Windows Server 2008
WHAT’S NEW | WHAT’S CHANGED

Greg Shields

841 Latour Ct Ste D
Napa, CA 94558
www.SAPIENPress.com
Windows Server 2008: What’s New | What’s Changed

Contents

About the Author
Acknowledgements
Introduction to Windows Server 2008
The Intent of this Book…
Who Should Read this Book
What You Should Get out of This Book
Windows Server Editions
Hardware Requirements
Windows Server 2008 Standard Edition
Windows Server 2008 Enterprise Edition
Windows Server 2008 Datacenter Edition
Windows Web Server 2008
Windows Server 2008 Core
Compelling Reasons to Upgrade to Server 2008
Manageability
Flexibility
Protection
Summary
Installing Windows Server 2008
What’s New & What’s Changed?
Manual Installations
Automated Installations
Windows Deployment Services
WDS’ Transport Server & Deployment Server
Summary
Server Management
What’s New & What’s Changed?
Initial Configuration Tasks
Computer Information
Update this Server
Customize this Server
Server Manager
Server Roles, Role Services, & Features
Adding New Roles & Role Services
Server Manager Command Line
Event Viewer
Event Log Tasks
Event subscriptions
Reliability & Performance Monitor
Task Scheduler
Windows Server Backup
Disk Management
Windows PowerShell
Memory Diagnostics Tool
Windows Remote Management & Windows Remote Shell
Summary
Group Policy
What’s New & What’s Changed?
Group Policy Central Store
ADMX & ADML Files
Converting ADM to ADMX
Group Policy Preferences
Starter GPOs
Filtering and Commenting
Network Location Awareness
GPMC Scripts
New and Updated GPO Categories
Group Policy Logging & Troubleshooting
Group Policy Logging
Group Policy Troubleshooting
Userenv Debug Log Redux
GPLogView
Multiple Local Group Policy Objects
Fine-Grained Password Policies
Summary
Windows Server Core
What it is…
What it isn’t…
What’s New & What’s Changed?
Installing Server Core
Initial Configuration Tasks Commands
Unattended Installation
Server Core Roles & Features
The ADDS Role
Roles & Usage Scenarios
Remotely Managing Server Core
Terminal Services
Windows Remote Shell
PowerShell
Customizing Server Core
Summary
Active Directory
What’s New & What’s Changed?
Schema & Functionality Changes
Snapping an Offline DC
ADPREP
DCPROMO
Creating a New Domain
Installation From Media
Selecting “Helper” DC
Restartable Service
AD Object Protection
Auditing Changes
Read-Only Domain Controllers
Creating an RODC
Creating an RODC on Server Core
AD Snapshots
FRS / DFS-R
Backup & Disaster Recovery
The Other Active Directory Services
Active Directory Lightweight Directory Services (AD LDS)
NTDSUTIL & AD LDS
Active Directory Federation Services (AD FS)
Active Directory Rights Management Services (AD RMS)
Active Directory Certificate Services (AD CS)
Summary
Terminal Services
What’s New & What’s Changed?
Remote Desktop Client
Network Level Authentication
Client Consolidation
Installing & Administering Terminal Services
(Terminal) Server Manager
Licensing
TS RemoteApp
TS Web Access
TS Session Broker
TS Gateway
Configuring TS Gateway
Easy Print
Other Features
Parallel Session Creation
Terminal Server Drain Mode
New WMI Providers
Summary
Security & the Windows Firewall with Advanced Security
What’s New & What’s Changed?
Security Enhancements
User Account Control
Hot Patching
Security Configuration Wizard
Windows Firewall with Advanced Security
WFAS for the Incredulous Administrator
Server & Domain Isolation
Domain Isolation
Server Isolation
Network Access Protection
BitLocker
Summary
Web Server (IIS) Role
What’s New & What’s Changed?
Installing IIS v7.0
IIS Manager
Command-Line Management
Remote Management
Security & Delegation
File-based Configuration Storage
IIS on Server Core
IIS v7.0 Modules
HTTP Modules
Security Modules
Content Modules
Compression Modules
Caching Modules
Caching Modules
Managed Support Modules
Summary
Other MN&C Features (You Might Not Know About)
What’s New & What’s Changed?
Windows Server Failover Clustering
Cluster Quorum Models
Hyper-V
Hypervisors, a definition…
Microkernelized Hypervisor Architecture
Management Tools
DNS
File Services & Storage Management
iSCSI Initiator & iSCSI Remote Boot
Transactional & Self-Healing NTFS
Windows Service Changes
Summary
Index
