainframe technology (such as the capability to mark files for
archiving). For the first time, Windows network administrators are in a much better position
to commit to service level agreements and quality of service or support levels than before.
Unfortunately, the new tools and technologies result in a higher and more critical administrative
burden. (The service level shifts to the Windows administrator as opposed to being [typically]
the domain of the midrange, Unix, or mainframe administrative team.) Let’s consider some of
the abstract issues related to backups before we get into procedures.
No matter how regularly you back up the data on your network, you can restore only up to
the point of your last complete backup and then the subsequent incremental or differential
backups. Unless you are backing up every second of the day, which is highly unlikely and
impractical, you can never fully recover the latest OS data up to the point of meltdown (unless
you had a crash immediately after you backed up) using standard backup software. Only
advanced backup/restore systems that store data in specialized databases (such as the SQL Server
transaction log) can do that. You need to decide how critical it would be for your business to
lose even one hour of data. For many companies, any loss could mean serious setback and
costly recovery, often lasting long after the disaster occurs.
Therefore, it’s important to consider the numerous alternatives for backup procedures and
various strategies. Decide on a baseline for backup/restores: What is the least acceptable recovery
situation? You also need to take into account the quality of support promised to staff and the
departments and divisions that depend on your systems, plus the service level agreements (SLAs)
in place with customers.
Service level and quality of support are discussed fully in Chapter 25.
Before you consider other factors, decide what you would consider adequate in terms of the
currency of backed-up data. Then, after you have established your tolerance level, you need to
determine how to cater to it and at what cost. Starting with cost, consider the following list:
1. Data restored is one month or more old.
2. Data restored is between one and four weeks old.
3. Data restored is between four and seven days old.
4. Data restored is between one and three days old.
5. Data restored is between six and twelve hours old.
6. Data restored is between two and five hours old.
7. Data restored is between one and 60 minutes old.
Depending on how the backups were done and the nature of your backup technology, just
starting up the recovery process could take up to ten minutes (such as reading the catalog),
depending on the technology. Therefore, level 7 wouldn’t be an option for you as a tape backup
solution. In cases where backup media is offsite, you would need to consider how long the
media takes to arrive at the data center after you place a call to the backup bank. This could be
anything from 30 minutes to six hours, and you may be charged for “rush” delivery.
Now refer to the preceding list and consider your options. How important (mission-critical) is it
that data is restored, if not in real time, almost in real time? Many situations require immediate
restoration of data. Many applications in banking, finance, business, science, engineering,
medicine, and so on require real-time recovery of data in the event of a crash, corruption of
data, deleted data, and so on.
You could and should be exploring or installing clustered systems, mirrors, replication sets,
and RAID-5 level and higher storage arrays, as described in Chapter 13, but these so-called
fault-tolerant and redundant systems typically share a common hard-disk array or a central
storage facility. Loss of data is thus system wide and mirrored across the entire array. A mirror is
a reflection — no more, no less.
This brings us to another factor to consider: the flawed backup. You consider this factor if
your data is continuously changing. The question to ask is, “How soon after the update of
data should I make a backup?” You may decide, based on the preceding list, that data even
five minutes old is damaging to system integrity or the business objectives. A good example
is online real-time order or delivery tracking. Backing up data with such narrow intervals
between versions brings us to the subject of quality and integrity of backed-up data. (In the
section “Establishing Quality of Capture” later in this chapter, we discuss versioning and how
technology in Windows Server 2008 facilitates it.) What if the file that just got hit by a killer
virus is quarantined and you go to the backup only to find that it is also infected or corrupt?
What if all the previous files are infected, and now just opening the file renders it useless? It’s
something to think about.
Earlier this year, we rushed to the aid of our main SQL Server group, which had lost a valuable
database on the customer ordering system (on our extranet). Every hour offline was costing
the company six figures as customers went elsewhere to place their orders. Four-letter words
were flying around the server room. We had to go back three days to find a clean backup of the
database that showed no evidence of corrupt metadata.
Figure 7-2 illustrates data backed up on a daily basis; and in this case, bad data is backed up
for three days in a row. You may consider some of the gray area as safe, where backup data is
bound to have all the flaws of its source (corruption, viruses, lack of integrity, and so on), if
you have other means of assuring quality or data integrity. Such assurances may be provided
by means of highly sophisticated anti-virus software, quality of data routines and algorithms,
versioning, and just making sure that people check their data themselves. Backing up bad data
every ten minutes may be a futile exercise depending on the tools that you have to recover or
rebuild the integrity of the data.
FIGURE 7-2
The narrower the interval between backups, the greater the chance that backed-up data is also corrupted, infected, or lacks integrity.
[Figure: panel A, backups 1 through 6, “Backing up once a day”; panel B, backups 10 through 60, “Backing up at 10-minute intervals daily”]
Most companies back up data to a tape drive. The initial cost is insignificant in relation to the
benefit: the capability to back up and recover large amounts of data. A good tape drive can run
anywhere from $500 for good Quarter-Inch Cartridge (QIC) systems to $3,000 to $4,000 for the
high-speed, high-capacity Digital Linear Tape (DLT) systems, and a robotic library system can
cost as much as $80,000. Now consider minimum restore levels, keeping the quality of backup
factors described earlier in mind, as follows:
■ Restore is required in real time (now) or close to it. Data must be no longer than a few
seconds old and immediately accessible by users and systems even in the event that the
primary source is offline. In the case of industrial or medical systems, the secondary source
of data must be up-to-date, and latency can be measured in milliseconds, not seconds.
Your SLAs may dictate that 24-7 customers can fine you if data is offline longer than x
seconds or minutes. We call this the critical restore level.
■ Restore is required within ten minutes of the primary source going offline. We call this
emergency restore.
■ Restore is required within one hour of the primary source going offline. We call this
urgent restore.
■ Restore is required within one to four hours of the primary source going offline. We call
this important restore.
■ All other restores that can occur later than the previous ones can be considered
casual restores.
Figure 7-3 shows this in a visual hierarchy.
FIGURE 7-3
The data-restoration pyramid.
[Figure: pyramid layers from top to bottom: Critical, Emergency, Urgent, Important, Casual; shading indicates data integrity]
The pyramid in Figure 7-3 illustrates that the faster the response to a restore or recall of data
request, the higher the chance of retrieving poor data. Each layer of the pyramid covers the
critical level of the restore request. This does not mean that critical restores are always going to
be a risk and that the restored data is flawed. It means that the data backed up closest to the
point of failure is more likely to be at risk compared to data that was backed up hours or even
days before the failure. If a hard disk crashes, the data on the backup tapes is probably sound,
but if the crash is due to corrupt data or virus infection, then the likelihood of recent data being
infected is high.
Another factor to consider is that the “cleanest” backup data is often the furthest away from the
point of restoration or the most out-of-date.
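Added example, not part of the book: a short Python model of the trade-off shown in Figure 7-2 and the restoration pyramid, using a rotation of six daily slots against sixty 10-minute slots and constructed corruption and detection times. It shows both sides of the argument: when the corruption is noticed quickly the narrow interval loses less work, but when it goes unnoticed for three days the narrow rotation has already overwritten every clean copy.

```python
"""Which backups in a rotation are still clean after data corruption?

Constructed model of Figure 7-2 and the restoration pyramid: backups taken
after the corruption (or virus) entered the data are tainted, and a rotation
with a fixed number of slots keeps only interval * slots of history. Ages are
minutes before the moment the problem was detected; all numbers are made up.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Verdict:
    tainted: int                     # backups taken after the corruption began
    newest_clean_age: Optional[int]  # minutes before detection; None if none left
    work_lost: Optional[int]         # minutes of good work after the clean backup


def rotation_ages(interval: int, slots: int) -> list[int]:
    """Ages of the backups a rotation still holds when it reuses its oldest slot."""
    return [k * interval for k in range(slots)]


def assess(interval: int, slots: int, corruption_age: int) -> Verdict:
    """Find the newest backup taken strictly before the corruption entered the data."""
    ages = rotation_ages(interval, slots)
    clean = [age for age in ages if age > corruption_age]
    tainted = len(ages) - len(clean)
    if not clean:
        return Verdict(tainted, None, None)
    newest = min(clean)
    # Work done between that backup and the corruption is lost on restore;
    # everything after the corruption was bad data anyway.
    return Verdict(tainted, newest, newest - corruption_age)


# Figure 7-2 panel A: once a day, six slots. Panel B: every 10 minutes, 60 slots.
DAILY = (24 * 60, 6)
TEN_MIN = (10, 60)


def compare(corruption_age: int) -> dict[str, Verdict]:
    """Run both rotations against the same corruption-to-detection delay."""
    return {
        "daily": assess(*DAILY, corruption_age),
        "ten_min": assess(*TEN_MIN, corruption_age),
    }


if __name__ == "__main__":
    # Caught within 25 minutes: the 10-minute scheme loses far less work.
    print(compare(25))
    # Caught three days later (as in the database anecdote above): the
    # 10-minute rotation has no clean copy left; only the daily set has one.
    print(compare(3 * 24 * 60 + 30))
```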
If the level of restore you need is not as critical or the quality of the backup not too important,
you could consider a tape drive system either to a backup server or local to the hosting
machine. You could then set up a scheme of continuous or hourly backup routines. In the event
that data is lost (usually because someone deletes a file or folder), you could restore the file. The
worst-case scenario is that the data restored is one hour out of date and at such a wide interval
that a replacement of a corrupt file with another corrupt file is unlikely. Consider the following
anecdote: We recently lost a very important Exchange-based e-mail system. Many accounts on
the server could be considered extremely mission critical. Thousands of dollars were lost every
minute the server was down. (The fallout from downed systems compounds damages at an
incredible rate. The longer a system is down, the worse it becomes.)
The last full backup of the server was performed on the weekend. The system went down on
Wednesday. Because we were backing up only the files that changed on Monday and Tuesday,
we could restore the e-mail server to the state that it was in the night before. This was good
news to the MIS director but not very good news to people who felt that losing six to eight
hours of e-mail was unacceptable. (For many, that would mean losing an entire day of work and
a lot of wasted time rewriting and resending e-mail.)
The good news was short-lived, however, after we discovered that the transaction logs covering
the Monday and Tuesday backups were corrupt on both the system and the tapes. The result
was that we could restore the entire system to the state it was in on Friday, essentially losing
everything between Friday night and Wednesday afternoon. For backup administrators, this was
unacceptable. In the section “Backup Procedure” later in the chapter, we discuss how to prevent
this from happening.
If you have several servers that need this level of protection, you must install some expensive
backup equipment and advanced third-party software. Having a hot “clone” mirroring the entire
system would be the way to go. Both disk and system mirroring, striping, and redundancy are
discussed in Chapter 13. Full-blown redundant systems are required if applications need to
continue, oblivious of the switch to alternative media and hardware. To summarize: Considering
the checklists and matrices described previously, for a restore service level of five and up, you
would be looking at regular tape backup systems. Anything more critical would require online
libraries and a hierarchical storage management system — a service provided by Remote Storage
Services (RSS), covered in Chapter 14.
Establishing Quality of Capture
In planning backup procedures and establishing quality of support levels for backups, it’s vital
to consider the quality of your backups before you begin designing rotation schedules and
schemes and backup/restore procedures. Every business is different. Even businesses in like
industries do things differently, so what you decide on may work for you but not for anyone
else. What we suggest in the following sections are guidelines for establishing procedures. Before
you get stuck in here, however, remember the following: Devise a plan, and if it works (after
tests work under strict analysis), stick to it. If backup media get out of sync or lost or damaged,
you may have a disaster on your hands when trying to restore critical data.
Best backup time of the day
Suppose that you decide to back up your data every night. One of the first items to consider is
when to start your backups. If staff work late or your systems are accessed late into the night,
you might wait until the early hours of the morning to begin backing up. In other words, the
best time to start doing backups is whenever the files are least likely to be open and changing
or whenever you are most likely to be getting the last possible version change before people go
home for the night and systems become idle again.
You may run into problems backing up earlier in the evening or even late at night if, for
example, a process or department swings around near midnight and updates 20 percent of the
critical data you need to back up (such as night order processing). It can be especially tough to
decide when to start backing up e-mail systems and database management systems because they
typically are in use around the clock, especially if your organization is a national or global entity.
Some organizations restrict access to systems at certain times to ensure that the best backups are
achieved at that time. This would naturally need to be coordinated with other departments and
change control, because making a system unavailable could crash other processes that may be
running at the same time, or they may need access to the data. We believe that systems should
never be taken offline, even for backups. Moreover, in the age of the Internet, who would want
to restrict access to systems? That’s tantamount to closing shop in the middle of the day for
international Web sites, which consider “after hours” to be an obsolete term.
Length of backup
You should also determine how long your backups take. Starting your backups at one minute
to midnight may be prudent, but if morning swings around and your backups are still churning
away, you have hardly performed a backup, and files may become locked or substantially
changed after systems and people log in and seize control again.
If your backup devices are backing up multiple servers, you may not get to the last machines
until the next day. There’s not much sense in a Thursday incremental backup that is part of a
rotation scheme that takes place only on Saturday.
You have a number of options to consider in striving to ensure that the best quality backups
take place in as little time as possible:
■ Files that do not change. Repeatedly backing up system and application files is a waste
of time. Many administrators, either from lack of time to plan their backups or ignorance,
waste an incredible amount of time and resources backing up files that seldom change.
System files are a good example, as are temp files and noncritical log files. Consider
dividing your backups into the categories described in the next paragraph.
■ Long-term system and system state files. These files include program files and system
state files that never change or change very seldom. As explained in the section “Rotation
Schemes,” later in this chapter, incremental and differential backup functions ignore these
files after a full backup has occurred, but tying up time and media even on a weekly or
monthly full routine that can often run into two or more days of continuous backup still
makes no sense.
■ Short-term state files. These files include system or application state files that change
often. Such files include configuration files, registry files, the Active Directory files, and
so on. On servers, both registry and Active Directory files can change every day, whenever
new users or resources are added or changed, so if short-term state files change daily
on your servers, they need to be included in backups. Noncritical short-term state files,
including the page file (pagefile.sys), event log files, and temp files (.tmp), are not needed
to restore downed systems, nor do they hold data worth keeping.
■ Data and resource files. These files include word-processing files, graphics-related files,
database files, transaction logs, e-mails and other communications files, spreadsheets,
voice and audio recordings, and so on. These files (and they can often be listed or categorized by their extensions) change often, are almost always critical, and should always be
backed up or included in all backup routines.
If you intelligently include or exclude certain groups of files, you can control and keep backup
times to a minimum. You also save on media (at $30 to $50 a pop for DLTs and not much less
for small packs of DAT cartridges); you can save a lot of money and wear and tear on systems,
media, and backup devices.
Redundant systems that use replication services in products such as Active
Directory, SQL Server, Exchange, and so on are more effective, in many cases,
than fancy backup technology for high-availability initiatives.
Backup of servers and workstations
If you have not by now separated your backup procedures into backup of systems and backup
of data, now is the time to do it. Often, system administrators repeatedly back up Windows
servers and workstations in their entirety for absolutely no reason. We cannot count how many
full versions or backups of our systems we have in storage. This has a lot to do with the lack of
thought that goes into backup practice and little to do with the inflexible backup technology of
earlier versions of the Windows server platform.
In some cases, we have several years of system backups for which the only files on the media
that are different are the data files. From the get-go, you could probably recover 10 to 20 cartridges and put them back into the rotation without affecting your quality of service and backup
integrity levels. (That could be worth a lot of money to you in media costs and time.)
How then do you deal with the backup of systems? If you have not already done so, consider
taking an “image” of the system and saving it either on tape media, compact disk, DVD, or a
remote storage volume. We don’t recommend storing archival or version-based images on any
remote storage volume or disk, which could fail or allow someone to delete the file, even if you
secure it (although Windows Server 2008 security provides more protection than Windows NT
4.0, Windows 2000 and even Windows Server 2003).
Instead, burn the system image onto a CD or use a product that specializes in so-called bare
metal capture of all data. Several popular products specialize in bare metal recovery. The Stac
Replica system, for example, boasts the capability to back up a server and then restore it to any
other machine with zero reinstallation required.
Workstations are viable candidates for image storage because they are usually never backed up.
Most system administrators tell their users to put their data into server sharepoints where they
are accessible to groups that have an interest in the files, and the data is backed up every day
when the rotation sweeps around. Windows Server 2008 now offers such advanced control over
the user’s workspace that a policy dictating the storage of user’s files on a server share is entirely
enforceable. See Chapter 15 for information on how to redirect users’ data folders to backup
sharepoints.
Many users experience a considerable loss of computing time and inconvenience if they lose a
workstation and no backup exists. Restoring such a system to its prior state before a hard disk
crash, fire, or theft can take more than a day, and many critical processes take place from workstations.
To restore a system from an image is relatively simple, and in many cases, recovery can take
place in a morning. Images can also be kept in a safe place at work for quick access.
The upshot of this method is that when a system is blown away, you need only to set up identical or very similar hardware and restore from the image to get a machine that is in the same
state it was in when the image was burned. You would then restore the data and any files that
have changed since the image was burned.
Naturally, you need to ensure that you install the necessary service packs that were installed
on the system from the time of the last image burning, or reburn the image after a new service
pack, application software, or new system libraries are applied.
The best candidates for the image burning and bare metal backup techniques are servers on
which the majority of files are static system files. A print server is a good example, and the
Windows Server 2008 Resource Kit includes such a utility (printmig) to back up logical
printer shares. It may not be much of a savings to burn an image of a server for which 89
percent of the storage space is dedicated to databases or e-mail files. Conversely, a Remote
Access Server, one of a group of WINS servers, and volumes that have no changing data on
them are ideal candidates for image burns.
The open files dilemma
Open files have always been the backup administrator’s nightmare on Windows NT Server,
and this is still very much the case on Windows 2000 and Windows Server 2008 volumes.
What are these open files? Any resource file on a system needs to be opened for exclusive or
shared use by a user or device that is exploiting or updating its contents.
Backup software, backup schemes and rotations, and backup administrators hate open files for
the following reasons:
■ Open files cannot be backed up.
■ Open files trash automated backup jobs.
■ Open files cause the backup schedules to slow down and even grind to a halt.
■ Forcing open files closed or shutting down services and systems causes headaches, inconveniences, missed deadlines, crashes and, worse, the Blue Screen of Death (although the
latter is the least likely to occur).
Many relational database applications, for example, place “locks” on files while they are in use.
The system also places locks on files. These files can range from simple configuration files, the
registry and Active Directory files (their databases, for example), SQL servers, WINS servers,
DHCP servers, and so on. E-mail applications are a good example of an open-files nightmare.
These files are often huge and are almost always open and in use by the applications. Microsoft
Exchange is a good case in point.
If a file is open or an exclusive lock is on the file, your backups are in trouble. On a mail server
such as Exchange, the result of the open-files problem could be catastrophic for you. The information stores, the registry, the Exchange directory, the Active Directory, WINS, DNS, DHCP,
and so on, are always open. If the backup fails because these huge files could not be backed up,
you may be talking about hundreds if not thousands of users inconvenienced, at incredible cost.
Suppose that you face such a disaster: You do a full backup of Microsoft Exchange every
weekend. Then, one day, your silent pager vibrates your hip joints with the message that the
Exchange Server crashed. You try to revive the system but it doesn’t respond, but that’s okay
because you have been diligently making full backups of Exchange every weekend. Unfortunately,
when you go to restore from that backup, you find that the backup software was skipping exactly
those files that you need. Career killer?
Database servers can cause even bigger headaches. Many, such as SQL Server, are self-contained
domains of users and login mechanisms. From the outside world, you see only a huge database
blob. In the case of SQL Server, it’s the files with the .mdf extension, such as hello.mdf. In
fact, any huge file that has a .dat or a .?db extension is likely to be a database.
Many high-end systems, such as SQL Server, now ship with their own built-in backup
services.
You have several ways to deal with this bugbear, from the cheapest to the most expensive
solution.
First, you can shut down the open application’s services prior to backup or force closure of the
files by requesting users to close applications and even log off. (Incidentally, any restore of SQL
Server requires the database to be placed into single-user mode so that the restore agent has
unrestricted access to the databases.) This is by far the cheapest method (software cost), and you
can force closure of services and files prior to backup with several batch files and scripts. If you
have the budget, buy the backup agents for products like SQL Server and Exchange that enable
you to back up open files while these systems are still running.
The second solution is to install an open-files utility that provides the backup software with
a “window” to the data in the open files. The advantage of this solution is that your backup
software has access to open files across the board. One such product is the Open File Manager
(OFM) from St. Bernard software (www.stbernard.com). You can install this tool on your
systems and never worry about open files not getting backed up. So important to backup and
recovery is this utility that it is worth a special mention here. Thoroughly test it on your systems
before going live. As important as it is, the product tinkers with files deep in the abyss of the
file system, as does anti-virus software. OFM and NetShield from Network Associates have been
known to collide, so test your implementation before going into production.
The third and most expensive solution is an agent or API that works with the backup software
you are using. Products such as Backup Exec and ARCserve provide their own technologies that
enable the Microsoft Server products to be backed up while they are online and in use.
Notice that, in this short list, we list the solutions in order of cheapest to most expensive, but
that expense is only in terms of what buying the solution costs. In other words, if you think that
you are saving money going for the option to shut down services, think again. This could be
your most expensive solution. For example, just as you think you’re being clever and shutting
down services by using the nifty little batch files and scripts that we are about to create, the
batch file breaks. For some reason, the service does not shut down, and the next day, your
system crashes and you don’t have a backup.
The open-files agents are not airtight technology. We run nightly backups of several huge SQL
Server databases, Oracle, Lotus Notes, and more. Often, we notice that the open-files agent
stopped for some reason, and the backup of critical data did not go through. You must watch
the services like a cat sitting between a mouse and a hole in the wall.
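Added example (not the book’s batch files and not any vendor’s agent): a Python skeleton for the shut-down-then-back-up approach that refuses to run the backup unless each service is confirmed stopped, restarts the services afterwards, and alerts on every failure path, so that a broken script or a stalled agent never passes silently. The service controller is a constructed stand-in; a real one would wrap sc.exe or net stop and the backup command, and the service names are assumed.

```python
"""Stop services for a cold backup only when the stop can be confirmed, and
raise an alert rather than silently backing up open files.

Constructed example: FakeServiceController stands in for the OS service
manager so the logic runs offline; a real controller would wrap sc.exe or
net stop and the backup command. Service names are assumptions.
"""
from __future__ import annotations
import time
from dataclasses import dataclass, field
from typing import Callable


class BackupAborted(Exception):
    """Raised when a precondition for a trustworthy backup is not met."""


@dataclass
class FakeServiceController:
    """Stand-in for the service manager; services in 'stuck' ignore stop."""
    running: set[str]
    stuck: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def stop(self, name: str) -> None:
        self.log.append(f"stop {name}")
        if name not in self.stuck:
            self.running.discard(name)

    def start(self, name: str) -> None:
        self.log.append(f"start {name}")
        self.running.add(name)

    def is_running(self, name: str) -> bool:
        return name in self.running


def wait_until_stopped(ctl, name: str, timeout_s: float, poll_s: float = 0.01) -> bool:
    """Poll the service state; never assume the stop request was honoured."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if not ctl.is_running(name):
            return True
        time.sleep(poll_s)
    return not ctl.is_running(name)


def cold_backup(ctl, services: list[str], run_backup: Callable[[], bool],
                alert: Callable[[str], None], timeout_s: float = 0.05) -> bool:
    """Stop services, verify, back up, restart. Returns True only on a
    confirmed good backup; every other path alerts and returns False."""
    stopped: list[str] = []
    try:
        for name in services:
            ctl.stop(name)
            if not wait_until_stopped(ctl, name, timeout_s):
                raise BackupAborted(f"{name} did not stop; files still open")
            stopped.append(name)
        if not run_backup():
            raise BackupAborted("backup job reported failure")
        return True
    except BackupAborted as exc:
        alert(f"NO VALID BACKUP: {exc}")
        return False
    finally:
        # Bring the application back up whatever happened, and alert if a
        # restart fails: an outage is the other half of the failure mode.
        for name in reversed(stopped):
            ctl.start(name)
            if not ctl.is_running(name):
                alert(f"{name} failed to restart after backup")


if __name__ == "__main__":
    alerts: list[str] = []
    # Constructed scenario: the database engine ignores the stop request.
    ctl = FakeServiceController(running={"MSSQLSERVER", "SQLSERVERAGENT"},
                                stuck={"MSSQLSERVER"})
    ok = cold_backup(ctl, ["SQLSERVERAGENT", "MSSQLSERVER"],
                     run_backup=lambda: True, alert=alerts.append)
    print(ok, alerts, ctl.log)
```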
The fact that Microsoft provides some limited open-file support for Exchange is worth
mentioning here. Whenever you install Exchange, the installation updates the NT Backup utility
to enable it to back up Exchange’s directory and information store.
Never ever mix backup technologies on the same files. For starters, each backup job
changes the state of the files to some degree, from changing the archive bit on one
end to causing the applications to do housekeeping on the other end. Your restores may not work
if a second backup application has altered the file system. In addition, if a restore job fails, you
can forget about getting support from a vendor if another product has interfered.
Shadow Copy technology on Windows Server 2008, however, presents a whole new ball game
with respect to open-file issues. See the section ‘‘Working with Shadow Copies’’ later in this
chapter.
Backup Procedure
The path to Windows Server Backup’s (WSB) door is Start → All Programs → Administrative
Tools → Server Manager → Storage → Windows Server Backup. Alternatively, just run the
command-line shortcut wbadmin.msc, or search for Windows Server Backup in Search under
All Programs.
For most uses of your computer, the WSB utility is sufficient to archive and store data, and to
recover it in the event of a disaster, but that’s as far as it goes. You certainly want to stick with
the third-party products for enterprise-wide disaster recovery and data protection.
Before we get into the highs and lows of backup and restore, first we need to look at the
limitations of the utility that ships with Windows Server 2008. It is a vast disappointment over
the NTBackup that was bundled with earlier versions, but it still has some uses.
Basically, backup is not really useful for managing a mission-critical DR project from a single
server devoted to DR. If you manage a server farm, performing backups on each machine is a
huge waste of time and resources and a drain on the IT budget. The only advantage is better
bandwidth, as described in the section “Backup Bandwidth” later in this chapter. You need to
upgrade to a third-party suite if you want to devote to one server the job of backup system.
The most that WSB promises you is the capability to back up a server’s volumes with limited
source selection ability. You can’t really do much with it. For example, many mail and
groupware administrators want the capability to back up multiple Exchange Servers across the
enterprise from a single DR location. If you use good equipment and sensibly manage an Exchange
Server, you’re unlikely ever to need to restore the machine and the databases in their entirety.
Any good Exchange administrator can confirm that 99 percent of all requests for restores to
Exchange come from users who stand in your doorway drooping like basset-hound ears and say,
“I can’t find my Inbox folder. I think it got deleted somehow.”
Pro-backup utilities enable you to expand and collapse a mailbox tree in the backup software
like an unfolding deck of cards. Trust us. If you have more than a handful of users (we manage
about 3,000 on just one of our 67 domains), your Exchange DR is mostly about restoring
a folder. Backing up and restoring folders piecemeal is often referred to as a brick-level or
object-level backup and recovery.
Database servers are also an example of specialist applications where machines are almost
entirely devoted to the database. Backing up a database server, such as Oracle or SQL Server,
while it is in use is virtually impossible. The leading backup vendors have special agents that
can attach to these servers as actual “users” (not domain accounts) created inside the database
environment. If you have only a handful of users on a server or face no chance that anyone
is using the server at certain times at night, you can probably get away with shutting down
the database and all related services and backing up the closed files. In an enterprise-level DR
project, this would be a practice unbecoming of the backup administrator, unless the entire
domain were offline for maintenance.
Some advanced software suites come with ‘‘push’’ agents that send the files to the backup server.
ARCserve, for example, provides backup agents that pump files to the server. The agents connect to the servers across IP or IPX, and any open files that cannot be pushed or that are in use
are marked for later transmission after they are no longer being used.
So far we have really discussed only backups. Restoring files on running systems can be even
trickier because you are attempting to replace a file, not make a copy of it. High-end software
suites enable you to restore by session, media, objects in a tree, and so on.
As a rule of thumb, you need something a lot more robust than Windows Server Backup in a
heterogeneous, mixed version, multivendor/OEM, chock-full-of-nuts environment. However, you
always have a need to use Backup. We know of one sad case where the Exchange administrator
of a Fortune 500 company got so tired of waiting for the backup operator to get around to
doing a mailbox restore on her server that she went with Backup and ‘‘the heck with mailboxes.’’
The next day, the CIO came over to whine about recovering his deleted mailbox, which he
swore was more valuable than his 401(k). It was the Backup administrator who was relocated to
an oil rig in the North Sea, not the Exchange administrator.
Performing a Backup
In this section, we show you how to actually perform a backup using the Windows Server
Backup. The whole thing starts with creating a media pool. Throughout this example, we
assume that you’re using a simple media pool composed of 4 mm DAT cartridges.
You also use Backup to create an emergency repair disk (ERD).
Creating a media pool
Attach your DAT drive or whatever removable storage device you have to the computer. If you
have not already done so, go to Add Hardware in the Control Panel and install the device. If the
device was installed at the time you installed Windows Server 2008, the Backup media pool is
probably using it already. If not, you must manually create the pool and allocate it to Backup or
nest the new pool in the Backup media pool.
In Computer Management or Remote Storage, expand the Removable Storage option and select
Media Pools. Right-click Media Pools and choose Create Media Pool from the pop-up list that
appears. The Properties page for the media pool is presented, enabling you to select from dozens
of supported media formats and technologies, as shown in Figure 7-4.
Understanding rights and permissions
As with all Windows Server platforms, you need certain rights and privileges to work with files.
Windows Server 2008 does not permit you to back up or restore files that you cannot claim
rights to by virtue of your membership in a group, or ownership.
FIGURE 7-4
The Removable Storage media selection list.
Here are the rules: If you are the owner of a file or folder, you can back up and restore the file
on your domain or local computer, as long as you have logged on at the machine to restore to
or have direct ownership. You must have access to the files in the form of one or more user
permissions, such as read, write, or full access. You cannot back up files if they are not yours.
Backup software services must use the account of a backup operator to access and back up files,
regardless of the rights associated with these files. If you are the administrator or a member of
the local Backup Operators group, you can sign on and perform backups and restores
on the local machine.
To perform backups and restores from and to any machine on the network, you must be signed
on as the administrator or as a member of the domain’s Backup Operators group. As a
domain Backup Operator, you can also do backups and restores in another domain if a trust
exists between the domains.
Remember that you cannot back up the system state of another computer with NT Backup even
if you are the Angel of Administration. The advanced evolution of the Windows Server 2008
subsystem must have a lot to do with such a restriction.
Understanding source and destination
We refer to sources and destinations when talking about backing up . . . on any system. Open
WSB and click the Backup Once or Backup Schedule Options. Note that if a tape drive is not
installed, you can back up to a file. You can also back up to the media pool you created.
Now step through the wizard to choose your options, as illustrated in Figure 7-5.
FIGURE 7-5
Selecting a source and destination in Backup.
Verifying backups is not a bad idea, but it adds a lot of time to the length of a backup; in many
cases, it can take almost as long to verify a backup as the backup itself. If you have a lot of files
and servers to back up, by the time you get to verify a file (compare the original against the
backup), the original may have changed. This is a problem in many data centers where about
30 percent of the files backed up (usually during a 15-hour process) are changed before the
verification starts. Many professional packages offer various levels of verification. On several, for
example, you can confirm that the label and catalog information is intact or reliable and then
make the assumption that the rest of the tape is okay.
If you have the time to verify your backups, by all means do it, but backup algorithms are so advanced today that it is highly unlikely a file on the tape will differ from its source.
Instead, set aside a day every so often (we do this once a month)
to test restore the most critical data to a development server (even a special folder). You should
also run disaster simulations, testing the restoration of the most valuable servers and their data.
Setting up schedules
Your next option is to start the backup now or schedule it to run later. Later may be whenever
the computer is sure to be idle with no one logged on. On a Windows Server 2008 server, users
can be logged on via terminals, shares, RAS, or via some network connection, such as FTP.
Consider shutting down certain services or denying access for the time the backup is running.
The Backup Schedule option can be used to edit the job schedule.
Rotation Schemes
A rotation scheme is a plan or system by which you rotate the media that you use in your backup
sets. At the most basic level, a rotation scheme may be a daily backup using one medium. You
would not have much of a DR scheme because you would be writing over the medium every
day, but this is a rotation scheme nonetheless. Another consideration in a rotation scheme is the
dividing line between what you consider archiving: data backup, version control, system-state,
and recovery.
Figure 7-6 shows one way to look at your data’s value from a chronological point of view.
The scale is a simple one, but it demonstrates the various stages of usefulness that backups go
through, starting from the left. Data in the archival period need not be located onsite and is kept
for record-keeping (annual backups), and data in the version control period is stored offsite and
onsite for access to full weekly generations of the data. Data in the recovery period is stored
both onsite and offsite and (depending on the critical nature of the data) is either online or
within ‘‘arm’s length’’ of recovery.
FIGURE 7-6
The stages of a backup’s life. (Figure labels, left to right along the Time axis: Online Recovery, Version Control, Offline Backup, Archive.)
You can now expand your rotation scheme. The first option is to rotate the media every
other day so that you could be backing up to one tape while the alternate is in safekeeping
somewhere. If the worst were to happen — a tape is eaten by the device or something less
common — you would still have a backup from the previous day. If the machine were stolen,
you could restore it, but rotating every other day is useful only in terms of total data loss. You
have a full backup of all your files every day, but what about wear and tear? A tape or a platter
is a delicate device. Inserting it, removing it every other day, and writing to it repeatedly can
put your data at risk. Tapes stretch and they get stuck in tape drives. Tapes should be saved
according to the scratch-and-save discussion in the section ‘‘Practicing Scratch and Save’’ earlier
in this chapter.
What about version control? Rotating with multiple media — say a week’s worth — would
ensure that you could roll back to previous states of a file. We could refer to such a concept
of versioning as a generation system of rotation (not sufficient for critical restore, however). In
fact, one such standard generation scheme is widely used by the most seasoned of backup
administrators to achieve both these ideals: versioning, and protecting media from wear and tear
and loss. It is known as the GFS system, or Grandfather, Father, Son system.
You now want to create a GFS scheme to run under Backup. Most high-end backup software
can create and manage a rotation scheme for you, but for now and always with Backup, you
need a legal pad. Put a label on one of your tapes or disks and call it Full, or First, Backup or
Normal # 1 — whatever designates a complete backup of the system and collection of files and
folders.
The first backup of any system is always a full backup, and the reason is simple: Backup needs
a catalog or history of all the files in the backup list so that you can access every file
for a restore and so that Backup can perform incremental or differential analysis against the media.
Do your backup according to the procedures discussed in the section ‘‘Performing a Backup’’
earlier in this chapter. You should have enough practice by now, and you are ready to go from
a development or trial backup to a production rotation scheme.
As soon as you make a full backup set, label the members as discussed and then perform a second full backup (or copy the first). On the first backup set, add the following information to the
label:
■ Full_First. January Server 2008
■ Retention. G (for Grandfather) or one year — for example, dd-January-2008
■ Serial number. Your choosing, or automatically generated
On the second set, add the following information to your labels:
■ Full_First. Week1-January Server 2008
■ Retention. F (for Father) or one month, Week1y-February-Server 2008
■ Serial number. Your choosing, or automatically generated
The next day, choose a second set of media, but this time only the files that have been changed
are backed up by using differential or incremental options. Suppose that you are doing incrementals here for example’s sake.
On the incremental set, add the following information to the label:
■ I_First (or a day of the week): Monday, or First
■ Retention: Seven days or every Monday
■ Serial number: Your choosing, or automatically generated
The next day, put in a new backup set and perform the next day’s incremental. This time, the
label information is Tuesday or ‘‘Second’’; retain these media in a seven-day save set and store
them in a safe place. On Wednesday, perform the third incremental, and on Thursday, perform
the fourth incremental. Now look at what you are achieving.
You have created a grandfather set that you store for a year. If you started this system in January
2006, you do not reuse these tapes until January 2008; the retention period is one year, the oldest saved data that you have.
The second copy set is the father set of the scheme, and this set is reused in four weeks’ time.
In other words, every four weeks, the set can be overwritten. This does not mean that you make
a full backup only once a month. On the contrary: Notice that you made one full set and four
incremental sets, so you are making a full backup once a week and four incremental backups
Monday to Thursday. You retain the weekly set only for a month, meaning that at the end of
each month, you have five full backup sets, one set for each week, retained for a month, and
one set for each month, retained for a year.
What about the incremental sets? These sets are the grandchildren of your rotation scheme.
You save them for seven days and return them for scratching on the same day the following
week. What you back up on Monday is overwritten next Monday, Tuesday is overwritten
next Tuesday, and so on. This also means that, at any given time, your people can access the
previous day’s data, the previous week’s data, the previous month’s data, and the previous year’s
data. What you have created is a traditional rotation scheme for performing safe and accessible
backups of data.
Variations on this theme are possible, and you need more than just seven of whatever media
you are using. For example, for the full GFS rotation, you would need the following for a single
server that used one DLT tape drive:
■ Daily backups (incremental, rotated weekly): 4+
■ Weekly Full (rotated monthly): 4+
■ Monthly Full (rotated annually): 12+
■ Total tapes: 20+
The best days for such a rotation scheme are Monday through Thursday for incremental, and
Friday for full. Even on big systems, you’re unlikely to be doing an incremental into the following day; and on Friday, you have the whole day and the weekend to do the full backup, at a
time when the system is most idle. You could start after the last person leaves on a Friday, and
you would still have about 48 hours of backup time to play with.
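The rotation scheme described above, modelled as an added example that is not part of the book: the planner assigns each day's job to a labelled media set, reports when each set returns to the scratch pile, and lists what can still be restored on a given date (labels such as Son-Mon and Father-W1 are this example's own naming).

```python
"""GFS (Grandfather/Father/Son) rotation planner.

Added example, not from the book: models the scheme described in the text,
Monday-Thursday incrementals kept seven days, a Friday full kept four weeks,
and the first full of each month copied onto a set kept for a year.
Labels such as "Son-Mon" and "Father-W1" are this example's own choice.
"""
from collections import Counter
from datetime import date, timedelta

SON_RETENTION = timedelta(days=7)            # incrementals: scratched next same weekday
FATHER_RETENTION = timedelta(days=28)        # weekly fulls: reused four weeks later
GRANDFATHER_RETENTION = timedelta(days=365)  # monthly fulls: kept for a year

WEEKDAY = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTH = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
         "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def gfs_plan(start, days):
    """Return one (date, job, label, scratch_date) record per media set used.

    start must be a Friday: the scheme opens with a full backup, and the text
    puts the full on Friday so the weekend is available for it.
    """
    start = _as_date(start)
    if start.weekday() != 4:
        raise ValueError("GFS plan must start on a Friday (full backup day)")
    plan = []
    fridays = 0
    months_seen = set()  # (year, month) pairs that already have a grandfather copy
    for offset in range(days):
        day = start + timedelta(days=offset)
        wd = day.weekday()
        if wd >= 5:
            continue  # no job at the weekend
        if wd < 4:
            # Monday..Thursday: incremental onto the "son" tape for that weekday
            plan.append((day, "incremental", f"Son-{WEEKDAY[wd]}", day + SON_RETENTION))
            continue
        # Friday: full backup onto one of four "father" sets, rotated monthly
        plan.append((day, "full", f"Father-W{fridays % 4 + 1}", day + FATHER_RETENTION))
        fridays += 1
        # The first full of each month is copied onto the "grandfather" set
        if (day.year, day.month) not in months_seen:
            months_seen.add((day.year, day.month))
            plan.append((day, "full (copy)", f"Grandfather-{MONTH[day.month - 1]}",
                         day + GRANDFATHER_RETENTION))
    return plan


def media_required(plan):
    """Distinct tapes per tier and in total; the text's count is 4 + 4 + 12 = 20."""
    labels = {label for _, _, label, _ in plan}
    tiers = Counter(label.split("-")[0] for label in labels)
    return dict(tiers), sum(tiers.values())


def restore_points(plan, as_of):
    """Sets written on or before as_of whose media have not yet been scratched.

    A tape is scratched (eligible for overwriting) on its scratch_date, so a
    record survives only while as_of is strictly before that date.
    """
    as_of = _as_date(as_of)
    return [rec for rec in plan if rec[0] <= as_of < rec[3]]


def scratch_today(plan, today):
    """Labels that are due back in the scratch pile today, per the legal pad."""
    today = _as_date(today)
    return sorted({label for _, _, label, scratch in plan if scratch == today})


if __name__ == "__main__":
    plan = gfs_plan("2008-01-04", 365)  # first Friday of January 2008
    tiers, total = media_required(plan)
    print(f"media needed: {tiers} -> {total} tapes")
    for rec in restore_points(plan, "2008-06-15"):
        print(*rec)
    print("scratch on 2008-01-14:", scratch_today(plan, "2008-01-14"))
```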
Restoring Data
We left the subject of data restoring until now because it is usually the least time-intensive task
to perform, and it is hoped that you are not asked to restore data too often. WSB has a restore
option, Recover, that enables you to select the source.
You also have the option of restoring some or all of the files to their original location or an
alternative. The following checklist thus applies to any restore that you are doing:
■ Always make sure that restoring files to their original locations does not result in loss
of data. This may seem illogical, but restoring files often results in further damage. For
example, if a file is corrupt but up-to-date and you restore a file that is not corrupt but out
of date, how much better off are you? It may be better to investigate saving the contents of
the file that you want to replace or salvaging what you can before overwriting the file. You
could restore to an alternative location or rename the corrupt file. Better to check whether
a ‘‘corrupt’’ file is recoverable before you blow it away with all chances of ever recovering
your data.
■ Consider, too, the consequences of restoring. Windows Server 2008 stores all manner of
information about a file: the folder that it’s in, the volume, EFS, DFS, RFS, quota information, sharepoints, archive information, and so on. Restoring a file restores not only the
contents, but also any attributes and information known about the file at the time it was
backed up. Anything new applied to the file and its relationship with the rest of the universe is not recorded in the restore. A good example is restoring a folder that several new
groups and users were given access to after the last backup. The restore now blocks these
new users, and a critical process may bring things crashing down if you turn your back.
Again, restore to an alternative location if you are unsure of the results.
■ Block user access while performing a restore to original locations. Nothing causes more
problems than having users trying to open files that have not been completely restored.
Blocking access results in calls to the help desk, so make sure that customer service or
help-desk representatives know about the process, and don’t waste your time calling people to tell them about the block. If it is a big sharepoint, you always have someone messing
things up. Conversely, if you are restoring a share that needs to be accessed by a critical
process coming from another machine or software, let the owners of these processes know
before their applications crash.
■ Always check who is connected to the destination computer and what files they have
open. If you restore to files that are open, you at least get access errors; at worst, you could
corrupt the files you are restoring. You can check who is connected to the server by opening the File Management Console (or Computer Management) and expanding the Sessions
node under the Shared Folders leaf. You can also see who is connected to what by running
the NET SESSIONS and NET FILE commands at the Command Console. NET SESSIONS
and NET FILE work for all versions of Windows Server.
One last item before we leave Restore. We spent a lot of time digging in the Remote Storage
Manager looking for a place to erase, format, and catalog media. After all, RSM is where everything’s supposed to happen for media. We guess Microsoft let this one slip by them, and we let
them know. All is not lost. We discovered the missing erase and format utility in Backup. It is
on the Restore tab, of all places. Just right-click the tape icon and format away your precious
media.
Tape Location
Be sure to remove your valuable rotation sets from the premises as soon as the backup job is
done, every day, and as long as online media are available. You can find many reliable media
pick-up companies in all cities in the United States. If you don’t have access to a media pick-up
firm, find a safe place (such as a safe deposit box at a bank) and move your media to this
remote location every day. You could also buy a small fireproof safe and keep that onsite.
Following are two chief reasons for moving the media offsite: First, if a disaster were to take out
your building, it would take out your backups as well. Here in Hurricane Land, Florida, USA,
we move backups to a secure location every day. Second, tapes and backup media grow legs and
may walk out of your offices. Worse, someone may access your tapes and steal sensitive information without you knowing it.
We have a very secure computer room, and some time in the latter part of the last millennium,
we removed a tape and then left the secure environment to fetch a new label. We were gone two
minutes and returned to find the tape gone. We thought we had misplaced it and had to repeat
a five-hour backup all over again. Later, we learned that in those two minutes, another administrator had asked the computer-room staff for a spare tape, and the staff had handed over our unlabeled tape,
thinking it was blank. Lesson learned: Never leave your backup media unattended, even for two
minutes.
Backup Bandwidth
Bandwidth is an important item in your Hardware/Media/Support Level equation. From the
get-go, forget about doing any significant backup over a WAN or Internet connection unless you
have upward of a 1.5-Mbit pipe to the source (and even that is a stretch given the size of data
files these days). Anything less (unless it is a very small collection of files) does not provide a
suitable facility for backing up. The only time you should try backing up over a low bandwidth
connection (and for backup, low bandwidth could be considered anything under 10 Mbit) is
when you need to grab a handful of important files. To back up a remote registry over a 64-Kbit
pipe would take several hours.
On the other hand, we routinely back up thousands of server shares over a gigabit Ethernet network; if you have a 1-Gbit backbone (GigE) and have servers sitting directly on that, all the better. Remember, though, that even a 100-Mbit backbone is only as valuable as the speed of the
server bus, network links, hard disk I/O, and the capabilities of the backup devices.
The minimum rate of backup you can expect over a 10-Mbit network is between 15MB and
45MB per minute, depending on the backup device. Local tape drives on fast computers using
SCSI technology and high-end hardware can achieve levels of around 200MB per minute,
and even higher on RAID systems and extremely high-speed disk arrays. However, placing a
high-end backup device on every server can be very expensive.
Determine how much data needs to be backed up and then figure out how long backing up
all that data is going to take you. If the data is mission critical, you may want to back it up
more often. Remember that data changes every minute of the day. Database applications can
see as much as 20 percent of the data changing on the low end and as much as 80 percent
changing on the high end. E-mail systems change just about every second of the day in busy
organizations.
Here is a very simple formula to determine how long it will take to back up your data. Say that
you want to back up X amount of data to a certain device in Y time. Starting with the desired
unknown Y, you would want to first figure out how much data you are going to try to back up
on the local machine or over the network. After you have calculated this, your equation resembles the following:
Y = S / T
Here, Y = time in minutes, S = amount of data in megabytes, and T = transfer rate of the
hardware, in megabytes per minute (locally or across the network). The data transfer or backup rate of the DLT 7000 is
around 300MB per minute (hauling data off the local hard drives). Thus, for a data store of
2GB, your equation would be Y = 2000 / 300, which works out to just over six minutes to back up.
Factor in another two minutes or more per 100MB for latency, cataloging, files in use, database
updating, and so on. It would be safe to say that 2GB of data could be backed up in less than
ten minutes. Across the local area network, you would be safe to divide the transfer rate by a
factor of ten. The same 2GB over the network would take more than an hour to back up.
Working with Shadow Copies
In addition to the new design for backing up open files, the Shadow Copy function also goes
a long way toward relieving the administrative burden on backup operators. How many times
have you received a help-desk ticket or a call to retrieve a file that was mistakenly deleted or
corrupted? If you’re nodding your head, you’re sure to be delighted with Shadow Copy’s capability to restore previous copies of documents directly from the shadow copy maintained in the
file system.
Shadow Copy backup/restore enables you to create shadow-copy backups of entire volumes,
which makes exact copies of files, including all open files (that open-file magic again). Even
databases, which are almost always held open exclusively, are backed up. If you are also the
SQL Server administrator, you know how frustrating it is to need to close down database
connections so that maintenance on the database can be conducted and backups taken.
Any files under Shadow Copy management that are opened by an operator or the system are
automatically backed up during a volume shadow-copy backup. Thus, files that have changed
during the backup process are copied correctly. This, of course, does not obviate the need to
back up ‘‘real’’ files to tape or some other media, but it ensures that backing up the shadowed
files means that you have not lost data because of the open-files dilemma. If this isn’t reason
enough for you to rush out and buy Windows Server 2008, you’ve been suffering too many long
nights restoring data.
Shadow copy backups have terrific utility in that they ensure the following:
■ Applications can continue to write data to the volume during a backup.
■ Open files are no longer skipped during a backup.
■ Backups can be performed at any time, without locking out users.
Because we do not live in a perfect IT world, some applications and backup systems may not
believe that everything about Shadow Copy is cool. Check with the manufacturer of your software or hardware if you have some doubts that shadow copies on third-party products represent
a reliable record of your data. Of course, you should always experiment with them in the lab
before using them on your actual system.
To enable shadow copies, perform the following steps:
1. Open Computer Management (Local). In the console tree, right-click Shared Folders and choose All Tasks, then Configure Shadow Copies. You can also right-click the volume in Explorer
and select Properties and then the Shadow Copies tab. Whichever route you choose, the dialog box tab
shown in Figure 7-7 loads.
FIGURE 7-7
Selecting the volume for configuring shadow copies.
2. Select the volume in the list where you want to enable shadow copies and click the
Settings button. This will open the Settings dialog box shown in Figure 7-8.
FIGURE 7-8
Configure your setting for shadow copies.
You can now configure Shadow Copy properties to suit your needs.
The Storage Volume option is for specifying where to store the shadow copies of the selected
volume. The default is to use the same volume. Microsoft recommends that you use a separate
volume on another disk because this approach provides better performance for heavily used file
servers.
You can change the storage volume only if no shadow copies are present. If you need to change
the storage volume for a volume that already is enabled, you must delete all the shadow copies
on that volume before changing the storage volume.
Select the Details button to open a dialog box that lists the shadow copies currently stored. This
dialog also provides information about the total space and available storage space on the disk.
The Storage Limits option enables you to configure the size of the storage area set aside for shadow copies
on the volume that holds the source files being shadow copied. The default size is 10 percent of the size of the actual volume. If the shadow copies are stored on a separate volume from the source files, change this
default to reflect the amount of the storage volume you are willing to dedicate to shadow copies.
The storage limit must be at least 100 MB, which permits only a single shadow copy to be
retained. If you set a restrictive storage limit, test to ensure that the number of shadow copies
you scheduled can fit within those restraints. If shadow copies are deleted prematurely because
of storage limits, you may be defeating the purpose of enabling shadow copies of shared folders.
The Schedule button launches the Task Scheduler with the information that you need to create
a task schedule for taking shadow copies of shared folders on a regular basis. Before creating the
schedule, look at your current users’ work patterns and design a strategy that schedules shadow
copies at a time of day that works best for your users. The default schedule is Monday through
Friday at 7 A.M. and 12 P.M. Following are some rules to consider in enabling Shadow Copy:
■ Do not enable shadow copies on volumes that use mount points. Any drive mounted into
the volume that is enabled for Shadow Copy is not included as the copies are taken.
■ Shadow copies should not be used as a replacement for regular backups. Keep backing up
as you usually do, but spend less time restoring from backup tapes.
■ Don’t schedule Shadow Copy to copy too often. The default schedule is 7 A.M. and
12 noon, but we went nuts on this feature and shadowed every hour, running out of disk
space very quickly. If you decide that you need copies more often, make sure you allot
enough storage space and don’t take copies so often that server performance degrades.
■ Before deleting a shadowed volume, delete the scheduled task for creating shadow copies.
If the volume is deleted without deleting the Shadow Copy task, the scheduled task fails
and an Event ID: 7001 error is written to the event log. Delete the task before deleting
the volume to avoid filling the event log with these errors.
■ In considering Shadow Copy, think about file permissions: If you’re restoring a file, the file
permissions are not changed. Permissions remain the same as before the restore. If you’re
undeleting a file, permissions are set to the default permissions for the directory.
■ As storage area limits are reached, the oldest shadow copy is deleted and cannot be
retrieved.
■ Shadow copies are read-only. You cannot edit the contents of a shadow copy. You can
work with the copy only after it is restored.
■ Shadow copies are enabled on a per-volume basis. You cannot enable shadow copies on
specific shares.
Summary
This chapter deals more with backup practice and protocol than with actual software or technology
because, quite frankly, the backup software that comes with Windows Server 2008 is useful only
for the simplest volume backup jobs. For peace of mind and ease of use, choose a utility
from a third-party software vendor. Most third-party applications perform backups and restores
in the same way. The Microsoft tape and media APIs ensure that at the file backup level, the
data state resulting (integrity) from all backup technology is no better or worse from vendor to
vendor.
Some third-party vendors, however, do have software that better manages the backup process.
Backup is a useful utility, but in many respects you are likely to use it for quick and dirty
work or for recovery disks and ASR media. It is not a high-end utility for the application and
data services that Windows Server 2008 is cut out to provide.
This chapter also touched on the Shadow Copy facilities now built into the file system that
comes with Windows Server 2008.
Shapiro
c08.tex
V2 - 06/13/2008
2:43pm
Disaster Recovery
Dealing with a failed server is one of the most stressful parts of a
system administrator’s job. You face the pressures of reinstalling
the operating system, recovering valuable data from the backup
media, and then reinstalling all the key services needed for the correct
operation of the server. Planning for disaster recovery involves a lot more
than simply knowing how to operate your restoration software. In this
chapter, we show you how to correctly use Automated System Recovery
(ASR) to recover a base operating system, as well as best practices for
creating and documenting a disaster recovery plan.
Disaster Recovery Planning
Disaster recovery is one of the most important things that you can learn in
system administration. Administering a server doesn’t mean anything if you
can’t bring it back to life should something happen to it, such as a catastrophic disk failure or an Active Directory database corruption.
The fine art of disaster recovery not only includes restoring files from a
backup device, but also locating potential problems that could lead to
a crashed server, restoring services after a reinstallation of the operating
system, and a multitude of other duties.
Policy and protocol
The first step in disaster recovery is to define a policy and protocol. The
policy should define what happens in what order to get things restored
IN THIS CHAPTER
Creating documentation
Setting up a response plan
Recovery from backup
Recovery of key services
to their normal working condition. The protocol should specify the conditions that must be
met to perform certain actions. Under what circumstances, for example, should you reinstall
the operating system, and what determines whether you should merely attempt to repair the
server operating system? These are the issues that need to be resolved.
It doesn’t make sense to lay out a generic policy for disaster recovery, which varies from
company to company. You must take several things into account, such as whether your business
performs 24 × 7 operations. If so, your guidelines to disaster recovery will be much stricter than
a company that operates only eight hours a day. Define the response times for reacting to an
emergency as well as estimates for how long systems should take to be back up and running.
Documentation
Documentation is the cornerstone of any disaster recovery plan. Without documentation, everyone involved in the disaster recovery plan must depend on memory. Considering the number of
steps needed to bring a server back to life as well as to restore all data and ensure that all systems are functioning correctly, memory alone probably isn’t of much use.
In considering a disaster recovery plan, you can take a clue from common household items.
How many of you, for example, have a clock or appliance in your house that always flashes the
ubiquitous 12:00? Many people fail to read an appliance’s documentation — whether it’s for
setting a clock or recovering from a server crash — or don’t understand it. In writing a disaster
recovery plan, ensure that your documentation is read and that it makes sense.
In developing your plan, you need to anticipate budget overruns and time shortages. Typically,
when a disaster recovery plan is running behind, time is taken from the documentation process
to even things out. This obviously is a bad idea, but it is typically not a decision left up to
the project leader in charge of the documentation process. You need to learn how to deal
with a shortage of time and still develop usable documentation. Many technical writers and
administrators suggest using a layered document as a practical approach. The document outline
would contain five headings. Section 1 would be, for example, an overview of the disaster
recovery plan. The sections of the document can be prioritized, which determines what is
completed first. Sections containing nonessential information could be reserved until the end of
the project in case time needs to be cut. Plan on prioritizing document sections according to the
following guidelines (low to high priority):
■ Nonessential informational
■ Important information
■ Necessary information
■ Essential information
Using this approach, you are sure to complete all the essential items before time is taken from
the project.
Before developing a usable plan, you must know how the document will be used. In many organizations, the sales team values the plan because it shows potential clients that your company is
devoted to providing uninterrupted service. Managers may use the document to support budget
requests for additional staff. Keeping all this in mind, ensure that you don’t try to squeeze everything into the document. Its purpose is to function as the company’s recovery tool in case of
emergency — not as a marketing tool. The portions of the document that marketing and managers find useful are most likely the portions with a lower priority.
Equally important as being clear on the intent of the documentation is knowing who is likely
to read the document. All companies have their own terms that are specific to their organizations. Using technical terms and phrases that your company doesn’t typically use is pointless. If
you are a consultant in an unfamiliar company, try to learn the language and read through other
documentation that it may already have.
Another important aspect of the creation of the documentation is determining who has access
to it. Quite often, these documents contain very sensitive information, such as the administrative password, firewall and router information, or user-account information. These documents,
after they’re developed, are usually stored on a network drive so that many other employees can
proofread them, make corrections, and even add content. This location on a network drive must
be accessible to authorized users only. You also need to determine who can access the documentation outside the directory. This directory is probably being backed up, for example. Find out
who has access to the backup media and can extract the information. If the backups are performed across the network, consider that someone may be intercepting the packets. Extracting
sensitive information this way would prove fairly easy. You may also want to consider that, at
some point, this document may be shown to people who shouldn’t have access to the sensitive
information. Ensure that all the sensitive information is contained in a section that can be easily removed should the need arise — for example, in the appendix of the disaster recovery plan.
Should a salesperson need access to the document, you can then provide it to that person, with
the exception of the section containing the sensitive information.
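The folder restriction described above, as an added example that is not from the book: it locks the plan's folder down to named groups and reports any broad principal that still has access. The path and group names are placeholders; the share-level permissions on the network drive must be tightened separately, and note that members of Backup Operators can still read the files through the backup privilege, which is why the page's point about backup media access stands.

```powershell
# Added example (not from the book). Path and group names are placeholders.

function Set-DrPlanFolderAcl {
    param(
        [string]$Path,
        [string[]]$EditGroups,   # may proofread and change the plan
        [string[]]$ReadGroups    # may only read it
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent, so an 'Everyone' or 'Users' grant higher
    # up the tree (or on the share root) no longer reaches this folder.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit entry and rebuild the list from scratch.
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
    }
    # SYSTEM and local Administrators keep full control so backups and
    # maintenance keep working; everyone else is named explicitly.
    $grants = @(
        @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }
    )
    foreach ($g in $EditGroups) { $grants += @{ Identity = $g; Rights = 'Modify' } }
    foreach ($g in $ReadGroups) { $grants += @{ Identity = $g; Rights = 'ReadAndExecute' } }
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $g.Identity, $g.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DrPlanFolderAcl {
    # Returns the Allow entries granted to well-known broad principals (empty = clean).
    param([string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\NETWORK')
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Placeholder path and groups; run on the file server as an administrator.
Set-DrPlanFolderAcl -Path 'D:\DRPlan' -EditGroups 'CONTOSO\DR-Authors' -ReadGroups 'CONTOSO\DR-Readers'
$leaks = @(Test-DrPlanFolderAcl -Path 'D:\DRPlan')
if ($leaks.Count -gt 0) { $leaks | Format-Table -AutoSize } else { 'No broad principals have access.' }
```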
Most important, keep the document simple. You need to convey very complex information in an
easy-to-read manner. If you can do this, readers of all types should have no problem following
along.
Disaster recovery training and action planning
Before you begin the training process, setting objectives is a must. Without objectives, how can
you know whether you have accomplished what you set out to accomplish? Take these suggestions to heart before you begin training so that you can create a list of the objectives that you
want to accomplish.
In creating a disaster recovery plan, use several layers for tasks and subtasks. Each one must
have an objective, including procedures to follow to accomplish the objective. You can use
Microsoft Word to generate a list like this because it is quite capable of numbering each item
with the correct indentation for denoting levels. If you want a bit more control and the capability to set conditions on the items, sub-items, and even predecessors, consider using Microsoft
Project. Using this type of layout can serve as a road map for the plan you are undertaking.
These plans are typically called use cases. A use case is actually a page (or pages) defining a typical scenario. For every possible scenario, you should have a use case.
Identifying Resources
As you are planning for disaster recovery, you need to identify several resources to make your
job easier. If you have multiple people who manage servers, initiate an On-Call schedule — a
schedule of who comes in and performs the necessary steps should a server go down. If
you have fewer than a dozen servers, having just one person respond may work. The more
servers you have, however, the more people you need to involve. Not only should you take
administrators into account, but to effectively get things back up and running, you may also
need a member of your network administration team on hand, as well as those of any other
team that your servers may affect.
After you have created this On-Call schedule, keep a list of hardware vendors that you can call
at a moment’s notice should you need additional hardware. Server administrators aren’t always
the best at actually installing hardware, so you may require a consultant or a vendor’s support
representative to get the necessary hardware installed and configured before you can restore the
server to its normal operating condition.
Although planning for disaster recovery in a company that has one location is pretty tedious,
imagine the additional steps necessary should a remote server go down. Not only do you need
to ensure that someone local to the machine can respond, you also must ensure that this person
has intimate knowledge of the other servers on the WAN so that everything is correctly set up.
A handy tool in this case is a Keyboard, Video, Mouse (KVM) switch that accepts TCP/IP connections. A KVM switch enables you to remotely connect to a server, reboot it, and configure it
and anything else — all from the comfort of your sofa.
Keeping a diagram of your servers handy may help you identify resources. This diagram should
look something like a tree diagram, showing each server and what services and applications each
server hosts. If a server goes down, you can see at a glance which systems it affected. By using
this information, you can make a well-informed decision about who needs to be contacted for
additional support or who should be informed that systems are currently down.
Developing Response Plans
Developing a response plan isn’t something you can do overnight. You need complete knowledge of the servers as well as all the applications they are hosting. To get this kind of information, you more than likely need to interview several dozen people in your organization. After
obtaining a list of all the equipment and people you need to involve in the response plan, make
a rough outline of the plan. Although you could easily spend a month writing it, you can never
make your plan completely foolproof. Some portions are sure to be lacking. Unfortunately, you
generally must use a bit of trial and error to get the plan to work correctly.
Several software packages enable you to inventory your systems, which is a first step
in developing a response plan. These software packages provide an outline that you
can use to begin your planning.
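As an added example (not from the book, and not one of the inventory packages it mentions), the following script gathers what each server hosts and prints it as the indented server-and-services tree described under ‘‘Identifying Resources,’’ with a CSV copy for the plan. Server names are placeholders, and the account running it needs WMI access to each server.

```powershell
# Added example (not from the book). Server names below are placeholders.

function Get-ServerInventory {
    param([string]$ComputerName)
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    # DriveType 3 = local fixed disk.
    $disks = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $ComputerName -Filter 'DriveType = 3'
    # Type 0 = ordinary disk share; administrative shares (C$, ADMIN$) have the high bit set.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName -Filter 'Type = 0'
    # Auto-start services are what a rebuilt server must bring back on its own.
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "StartMode = 'Auto'"
    New-Object PSObject -Property @{
        Server   = $ComputerName
        OS       = $os.Caption
        Disks    = @($disks    | ForEach-Object { '{0} {1:N0} GB free of {2:N0} GB' -f $_.DeviceID, ($_.FreeSpace / 1GB), ($_.Size / 1GB) })
        Shares   = @($shares   | ForEach-Object { '{0} -> {1}' -f $_.Name, $_.Path })
        Services = @($services | ForEach-Object { '{0} ({1}, runs as {2})' -f $_.Name, $_.State, $_.StartName })
    }
}

function Write-ServerTree {
    param([string[]]$Servers, [string]$CsvPath)
    $rows = @()
    foreach ($s in $Servers) {
        try   { $inv = Get-ServerInventory -ComputerName $s }
        catch { Write-Warning "${s}: not reachable ($($_.Exception.Message))"; continue }
        # One branch per server; paste into the plan or redraw as a diagram.
        "$($inv.Server)  [$($inv.OS)]"
        foreach ($d  in $inv.Disks)    { "    Disk     $d" }
        foreach ($sh in $inv.Shares)   { "    Share    $sh" }
        foreach ($sv in $inv.Services) { "    Service  $sv" }
        foreach ($kind in 'Disks', 'Shares', 'Services') {
            foreach ($item in $inv.$kind) {
                $rows += New-Object PSObject -Property @{ Server = $inv.Server; Kind = $kind; Detail = $item }
            }
        }
    }
    if ($CsvPath) { $rows | Export-Csv -Path $CsvPath -NoTypeInformation }
}

# Placeholder server names; the CSV is the machine-readable copy for the plan.
Write-ServerTree -Servers 'SRV-DC01', 'SRV-FILE01', 'SRV-DNS01' -CsvPath 'D:\DRPlan\inventory.csv'
```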
In developing your response plan, be generous with your allotment of response times. Assuming the worst and giving yourself ample time is better than taking 300 percent longer than the
plan assumes to get all systems back up and running. After you have a response plan in place,
the best way to determine whether it suits your needs is to test it.
Testing Response Plans
Disaster recovery planning is a bit like building a bridge with toothpicks. Just when you think
you have the support beams in place, they float away. Disaster recovery planning can be an
enormous task — and proportionally so with a larger network.
You have probably heard the adage ‘‘If you fail to plan, you plan to fail.’’ This clearly applies to
the disaster recovery process. You can develop a very robust plan, but if you never test it, how
can you know how well it works? No matter what technique you choose to test a response plan,
keep the following points in mind:
■ Failures don’t exist. No matter what you do during a test, any results that you receive
are worth something. The only failure is not testing at all. All tests yield results, and these
results help administrators gain a better knowledge of their system and the systems with
which it interfaces.
■ Set objectives. Because most administrators have very limited time, a thorough plan
with objectives can drastically reduce the time necessary to test a system. This plan and its
objectives can usually be performed in steps. Completing all the steps at once isn’t necessary; you can complete a few steps one day and maybe a few more the next week. You can
also quite possibly test the steps out of order, which might suit the schedule of the administrators. In testing a system, make sure that the objectives are well defined. Set time limits
on the tests and compare those times to the actual results. This procedure ensures that
the modifications you make to the test plan in the future accurately reflect the time that
recovery takes for your particular system in its current environment.
■ Action items. Every test should be timed and well documented, and all the steps and the
final outcome should be well documented. This enables you to review all the steps and
provide training material to other employees who may become responsible for portions
of the system. Documenting a system, testing it, and then keeping all the results in your
head doesn’t do anyone any good. (If you should happen to, say, step in front of a bus, all
progress is lost if you failed to document the test results.)
■ Frequency. Test often! Creating a plan and testing it once is only good until certain
aspects of your system change enough to make your plan obsolete. Not only should you
schedule regular tests on your system, you should also ensure that you test it whenever
anything major changes. If new routers or servers are added or the network topology
changes, you should automatically begin a new test of your plan. If enough changes in
your system and its surroundings, the plan is quite likely to need updating.
■ Consultants. Some consultants specialize in testing systems. It may be helpful to pick
their brains and gain some insight into the world of testing. Many software packages out
there can also assist you in your testing. To be of any use, however, these software packages must be extremely configurable; some may even contain a scripting language. Look
into these products and try to locate a consultant who specializes in them.
Response plans and their testing are a very large subject that can consume not only a single book
but literally volumes. For many of the sophisticated technologies out there today, you can pick
up a book that can help you narrow your testing and get very specific with it.
Mock Disaster Programs
The best way to ensure that your disaster recovery procedures are adequate is to put them to the
test. Completely document several types of ‘‘disasters’’ and then play them out according to your
disaster recovery plan. Some of these events, especially a particularly catastrophic one, take a bit
more time because they may involve going to a remote location, installing servers, and performing restores of data to get things going. Not only are test procedures for recovering servers and
data necessary, but you also need to take into consideration communication lines and so on. To
simulate simpler problems such as hard-drive failures, you can simply have a co-worker remove
a SCSI cable from your drive array. Table 8-1 shows what you could expect from a number of
disaster situations.
Understanding fault tolerance
The idea of fault tolerance in a computer system revolves around the concept that the computer
(or server, in this case) should have the capability to deal with a hardware or software failure.
Probably the easiest failure to deal with is a power loss. To counter this type of failure, you can
simply use an uninterruptible power supply (UPS), but would using a UPS actually constitute
fault tolerance? A UPS doesn’t have the capability to run forever, so you are actually merely
postponing the inevitable. A better solution is to have two or more power supplies in the server
that are both connected to uninterruptible power supplies. During a power outage, one UPS
can supply power to the server, while the other one is charged offsite. Dual power supplies,
however, bring up a topic all their own.
Having dual components is a must for any server that has to be extremely fault tolerant. To
have a true fault-tolerant system, therefore, you need two network interface cards, two power
supplies, multiprocessors, and two drives. All these items seem to be good ideas, but what
good would two hard drives do? Assuming that all the data from Drive 1 is copied to Drive 2,
a failure would result in you needing to power down the machine and move Drive 2 into the
Drive 1 position. That’s why the use of a Redundant Array of Independent Disks (RAID) and
hot-swappable drives is important.
TABLE 8-1
Expectations During a Sudden Disaster
Disaster: Operating-system drive failure
Expectation: Typically a simple recovery, given a recent backup of the partition. Restore the OS from backup with ASR and force replication.
Disaster: Data-drive failure
Expectation: Loss of the operating system can be dealt with, but a company works hard to build a large repository of data. This data could include orders, accounting records, client lists, and so on. With recent backups, you should still expect to lose some data.
Disaster: Unknown hardware failure
Expectation: An unknown hardware failure takes a fair amount of time to correct. Before you can check the validity of data or the OS, you must find the faulty hardware and fix it. This process can be very time-consuming and may require consultants or vendors to be onsite.
Disaster: Fire
Expectation: Ouch! A fire means that your server may have suffered smoke, heat, fire, or even water damage. Expect long hours of setting up new equipment before you retrieve offsite backups to restore your servers.
Disaster: Catastrophic event (tornado, hurricane, and so on)
Expectation: Such an event would probably require an offsite restore to get your system back up and available so that the company can continue with its day-to-day operations.
Disaster: Security breach
Expectation: Your first concern here is securing data. Hackers can destroy your OS if they want, but corrupting precious data could mean the death of your company. Secure the data and systematically shut down the systems to ensure your data’s integrity.
You have several levels of RAID that you can use, but the most common is RAID Level 5. RAID
5 requires at least three drives and provides data striping and error-correction information. The
drawback to RAID 5 is that it requires extremely complex hardware to function. A mid-level
RAID 5 controller is now standard on all server motherboards, so cost is no longer a factor.
Hot-swappable drives enable you to remove a failed drive from the server while the system is
still running and replace it with a new drive without losing any data.
If you don’t have a ton of cash to throw around — or maybe you just need a RAID setup for
an individual user and not particularly for a server — you can purchase a motherboard with a
built-in RAID.
Many boards contain the UDMA/ATA133 RAID controller functionality, and with most of these,
you can expect the following:
■ RAID 0, 1, 0+1, and Span
■ Hot-swapping a failed hard disk in a mirror array
■ Independent use of hard disks
■ Hot spare-disk support
■ Disk-error alarm
Although an IDE RAID configuration isn’t as fast as a SCSI solution, it is very effective and can
save you quite a bit of money.
Identifying the Weak Links
Most of you already know that your system is only as strong as its weakest link. Failing to identify the weakest link in your system almost always leads to a catastrophe. Keeping the weakest
links in mind is also very helpful should you experience problems; knowing the weakest links
helps you identify where to start in the troubleshooting process.
In examining your system for possible points of failure, you should start with the most obvious:
■ Hard-disk drives
■ Power supply
■ Network connection
■ HDD controller card
■ Processor
Ensuring that the preceding components don’t fail is a fairly straightforward process — you double up on everything. Suppose you have a dual-processor system, with a RAID-5 hot-swappable
hard-disk system running with dual power supplies and dual network cards. All this is neatly
bundled and connected to a UPS or possibly a generator system. It almost sounds foolproof,
right? What do you do if your RAMBus RAM dies? What if the video card fails? A memory
problem is easily fixed by ensuring that your system contains more than one stick of memory.
You can even go so far as to use a board that supports hot-swappable memory modules. Having
more than one stick of memory ensures that if one dies, the system doesn’t crash to its knees.
It’s likely to suffer some errors, but at least you should have the opportunity to shut down the
system and fix the problem without losing data.
Normally, you would have a serious problem if your video card died. How could you safely
shut down the system to fix the problem? Fortunately for you, Windows Server 2008 supports a
headless configuration. You can install the OS, configure all your applications, and then remove
the video card, keyboard, and mouse, and the machine still operates. You can do all the
configuration by using a remote desktop or even via Web administration.
After you have considered all possible points of failure in your system and have taken the
appropriate steps to fix weak links, take a step back and look again. Your system may be
the very definition of redundancy, but what if a router goes out that connects your system to the
WAN? This isn’t a point of failure in the server, but it affects the system’s operation. In planning
your server configuration, keep the network configuration in mind. The more that you look at
and consider, the better off you are when problems arise.
Recovery from Backup
Should the worst happen and a server goes down, one of the most important things that you
must do is restore your system from a backup. Not only is this a time-consuming process, but
you’re probably under stress to get it done as quickly as possible. Without a computer system,
most corporations are generally helpless. In this state, orders generally cannot be placed from
vendors, nor can they be provided to customers. Time is money.
The restore process generally happens in two phases: restoration of the base operating system
and restoration of configuration files such as Active Directory information.
Recovery of base operating systems
Restoration of the base operating system should be the second step that you take in the event
that your server crashes. The first task, obviously, is the repair of the component that brought
the system down in the first place — assuming, of course, that the reason for the crash was
hardware related.
Restoring the operating system is just a four-step process:
1. Boot to the Windows Server 2008 CD and wait for the installation wizard.
2. Click ‘‘Repair your computer.’’
3. At the System Recovery Options page select ‘‘Windows Complete PC Restore.’’ This will
get you to the restore wizard.
4. Now if you have made a server backup, as described in the previous chapter, using Windows Server Backup or another application, choose a suitable backup (the latest available
or another one of your choice). This page on the wizard provides several options you can
choose for the recovery procedure.
These steps assume that you have created a backup set by using the Microsoft-provided
Windows Server Backup application.
Intentionally downing a server just to practice the art of restoration with ASR is
time-consuming and may not be justifiable for your network. A smart approach,
should you want the practice, is to use VMware to install Windows Server 2008. You can then
set up the OS, perform a backup, delete the OS from the drive, and perform an ASR for training
purposes.
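The restore steps above assume a usable backup set exists. As an added check that is not from the book, the following script parses the output of wbadmin get versions on the live server and reports whether a backup that supports complete server (bare metal) recovery exists and is recent enough. The line formats (‘‘Version identifier: MM/dd/yyyy-HH:mm’’, ‘‘Can recover: ...’’) and the 7-day threshold are assumptions of this script; the sample output at the bottom is constructed, not captured from a real server.

```powershell
# Added example (not from the book). Assumes the Windows Server 2008 output
# format of "wbadmin get versions"; the sample block below is constructed.

function Get-WbVersions {
    param([string[]]$OutputLines)   # captured wbadmin output; empty = run it here
    if (-not $OutputLines) { $OutputLines = wbadmin get versions }
    $versions = @()
    $current  = $null
    foreach ($line in $OutputLines) {
        if ($line -match '^\s*Version identifier:\s*(\S+)') {
            $current = New-Object PSObject -Property @{
                Id         = $Matches[1]
                Time       = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy-HH:mm',
                                 [System.Globalization.CultureInfo]::InvariantCulture)
                CanRecover = ''
            }
            $versions += $current
        } elseif ($current -and $line -match '^\s*Can recover:\s*(.+)$') {
            # Capability line belongs to the version most recently seen.
            $current.CanRecover = $Matches[1].Trim()
        }
    }
    $versions
}

function Test-BareMetalBackupAge {
    param([string[]]$OutputLines, [int]$MaxAgeDays = 7)
    # Only versions that list "Bare Metal Recovery" can drive Complete PC Restore.
    $bmr = @(Get-WbVersions -OutputLines $OutputLines |
             Where-Object { $_.CanRecover -match 'Bare Metal Recovery' } |
             Sort-Object Time -Descending)
    if ($bmr.Count -eq 0) { return 'FAIL: no backup version supports bare metal recovery' }
    $age = (Get-Date) - $bmr[0].Time
    if ($age.TotalDays -gt $MaxAgeDays) {
        return ('WARN: newest bare metal backup {0} is {1:N1} days old' -f $bmr[0].Id, $age.TotalDays)
    }
    'OK: bare metal backup {0} is {1:N1} days old' -f $bmr[0].Id, $age.TotalDays
}

# Constructed sample output for a dry run. Note that the newest version cannot do
# a bare metal recovery, so the check must fall back to the older one.
$sample = @(
    'wbadmin 1.0 - Backup command-line tool',
    '',
    'Backup time: 3/10/2008 10:00 PM',
    'Backup target: Fixed Disk labeled E:',
    'Version identifier: 03/10/2008-22:00',
    'Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery',
    '',
    'Backup time: 3/14/2008 10:00 PM',
    'Backup target: Fixed Disk labeled E:',
    'Version identifier: 03/14/2008-22:00',
    'Can recover: Volume(s), File(s)'
)
Test-BareMetalBackupAge -OutputLines $sample   # dry run against the sample
Test-BareMetalBackupAge -MaxAgeDays 7          # live run on this server
```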
Recovery of configuration
Configuration information for the server — such as screen resolution, folder views, share information, and so on — is all restored during an ASR. You’re highly likely, however, to find that
your Active Directory information is outdated. Backing up Active Directory information doesn’t
make a lot of sense if several servers reside on your network. If additional servers are in place,
all the information is updated after replication takes place. If you have only one server, first and
foremost, shame on you! Second, you can rest assured that all Active Directory information is
backed up during a full backup using the Microsoft Backup application.
Mirrored Services, Data, and Hardware
Mirroring data — that is, copying it to another drive in the same form — can be accomplished by using RAID, as described in the section ‘‘Understanding Fault Tolerance’’ earlier
in this chapter. To have a truly redundant system, you must mirror everything within your
system — dual network cards, multiple processors, redundant power supplies, and so on.
Without this type of hardware, your system is very prone to failure and down time.
Recovery of Key Services
Recovering key services can prove somewhat of a nightmare depending on the topology of
your network. The following sections discuss some of the services that you may need to
recover and what you should expect during the recovery process. Every possible scenario cannot
be explained here, of course, because what you may face depends on how your network is set
up. If we assume that you are running all services on one server, restoring a full backup to
your server would fix everything. We doubt that this is the case, however, and expect that your
services are spread across many machines.
Active Directory
A full backup of a server includes all Active Directory information. Whew! If your full backups
are few and far between, make sure that you capture the system-state on the incremental
backups. The system-state backup includes the Active Directory information. Without this
information, you have a long road ahead in restoring the server to operating order.
If you happen to have more than one server in your forest, a full backup or system-state isn’t
necessary. After you have reinstalled the server OS and the system is somewhat operational, just
add the server to the domain tree again and then kick back and wait for replication. If you can’t
wait around for this to happen, use the tools provided to forcefully start the replication process.
You can find more information on manually starting the replication process in
Chapter 22.
Because the amount of data in Active Directory can be very large, a full replication may seriously
inhibit your network bandwidth. To make a good decision regarding what route to take, weigh
the amount of time required to restore a backup of this data against that of a full replication of
your server.
DNS
By default, all DNS files are stored in C:\windows\system32\dns. Incremental backups
should catch any changes made to these files. If you have enabled dynamic updates to DNS, you
quite often see these files change. After you have restored the operating system on your server,
ensure that the DNS server is indeed installed. If it wasn’t installed during your last backup, you
can perform a reinstall by using the Configure Your Server Wizard. Accept all defaults on this
wizard, which are of little consequence anyway because you overwrite the configuration files
with backups.
After you have verified that the DNS server is installed and running, you need only restore all
*.dns files from your backup media. After you have restored these files, shut down the DNS
server and restart it to see the configuration changes.
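The zone-file restore just described, as an added example that is not from the book. It stops the DNS Server service before copying so the service cannot write its in-memory copies back over the restored files when it shuts down, keeps the current files so the restore can be backed out, and then lists the zones the server loaded. The backup folder path is a placeholder; only file-backed zones have .dns files, so Active Directory-integrated zones on a domain controller come back through replication instead.

```powershell
# Added example (not from the book). $BackupDir is a placeholder for wherever
# the *.dns files were restored from backup media.

function Restore-DnsZoneFiles {
    param(
        [string]$BackupDir,
        [string]$DnsDir = "$env:SystemRoot\System32\dns"
    )
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if (-not $svc) { throw 'DNS Server role is not installed; add it before restoring zone files.' }
    $files = @(Get-ChildItem -Path $BackupDir -Filter '*.dns')
    if ($files.Count -eq 0) { throw "No *.dns files found in $BackupDir" }

    # Stop first: the DNS Server writes file-backed zones to disk on shutdown,
    # which would overwrite files copied in while it was still running.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name DNS
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    # Keep the current files so a bad restore can be backed out.
    $keep = Join-Path $env:TEMP ('dns-pre-restore-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $keep | Out-Null
    Get-ChildItem -Path $DnsDir -Filter '*.dns' | Copy-Item -Destination $keep
    $files | Copy-Item -Destination $DnsDir -Force

    Start-Service -Name DNS
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    "Restored $($files.Count) zone file(s); previous copies kept in $keep"
    # Show what the server actually loaded from the restored files.
    dnscmd /enumzones
}

Restore-DnsZoneFiles -BackupDir 'E:\Restore\dns'   # placeholder path
```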
Registry
The registry is probably one of the easiest things to restore after you have recovered from a
server failure. A full backup of a server always includes registry information. Because incremental
backups look at all changed files, the registry is backed up then, too. If your registry does not
appear to have changed since the last backup, something is definitely wrong — the registry is
constantly changing, regardless of anything actually happening on the server.
Crash Analysis
After a crash has occurred, the single most important thing you can do after you have restored
the server and fixed all problems is to analyze the crash. If you don’t fully understand what
brought the system down in the first place, you cannot effectively prevent another crash from
happening in the future.
Never take anything for granted in performing a crash analysis. Just because your RAID-5 array
died doesn’t actually mean that it was the root of the problem — it could be a defective cable or
perhaps even the controller card. Put your CSI hat on for a few days and examine every inch of
the system until you are 100 percent sure that you can explain the cause. After you have come
up with a valid explanation, try to back it up. Assuming, for example, that a cable was to blame,
use the same cable in a new machine and try to get the system to crash. If it does crash, try to
determine whether everything happened in the same order that it did on the other machine. If
so, you have your culprit.
Summary
A disaster recovery plan is like a smoke alarm in your house — you know that you need it,
but you don’t really appreciate it until disaster strikes. With the correct documentation and
backups, as described in this chapter, you can quickly restore servers to operating condition
and keep your business running — even after a major server failure. Not only is creating a
disaster recovery plan very important, but practicing it and keeping the documentation up to
date as the need arises is also vital to the health of your system.
Shapiro
c09.tex
V2 - 06/12/2008
4:22pm
The Registry
The registry is the core repository of configuration information
in Windows Server 2008, used for storing information about
the operating system, applications, and user environment on
standalone workstations and member servers (nondomain controllers).
IN THIS CHAPTER
The purpose of the registry
The registry structure
The Purpose of the Registry
Early versions of the Windows operating system family (such as Windows
3.x) stored most of their configuration information in initialization, or .ini
files. These files were text files containing various sections that stored
settings for a variety of properties such as device drivers, application and
document associations, user environment settings, and so on. Windows
applications also used .ini files to store their configuration settings.
Even today in Windows Server 2008 and applications, .ini files are still
sometimes used for storing user, application, and operating system settings.
A quick search of your hard drive for .ini files will illustrate that fact.
I might add that XML-based configuration files have gone a long way to
returning us to the days of text-based configuration files.
Although they provide a simple means of storing and retrieving settings,
.ini files offer some disadvantages, particularly for storing important OS
settings such as device drivers, configuration data, user environment settings, and so on. First, Windows Server 2008 needs a fault-tolerant system
for maintaining its settings to avoid the problem of an unbootable system
caused by a corrupt or missing .ini file. This information also needs to
be secure, something .ini files can’t really provide. Finally, managing all
the settings needed to keep a Windows Server 2008 system up and running, plus applications
and user-related settings, would be overwhelming if .ini files were the only solution. The registry comes to the rescue.
In Windows Server 2008, the registry stores configuration information about the system’s
hardware and software, both operating system- and application-related. The registry also stores
information about users, including security settings and rights, working environment (desktop
properties, folders, and so on), and much more. However, unlike Windows NT, it no longer
stores domain user and computer accounts or information related to network objects. This job
now belongs to the Active Directory, as explained in Chapter 22 and the chapters in Part III.
When you promote a member server to a domain controller, all registry settings that
also apply to a domain controller server (such as the desktop settings) are absorbed
into Active Directory, but when you demote the server, the original registry settings are not
restored, and you are returned to a clean registry. (The Demotion Wizard even asks you for a new
Administrator password because the original account is lost.) Keep this in mind when you demote
a domain controller, because Active Directory can easily outgrow the host machine on which it
was originally installed.
The following list explains some of the ways certain components make use of the registry:
■ Setup. When you install Windows Server 2008, Setup builds the registry based on your
selections (or automated selections) during installation. Setup also modifies the registry
when you add or remove hardware from the system.
■ Application setup. The Setup program for an application typically will modify the
registry to store the application’s settings at installation. It also will typically read the
registry to determine which components, if any, are already installed.
■ Applications. Most applications that store their settings in the registry modify those
settings during program startup, shutdown, or general operation to store changes made
to application settings by the application or the user.
■ Device Manager. The Device Manager console program detects hardware and attached
peripherals, and it stores information in the registry about those items for use in subsequent boot steps to initialize device drivers for identified devices.
■ The kernel. The Windows Server 2008 kernel reads the registry at startup to determine
which device drivers to load and in which order, along with other driver initialization
parameters.
■ Device drivers. Most device drivers store their configuration and operating settings in the
registry, reading the registry at initialization to determine how to load and function.
■ System. The Windows Server 2008 operating system as a whole uses the registry to store
information about services, installed applications, document and Object Linking and
Embedding (OLE) associations, networking, user settings, and other properties.
■ Administrative tools. One of the main functions of utilities such as the Control Panel,
the various Microsoft Management Consoles (MMCs), and standalone administration
utilities is typically to modify the registry. In this context, these utilities provide a user
interface for registry modification.
■ The Registry Editor. Windows Server 2008 provides one tool, regedit.exe, that
enables you to view and modify the registry directly. Though you’ll want to perform most
modification tasks using other utilities, the Registry Editor makes possible tasks such as
direct modification, selected registry backup, and more.
The registry is in many ways the ‘‘brain’’ of the Windows Server 2008 OS. Nearly everything the
OS does is affected by or affects the registry. For that reason, it is important not only to understand the registry’s function and how to modify it, but also how to protect it from catastrophe
or unauthorized access. The following sections explain the structure of the registry and how to
manage it.
The Registry Structure
The registry forms a hierarchical (tree) database with five primary branches called subtrees.
A subtree can contain keys, which function as containers within the subtree for subkeys and
values. Subkeys are sub-branches within a key. Values are the individual settings within a key
or subkey. Perhaps the best way to understand the registry structure is to view it through the
Registry Editor, as shown in Figure 9-1. (You’ll find detailed information about the Registry
Editor later in this chapter in the section ‘‘The Registry Editor.’’)
FIGURE 9-1
The Registry Editor shows the structure of the registry: a hierarchical tree, with each subtree serving
as a primary branch.
There are two physical subtrees in the Windows Server 2008 registry: HKEY_LOCAL_MACHINE
and HKEY_USERS, the former containing system- and hardware-related settings and the latter
containing user-related settings. These two physical subtrees are divided into the five logical subtrees you see in the Registry Editor. Organizing the registry into five logical subtrees makes it
easier to navigate and understand the logical structure of the registry. The five logical subtrees
are as follows:
■ HKEY_LOCAL_MACHINE. This subtree, often abbreviated as HKLM, stores settings that
apply to the local machine, defining hardware and operating system settings that are the
same regardless of which user is logged on. The settings in HKLM, for example, define
device drivers, memory, installed hardware, and startup properties.
■ HKEY_CLASSES_ROOT. Abbreviated HKCR, this subtree contains file association data, such as associating a document file type with its parent application
and defining the actions taken on a given document type for various tasks (open,
play, edit, and so on). This subtree is built from HKLM\SOFTWARE\Classes and
HKEY_CURRENT_USER\SOFTWARE\Classes, with the value in HKCU taking precedence. HKCR provides user- and computer-specific class registration, providing
different class registrations for each user. This per-user class registration is different
from previous versions of Windows that provided the same registration data for
all users.
■ HKEY_CURRENT_USER. This subtree (HKCU) stores the user profile for the user
currently logged on to the system locally. Settings include desktop configuration and
folders, network and printer connections, environment variables, Start menu and
applications, and other settings that define the user operating environment and UI. This
subtree is actually an alias of HKEY_USERS\SID, where SID is the security ID of the
current user.
■ HKEY_USERS. This subtree (HKU) stores user profile data for users who log on to the
computer locally, as well as the default user profile for the local computer.
■ HKEY_CURRENT_CONFIG. This subtree (HKCC) stores hardware configuration
data about the local computer identified at startup, and includes settings relating to device assignments, device drivers, and so on. This subtree is an alias of
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
Each of the subtrees listed previously represents a hive. Microsoft defines a hive as a body
of keys, subkeys, and values rooted at the top of the registry hierarchy. An individual hive
comprises two files:
■ A registry file, in most cases stored in systemroot\System32\Config. This file
contains the registry structure and settings for the given hive.
■ A log file, stored in systemroot\System32\Config. This file serves as a transaction
log for modifications to the hive registry file.
Table 9-1 lists the registry hives and their corresponding filenames.
TABLE 9-1
Registry Hive Files

Hive                          Files
HKEY_LOCAL_MACHINE\SAM        Sam and Sam.log
HKEY_LOCAL_MACHINE\SECURITY   Security and Security.log
HKEY_LOCAL_MACHINE\SOFTWARE   Software and Software.log
HKEY_LOCAL_MACHINE\SYSTEM     System and System.alt
HKEY_CURRENT_CONFIG           System and System.log
HKEY_CURRENT_USER             Ntuser.dat and Ntuser.dat.log
HKEY_USERS\DEFAULT            Default and Default.log
Windows Server 2008 uses a process known as flushing to ensure a reliable, working copy
of the registry at all times, guarding against attempted registry changes not being completed.
Attempted changes to the registry, after a given number of seconds has passed or the modifying
application explicitly requests it, are flushed or saved to disk. The following steps explain how
flushing occurs for all but the SYSTEM hive (HKLM\SYSTEM):
1. Modified data is written to the hive log file so that the data can be reconstructed if the
system halts or fails before the data is written to the registry file.
2. The log file is flushed upon completion of a successful update to the log file.
3. Windows Server 2008 marks the first sector of the registry file to indicate that it is in the
process of being modified (dirty).
4. The changes are written to the registry file.
5. Upon successful completion of the write operation, the first sector is modified to indicate
successful completion (clean).
When Windows Server 2008 reads the hive files to construct the registry, it checks the status of
each file. If the system failed during a previous registry update operation, the registry file will
still be marked as dirty. In that situation, Windows Server 2008 attempts to recover the registry
file using the log file. The changes identified in the log file are applied to the registry file, and if
successful, the file is marked as clean.
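The five flushing steps and the boot-time dirty check above can be modelled to see why the ordering matters. The following is an added example, not code from the book: an in-memory stand-in for one hive's registry file (with its first-sector flag) and log file, with a simulated halt that can be injected after any step; what happens to log records when the file is still marked clean is an assumption of the model, since the chapter does not say.

```python
"""Model of the hive flush and boot-time recovery sequence described above.
Added example, not from the book: an in-memory stand-in for one hive's
registry file (with its first-sector clean/dirty flag) and its log file,
with a simulated halt injectable after any step so recovery can be checked."""
from dataclasses import dataclass, field

CLEAN, DIRTY = "clean", "dirty"


class SystemHalt(Exception):
    """Simulated system failure in the middle of a flush."""


@dataclass
class Hive:
    # The registry file: first-sector status flag plus the stored values.
    status: str = CLEAN
    data: dict = field(default_factory=dict)
    # The log file: records written ahead of the registry file.
    log: list = field(default_factory=list)


def flush(hive, changes, halt_after=None):
    """Write `changes` (name -> value) using the five steps.

    halt_after=n simulates a failure immediately after step n; 4.5 means a
    failure partway through step 4, with only the first change on disk."""
    # Step 1: modified data goes to the log file first.
    hive.log.extend(changes.items())
    if halt_after == 1:
        raise SystemHalt
    # Step 2: the log file is flushed to disk (a no-op in this model).
    if halt_after == 2:
        raise SystemHalt
    # Step 3: mark the registry file's first sector dirty.
    hive.status = DIRTY
    if halt_after == 3:
        raise SystemHalt
    # Step 4: write the changes into the registry file.
    for i, (name, value) in enumerate(changes.items()):
        if halt_after == 4.5 and i == 1:
            raise SystemHalt
        hive.data[name] = value
    if halt_after == 4:
        raise SystemHalt
    # Step 5: mark the first sector clean; the log records are no longer needed.
    hive.status = CLEAN
    hive.log.clear()


def load_hive(hive):
    """Boot-time check: replay the log if the file is still marked dirty.

    Returns True when a recovery was performed. A file marked clean is
    trusted as-is (model assumption: a halt before step 3 left the file
    untouched, so pending log records are discarded and that update is lost)."""
    recovered = hive.status == DIRTY
    if recovered:
        for name, value in hive.log:
            hive.data[name] = value
        hive.status = CLEAN
    hive.log.clear()
    return recovered


def crash_test(halt_after):
    """Flush two values, halt at the given point, then boot; return the hive."""
    hive = Hive(data={"Start": 2})
    try:
        flush(hive, {"Start": 3, "Type": 1}, halt_after=halt_after)
    except SystemHalt:
        pass
    load_hive(hive)
    return hive


if __name__ == "__main__":
    for point in (1, 3, 4.5, None):
        h = crash_test(point)
        print(f"halt after step {point}: status={h.status} data={h.data}")
```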
Having a backup of the registry is critical to being able to recover a failed system. Although
Windows Server 2008 provides fault-tolerant management of the registry hive files, you should
employ some additional procedures to ensure a valid, working copy of the registry. You’ll find
coverage of backup procedures in Chapter 7, and disaster recovery in Chapter 8.
Registry hive files
As mentioned earlier, the registry is divided into five logical hives. This section looks at each
hive in a bit more detail.
HKEY_LOCAL_MACHINE
As explained earlier, the HKLM root key contains hardware and operating system settings for the
local computer. HKLM contains the following subkeys:
■ HARDWARE. This key stores the physical hardware configuration for the computer. Windows Server 2008 re-creates this key each time the system boots successfully, ensuring
up-to-date hardware detection/configuration.
■ SAM. The Security Account Manager (SAM) key contains security data for users and groups
for the local machine.
■ SECURITY. This key contains data that defines the local security policy.
■ SOFTWARE. This key stores data about installed software.
■ SYSTEM. This key stores data about startup parameters, device drivers, services, and other
system-wide properties.
When corresponding settings are found in the HKCU key, those settings override settings in
HKLM for the current user for certain data. If no corresponding settings exist, those in HKLM
are used. For certain items such as device drivers, the data in HKLM is always used, regardless
of whether the data also resides in HKCU.
HKEY_USERS
The HKU key stores user profile data for users who log on to the computer locally, as well
as the default user profile for the local computer. It contains a subkey for each user whose
profile is stored on the computer, in addition to a key for the default user (.DEFAULT). It’s
virtually impossible to identify a given user from the SID, but you wouldn’t want to try to
modify settings in this key anyway except through the administrative tools that modify the
registry. If you do need to modify settings directly, use the HKCU key instead.
HKEY_CURRENT_USER
As explained earlier in this chapter, the HKCU key is an alias for the HKU\SID key, where SID
is the SID for the current local user. In other words, HKCU points to the registry key in HKU
where the currently logged-on user’s registry data is stored. It contains, among a few others, the
following subkeys:
■ AppEvents. This key contains data about application and event associations such as
sounds associated with specific events. Select the Sounds and Multimedia icon in the
Control Panel to modify settings in this key.
■ Console. This key contains data that defines the appearance and behavior of the
Windows Server 2008 command console (command prompt) and character-mode
applications. Use the application or command console’s Control menu to define settings
in this key.
■ Control Panel. This key contains data normally set through the Control Panel applets.
■ Environment. This key contains environment variable assignments for the current user.
■ Keyboard Layout. This key stores information about the user’s keyboard layout and key
mapping for international settings. Select the Regional Options icon in the Control Panel
to modify these settings.
■ Network. This key stores data about the user’s network connections.
■ Printers. This key stores data about the user’s printer connections.
■ Software. This key stores data about the user’s installed applications.
■ Volatile Environment. This key stores volatile operating environment data such
as the user’s application directory (usually \Documents and Settings\user
\Application Data) and logon server.
Your system might include additional keys depending on the server’s configuration.
HKEY_CLASSES_ROOT
The HKCR key stores data about file associations and is built from HKLM\SOFTWARE\Classes
and HKEY_CURRENT_USER\SOFTWARE\Classes, with the value in HKCU taking precedence. It
contains numerous keys, one for each file/document type. Use the File Types tab of the Folder
Options object in the Control Panel to modify file associations.
HKEY_CURRENT_CONFIG
The HKCC key is an alias of HKLM\SYSTEM\CurrentControlSet\Hardware Profiles
\Current, and it stores hardware configuration data about the local computer relating to device
assignments, device drivers, and so on. It contains two keys: Software and System. The Software
key stores settings for system fonts and a handful of application settings. The System key stores
a partial copy of the CurrentControlSet key in HKLM\SYSTEM\CurrentControlSet.
Keys and values
As you’ve read up to this point, keys serve as containers in the registry. Keys can contain other
keys (subkeys). Keys can also contain value entries, or simply, values. These are the ‘‘substance’’
of the registry. Values comprise three parts: name, data type, and value. The name identifies the
setting. The data type describes the item’s data format. The value is the actual data. The following list summarizes data types currently defined and used by the system:
■ Binary Value. This data type stores the data in raw binary format, one value per entry.
The Registry Editor displays this data type using hexadecimal format.
■ DWORD value. This data type stores data as a four-byte number (32-bit), one value per
entry. The Registry Editor can display this data type in binary, hexadecimal, or decimal
formats.
■ QWORD value. This data type stores data as a 64-bit number, one value per entry. The
Registry Editor can display this data type in binary, hexadecimal, or decimal formats.
■ Expandable string value. This is a variable-length string that includes variables that
are expanded when the data is read by a program, service, and so on. The variables are
represented by % signs; an example is the use of the %systemroot% variable to identify
the root location of the Windows Server 2008 folder, such as a path entry to a file stored
in systemroot\System32. One value is allowed per entry.
■ Multi-String value. This data type stores multiple string values in a single entry.
String values within an item are separated by spaces, commas, or other such delimiters.
■ String value. This data type stores a single, fixed-length string, and is the most
common data type used in the registry.
The Registry Editor
Windows Server 2008 provides one Registry Editor (Regedit), regedit.exe, for viewing and
modifying the registry. Windows 2000 and previous versions of Windows NT included an additional Registry Editor, regedt32.exe, which provided a few features that Regedit lacked. These
features have been merged (finally!) into a single editor.
Regedit enables you to connect to, view, and modify a registry on a remote computer. Before
you go tromping through the registry, however, keep two things in mind: You need a good
backup copy of the registry, and you need to be careful with changes you make because you
could introduce changes that might prevent the system from booting. That’s why a backup copy
is so important.
In addition, before you start playing with the Registry Editor, keep in mind that most changes,
whether for the system, user, service, application, or other object, should be made with the
administration tools for that object. Only use the Registry Editor to make changes not available
through other administration tools. In addition, understand that Group Policy can modify the
registry, and in many situations Group Policy is a better alternative for applying modifications
where Active Directory is present.
Regedit.exe
Regedit displays the registry in a single, two-pane window. The registry tree appears in the left
pane, and the results pane on the right shows the object currently selected in the tree. To view a
particular key or setting, expand the tree and select the object you want to view.
Click Start ➪ Run, type regedit in the Run dialog box, and click OK to start Regedit.
Modifying the registry
You can use Regedit to perform all registry browsing and modification tasks. You can even
back up the registry by exporting it to a registry script; however, you should use Backup or a
third-party backup utility that backs up other system data along with the registry. The following
sections explain how to accomplish specific tasks in Regedit.
Creating and modifying values
You’re most likely to modify the registry to change existing values rather than create new ones
or modify keys. To change the value of a registry entry, locate the value in the editor and
double-click the value. Regedit displays a dialog box (similar to the one shown in Figure 9-2)
that varies according to the data type you’re editing. Modify the data as needed, and then
click OK.
FIGURE 9-2
Regedit provides a dialog box tailored to the type of data value selected.
You can create a new value in an existing key. You might need to do this, for example, if a given
application feature or property defaults to a hard-coded value in the absence of a registry value.
Creating the value in the registry lets you control the application’s behavior for that feature. To
create a value, first locate and select the key in which you want to create the value. Click Edit ➪ New and select the type of value to create. Regedit creates a new value and names it New Value
#n, but highlights the value name so you can type a new one to rename it. Double-click the
newly created value to display a dialog box in which you set its data value.
Creating and deleting keys
Although you’ll usually be creating and modifying values, you might need to create a new key.
As you do when creating a value item, first locate the key in which you want the new key created. Select Edit ➪ New ➪ Key. Regedit creates the key and highlights the name (New Key by
default) so you can quickly change it. Type the desired key name and press Enter.
Deleting a key is even easier than creating one, which may be dangerous. When you delete
a key, all of its contents are deleted as well. There is no undo feature, so be very sure you’ve
selected the right key and really want to delete it before proceeding. Then, choose Edit ➪ Delete. Click Yes to confirm the deletion or No to cancel it.
Importing and exporting keys
On occasion, you might find it useful or necessary to copy all or part of the registry to a file.
For example, say you’ve gone through the trouble of installing an application that created its
own registry section to store its settings. Now you want to move the application to a different
computer, but don’t want to go through the whole installation process. Instead, you’d rather
just copy the files over to the other computer. In this case, you can export the application’s
portion of the registry to a text-based registry file. After you copy the application’s files to
the other system, you can import the registry file into the other computer’s registry. A similar
example would be installing an application on several systems remotely. You copy the files
to the computer and then edit each computer’s registry remotely to add the application
settings.
Migrating an application by copying registry values will only work if the application’s
setup process does not perform any tasks other than copying files to a set of
folders and modifying the registry. Changes such as registering DLLs cannot be duplicated with a
simple registry copy. Therefore, running the installation process on the target servers is, in many
cases, the only way to install an application. Even so, migrating the registry keys could enable you
to duplicate the configuration of an application after installation.
With Regedit, you can save a key and its contents to a binary file that you can later load
into a registry. To do so, select the key and choose File ➪ Export, and then specify a filename. From the Save as Type drop-down list, choose Registry Hive Files. Click Save to save
the file.
You also can use Regedit to export a selected branch or export the entire registry to a registry
script. There are other ways to back up the registry, so let’s assume you want to export only a
single branch (you use the same process either way). Locate and select the branch of the registry you want to export. Choose File ➪ Export. Regedit displays the Export Registry File dialog
box shown in Figure 9-3. Specify a filename for the registry file and select either All or Selected
Branch, depending on how much of the registry you want to export. Then click Save to create
the file, which will have a .reg extension by default.
FIGURE 9-3
You can export a branch or the entire registry to a text file.
You can use any text editor to view and, if necessary, modify the exported registry
file.
Importing a registry script adds the contents of the file to the registry, creating or replacing keys
and values with the imported values. Using the application installation example described previously, you’d import the registry values for the application you want to add to the computer
without running the application’s Setup program.
In most cases, simply copying registry settings does not fully install an application, so
importing and exporting application registry keys is seldom a replacement for running
the application’s Setup program. Using the registry copy method works only when the application
doesn’t create user-specific settings or perform other, nonregistry modifications during installation.
You have two ways to import a registry file: import it in Regedit or simply double-click a
registry script. To import a key in Regedit, choose File ➪ Import and select a registry file.
Locate and select the text file and click Open. Regedit loads the registry file and applies its
settings. Changes take effect immediately. In addition, double-clicking a registry script file
causes Windows Server 2008 to incorporate into the registry the settings stored in the file (after
prompting you to confirm).
You also can choose Start ➪ Run and enter the name of the registry file to import
the file’s settings into the registry.
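The data types listed under "Keys and values" and the registry scripts that Regedit imports and exports meet in the text format of a .reg file, which is worth reading before it is double-clicked. The following parser is an added example, not code from the book: it decodes a constructed Regedit version 5.00 script into the REG_* types and lists what an import would delete. The encoding rules (the header line, dword:/hex:/hex(n): data, backslash escapes, trailing-backslash continuation) are Regedit's documented export format, not something shown in this chapter.

```python
"""Parser for the registry script (.reg) format that Regedit exports and imports.
Added example, not from the book: the encoding rules (version 5.00 header,
dword:/hex:/hex(n): data, backslash escapes, continuation) are Regedit's own."""
import re

# Constructed export of a hypothetical application key with one value of each
# type covered in "Keys and values"; hex(2)/hex(7) data is null-terminated UTF-16LE.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; lines beginning with a semicolon are comments
[HKEY_CURRENT_USER\Software\ExampleApp]
@="Example application"
"InstallPath"="C:\\Program Files\\ExampleApp"
"Enabled"=dword:00000001
"Flags"=hex:01,00,ff
"LogDir"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,00,54,\
  00,25,00,5c,00,4c,00,6f,00,67,00,73,00,00,00
"Servers"=hex(7):73,00,72,00,76,00,31,00,00,00,73,00,72,00,76,00,32,00,00,00,00,\
  00
"Quota"=hex(b):00,00,00,00,01,00,00,00
"Obsolete"=-

[-HKEY_CURRENT_USER\Software\ExampleApp\OldKey]
"""

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_DATA = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")

def _logical_lines(text):
    """Join a line ending in a backslash with the indented line that follows."""
    buf = ""
    for line in text.splitlines():
        line = line.lstrip() if buf else line
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def _unescape(s):
    """Regedit escapes backslash and double quote with a leading backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_value(data):
    """Return (REG_* type name, Python value) for the text after the '='."""
    if data == "-":
        return "DELETE", None  # an import removes this value
    if len(data) > 1 and data[0] == '"' and data[-1] == '"':
        return "REG_SZ", _unescape(data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = HEX_DATA.match(data)
    if not m:
        raise ValueError(f"unrecognized value data: {data!r}")
    kind = int(m.group(1), 16) if m.group(1) else 3  # bare hex: is REG_BINARY
    raw = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
    if kind == 3:
        return "REG_BINARY", raw
    if kind == 2:
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
    if kind == 7:
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if kind == 0xB:
        return "REG_QWORD", int.from_bytes(raw, "little")
    return f"REG_TYPE_{kind}", raw  # any other type is kept as raw bytes

def parse_reg(text):
    """Parse a script into {key_path: {value_name: (type, data)}}; a key the script
    deletes maps to None and the default value is named ''. Regedit writes exports
    as UTF-16 with a BOM, so read files with open(path, encoding="utf-16")."""
    lines = _logical_lines(text)
    if next(lines, "").strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("not a Regedit version 5.00 script")
    result, current = {}, None
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):
                result[name[1:]], current = None, None
            else:
                current = result[name] = result.get(name) or {}
            continue
        m = VALUE_LINE.match(line) if current is not None else None
        if not m:
            raise ValueError(f"malformed or misplaced value line: {line!r}")
        vname = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        current[vname] = parse_value(m.group(2))
    return result

def deletions(parsed):
    """Everything the script removes on import, listed for review beforehand."""
    out = [("key", k, "") for k, v in parsed.items() if v is None]
    for key, values in parsed.items():
        out += [("value", key, n) for n, (t, _) in (values or {}).items() if t == "DELETE"]
    return out
```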
Editing a remote registry
You can edit the registry of a remote computer, subject to your permissions and rights on the
remote computer, as well as how the remote system is configured. To open the registry from
another computer in Regedit, click File ➪ Connect Network Registry and specify the computer
name or browse for it. The registry for the remote computer appears as a separate branch in the
tree pane. You can view and modify settings just as you would for the local computer, although
the tree includes only the HKLM and HKU keys for the remote computer; the others are not
displayed. When you’re finished, click File ➪ Disconnect Network Registry, and the computer’s
registry disappears from the tree. You can connect to multiple remote systems concurrently, if
needed.
Loading and unloading hives
Regedit provides the capability to load and unload individual hives, which is useful for
managing individual hives from another system or managing user registries. For example, you
might use Regedit to edit the hive of a system that won’t boot, repairing the damage so you can
replace the hive on the target system and get it running again. You also can load a user’s copy of
Ntuser.dat to modify the user’s registry settings.
Loading a hive affects only the HKLM or HKU keys, so you must first select one of those keys
before loading the hive. The hive is loaded as a subkey of the selected hive, rather than replacing the existing key of the same name (you specify the name for the new hive). You can modify
the settings in the key, unload the hive, and copy it to the target system, if necessary.
To load a hive, open Regedit and choose File ➪ Load Hive. Regedit prompts you for the
location and name of the previously saved hive. Select the file and click Open. Specify a name
for the key under which the hive will reside and click OK. To unload a hive, select File ➪ Unload Hive.
Securing the Registry
As you’ve probably surmised at this point, the registry is a critical part of the Windows Server
2008 operating system. It also can present a security risk because virtually every setting for the
OS and applications reside in the registry. For that reason, you might want to apply tighter
security to certain keys in the registry to prevent unauthorized access that could potentially give
a remote user or hacker the capability to change settings that would grant them access or cause
damage. You also can prevent remote administration of a registry and protect the registry in
other ways. This section of the chapter explains your options.
Preventing access to the registry
Perhaps the best way to protect the registry from unauthorized changes is to keep users out
of it altogether. In the case of a server, keeping the server physically secure and granting only
administrators the right to log on locally is the first step. For other systems, or where that isn’t
practical for a given server, you can secure the Registry Editor. Either remove the Registry Editor
from the target system or configure the permissions on Regedit.exe to deny permission to
execute for all except those who should have access. If you’ve removed the Registry Editor from
a system and need to modify its registry, you can do so remotely from another computer that
does contain a Registry Editor. See the section ‘‘Securing Remote Registry Access’’ later in this
chapter if you want to prevent remote editing of the registry.
Simply removing the Registry Editor from a server doesn’t prevent registry changes.
Someone could easily write a script to modify the registry from a command console
or a telnet session.
Applying permissions to registry keys
Another way to protect the registry or portions thereof is to apply permissions on individual
keys to restrict access to those keys. In this way, you can allow certain users or groups access
to certain parts of the registry and deny access to others. However, use this capability sparingly.
Changing the Access Control List (ACL) for a registry key incorrectly could prevent the system
from booting. Either avoid configuring the ACL for preexisting keys and change only those keys
you create yourself, or be very careful with the changes you make.
In Regedit, select the key or subkey on which you want to set permissions. Choose Edit ➪ Permissions to access the Permissions dialog box (see Figure 9-4). Add and remove users
and groups as needed, and then set permissions for each. For more information about setting
permissions, see Chapter 17.
Auditing registry access
If you do allow access to a system’s registry, consider auditing registry access to track who is
accessing the registry and what they’re doing. Although you could audit all access to the registry,
that would generate a potentially huge amount of load on the server, so consider auditing only
success or failure in modifying a key or value.
FIGURE 9-4
Use the Permissions dialog box to configure access permissions on registry keys.
To enable auditing of the registry, first enable auditing on the target system. You can do this
either through the local security policy or through Group Policy. Open the branch Computer
Configuration\Windows Settings\Security Settings\Local Policies\Audit
Policy. Double-click the policy Audit Object Access and select Success and/or Failure,
depending on which events you want to track.
Enabling auditing of object access doesn’t configure auditing for a particular object, but instead
simply makes it possible (that is, turns on the capability to audit object access). You then need
to configure auditing for each object you want to audit. In the case of the registry, this means
you need to configure auditing for each key you want to track. To do so, open Regedit. Locate
and select the key you want to configure and choose Edit ➪ Permissions. Click Advanced,
click the Auditing tab, click Add to select the user or group whose access you want to audit
for the selected key, and click OK. Regedit displays the Auditing Entry dialog box, shown in
Figure 9-5. Select Successful/Failed as desired. Table 9-2 lists audit events you can configure for
registry access.
TABLE 9-2
Registry Access Audit Events

Audit Event          Explanation
Query Value          Log attempts to view the key.
Set Value            Log attempts to set values.
Create Subkey        Log attempts to create subkeys.
Enumerate Subkeys    Log attempts to list subkeys.
Notify               Log attempts to open the key with Notify access.
Create Link          Log attempts to create links to the key.
Delete               Log attempts to delete a key.
Write DAC            Log attempts to determine who has access to a key.
Write Owner          Log attempts to determine who owns a key.
Read Control         Log attempts to remotely access registry objects.
FIGURE 9-5
Use the Auditing Entry dialog box to configure auditing of the selected key.
Securing remote registry access
A good security step to take to prevent hackers and others from making unauthorized changes
to a system’s registry is to prevent remote access to a system’s registry. When a user attempts
to connect to a registry remotely, Windows Server 2008 checks the ACL for the following
registry key:
HKLM\System\ControlSet001\Control\SecurePipeServers\winreg
If this key is missing, all users can access the registry subject to the permissions assigned to
individual keys. If the key exists, Windows Server 2008 checks the permissions on the key to
determine whether or not the remote user can gain access to the registry (and levels of access).
Individual keys then determine what these remote users can do with a given key. Therefore,
winreg is the first line of defense, and individual key ACLs are the second line of defense. If
you want to prevent all remote access to the registry, make sure you set the permissions on the
winreg key accordingly.
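Once object-access auditing is enabled and a SACL is set on keys such as winreg, the Security log records each access with an access mask; reviewing those records is the other half of "track who is accessing the registry and what they're doing". The following is an added example, not code from the book: it translates access masks into the audit-event names of Table 9-2 and flags modifying access to the winreg key. The mask bits are the KEY_* and standard-rights constants from the Windows SDK; the event records are constructed stand-ins for the Security log's object-access event (ID 4663), using that event's data field names, and are not real log output.

```python
"""Decode registry-access audit records into the Table 9-2 event names and
flag modifying access to keys that guard the registry itself. Added example,
not from the book. Access-mask bits are the KEY_* and standard-rights
constants from winnt.h; the records below are constructed stand-ins for
Security log object-access events (ID 4663), not real log output."""

# Access-mask bits paired with the audit-event names Table 9-2 uses.
ACCESS_BITS = [
    (0x00001, "Query Value"),
    (0x00002, "Set Value"),
    (0x00004, "Create Subkey"),
    (0x00008, "Enumerate Subkeys"),
    (0x00010, "Notify"),
    (0x00020, "Create Link"),
    (0x10000, "Delete"),
    (0x20000, "Read Control"),
    (0x40000, "Write DAC"),
    (0x80000, "Write Owner"),
]

# Rights that change a key, its contents, or its protection.
MODIFYING = {"Set Value", "Create Subkey", "Create Link", "Delete",
             "Write DAC", "Write Owner"}

# Keys whose modification should always be reviewed: both paths the chapter
# gives for the winreg key. Extend this list for your own environment.
SENSITIVE_KEYS = (
    r"HKLM\System\ControlSet001\Control\SecurePipeServers\winreg",
    r"HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg",
)

# Constructed sample records (not real log lines); field names follow the event.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "svcbackup",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\ExampleApp",
     "AccessMask": "0x1", "ProcessName": r"C:\Windows\System32\mmc.exe"},
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg",
     "AccessMask": "0x20019", "ProcessName": r"C:\Windows\regedit.exe"},
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "admin",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg",
     "AccessMask": "0x40002", "ProcessName": r"C:\Windows\regedit.exe"},
]


def decode_access_mask(mask):
    """Translate an access mask into the audit-event names of Table 9-2.
    0x20019 is KEY_READ; 0x40002 is Set Value plus Write DAC."""
    names = [name for bit, name in ACCESS_BITS if mask & bit]
    known = 0
    for bit, _ in ACCESS_BITS:
        known |= bit
    if mask & ~known:
        names.append(f"other:0x{mask & ~known:x}")
    return names


def normalize_key(object_name):
    """Map the kernel object path in an event to the hive notation Regedit uses."""
    for raw, friendly in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if object_name.upper().startswith(raw):
            return friendly + object_name[len(raw):]
    return object_name


def review(events, sensitive=SENSITIVE_KEYS):
    """Return (findings, tally): modifying access to sensitive keys, plus the
    number of audited registry accesses per user."""
    findings, tally = [], {}
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        rights = decode_access_mask(int(ev["AccessMask"], 16))
        key = normalize_key(ev["ObjectName"])
        user = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        tally[user] = tally.get(user, 0) + 1
        modifying = sorted(MODIFYING.intersection(rights))
        if modifying and any(key.lower().startswith(s.lower()) for s in sensitive):
            findings.append({"user": user, "key": key, "rights": modifying,
                             "process": ev["ProcessName"]})
    return findings, tally


if __name__ == "__main__":
    found, counts = review(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['user']} changed {f['key']} ({', '.join(f['rights'])}) via {f['process']}")
    print(counts)
```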
Summary
Despite the towering authority of Active Directory at the domain level, the registry still forms
the repository of essentially all data that determines the Windows Server 2008 configuration for
hardware, the operating system, and applications. Although you can modify the registry directly,
most changes can and should be accomplished through the Control Panel or other administration tools for OS- and hardware-related settings, and through applications for each application’s
registry settings.
When you do need to modify the registry, you can use the Registry Editor (Regedit) to do so.
You can use Regedit to view and modify the registry, as well as perform additional tasks such as
loading an individual hive from another computer.
Security on the registry is also important. Restricting registry access is vital to secure a system from local and remote viewing and modification of the registry. You can apply permissions on individual keys through Regedit and apply permissions to HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg to prevent unauthorized remote access to a system’s registry. Auditing of registry access enables you to track who is accessing the registry and the tasks they’re performing on it.
This chapter explored the concept of auditing registry access. Chapter 10 explores auditing in
more detail, including security and object access auditing.
Auditing Windows Server 2008
Auditing provides a means of tracking all events in Windows Server 2008 to monitor system access and ensure system security. It
is a critical tool for ensuring security, but it can overwhelm a
server if not configured and used correctly. This chapter explains how
and why you should implement auditing, and provides some specific
tips on how to configure and use auditing for different situations. As
you read through the chapter, keep in mind that auditing is just one
weapon in your security arsenal. Locking down the server, using firewalls,
and other security-management tools are even more important. This
chapter also covers Active Directory auditing. If you are not familiar with
security policy settings you can also use the Security Configuration Wizard
(SCW), discussed in Chapter 16, to set up auditing. It provides a quick
Wizard-based model for audit configuration. The SCW contains its audit
settings in an audit policy.
Auditing Overview
In Windows Server 2008, auditing provides a means of tracking events.
It is an important facet of security for individual computers as well as
the enterprise. Microsoft defines an event as any significant occurrence
in the operating system or an application that requires users (particularly
administrators) to be notified. Events are recorded in event logs that you
can manage by using the Event Viewer snap-in.
IN THIS CHAPTER
■ Discovering how auditing works and why to use it
■ Configuring policies for auditing
■ Examining the audit reports
■ Enabling auditing — effective strategies for specific scenarios
Auditing enables you to track specific events. More specifically, auditing enables you to track the
success or failure of specific events. You may, for example, audit logon attempts, tracking who
succeeds in logging on (and when) and who fails at logging on. You may audit object access on
a given folder or file, tracking who uses it and the tasks that they perform on it. You can track
an overwhelming variety of events in Windows Server 2008, as you learn in the section ‘‘Configuring Auditing,’’ later in this chapter.
Windows Server 2008 provides several categories of events that you can audit, as described in
the following list:
■ Account Logon Events. Track user logon and logoff via a user account.
■ Account Management. Track when a user account or group is created, changed, or
deleted; a user account is renamed, enabled, or disabled; or a password is set or changed.
■ Directory Service Access. Track access to Active Directory.
■ Logon Events. Track nonlocal authentication events such as network use of a resource or
a remote service that is logging on by using the local system account.
■ Object Access. Track when objects are accessed and the type of access performed — for
example, track use of a folder, file, or printer. Configure auditing of specific events
through the object’s properties (such as the Security tab for a folder or file).
■ Policy Change. Track changes to user rights or audit policies.
■ Privilege Use. Track when a user exercises a right other than those associated with logon
and logoff.
■ Process Tracking. Track events related to process execution, such as program execution.
■ System Events. Track system events such as restart, startup, shutdown, or events that
affect system security or the security log.
Within each category are several different types of events — some common and some specific to the objects or events being audited. If you audit registry access, for example, the events are very specific to the registry. Rather than cover every possible event that can be audited, this chapter explains how to enable and configure auditing, looks at specific cases, and explains how auditing improves security and monitoring in those cases.
Configuring Auditing
Configuring auditing can be either a one- or two-step process, depending on the type of events
for which you’re configuring auditing. For all but object access, enabling auditing simply
requires that you define the audit policy for the given audit category. You have an additional
step for object-access auditing, however — configuring auditing for specific objects. Enabling
auditing for the policy Audit Object Access, for example, doesn’t actually cause any folders or files
to be audited. Instead, you must configure each folder or file individually for auditing.
Enabling audit policies
Before you begin auditing specific events, you need to enable auditing for that event’s category.
You configure auditing through the computer’s local security policy, Group Policy, via the Security Configuration Wizard (SCW), or all three. If domain audit policies are defined, they override
local audit policies. This chapter assumes that you’re configuring auditing through the domain
security policy. If you need to configure auditing through local policies, use the Local Security
Policy console or the SCW to enable auditing. To configure auditing through the domain security policy you can open the Group Policy Management Console (GPMC) and edit the domain
policy. To do this now, follow these steps:
1. Choose Start ➪ Administrative Tools ➪ Group Policy Management.
2. Expand the GPMC to the Default Domain Policy, right-click the node, and choose Edit. The Group Policy Management Editor will open. Drill down from the Policies node through Windows Settings to Security Settings, and open the Local Policies ➪ Audit Policy branch. As Figure 10-1 shows, each audit policy category appears with its effective setting.
If you want to configure auditing on the Domain Controllers OU for the local domain, open
the Domain Controller Security Policy console from the Administrative Tools folder.
FIGURE 10-1
Use either the local security policy or the domain policy to enable auditing.
3. Double-click a policy in the right pane to display its settings in a dialog box (see
Figure 10-2). You can enable the auditing of both Success and Failure of events in the
selected category. You may, for example, audit successful logons to track who is using
a given system and when. You may also track unsuccessful logons to track attempts at
unauthorized use of a system.
4. Select Success, Failure, or both, as desired, and click OK.
FIGURE 10-2
Select the types of events (Success or Failure) for which you want to enable auditing.
After you configure each category, close the security policy console. See the following section
if you’re configuring the auditing of object access. Otherwise, audit events begin appearing in
the security log. Make sure that you configure the security log’s size and overflow behavior
to accommodate the audit events. You can configure the log and view it in the Event Viewer,
which is located in the Administrative Tools folder.
Auditing object access
The second step in configuring object-access auditing is to enable auditing on the individual
objects that you want to monitor (such as folders, files, registry keys, and so on). You typically
configure the objects where you find them in the user interface, such as in Explorer for folders
and files, in the Printers folder for printers, and in Regedit for the registry keys. The types of
events that you can audit for a given object depend on the object itself. Events for file access, for
example, are different from events for registry-key access. To configure auditing for a folder or
file, follow these steps:
1. Open Windows Explorer and then locate the folder or file. Right-click the object, and
choose Properties from the context menu to view its property sheet.
2. Click the Security tab and then click Advanced to open the Advanced Security Settings
dialog box.
3. Click the Auditing tab of the Advanced Security Settings dialog box to open the Auditing
page and then click Add. Select a user, computer, or group that you want to audit, and
click OK. Windows Server 2008 displays an object dialog box that lists the events you can
audit for the selected object (see Figure 10-3).
See Chapter 12 for more information on controlling and monitoring printer access.
FIGURE 10-3
Select the Successful or Failed checkbox as needed to configure auditing for each event type for
the selected object.
4. Select Successful for a given event if you want to record the successful completion of the
event. Select Failed to monitor failed attempts. Selecting the Apply These Auditing Entries
to Objects and/or Containers Within This Container Only checkbox applies auditing to
only the contents of the selected container (such as the files in the selected folder). The
contents of subfolders are audited unless this option is selected. After you’re satisfied with
the audit event selections, click OK.
As you’re defining the audit policy for a selected object, keep in mind that you could
potentially generate a huge number of events in the security log. Unless you have a
specific reason to audit success on a given event, consider auditing only failure to reduce traffic
to the log and load on the computer. Auditing failed access is typically most useful for tracking
attempts at unauthorized access.
Repeat the preceding steps to add other users, groups, or computers to the list. In the Advanced
Security Settings dialog box (see Figure 10-4) are the following two options that control how
auditing entries are affected by the parent object and how they affect child objects:
■ Include Inheritable Auditing Entries from This Object’s Parent. Include these with entries explicitly defined here. Select this option if you want auditing properties to be inherited by the current object from its parent object. Deselect this option to prevent audit properties from being inherited.
■ Replace All Existing Inheritable Auditing Entries on All Descendants with Inheritable Auditing Entries from This Object. Select this option to clear any audit properties configured within child objects (such as subfolders) and to enable the audit properties for the current object to propagate to child objects.
FIGURE 10-4
Use the Auditing tab of the Advanced Security Settings dialog box to configure auditing for a
selected object.
Close the object’s property sheets after you finish defining the audit policy for the object. Auditing begins immediately.
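The following Windows PowerShell script is an added example that is not part of the book; it carries out both steps described in the sections ‘‘Enabling audit policies’’ and ‘‘Auditing object access’’ for one folder: it confirms that the Object Access category is being audited (using the auditpol command-line tool) and then adds a SACL entry through the .NET FileSystemAuditRule class. The folder path is a placeholder, and an elevated session is assumed.

```powershell
# Added example, not from the book.
$folder = 'D:\Finance'   # placeholder: the folder to monitor

# Step 1 (policy): confirm the Object Access category is audited. auditpol shows
# the effective setting once the local or domain policy has been applied.
auditpol /get /category:"Object Access"

# Step 2 (object): build a SACL entry. Auditing failed attempts by Everyone to
# change permissions or take ownership catches tampering with the folder's
# security without flooding the log with successful day-to-day access.
$identity  = 'Everyone'
$rights    = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$audit     = [System.Security.AccessControl.AuditFlags]::Failure

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $propagate, $audit)

# -Audit makes Get-Acl read the SACL as well as the DACL; Set-Acl then writes
# both back, which needs the "Manage auditing and security log" privilege.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: the new entry should appear with AuditFlags = Failure.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```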
Examining the Audit Reports
Windows Server 2008 records audited events to the Windows Server 2008 security log. You can
use the Event Viewer snap-in to view the event logs, save logs as log files for future viewing, and
save the logs in either tab- or comma-delimited formats.
Using the Event Viewer
You can use the Event Viewer to view and manage the event logs. In addition to the security
log, you can manage the application and system logs, as well as any additional logs created by Windows 2003 services or applications. By default, the Event Viewer displays the logs dynamically, meaning that new events are added to a log as you’re viewing it. You also can save a log to
disk to use as a benchmark or simply to archive a log before clearing it. Figure 10-5 shows the
security log in the Event Viewer.
For detailed information on the Event Viewer console snap-in, including how to save
logs and configure log behavior, see Chapter 2.
FIGURE 10-5
You can browse the security log (and other logs) by using the Event Viewer.
Using other tools
The Event Viewer provides the means through which you configure and view event logs.
Because you can save a log to a text file, however, you can use other applications to view a
log. You may save a log to a comma-delimited file, for example, so that you can import the file
into Microsoft Access or another database application to create a database that you can easily
organize by event ID, source, and so on. You may also export the data to a text file and import
it into a word processor to create a report. Just make sure that you pick an application that can
import tab- or comma-delimited files and export the log files in the appropriate format.
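The following Windows PowerShell script, added here and not taken from the book, shows the export just described: it writes recent Security-log events to a comma-delimited file for import into a database or spreadsheet, and then summarizes failed logons (event ID 4625 on Windows Server 2008) by the account that was tried. The output path is a placeholder.

```powershell
# Added example, not from the book.
$outFile = 'C:\Logs\security-export.csv'   # placeholder output path
$since   = (Get-Date).AddDays(-1)

# Reading the Security log requires administrative rights (or membership in
# Event Log Readers). Get-WinEvent queries the log directly.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction Stop

# Flatten the fields that are useful outside Event Viewer; the multi-line
# message is collapsed so that each event stays on one CSV row.
$events |
    Select-Object TimeCreated, Id, TaskDisplayName, ProviderName, MachineName,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\r?\n', ' ' } } |
    Export-Csv -Path $outFile -NoTypeInformation

# Summarize failed logons (event ID 4625) by the account that was tried. The
# account name lives in the event's XML data, which is more reliable than
# scraping the rendered message text.
$events |
    Where-Object { $_.Id -eq 4625 } |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```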
A handful of other third-party tools exist for viewing a system’s log files. One in particular worth
considering is RippleTech’s LogCaster. Providing a mechanism to manage the event logs is just
a small part of what LogCaster does. It not only provides a unified interface for viewing the event logs, it also serves as an excellent warning system for administrators. LogCaster provides
real-time monitoring of the event logs, services, TCP/IP devices, performance counters, and
ASCII logs. It provides automatic delivery of alerts through a variety of mechanisms, including
paging, e-mail, ODBC, SNMP, and others. Whenever a given event occurs, you can have
LogCaster automatically notify you regardless of where you are. Whether you’re tracking system
performance, want to be notified of audit events, or want to be warned of a possible system
intrusion, you should find LogCaster an excellent resource. You can locate RippleTech on the
Internet at www.rippletech.com.
You can also use several enterprise management tools to go beyond just managing event logs.
Microsoft Operations Manager (MOM), for example, provides the capability to collect information across the enterprise from event logs, Unix syslog files, SNMP traps, and other sources to
help you monitor availability and performance. MOM provides an excellent set of tools for monitoring systems and Microsoft applications such as Exchange Server, SQL Server, and others. For
more information on MOM, check www.microsoft.com/mom.
Several other third-party enterprise-management tools are worth considering if you’re looking
for ways to improve data collection and monitoring. You should also consider CA Unicenter
(at www.ca.com), HP OpenView (at www.hp.com), and the many tools from NetIQ (at
www.netiq.com).
Microsoft Operations Manager is derived from NetIQ Operations Manager. Microsoft
licensed the technology and integrated additional features to target the product to
Microsoft platforms and applications.
Strategies for Auditing
Although you could audit every event, doing so wouldn’t be practical because you’d place an
undue load on the system and either end up with an enormous log file or spend all your time
worrying about archiving the logs. The following sections examine some specific scenarios and
how you might employ auditing.
Leaving auditing off
One option is to leave auditing off altogether, which is not a bad option in some situations.
If you’re not concerned with security, you have no real reason to enable or perform auditing.
Turning off auditing reduces system overhead and helps simplify log management; most
organizations are (or should be) concerned with security at least to some degree, however, so
this option is unlikely to fit your needs.
Turning all auditing on
At the other end of the auditing spectrum is complete auditing. If you’re very concerned about
security or shooting for C2 security certification, this may be an option. Bear in mind, however, that your system is likely to generate a huge number of events requiring very active management
of the security log. As an alternative to full logging, consider logging only failure events and not
success events.
Auditing problem users
Certain users, for one reason or another, can become an administrator’s worst nightmare. In
some cases, it’s through no fault of the user, but instead results from problems with the user’s
profile, account, and so on. In other cases, the user can be at fault, frequently using the wrong
password, incorrectly typing the account name, trying to log on during periods when they are
not allowed, or even trying to access resources for which they have no permissions (or need). In
these situations, you can monitor events associated with the given user. You may even need to
retain the information for counseling or termination purposes.
Which types of events you audit for a given user or group depends on the problem area. Audit
account logon events, for example, if the user has trouble logging on or attempts to log on during unauthorized hours. Track object access to determine when a user or group is attempting to
access a given resource such as a folder or file. Tailor other auditing to specific tasks and events
generated by the user or group.
Auditing administrators
Auditing administrators is a good idea, not only to keep track of what administrators are doing,
but also to detect unauthorized use of administrative privileges. Keep in mind, however, that
auditing affects system performance. In particular, consider auditing account logon events,
account management, policy change, and privilege use of an administrator only if you suspect
an individual. Instead, control administrators by delegating through the wise use of groups and
organizational units.
Auditing critical files and folders
One very common use for auditing is to track access to important folders and files. In addition
to tracking simple access, you probably want to track when users make or attempt to make
specific types of changes to the object, such as Change Permissions and Take Ownership. This
helps you monitor changes to a folder or file that could affect security.
Summary
Auditing enables you to monitor events associated with specific users, groups, and services.
These events are recorded to the security log. The capability to monitor these events is not only
useful for troubleshooting, but also is an important tool for monitoring and managing security.
You learned how you can keep tabs on the actions of specific users or groups and monitor
attempts at unauthorized access to the system or its resources.
As the chapter explained, configuring auditing for most types of events is a one-step process.
You configure the policy for Success, Failure, or both in the local or group security policy. Configuring the auditing of object access, such as monitoring access to folders/files, printers, or the
registry, requires the additional step of configuring auditing on each object to be monitored.
Auditing is a useful tool for tracking what is happening in the network and on given computers,
and is one step toward providing a secure and reliable environment. Truly providing reliability
and security requires an understanding of service level, which is covered in detail in Chapter 25.
.NET Framework Services
The .NET Framework is included with Windows Server 2008 but
like many other features, it needs to be specifically installed before
it can be used. (See Chapter 2, ‘‘Configuring Windows Server
2008.’’) This framework for application developers enables your system
to run very sophisticated programs that are extremely fast and extremely
portable. The .NET Framework also enables many components to
run on the server. A good example is Windows PowerShell, which is built
on the .NET Framework. (Chapter 2 includes a discussion of Windows
PowerShell.)
Along with this power also comes security concerns. Presumably, because
the framework is integrated, applications that run on it can have a great
deal of control over the server. To some degree that’s true, but this is
where security comes into focus.
In this chapter you learn about the components that make up the .NET
Framework. You glimpse at its application programming interface as
well as view how the garbage collection facility works and how you can
monitor it.
The recent versions of the .NET Framework include versions 3.0 and 3.5.
These bring many new features to the platform, for example: the .NET
Framework now includes the XPS Viewer, which lets you view, sign, and
protect XML documents; and Windows Communications Foundation
(WCF) and HTTP Activation Components, which allow applications to
start and stop dynamically in response to inbound requests from the network in general and from HTTP requests in particular, and so on. Another
exciting addition is the Windows Workflow Foundation (WWF), which
allows developers to build advanced workflow and queuing applications.
IN THIS CHAPTER
■ Get to know the Common Language Runtime
■ Learn what the .NET initiative is
■ Understanding garbage collection in the .NET Framework
To run applications using the .NET Framework on Windows Server 2008, you need to add
the Application Server role (see Chapter 2). Open Server Manager, select Server Roles, and
choose Application Server. As soon as you check this role, the Add Roles Wizard pops up with a
request to confirm what is about to be installed. This is shown in Figure 11-1.
FIGURE 11-1
Adding features required for the Application Server role.
The wizard will now prompt you for more application server bits. These include IIS support
(the Web server), Com+ Network Access, process activation, distributed transactions, and so
on. Click Next and click the Add Required Role Services button. You will go through several
additional screens for settings that are more granular or specific to the services you have chosen.
If all you chose to do was install the Framework, the installation will be quick.
Introduction to the .NET Framework
The average Windows Server 2008 administrator may not have a lot of interest in the .NET
Framework. The .NET Framework is, in a nutshell, an application programming interface that
programmers can use when creating applications. This framework gives the programmer an
extraordinary amount of control over the machine on which it runs, as well as over network
operations as a whole. This may all seem a bit scary at first, but it comes with a very sophisticated toolset for configuring security within the framework and applications that utilize it. The
job of the server administrator is to configure this security and deploy it across the network to
protect network resources from rogue code.
On Windows Server 2008, the .NET Framework is a much more enhanced environment than its
predecessors, versions 1.0 through 2.0. The following support is included.
64-bit platform support
The new generation of 64-bit computers is here, and its operating system is Windows Server
2008 all the way. This results in the capability to create applications that can run faster and take
advantage of more memory than is available to 32-bit applications. We can now build 64-bit
applications with managed code and write 64-bit unmanaged code on 64-bit computers, without
the limitation of the 4GB memory barrier inherent in 32-bit systems.
Access control list
It is now possible to use an access control list (ACL) to grant or revoke permissions to access a
resource on a computer. A host of new classes has been added to the .NET Framework, enabling
managed code to create and modify an ACL; and new members that utilize an ACL have
been added to the I/O, registry, and threading classes. See Chapter 16 for further discussion
about ACLs.
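As an added example (not code from the book), the following Windows PowerShell script exercises the managed ACL support described above through the registry classes: RegistryKey.GetAccessControl and SetAccessControl together with RegistrySecurity and RegistryAccessRule. The key name is a placeholder and an elevated session is assumed.

```powershell
# Added example, not from the book.
# Placeholder key under HKEY_LOCAL_MACHINE; run in an elevated session.
$keyPath = 'SOFTWARE\ExampleApp'
[Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($keyPath).Close()

# Open the key asking explicitly for the rights needed to read and rewrite its
# DACL (READ_CONTROL and WRITE_DAC) rather than the default read/write set.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, ReadPermissions, ChangePermissions'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    $keyPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)

# RegistrySecurity is the managed view of the key's security descriptor.
$security = $key.GetAccessControl()

# Least privilege: grant Users read-only access (ReadKey) to the application's
# settings instead of the broad rights an installer might hand out.
# ContainerInherit carries the entry down to subkeys.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Users',
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$security.AddAccessRule($rule)
$key.SetAccessControl($security)
$key.Close()

# Read the rules back through the registry provider to confirm the change.
(Get-Acl -Path "HKLM:\$keyPath").Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```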
ADO .NET and LINQ
ADO.NET includes a few new features that support user-defined types (UDT), asynchronous
database operations, XML data types, large value types, snapshot isolation, and new attributes
that enable applications to support Multiple Active Result Sets (MARS) with SQL Server 2005
and 2008.
Some database operations (generally command execution) can take considerable time to
complete. Single-threaded applications must block and wait for the command to finish its work
before continuing their own operations. The SqlCommand class and the BeginExecuteNonQuery, BeginExecuteReader, and BeginExecuteXmlReader methods, paired with the
EndExecuteNonQuery, EndExecuteReader, and EndExecuteXmlReader methods, provide
the asynchronous support.
As for LINQ — language integrated query — this is a new query language extension introduced
with version 3.0 that provides support for data querying in a type-safe way.
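As an added example that is not from the book, the following Windows PowerShell script shows the Begin/End pairing on SqlCommand described above, with the command parameterized rather than built from strings. The server, database, and table names are placeholders; the Begin* methods on this runtime require Asynchronous Processing=true in the connection string.

```powershell
# Added example, not from the book. Connection string values are placeholders.
$connStr = 'Server=sqlserver01;Database=HelpDesk;Integrated Security=SSPI;Asynchronous Processing=true'
$conn = New-Object System.Data.SqlClient.SqlConnection($connStr)
$conn.Open()

$cmd = $conn.CreateCommand()
# Parameterized input keeps the query text fixed regardless of the value supplied.
$cmd.CommandText = 'SELECT COUNT(*) FROM dbo.Tickets WHERE Status = @status'
$null = $cmd.Parameters.AddWithValue('@status', 'Open')

# BeginExecuteReader returns immediately with an IAsyncResult while the server
# runs the query; a single-threaded caller is free to do other work meanwhile.
$ar = $cmd.BeginExecuteReader()
while (-not $ar.IsCompleted) {
    Start-Sleep -Milliseconds 50   # other work would go here
}

# EndExecuteReader must be called exactly once; it yields the reader or
# rethrows any exception the command raised.
$reader = $cmd.EndExecuteReader($ar)
if ($reader.Read()) { "Open tickets: $($reader.GetInt32(0))" }
$reader.Close()
$conn.Close()
```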
Asynchronous processing
To further push the envelope on processing performance, the .NET Framework version 3.5 provides several standard asynchronous operations that enable you to have much more control over
background threading. Such enhancements are ideal to free the user interface from bottlenecks,
or to enable high-priority threads to complete other operations while some background task is
executing.
When coupled with the technologies in ADO.NET, you can perform asynchronous database
operations using an API that is modeled after the asynchronous model of the .NET Framework.
Other areas that have been enhanced include File I/O, Stream I/O, Socket I/O, HTTP, TCP, the
remoting channels (HTTP, TCP), proxies, XML Web services created using ASP.NET, ASP.NET
Web Forms, message queuing using the MessageQueue class, and finally, the asynchronous delegate class.
Understanding the .NET Initiative
A clear definition of what the .NET initiative is has been somewhat of a mystery. The .NET
Framework is obviously a framework for application development, but what about Server 2008?
It doesn’t mean that Windows Server 2008 is meant for .NET development, but one distinct
characteristic of the Windows Server 2008 operating system is that it comes with the .NET
Framework already integrated into the operating system; you have no need to install it. Before
we move on with a discussion of the .NET Framework, however, you first need to understand
what brought it about and what Microsoft hopes to accomplish with it.
The .NET Framework is a set of libraries that enable programmers to build applications. The
difference between the .NET Framework and, for example, MFC is that the .NET Framework
enables extremely rapid development of applications that can be integrated very tightly with the
operating system. The amount of time, for example, to build a Windows Service application that
monitors remote Windows Services — or processes, for that matter — is reduced by an order of
magnitude if you use the .NET Framework. This Framework also provides for Web services and
remoting, which act as methods for invoking components on remote systems, over the Internet. This can obviously be a nightmare for network and/or server administrators who need to
maintain the security of their systems. Fortunately for administrators, the .NET Framework has
extensive security built into it.
The Common Language Runtime
The Common Language Runtime (CLR) is an environment that enables .NET application languages
to run while providing each application with the same functionality set. The CLR also manages
memory during program execution, as well as managing thread and other system services.
The CLR also verifies that applications are permitted to run given the current set of security
configurations.
The CLR can grant or deny security to items such as disk access, network access, memory, and
peripherals such as printers. It also implements strict type and code verification by use of the
Common Type System (CTS), which is discussed in the following section.
Unlike interpreted languages, the CLR uses Just-in-Time compilation so that all applications are
compiled into native machine language for the system on which the applications are running.
This offers dramatic performance gains over interpreted languages, ensures less of a strain on the
OS, and limits the chance of memory leaks and the like.
Another definite benefit of the CLR is that it enables applications developed in separate languages to communicate with each other and maintain a high degree of integration. The benefit
to Windows Server 2008 administrators is that they can write code in VB or C# that performs
in exactly the same way and uses the exact same function calls, which means that one language
doesn’t have advantages over another. A benefit of writing scripts with a .NET Framework language (such as VB, C#, and so on) would be, for example, importing a list of users and automatically creating logins for them within Active Directory.
Common Type System
We briefly touched on the Common Type System (CTS) in the preceding section, and now
you’ll look at a few of the details of CTS from a server administrator’s point of view. Figure 11-2
illustrates the CTS.
FIGURE 11-2
The collection of types that make up the Common Type System.
Type
  Value Types
    Built-In Value Types
    User-Defined Value Types
    Enumerations
  Reference Types
    Self-Describing Types
      Class Types
        User-Defined Classes
        Boxed Value Types
        Delegates
      Arrays
    Pointer Types
    Interface Types
CTS ensures that all code within an application is self-describing, which means, for example, that
the value of an integer type can be consumed by a long data type. Not a very thrilling concept
for server administration perhaps, but CTS helps ensure that a programmer cannot insert bogus
code within an application to intentionally cause an error. Why would someone do that, you
ask? Well, suppose you hire a programmer to write a few backend components for your Web
site running on IIS 7.0. This programmer inserts a few lines of code that, if correctly accessed,
cause an error that perhaps drops the user into the system, providing him or her with complete
access, or maybe — even worse — crashes your server.
Keep in mind that the .NET Framework and all its components are very security-centric. The actual security details and operation of the framework are beyond the scope of this book, but rest assured that any applications on your server that are written with a .NET Framework language can be configured with the utmost attention to security.
.NET security
.NET security can be configured in three different ways: at the enterprise level, the machine
level, and the user level. This separation of security levels ensures not only that your enterprise
can have a security policy in executing .NET applications, but also that, should your company
hire contractors, a security policy can be applied to them as well so that they can’t take
advantage of your servers and the information they contain.
To drill down even further, each level of security (enterprise, machine, user) can also contain
custom code groups. You could make a code group for enterprise applications that need
Internet access as well as a code group that needs access to corporate print servers. After the
.NET Framework determines security access, it essentially overlaps the three security zones
and examines the privileges. If a privilege has been removed in any level, then the specific
action isn’t permitted. This ensures, for example, that a user security policy doesn’t override an
enterprise policy. (See Chapter 16 for information on security policies.) This kind of granular
control is exactly what is needed for such a powerful programming framework.
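The resolution rule just described, as an added illustration that is not from the book: a simplified PowerShell model in which each level grants the union of its matching code groups and the framework keeps only the intersection across levels, so a user-level group cannot restore a permission the enterprise level withheld. The evidence fields, group conditions and permission names are constructed for the example and are not the CLR's own.

```powershell
# Added illustration (not from the book): a simplified model of how the .NET Framework
# combines its enterprise, machine and user policy levels. Assumptions: evidence is a
# hashtable (Zone, Site); a code group is a membership test plus a set of permissions.
# Within a level an assembly receives the union of every code group it matches; across
# levels the results are intersected, so no level can add back what another withheld.

function Get-LevelGrant {
    param([hashtable]$Evidence, [object[]]$CodeGroups)
    $granted = @{}
    foreach ($group in $CodeGroups) {
        if (& $group.Matches $Evidence) {
            foreach ($perm in $group.Permissions) { $granted[$perm] = $true }
        }
    }
    return ,@($granted.Keys)
}

function Resolve-EffectivePermissions {
    param([hashtable]$Evidence, [hashtable]$Policy)   # Policy: level name -> code groups
    $effective = @()
    $first = $true
    foreach ($level in 'Enterprise', 'Machine', 'User') {
        $levelGrant = Get-LevelGrant -Evidence $Evidence -CodeGroups $Policy[$level]
        if ($first) {
            $effective = $levelGrant
            $first = $false
        } else {
            # Intersection: keep only permissions this level also grants.
            $effective = @($effective | Where-Object { $levelGrant -contains $_ })
        }
    }
    return ,@($effective | Sort-Object)
}

# Constructed sample policy: the enterprise level grants file and print access only to
# code from the local machine; the user level tries to grant FileIO to a contractor site.
$policy = @{
    Enterprise = @(
        @{ Matches = { param($e) $true };                    Permissions = 'Execution', 'UI' }
        @{ Matches = { param($e) $e.Zone -eq 'MyComputer' }; Permissions = 'FileIO', 'Printing' }
    )
    Machine = @(
        @{ Matches = { param($e) $true };                    Permissions = 'Execution', 'UI', 'FileIO', 'Printing' }
    )
    User = @(
        @{ Matches = { param($e) $true };                    Permissions = 'Execution', 'UI', 'FileIO', 'Printing' }
        @{ Matches = { param($e) $e.Site -eq 'contractor.example' }; Permissions = 'FileIO' }
    )
}

# Constructed evidence for two assemblies.
$localCode      = @{ Zone = 'MyComputer'; Site = $null }
$contractorCode = @{ Zone = 'Internet';   Site = 'contractor.example' }

"Local assembly:      $((Resolve-EffectivePermissions $localCode $policy) -join ', ')"
"Contractor assembly: $((Resolve-EffectivePermissions $contractorCode $policy) -join ', ')"
```

For the contractor evidence the result is Execution and UI only: the user-level group that grants FileIO is discarded by the intersection because the enterprise level never granted it to Internet-zone code.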
Application domains
To better understand application domains, consider an example that many of us have been
through. The corporate mail server has been in desperate need of a way to process automated
help desk tickets. To achieve this, the IT department has created a COM object that watches
the mail go through the mail server and routes the help desk ticket to the correct person for the
job. Several weeks after this COM object is installed, the Microsoft Exchange Server mysteriously
crashes; this hasn’t happened to Exchange since it was installed.
This particular example may not be familiar to all of you, but the circumstances may be. So
what happened to the Microsoft Exchange Server? The key to the mystery was that the COM
object was an in-process object. The term in-process means that the COM object shared process
space with Microsoft Exchange Server. Sharing process space allows the object (in this example,
it is the COM object) to share memory with the host application (Microsoft Exchange Server).
This allows for an incredible amount of integration because both application and COM object
can share all sorts of information. Unfortunately, this also means that if the COM object dies,
the application and all other objects in the process space die as well.
This type of incident is pretty typical on Windows Server 2008 because not all applications are
perfect and quite often applications crash. On Windows 98 and ME, you could expect different behavior, however. These operating systems don’t have protected memory segments, which
means if one application crashes, it could quite possibly kill all running applications, including
Windows! Since Windows 2000, we have been shielded from this because an application dying
within its process space couldn’t harm other applications, nor could it harm Windows.
Application domains solve this problem of multiple objects in the same process space
threatening the lives of the other objects. Application domains involve a greater level of granularity, enabling multiple objects (or applications) to run within the same process space with
isolation. This isolation means that even though multiple objects are executing, one of them can
error and halt execution and not affect the others.
As a Windows Server 2008 administrator, this means that the pesky programmers can’t bring
your servers to their knees. Application domains are by no means foolproof, but they are a vast
improvement over simple process space and a definite step in the right direction.
Garbage collection
The Garbage Collection (GC) facility within the .NET Framework is in charge of releasing
memory as objects run out of scope and are no longer used within an application. The fact that
programmers have almost always needed to specifically free resources is the number one cause
of memory leaks within an application. Thanks to the .NET Framework, this is all handled
behind the scenes.
If this sounds too good to be true, the truth is that it may be. Although GC does free up
memory, it does so at an undefined interval. Function calls available to the programmer enable
a manual invocation of garbage collection but don’t guarantee when it occurs.
On a positive note, included with the .NET Framework are performance counters that enable
you to monitor garbage collection — when it runs, how long it runs, and the amount of memory it frees up, just to name a few aspects.
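An added PowerShell example, not from the book, that samples the .NET CLR Memory counters referred to above and reports collections per interval, time spent in GC and heap size; it assumes PowerShell 2.0 or later for Get-Counter and uses the _Global_ instance, which aggregates every managed process on the machine.

```powershell
# Added example (not from the book): watch garbage collection through the .NET CLR Memory
# performance counters. Assumes PowerShell 2.0+ (Get-Counter). The collection counters are
# cumulative, so the script reports the difference between consecutive samples.

function Get-SampleValue {
    param($CounterSet, [string]$NameSuffix)
    # Counter paths carry a machine prefix, so match on the counter name only (-like is case-insensitive).
    $sample = $CounterSet.CounterSamples | Where-Object { $_.Path -like "*$NameSuffix" } | Select-Object -First 1
    return $sample.CookedValue
}

function Get-GcActivity {
    param([int]$IntervalSeconds = 5, [int]$Samples = 6)
    $counters = @(
        '\.NET CLR Memory(_Global_)\# Gen 0 Collections',
        '\.NET CLR Memory(_Global_)\# Gen 1 Collections',
        '\.NET CLR Memory(_Global_)\# Gen 2 Collections',
        '\.NET CLR Memory(_Global_)\% Time in GC',
        '\.NET CLR Memory(_Global_)\# Bytes in all Heaps'
    )
    $sets = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $previous = $null
    foreach ($set in $sets) {
        $gen0 = Get-SampleValue $set 'gen 0 collections'
        $gen1 = Get-SampleValue $set 'gen 1 collections'
        $gen2 = Get-SampleValue $set 'gen 2 collections'
        $timeInGc  = Get-SampleValue $set 'time in gc'
        $heapBytes = Get-SampleValue $set 'bytes in all heaps'
        if ($previous -ne $null) {
            # Deltas give the number of collections that ran during this interval;
            # a climbing Gen 2 count is the one that usually matters for a busy server.
            New-Object PSObject -Property @{
                Timestamp       = $set.Timestamp
                Gen0PerInterval = $gen0 - $previous.Gen0
                Gen1PerInterval = $gen1 - $previous.Gen1
                Gen2PerInterval = $gen2 - $previous.Gen2
                PercentTimeInGC = [math]::Round($timeInGc, 1)
                HeapMB          = [math]::Round($heapBytes / 1MB, 1)
            }
        }
        $previous = @{ Gen0 = $gen0; Gen1 = $gen1; Gen2 = $gen2 }
    }
}

Get-GcActivity -IntervalSeconds 5 -Samples 6 |
    Format-Table Timestamp, Gen0PerInterval, Gen1PerInterval, Gen2PerInterval, PercentTimeInGC, HeapMB -AutoSize
```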
.NET vs. the JVM
That Microsoft took a long hard look at the Java Virtual Machine (JVM) or the Java Runtime
Engine (JRE) during the design phases of the .NET Framework is really no secret, so most of the
useful features that you see in the JVM are also present within the .NET Framework. To avoid a
war and lots of hate e-mail, we don’t recommend one over the other here, but we do outline the
two benefits to using the .NET Framework over the JVM:
■ The .NET Framework has a great deal of support for graphical user interfaces (GUIs).
Those who have ever tried to create a Windows-based application by using a text editor
and the .NET Framework probably don’t agree with us on this, but that’s our story and
we’re sticking with it. Not only can you design Windows applications by using the .NET
Framework, you can also design applications for the Web to be displayed in a browser,
as well as applications for PDAs, cell phones, and many other Wireless Application Protocol (WAP)-enabled devices. Java simply doesn’t offer this luxury; a third-party package is
needed for GUI creation within Java.
■ The next obvious benefit of .NET over the JVM is performance gain. .NET simply beats
the JVM in running almost any type of application, whether it is simply a GUI application
with one screen or an n-Tier application accessing a database backend.
Configuring the Global Assembly Cache
Configuration of the Global Assembly Cache (GAC) should be done by a developer 99 percent
of the time because developers are most familiar with what their applications do and do not
need. We touch on the GAC briefly here so that you, as a server administrator, have an idea of
what its configuration actually entails.
The .NET Framework is capable of side-by-side DLL execution. Therefore, you can have two
DLLs with the same name on the same machine and in the same folder. This enables applications to use the DLL that fits their needs. Application A may need version 1.0 of a certain DLL,
whereas a newer Application B may require version 3.0 of the same DLL.
Summary
The .NET Framework is a very powerful tool for application developers as well as server administrators. It enables you to create very powerful programs to ease server administration — such
as importing large lists of users and adding them to your network or simply to monitor system
conditions. The framework also allows for side-by-side execution of same-name DLLs, a conflict
that would otherwise typically lead to application crashes. Using the .NET Framework, you can also build components that can communicate across the Internet and through firewalls using open standards and
common protocols to help propel your business.
The .NET Framework is merely just that — a framework. It contains many tools and utilities
that enable specialized applications to run.
Shapiro
p02.tex
V1 - 06/13/2008
2:58pm
Page 369
File, Print, and Storage Services
IN THIS PART
Chapter 12: Print Services
Chapter 13: Storage Management
Chapter 14: Windows Server 2008 File Systems
Chapter 15: Sharing and Securing Files and Folders
Shapiro
c12.tex
V2 - 06/13/2008
8:23pm
Print Services
This chapter covers everything you need to know about the Windows Server 2008 printing
service. Despite all of our efforts to create a paperless office, hardcopy and thus printers are not
going away. For all intents and purposes, for good or for evil, printers are becoming more
sophisticated, cheaper, and easier to use; and Windows Server 2008 isn’t helping to conserve
trees. In fact, the operating system now includes support for more than 4,000 printers, as well
as support for industrial, high-performance printing devices that would cost a small island.
In addition, technologies such as e-mail and the World Wide Web have
not done much to alleviate the need for printers. Instead, they have often
succeeded in shifting the burden of hardcopy output from the sender to
the receiver. Today, even attorneys e-mail contracts and then ask you to print them out,
sign them, and return them.
The network operating system lives and dies by its ability to host access
to printers. The print service is the third leg of the “stool” that makes up
a network operating system. Without it, a network OS simply falls over.
Windows Server 2008 has inherited a rich and robust printing service,
culled from years of research and development and the experiences of
more than 100 million users. It is one of the reasons why Windows Server
2003 has done so well. In Windows Server 2008 the driver model has
been extended to cater to the XML Paper Specification (XPS), which adds
more efficiency and throughput to the print subsystem. We explore this a
little later in the chapter.
For the most part, installing printers and printing is a no-brainer; that is,
until the printer stops printing. In order to troubleshoot problems, a good
understanding of the elements and components of Windows networking
services is vitally important.
IN THIS CHAPTER
Installing and managing printers
Adding, setting up, and publishing printers
Sharing printers, permissions, and ownership
Managing and troubleshooting printer services
As an administrator, you need to understand the logical environment in order to troubleshoot
printer problems effectively. Therefore, this discussion begins with an introduction to the components that make printing actually happen, and then moves on to installing printers. After that
discussion, the properties and parameters you set up will mean more to you. After you’re equipped
with the fundamentals, you can explore print-service troubleshooting.
The components described here are extremely complex objects and APIs that make up the
Windows Server print service. This chapter should provide you with enough information to
visualize the components and therefore be able to solve printing problems in Windows Server
environments in an effective manner.
Before you can start setting up printers and printing you first need to set up your server
with the Printer Services role. Do this using the Server Manager console as demonstrated in
Chapters 1 and 2. Once the role is installed you will be able to access Print Management. This
console provides a single interface with which you can administer multiple printers and print
servers, including printers on legacy Windows 2000, Windows XP, Windows Server 2003, and
Windows Vista.
Print Services
In Windows Server 2008, Microsoft has enabled the print administrator to set down policy and
procedures for using printers. This is achieved with the Print Services subsystem. Print Services
and its interface, the Print Management console, were given to us in Windows Server 2003,
so it’s a robust and well-oiled product of the last generation. It is now even better tuned to
the management of printers over wide area networks, as well as printers that reside at branch
offices and remote locations. (The Print Management console is shown later in the chapter in
Figure 12-4.)
The Print Management console gives you a central portal that encapsulates all the printers connected to all the print servers on your network, no matter how remote. You can use the console
to manage printer errors, and assist users in connecting to printers closest to them or at remote
locations. The console also enables you to discover and install printers on local branch office
subnets, and can even execute installation scripts you provide.
Understanding Windows Server
Printer Services
To help you avoid getting hung up on terminology and concepts, look at the printer services
from two different points of view: the logical environment and the physical environment. The
logical environment is an abstraction of the physical device that the user sees. It includes the
software required to interface to the physical environment. The physical environment represents
the devices from which the final printed medium (usually paper) emerges.
Printer services: the logical environment
First of all, printers have no user interface other than a cryptic keypad and a small LCD screen.
Their job is to receive data and to convert the data into information that a printer’s electronics
understands. The printer language or software lays out the page according to specifications in
the data and goes about the task of sending this information to the physical parts that print the
images onto a hard medium.
Therefore, if you’re not able to print, and all the logical printer components check out, the only
course of action you can take for a faulty printer is to ship it back to the factory or call a service
technician (assuming you know little about corona wires, drums, and hoppers). For the most
part, you need only know how to turn the printer or plotter on and off, change toner and paper,
connect its interface cables, and clean it.
Windows Server, conversely, is both printer-aware and user-aware. Its task is to provide a logical
printer interface that users can see and managers can manage and troubleshoot, as well as a
holistic printer spooling and pooling environment. The logical printer, represented by the printer
object, its icons, and properties, is representative of the hardware. The printer icon, or the
printer share, is all the knowledge workers need to know about printing.
You can install logical printers on your client computers (local printers), but most of the time
the logical printers are installed on servers dedicated to hosting logical printers (network
printers).
The following list describes the basic user procedure to connect to and use a printer:
1. Install a logical local or remote printer to which you have access (the installation is
persistent).
2. After you are connected, you can manage certain properties of the logical printer, such as
paper size and layout, bins and trays, resolution and color, number of pages and copies,
and so on.
3. You, or at least your users, then print documents and graphics to the logical printer. The
action of printing is often called a job. The job encapsulates printing instructions for the
printer service, telling the logical printer how the job should be printed to the physical
printer. When a client application prints a document or image, the application calls the
Windows graphic device interface (GDI), which loads the driver for the target printer.
(The driver is downloaded from the server if it does not exist on the client machine. On
Windows Server clients, the drivers are downloaded with every print job.)
Using the driver for the target printer, the GDI renders the document in the printer language of the physical printer. After completion, the GDI then calls the local spooler, hands
off the job, and closes. At this point, the GDI’s work is done, and the client computer
sends the job to the print server, via a routing service. The routing service transports
the print job over the network using the remote procedure call service, the NetBIOS
redirector.
4. After it has received the job from a print router or other interface, the logical printer, also
called the printer service or client spooler, loads the necessary driver, which tells it how
to interface to the physical printer and how to send it the document. This is done via the
services of print providers and processors.
5. The print processor checks the job’s data types and alters them or leaves them alone,
depending on the requirements and the data types received. The print processor ensures
that the job prints correctly.
6. If the data types call for separator page processing, the jobs are handed off to the separator
page processor. The separator page is added to the front of the job.
7. Meanwhile, as printer administrator, you manage the logical printer’s properties (the logical printer is an object), such as where it resides on the network, who has access to it,
when they can use it, and so on.
The printer service, illustrated in Figure 12-1, includes several components and concepts, which
are described in the following sections.
FIGURE 12-1
The Windows Server Print Service, represented as a stack of services.
[Figure: on the host Windows Server 2008 print server, the stack runs from the Remote Print Provider (fed by Win32 printing and by non-Windows print clients) through the Router, Local Print Provider, Spooler, Print Processor, and Page Processor down to the Print Monitor.]
Print routers
Print routers sit between the client application and the print server (which can also be on the
local machine, if printing to the parallel or serial port). The first job of the router is to route
print jobs to the correct servers and print services. The second job of the router, once the target
server is found, is to make sure the client has the correct driver for the job. The router checks
the target server’s driver with the client’s, and if the client’s driver is older or absent, the router
updates the driver on the client machine.
Routers are usually Win32 services. In other words, they cater to Windows printing.
All other network clients, such as Unix, mid-range systems, and the Mac environment, get their
jobs to the Windows Server print service via APIs that interface directly with the server service
stack. As mentioned earlier, the XPS support in Windows Server 2008 extends the printing
subsystem to allow XPS documents to print directly to XPS-compatible drivers and devices.
Printer drivers
Printer drivers are the first variable components you provide when setting up logical printers.
They are the software components sent to the user’s software to enable it to create print jobs
according to the capabilities of the target printers.
Printer drivers are built for specific printers or printer families. For example, you need one
printer driver for jobs printed to the Hewlett Packard LaserJet 9000 printers and different drivers
for jobs printed to LaserJet 3050 and LaserJet 21XX printers, respectively. However, LaserJet
4 and 5 drivers can print standard jobs printed to the old LaserJet III printers, but these older
printers may not print a complex job generated by the LaserJet 4 or 5 driver (PCL and later).
Printer drivers are installed when you install and configure logical printing devices. You can also
select alternative drivers after the logical printer has been installed.
Printer drivers are stored in the \system32\spool\drivers\ folder. Information about the
drivers is stored in the registry of the hosting machine.
The drivers are grouped into raster printer drivers, which include the PCL standard and dot
matrix printers, and PostScript printer drivers, which are typically used for high-end graphics
and publishing applications, the domain of the Apple/Mac computers and printers.
The spooler service stack
The spooler service is an engine — a collection of libraries — that controls each and every
print job on a machine. It’s best described as a stack, starting with a router service that can
receive jobs handed off from client processes (refer to Figure 12-1). After arriving into the stack,
the job is passed down to the print processor for rendering and then finally passed down to
the Print Monitor for transmission to the I/O ports on the physical interfaces at either local or
remote ports.
The spooler is also the service that controls client and server printer management, installation
and administration of logical printers, and more. From the user’s point of view, it’s the functionality that exists behind the icons to which users send their print jobs. Each Windows Server
machine has one spooler service.
The spooler is under the control of the service control manager. It can be stopped and started
at any time. You need only shut down the spooler service (using the net stop spooler command) to stop all printing services on a machine. The spooler is part of the Win32 subsystem
and is never deleted or relocated. It’s owned by the local system account, and a number of child
processes and services depend on it.
The spooler service is also responsible for client-side printer management. In fact, when you
stop the service, the machine can’t request or send print jobs to the logical shared printers on
a server machine. In other words, the spooler service acts as either a client or server service, as
needed.
The spooler service creates the files (spool jobs or files) in the directory where it resides. The
service and files are installed by default in the \windows\system32\spool\printers folder,
so if your server hosts a large number of print jobs, you should consider redirecting the print
jobs to a volume dedicated to servicing printers. Changing the path value in the printer’s registry
key does this. The key in question is as follows:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers
The XPS Document Writer keys are also located at the preceding registry hive. The value is a
drive letter and subfolder path, not the UNC path. After the value has changed, stop and restart
the print service. You can also set up separate folders for each printer’s job, which is discussed
next.
Spooler output files
These are the files that are generated by the spooler service (specifically, the print provider
component) for each job it handles. After the job has been sent to the printer successfully, the
spooler files are deleted. The spooler output files consist of two types of files — the spool file
and the shadow file. They serve the following purpose:
■ Spool file. This file has the .spl extension and is the print job — what gets sent to the
printer.
■ Shadow file. This file has the .shd extension. It contains the information needed for
the print job, and is useful only to the print service components. It contains information
related to the job’s position in the queue, the job’s owner, the printer’s destination,
and so on.
To redirect the spool files for each printer to a separate volume or folder, change the target
printer’s default spool directory key. The key in question is as follows:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers
Drill down to the printer in question and then look for the SpoolDirectory data item. You can
then change the value (the default is blank). Remember that the value must be a drive letter and
folder, not the UNC. This is demonstrated in Figure 12-2. The reason for redirecting these spool
files to custom directories is explained next.
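As an added example that is not the book's own, the redirection described here (and under the spooler service above) carried out in PowerShell: the script validates that the new location is a drive-letter path rather than a UNC, writes the SpoolDirectory value under the registry key the chapter cites, and restarts the spooler. The printer name and target path are constructed placeholders, and the script must run elevated on the print server.

```powershell
# Added example (not from the book): relocate one printer's spool files to a dedicated
# volume by setting the SpoolDirectory value the text describes, then restart the spooler
# so the change takes effect. Assumes an elevated session on the print server.

function Set-PrinterSpoolDirectory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$PrinterName,
        [Parameter(Mandatory = $true)][string]$Path
    )
    # The value must be a drive letter and folder; a UNC path is not accepted here.
    if ($Path -notmatch '^[A-Za-z]:\\') {
        throw "Spool directory must be a drive letter and folder (got '$Path'); UNC paths are not accepted."
    }
    # Registry key cited in the chapter; each printer has a subkey named after it.
    $printersKey = 'HKLM:\SYSTEM\ControlSet001\Control\Print\Printers'
    $printerKey  = Join-Path $printersKey $PrinterName
    if (-not (Test-Path $printerKey)) {
        throw "No printer named '$PrinterName' under $printersKey."
    }
    if (-not (Test-Path $Path)) {
        # The folder inherits the ACL of its parent; the spooler runs as Local System,
        # so review that ACL before moving production queues onto the volume.
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($PrinterName, "Set SpoolDirectory to '$Path' and restart Spooler")) {
        Set-ItemProperty -Path $printerKey -Name SpoolDirectory -Value $Path
        # The spooler reads the value when it starts, so stop and start it as the text says.
        Restart-Service -Name Spooler
    }
}

# Report where every printer on this server currently spools (blank means the default folder).
function Get-PrinterSpoolDirectory {
    $printersKey = 'HKLM:\SYSTEM\ControlSet001\Control\Print\Printers'
    Get-ChildItem $printersKey | ForEach-Object {
        $dir = (Get-ItemProperty -Path $_.PSPath -Name SpoolDirectory -ErrorAction SilentlyContinue).SpoolDirectory
        New-Object PSObject -Property @{ Printer = $_.PSChildName; SpoolDirectory = $dir }
    }
}

# Constructed placeholders: dry run first with -WhatIf, then drop it to apply the change.
Set-PrinterSpoolDirectory -PrinterName 'Accounting-LaserJet' -Path 'E:\Spool\Accounting' -WhatIf
Get-PrinterSpoolDirectory | Format-Table Printer, SpoolDirectory -AutoSize
```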
FIGURE 12-2
Changing the spool directory for a printer.
Print queues
Windows print queues are the previously mentioned print files (the collection of .spl files)
waiting in the spool folder to be printed. Each spooled job prints in the order it is received.
You can use the net print command at the command line to manage a job, or you can work
with the document interactively via the respective printer’s management interface (accessing
the printer management interface for both local and remote computers is described later in this
chapter).
If you manage a lot of printers, redirecting each printer’s spool files to a separate folder can
make it easier to manage the printer queue from the command line. If a print job hangs for
some reason, you may begin your diagnostics with the print queue. If the queue receives the file
from the user, the client spooler service process is not the problem. The next diagnostic step is
to determine why the job is sitting in the queue but going nowhere.
The print processor
The print processor is the .dll file (such as Wntprint.dll) that resides in the
\system32\spool\prtprocs\w32x86 folder. This library of functions takes the print job data sent by the
spooler and renders it into data the printer can understand (if the data is already understandable, it isn’t rendered). Most print jobs don’t require any intervention by the print processor,
unless you have peculiar output requirements.
The default data type spooled to printers by the processor is NT EMF, which can be handled
by most printers. EMF stands for Enhanced Metafile Format, and most printers can read it. You
don’t have to intervene and change the print processor libraries very often because the client
applications determine the data type to be sent and because you can’t choose or force a job to
be handled by any particular print processor. This work is handled automatically.
Windows Server comes with built-in print processors. The one installed by default is known as
WinPrint, and it handles the standard data types printed by Windows applications. You can find
the libraries for the XPS Document Writer at \\system32\spool\tools. Another important
print processor is SFMPSPRT — the Macintosh print processor — which handles jobs sent
to PostScript printers. The Macintosh print processor is installed when you install Macintosh
services on the host machine; however, you can only deploy Macintosh services on Windows
Server 2003. WinPrint can handle the following data types:
■ NT EMF version 1.00x. EMF stands for Enhanced Metafile Format. These files can be
printed to most printers.
■ RAW. This data type job indicates to the print processor that nothing further needs to be
done to print the document.
■ RAW (FF appended). This type forces the print processor to check whether a form feed
has been added to the end of the job — to ensure that the last page exits the printer.
■ RAW (FF auto). This type does not issue a form feed, and the print processor adds it to
the end of the job automatically.
■ TEXT. This data type is usually issued for printers that do not accept direct text. The print
processor renders the text to meet the needs of the target printer.
The Macintosh print processor, SFMPSPRT, on Windows Server 2003 R2 SP1,
renders jobs to non-PostScript printers for the benefit of Mac clients. However,
the output is limited to the very basic “playout” (to use a Mac-DTP phrase for sending a job to
the printer). The default data type is PSCRIPT1, which is a Windows bitmap format that prints to
the non-PostScript printers. The best you can do for Mac clients is to install PostScript printers (or
face the wrath of the Mac maniacs), which provides the high resolution and graphics capabilities
DTP publishers require, regardless of whether the client is Mac or Windows or Linux.
Ports
The term port is loosely used to refer to the hardware connections that enable a data stream to
flow from one device or medium to another. Print servers and printer interface equipment use
ports to represent network and cable connections. Ports are assigned network addresses and
reside between the printer and the spooler service.
Print monitors
Print monitors are important components to understand. They are soft devices that control the
transmission process of the print job to the I/O ports on the devices that interface with the physical printer. Windows Server supports several standard print monitors. Print monitors perform
the following tasks in the print service:
■ They open a connection between the print processor and the port. The connection is then
used to transfer the data to the I/O ports of the physical printer or remote printer interface. In essence, they touch the actual ports at the interfaces on the remote print servers or
printer interface devices.
■ They monitor the print job for error messages, progress, and completion.
The print monitor essentially monitors the entire print job and reports its status back to
the spooler. If a print job times out for some reason, the monitor notifies the spooler, and the
spooler sends a message to the client.
Several print monitors are built into Windows Server 2008. You can see the list when attempting to create a new port for the job data connection. Unfortunately, Windows Server 2008, like
its predecessor, tends to create confusion between the monitor type and the actual I/O port, as
illustrated in Figure 12-3.
FIGURE 12-3
The Ports tab in the Properties dialog box.
Why is it so important to understand the role of the monitor? It’s usually the first component in the print service stack that alerts you to a print problem and its most common
reason — inability to communicate with the local or remote port. If the print monitor reports
that there’s a problem connecting to a remote port, you have a network problem (IP, or lower
on the network stack). Usually, a trip to the printer finds the network cable kicked out of the
network drop or the interface unit.
Various monitors are bundled with Windows Server.
Local print monitor
The local print monitor (formerly localmon.dll and now built into localspl.dll) manages
the following ports:
■ Parallel interface. This interface caters to print jobs that are sent to the parallel port on
the computer initiating the job. Most machines support parallel port printing. You choose
this monitor when you set up a local printer connected directly to the host. The local
printer can also be shared, which makes it a network printer.
■ Serial interface. This interface provides the same service as the parallel interface. The
data, however, is transmitted through the serial interface, a communications port (such
as COM1 or COM2), instead of the parallel interface. Serial interfacing is not common on
printers.
■ USB, infrared, and wireless (the likes of 802.1X and Bluetooth). Windows Server
2008 supports USB printing, infrared, and various shades of wireless printing. The local
print monitor and its user interface components provide the means to set up these printers
in the same location as the legacy parallel and serial interfaces and the remote ports (such
as LPR and IP).
■ File. This interface enables you to spool the job to a filename. The job is identical to jobs
that are spooled directly to print interfaces, local or network. The option of wrapping up
the data into a file enables you to relocate the file to another system for printing. In other
words, the physical printer does not have to be present or locatable on your network to be
of service.
This option is convenient if you do not actually own or have access to the target physical
printer. If you need to print to very expensive printers, such as the Linotronic typesetters and
heavy-duty PostScript printers run by service bureaus and printing companies, you can print the
job to a file and then send the file to the service via the Internet or on a disk. All you need to
do is install the driver for the target printer. (By the way, PostScript print files are binary.) Print
files are printed using various commands at the command prompts of the target machines from