Windows PowerShell Seven-Step Speed Start
1. Installing Windows PowerShell
Framework First
Download and Install the Shell
2. Customizing the Shell
3. Performing Some Familiar Tasks in the New Shell
4. Working with More Drives than C:
5. Finding Help at Your Fingertips
6. Performing Real Administrative Tasks Without Scripting
7. Taking a Peek at the Pipeline
Ready for More?
Windows PowerShell Architecture and Overview
What Is PowerShell, and Why Should I Care?
How Do I Use PowerShell?
Parameters
Aliases
Backward-Compatible
Navigation
Scripting
Variables
Built-in Help
Object Oriented
Danger! Danger! Danger!
Bottom Line: Do I Need to Know All This?
Is PowerShell a Good Investment of My Time?
Where Do I Go from Here?
Help and Additional Resources
PowerShell Drives
Navigating a Hierarchical Object Store
More Stores than Just the File System
Mapping Drives
More Providers!
PSDrives = Ease of Use
Key Cmdlets for Windows Administration
Cmdlets for Navigating Your System
Listing Child Items
Changing Location
Cmdlets for Working with Items
Cmdlets for Working with Text Data
Cmdlets for Working with Windows
Cmdlets for Working with PowerShell
Creating Output
Clearing the Console
Accepting Input
Working with Variables
Working with Commands
Working with Command-Line History
Working with PSDrives
The PowerShell Pipeline
Piping Objects from Cmdlet to Cmdlet
Finding Cmdlets That Accept Pipeline Input
The Pipeline Enables Powerful One-Liners
The Pipeline Enables Simple Output Redirection
The End of the (Pipe)line
Cmdlets to Group, Sort, Format, Export, and More
Formatting
Format-List
Format-Table
Format-Wide
Format-Custom
Formatting Rules Overview: When Does PowerShell Use a List or Table?
GroupBy
Sort-Object: Sorting Objects
Where-Object: Filtering Objects
ForEach-Object: Performing Actions Against Each Object
Select-Object: Choosing Specific Object Properties
Exporting
Export-CSV
Export-CliXML
ConvertTo-HTML
Comparing Objects and Collections
Practical Tips and Tricks
Using the Command Line
Command History
Line Editing
Copy and Paste
Tab Completion
Instant Expressions
Pausing a Script
Displaying a Progress Meter
Keeping a Transcript
PowerShell Command-Line Parsing
Quotation Marks
Parsing Modes
Line Termination
Working with the PowerShell Host
Culture Clash
Using the UI and RawUI
Reading Lines and Keys
Changing the Window Title
Changing Colors
Changing Window Size and Buffer
Nested Prompts
Quitting PowerShell
Prompting the User to Make a Choice
Security Features
Why Won’t My Scripts Run?
When Scripts Don’t Run. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Trusted Scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Execution Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Signing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Alternate Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Is PowerShell Dangerous?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Safer Scripts from the Internet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Passwords and Secure Strings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Chapter 1
Introduction to Windows Server 2008
Have five years passed already? It feels like only yesterday that I was staring down the pipe at this
brand new operating system called Windows 2003. Remember those days? Clustering got a makeover
that made it actually useable. IIS and Terminal Services had a fresh look and feel with new security
functions. Heck, even Group Policy got that much easier with the introduction of the Group Policy
Management Console and all the new policies and settings that came with the O/S. I remember drooling
over Group Policy’s new WMI Filtering feature and thinking, “I can’t wait!”
Well, that time is here again. Though the feature sets are different, the excitement associated with a new
server operating system should be enough to simultaneously scare you and make you giddy with delight.
Scary, because any major update like Windows Server 2008 is going to cause plenty of late nights and
early growing pains. Giddy, because that same major update adds so much more to your network
environment in terms of security, stability, and terrific new management features.

The Intent of this Book…


Your first reaction as you flip through this book is probably an incredulous gasp at
how slim it seems. Slim compared with many of the doorstops you’re used to seeing in the IT book aisle
at your hometown book store. Those 1500-page tomes provide you with step-by-step instructions on
every teeny, tiny detail. But more often than not I’ll bet you’ve never read them from cover to cover—
simply because IT books aren’t all that titillating. For me, 1500 pages of step-by-step instructions makes
me feel like I’m reading a cookbook. Educational, but not all that exciting…
The intent of this book is not to provide you with the absolute step-by-step instructions for how everything
works in Windows Server 2008. My guess is that you really don’t need that anyway. These days,
more than ever, the tools and technology are changing faster than the publications cycle. So authoring
one of those behemoths means that something will likely have changed on page 127 by the time I get to
page 1270. Plus, the bloggers and community Web sites all around the net do a much better (and more
searchable) job anyway.
No, this book is slim for two reasons. One, my job as I see it is to give you some detail on specifically
what’s new and what’s changed between Windows Server 2003 and Windows Server 2008. Hence the
title What’s New/What’s Changed. For a few of the really important or complicated topics, I’ll include
step-by-step instructions to get you through the hard parts. But for the most part, this book is designed
to give you an overview of what to expect when you consider your move to Server 2008.
In the following pages, I’ll be spending a few minutes on each of dozens of topics that you need to know
before you start using Server 2008 in your production environment. You’ll come to understand the new
technologies in Server 2008 and how others have changed from what you’re used to seeing in Server
2003.
The second reason for the thickness of this book, as well as my light-hearted, conversational style, is to
make reading it fun (I’ll apologize in advance for all the bad jokes). If those other books are heavy on
the step by step, then let’s be heavy here on helping you understand and getting you excited about fitting
these technologies into your environment. I’ll be giving you the straight scoop on which new and
updated features are compelling (Terminal Services!) and which ones may not be all that exciting (AD
Snapshots!). Being published through SAPIEN Press and not through Microsoft means I can be completely
honest and, in some cases, brutal about my impressions. I hope you’ll appreciate and respect the
candor.
After you’ve read this book, if you’re still looking for the step by step, may I suggest a trip to the
Internet. In my day job, I serve as Resident Editor for a community of people (OK, it’s a blog) dedicated
to the topics, trends, and technology associated with Windows Server of all editions. That Web
site, located at http://www.realtime-windowsserver.com, includes daily commentary and regular podcasts
on up-to-the-second information in the world of Windows Server. I encourage you to check it
out.

Who Should Read this Book


This book is patterned off a similar one produced back in 2002 by my good friend Don Jones called the
Windows Server 2003 Delta Guide. In that book, Don used the same “What’s new and what’s changed”
format to help people understand how the world changes when you move from Server 2000 to Server
2003. It was actually Don who asked me to write the 2008 version of that book and I thank him for the
opportunity.
That being said, because I’ll be reviewing lots of topics in a short period of time, I will assume that you,
the reader, are generally familiar with the major functionality and terminology associated with Server
2003. If you understand how Group Policy works, you’ve created and/or administered a Windows
Active Directory domain or two in your time, and you have a good understanding of Microsoft’s implementation
of various network services, then you’ll do just fine with this book.
If, on the other hand, you’re completely new to the world of Windows Server, there’s value in picking
up this book anyway. While you may not understand some of the terms and terminology in the text,
this book can be a good starting point for your learning of Microsoft’s newest server operating system.
Through this book you’ll get a good overview of the feature sets and technologies associated with Server
2008. You can then expand on what you’ve learned here through other resources.
You’ll notice that there are a number of places in the text where I will explain some critical step-by-step
processes. These are the cases where a new process needs detailed explanation for you to reproduce it
carefully. I’d suggest that for those sections you boot up a virtual machine and try out the process on
your own. Server 2008’s installation is so easy (especially with virtual machines) that it’ll be
worth the few minutes of effort to see how it works with your own eyes.
With Server 2008 only barely past RTM upon the release of this book, you’ll find that some information
available on the Internet is sparse at best. So in those cases, I’ve done my best to piece together a
usable step-by-step process so you don’t have to do the same level of digging I’ve had to do. Oh, and
you’re welcome!

What You Should Get out of This Book


As you read through the next series of chapters, you should begin to see an order in the way this information
is presented. I’ve first tried to break apart the information into its disparate elements as best as
possible. Some feature sets (Read-Only Domain Controllers!) are components of multiple chapters, but
for the most part each chapter stands alone.
My intention is also to work you through each chapter in order of what is (1) Most Neat & Cool (or
what I like to call MN&C for short) and, (2) What you’ll use first. So you’ll see a logical progression from
Installing Windows Server 2008, to post-installation tasks, to managing Server 2008, to Group Policy,
etc.
Let’s take a quick look at each of the upcoming chapters and give you a quick gut check of what’s
MN&C within each:
• Chapter 1: This chapter. I’ll talk about what I’m talking about right…now. (har!) Then, I’ll talk
about the versions of Server 2008, the feature sets associated with each one, and what would compel
you to upgrade from one version to another.
• Chapter 2: Installing Windows Server 2008. As the name suggests, I’ll discuss the various ways
to get Server 2008 onto a computer. I’ll talk about the manual and unattended installation process.
I’ll go into detail on the new WinPE-based installation environment and introduce you to
Microsoft’s Windows Automated Installation Kit and the Windows Deployment Services tools
that make the process of server rapid deployment easy.
• Chapter 3: Server Management. Once installed, you’ve got to manage that server. Server 2008
consolidates many of the disparate management consoles of previous O/S versions into a single
MMC console called Server Manager. This new tool will quickly become your best friend when
managing Server 2008 instances. In this chapter, I’ll discuss the componentization of Server 2008,
improving its security and reducing points of exposure by turning virtually everything into a Role
or Role Service. I’ll also talk about some of the great management tools you get right out of the
box, like the Windows Reliability & Performance Monitor, Windows Remote Management, and
Disk Management changes.
• Chapter 4: Group Policy. Why manage the configuration of one system when you can use Group
Policy to manage them all centrally through a single policy? In Chapter 4, I’ll dig deep into what’s
new with Group Policy (there is a lot!). You may find that the new policies, preferences, and policy
troubleshooting and logging capabilities alone may drive you to upgrade sooner than later. Oh,
and put on your programmer’s hat because the custom policy change to an XML-based format will
at the same time impress, excite, confuse, and annoy you until you figure it out.
• Chapter 5: Server Core. Everybody’s waiting for Server Core, but is it really all that exciting? In
many cases, yes. Server Core is the continuation of Microsoft’s attempts to reduce the attack surface
area of Windows by essentially cutting all the fat out of its diet. Server Core’s limited roles
and slimmer waistline mean it only works in a few specific scenarios. But, you may find that for at
least some of those scenarios you’ll like the secure result you get.


• Chapter 6: Active Directory. Not another schema update! Yup. Server 2008’s Active Directory
Domain Services Role has some schema changes to make. But with those changes come some
great features and functionality. Read-Only Domain Controllers mean branch office DCs are now
much better protected. Changes to the auditing subsystem mean you can actually track changes
to AD. The DCPROMO process gets much less complex. And some new capabilities with AD
backup and restore should help you sleep a little better at night. Don’t fret that schema change.
It’ll only hurt a little.
• Chapter 7: Terminal Services. In my opinion, this is one of the greatest improvements you get
with Server 2008 and arguably the feature that’s most likely to drive an upgrade: Terminal Services
sees a big facelift in this upgrade. Much of the stuff you lusted after in Citrix Presentation Server
is now available for no extra charge in Server 2008 Terminal Services. You get remote applications
in addition to full desktops, an integrated Web interface for launching those applications, (much!)
better printing, and even encryption and security for Internet-based RDP sessions. Wow.
• Chapter 8: Security & the Windows Firewall with Advanced Security. Combining the topics
of security with the Windows firewall, I’ll talk about the improvements to the overall security of
Windows Server itself. I’ll discuss, at length, how the Vista/Server 2008 combo enables some
very MN&C security as well as systems health verifications through technologies like Server &
Domain Isolation and Network Access Protection. Our old friend/nemesis User Account Control
also returns in Server 2008 and BitLocker drive encryption is also available.
• Chapter 9: The Web Server (IIS) Role. IIS v6.0 is arguably one of Microsoft’s least hackable
subsystems. To date it hasn’t seen a single vulnerability in its code. With IIS v7.0, Microsoft has
made it even more secure by splintering it into over forty separate pieces. In this chapter, I’ll talk
about those individual components, how to enable, disable, and manage them both locally and
remotely.
• Chapter 10: Other MN&C Features (you might not know about). The catch-all chapter for those
features I couldn’t fit anywhere else. Chapter 10 will review a few additional new or updated features
like Windows Clustering, enhanced support for iSCSI, the improved DNS Server and File
Services Roles, as well as some nifty low-level improvements to the NTFS file system itself that
enhance the overall stability of your server system—and therefore your critical data.

Windows Server Editions


When Vista released to the consumer markets in early 2007, there were eight different editions to
deal with. Figuring out the differences between Vista Home Premium, Vista Enterprise N, and Vista
Ultimate took some fancy slide rules and cheat sheets. Server 2008 doesn’t disappoint either, arriving
with an equal number of editions to deal with. The good news with Server 2008, however, is that the
differences between editions are a lot easier to understand. Vista’s editions were complicated because
what made them different were in many ways features that many people didn’t even want.
For the most part, with Server 2008 there are only three editions you’ll really need to concern yourself
with—two more wait in the wings, but you would only use them for very specific purposes. Server 2008
Standard Edition, Server 2008 Enterprise Edition, and Server 2008 Datacenter Edition are the three
major, feature-complete versions of the Server 2008 operating system. Adding to that are Server 2008
Web Edition and Server 2008 for Itanium-based Systems. Similar to Server 2003, you would only use
these two in specific situations.
Also available as separate SKUs from Standard, Enterprise, and Datacenter Editions are SKUs that
don’t include licensing for Microsoft’s Hyper-V virtualization features. As you can expect, there are
only two differences between these and their “regular” counterparts: They cannot support Hyper-V and
they’re a teensy bit cheaper.

Hardware Requirements
No matter what the edition, few in the past have really believed Microsoft’s recommendations for
minimum hardware resources. Their recommended minimums historically got the system to boot and
possibly see the Start bar. Actually getting a Server 2003 instance to run an application usually involved
more resources than the stated minimums suggested.
That being said, Server 2008’s minimums appear to be quite a bit more lodged in reality. In fact, during
the writing of this book I’ve successfully run a number of virtual machines with acceptable performance
at processor and memory levels below these stated minimums. Obviously, your mileage will vary.
The following are Microsoft’s recommendations for minimum hardware requirements. I’ve also
included what Microsoft calls their recommended and optimal settings, as well as maximum capabilities
for each version:
Server 2008 Hardware

Component               Recommendations
Processor Speed         Minimum: 1 GHz (x86), 1.4 GHz (x64)
                        Recommended: 2 GHz
                        Optimal: 3 GHz or faster
Max Number of Sockets   4 for Standard (x86 & x64), 8 for Enterprise (x86 & x64), 32 for Datacenter (x86), 64 for Datacenter (x64)
Memory                  Minimum: 512 MB RAM
                        Recommended: 2 GB RAM
                        Optimal: 2 GB RAM for Full installation, 1 GB RAM for Server Core installation
                        Maximum: 4 GB for Standard (x86), 32 GB for Standard (x64), 64 GB for Enterprise & Datacenter (x86), 2 TB for Enterprise, Datacenter, & IA64 (x64)
Disk Space              Minimum: 10 GB
                        Recommended: 40 GB for Full installation, 10 GB for Server Core installation
                        Optimal: 80 GB for Full installation, 16 GB for Server Core installation
Peripherals             Required: SVGA (800x600), Keyboard & Mouse

The numbers above are quite telling, especially those for memory. Maximum RAM
changes drastically as a server moves between the three major editions. Substantially
more RAM is available for 64-bit systems if their hardware supports PAE extensions.
Interestingly enough, the total number of supported processors for any edition remains
unchanged. All that being said, I’m quite a bit more willing to trust these minimum and
recommended numbers than I was for Server 2003.
To give you some idea of how the new requirements stack up against the old, compare
those requirements above for Server 2008 with these below for Server 2003 R2:


Server 2003 R2 Hardware

Component               Recommendations
Processor Speed         Minimum: 133 MHz for Standard or Enterprise, 400 MHz for Datacenter
                        Recommended: 550 MHz for Standard or Enterprise, 733 MHz for Datacenter
Max Number of Sockets   4 for Standard (x86 & x64), 8 for Enterprise (x86 & x64), 32 for Datacenter (x86), 64 for Datacenter (x64)
Memory                  Minimum: 128 MB RAM for Standard or Enterprise, 512 MB RAM for Datacenter
                        Recommended: 256 MB RAM for Standard or Enterprise, 1 GB RAM for Datacenter
                        Maximum: 4 GB for Standard (x86 & x64), 32 GB for Enterprise (x86), 64 GB for Enterprise (x64) & Datacenter (x86), 512 GB for Datacenter (x64)
Disk Space              Minimum: 1.2 GB for network install, 2.9 GB for CD install
Peripherals             Required: SVGA (800x600), Keyboard & Mouse

In addition to the level of resources supported by each edition, there are certain features
and capabilities that are only available at each level. Let’s take a look now at each edition
and talk about what you get when you move from edition to edition.

Windows Server 2008 Standard Edition


Standard Edition is Microsoft’s Ford Taurus. It includes all the basic functionality of each of the editions,
but none of their flashy features. This “basic functionality” for the most part includes everything
you probably need to operate your network environment. With Standard Edition, nearly all server capabilities
are available with a few exceptions I’ll note in a second.
Server 2008 Standard Edition includes Server Core. Though selecting to install a Server Core instance
is done alongside the other editions, Microsoft considers Server Core to be an installation option rather
than a fully fledged edition of Windows Server. I’ll talk more about Roles and what they mean in
Chapter 2. But for now, know that a license for Server 2008 Standard Edition includes the rights to
build the system as a Server Core instance.
In terms of features, what you don’t get with Standard Edition are Windows Server Failover Clustering
support or support for Remote Differential Compression. Standard Edition cannot support Active
Directory Federation Services (AD FS), and although you can install Active Directory Certificate
Services (AD CS), it is limited to creating basic Certificate Authorities only. Microsoft relegates the
more advanced features of AD CS to higher-level editions. Standard Edition can only support a single
standalone DFS root. It is limited to 250 RRAS connections, 250 connections through TS Gateway,
and 50 IAS connections.
All of these missing capabilities are available in both the Enterprise and Datacenter Editions. So if you
need them, that decision is made for you.
Lastly, in what will be a boon to administrators in small environments, Microsoft has changed with
Server 2008 the rules for the hosting of virtual servers atop physical instances. With each license of
Standard Edition, it is acceptable to host a single additional virtual copy on the same physical host.
Though this doesn’t provide much in the way of systems consolidation, it does ensure that a very small
need and/or testing environment will remain legal.


Windows Server 2008 Enterprise Edition


Nudging the capabilities meter up a notch is Server 2008 Enterprise Edition. As shown above, bumping
to Enterprise Edition gains a substantial increase in the amount of RAM that the system can
address, especially when run on 64-bit hardware. This limitation is a function of dollars and cents.
Enterprises that have need for low-performance servers will likely do well with Standard Edition. But
when memory requirements grow large, an upgrade purchase is in order. Where you see a need for more
memory, Microsoft sees an opportunity for more profit!
Enterprise Edition comes with two new hardware capabilities not seen in Standard Edition: The ability
to hot add memory, which enables you to add RAM on-the-fly without requiring a reboot, and
fault-tolerant memory synchronization, which increases the availability of onboard memory.
The extra cost for Enterprise Edition comes in extremely handy when you consider it for use as a pool
for additional virtual machine licenses. Purchasing Enterprise Edition adds licenses for four virtual
machines atop each physical license purchased. In most cases, the cost for Enterprise Edition is not
excessively greater than the cost for Standard Edition. So, if you plan to move to virtualization, you
immediately gain some benefits in terms of license cost savings by buying Enterprise Edition.

Virtual Licenses
There is an important distinction in terms of physical vs. virtual when it comes to
Windows Server licenses. When you purchase a physical license for Windows Server
2008 Enterprise Edition, you gain the ability to run four additional virtual servers on
that physical server. Pooling your licenses in this way means that you’ll need to purchase
additional physical licenses if you go beyond the four-license limit. The same goes with
Standard Edition if you go above its one-extra-license limit. Furthermore—and this is a
great benefit—the licensing rules state that you only consume virtual licenses when the
virtual machine is actually running. This means that you’re welcome to store as many
non-running instances of Windows Server as you want as long as only four are operational
at a time.

Windows Server 2008 Datacenter Edition


Server 2008 Datacenter Edition. It has a nice “supercomputer” ring to the name, eh? Designed specifically
for high-resource utilization, Datacenter Edition is tuned for number crunching and detuned for
things like file serving.
Where Datacenter really shines is in systems virtualization. Because of its ability to support greater
hardware resources, it can support more concurrent virtual machines than other versions. Every physical
license of Datacenter Edition also includes licenses for an unlimited number of virtual machines
atop that host. This is particularly effective when considering large virtualization environments where
machines may regularly migrate from host to host. If you choose Enterprise Edition, you must
mind the four virtual-machine limit. Should you upgrade to Datacenter Edition, you have no such
limitations.
Although Microsoft doesn’t add new Roles or software features upon the move to Datacenter, there are
a number of hardware advancements that these servers benefit from. In addition to Enterprise Edition’s
fancy memory features, Datacenter Edition servers gain the ability to hot replace memory. It can also
support the hot addition and replacement of processors, which is great for servers sporting upwards of
64 sockets. With that many concurrent sockets and that much RAM in one box, there’s a much greater
chance for a failure of any individual piece. Being able to replace them on the fly only increases the total
uptime of these behemoths.

Check tech spec.


Remember that with all of these nifty hardware capabilities, the hardware itself must
also support the capability. So, don’t start hot swapping anything until you check
your technical specifications for that hardware first!

Windows 2000 required that you purchase Datacenter as part of a hardware purchase, but with
Windows 2003 they eventually lifted that requirement. You can purchase Datacenter as a separate SKU
and install it anywhere where it is supported.

Windows Web Server 2008


Raise your hand if you currently have a Web Server Edition of Windows Server 2003. Hold them
high! To be honest, I’ve seen only very few instances of Web Server Edition in Server 2003 specifically
because of its limitation on capabilities. Server 2008’s Roles and Role Services componentization exacerbates
that limitation. The more formal codification of roles makes it harder to “cheat” with what you
can run on an instance of Server 2008’s Web Server Edition.
In Windows Web Server 2008, the only two roles that you can enable are the Web Server and
Application Server roles. The other roles simply are not available to be installed. Web Server 2008 also
cannot utilize Server Core. Microsoft similarly limits individual features to just those dedicated to supporting
its use as a Web server. Interestingly enough, with the addition of the IIS Role to Server Core,
it is likely that Windows Web Server 2008 will—like earlier versions—see a very limited installation
base.

Windows Server 2008 Core


Windows Server 2008 Core is not technically an Edition, but is instead a separate installation from any
of the other editions noted above. A component of Standard, Enterprise, and Datacenter Edition alike,
you install Server Core as you install the operating system to the computer. Short of dual-booting your
system you cannot collocate a Server Core installation with a full installation.
I’ll talk more about Server 2008 Core in Chapter 5. But, I include it here so you know that the purchase
of a license for any of the three major editions noted above includes the ability to install that
instance as Server Core.


RTM = SP1?
Here’s a funny story. From the command prompt of any Server 2008 instance, enter the
command winver to bring forward O/S version information. You’ll immediately notice
that Server 2008 RTM is actually listed as Server 2008 Service Pack 1! The reason for
this nomenclature is the closeness in the codebase between Server 2008 and Vista,
which released its SP1 at the same time as Server 2008’s release. I’ll admit that seems like
a little “cheating” on the part of Microsoft. Or, maybe genius!? Isn’t the rule of thumb in
many organizations to wait on deploying any new Microsoft operating system until after
it hits SP1? Well, you’re already there, so what are you waiting for! Snark!

Compelling Reasons to Upgrade to Server 2008


As I’ve said before, there are plenty of benefits associated with Server 2008. I’ll talk about them in
greater detail through the rest of this book. However, as you’re going through your reading, consider
three general areas of compelling reasons that will drive you to upgrade sooner than later:
Manageability, Flexibility, and Protection. Server 2008’s most compelling features derive from these
three focuses.

Manageability
In the next chapter, I’ll talk about the new Server Manager that combines the functionality of many
previously-separated MMC consoles into a single, unified point of control for many Roles and their
functions. Integration of Windows PowerShell into the operating system adds scripting support to
nearly all manageable objects within the operating system. Post-installation initial tasks also enable
all necessary security and server customizations, like naming and firewalls, as soon as the installation is
complete so you don’t forget steps.

Flexibility
In addition to the manageability features, Server 2008’s componentization of Roles and the services
associated with those roles makes it highly flexible in production operations. Dependencies between
Roles and Services are identified during Role installation, and any dependencies are marked for
non-removal should you remove a Role. Integrated and improved virtualization and Terminal Services
components also ensure that the same Windows Server that can perform one function can also perform
others with a minimum of feature bloat—and that bloat’s associated security problems.

Protection
Lastly, in the area of protection, Microsoft has continued its work in ensuring the safety and security
of the Windows operating system. They’ve configured services to operate within their own session to
prevent interactive sessions from conflicting or corrupting service operation. Microsoft also removed
automatically started services to trim down unnecessary components from operating at risk. Features
like Server 2008’s “hot patching” capability that enables non-kernel patching to occur without needing
a restart increase server uptime. And, new and more manageable features like Network Access
Protection and the Group Policy-manageable Windows Firewall with Advanced Security mean individual
servers start up automatically protected from attack using firewall technology that you won’t want
to turn off.


Summary
So, we’re off! As you can see here, there are a lot of options for choosing what kind of Server 2008
instance you want to create in your own environment. But when you really look between the lines, the
options really haven’t changed from the previous version. For the most part, you’ll likely be looking at
the same Standard, Enterprise, and Datacenter Editions you’re used to seeing in Server 2003, albeit with
a few small changes.
In the next Chapter, I’m going to talk about the new setup environment, WinPE, that makes building
servers a much more enjoyable process than in previous versions. You’ll get a glimpse of how WinPE
makes the installation process much easier and I’ll talk about some of the rapid deployment options that
Microsoft freely makes available to help you quickly get new servers deployed.


Chapter 3
Server Management
Years ago I worked as a Windows systems administrator for a large defense contractor. Like many
computer networks, I was responsible for the daily care and feeding of hundreds of Windows Servers.
Keeping them straight was difficult, made even more so since this was back in the days of Windows NT.
Need to work on a server? Off to the server room you go. Bring a jacket…it’s cold in there...
These days, whether your servers are hosting your company’s Web site or keeping satellites in orbit, the
process of doing server management has gotten quite a bit easier. Need to manipulate the configuration
of a server? Use your MMC console or TermServ to the box. Need access to the console for a software
installation? Log in to your IP KVM or connect to the console session using RDP. You’re off to the
races.
The processes for server management haven’t changed all that much from Server 2003 to Server 2008.
As an administrator, you’ll still be doing most of your configuration remotely using Remote Desktop
and MMC consoles. What’s different in Server 2008 are the mechanisms and tools to automate and
ease the sheer number of administration tasks that you do on a daily basis.
What, you say? You mean I’ll have less time doing repetitive and uninspiring administrative tasks and
more time for playing golf? Count me in!

What’s New & What’s Changed?


In this chapter, I’ll be talking about the new tools you’ll immediately see when you complete your first
Windows Server 2008 installation. I’ll discuss the Initial Configuration Tasks that the system prompts
you to complete once it finishes the installation. I’ll talk about the new Server Manager and how it
makes administering your servers easy by consolidating many of the disparate management consoles
into a single location. And, I’ll finish with some of the other features in Server 2008, like shrinking disk
volumes on the fly and using the Reliability & Performance Monitor that helps you find out why your
server is slow today. In just about every case, I predict you’re going to like what you see.

Initial Configuration Tasks


I’ve already talked in the last chapter about the changes to the installation process. That process,
especially when done manually, has matured to become quite a bit more streamlined than in previous
versions. Microsoft has offloaded many of the tasks originally done through the installation procedure
to what they now call Initial Configuration Tasks. Almost immediately upon completing the installation
process, you will be greeted with this new wizard that asks you to complete a series of tasks that are necessary
to configure the machine’s name, domain, license, networking, security, and role information.

Initial Configuration Password


As an aside, there is one configuration that you’ll be required to complete before you gain
access to the console: Assigning the Administrator password. An interesting difference
from previous O/S’s that you’ll immediately notice is that after the installation the system
will automatically attempt to log in using the Administrator account. Because the configuration
of the password for that account is no longer a part of the initial installation,
the very first piece of information the system asks you for upon installation is to provide
a password for Administrator. Once you complete this, you’ll then be given access to the
console and be able to start Initial Configuration Tasks.

Thinking back to my days at the defense contractor, at one point my team built this huge procedure
document. Its purpose was to help us remember all the steps necessary when building a new server.
That document, dozens of pages long, went step by step to remind us to name the computer, give it
an appropriate IP address and netmask, and then begin the patching process. Now, with the Initial
Configuration Tasks wizard shown in Figure 3-1, much of that old document is obsolete. Rather than a
document, Microsoft designed this wizard to remind you of all the things you must do to initially configure
and secure your server as it begins its service lifecycle.


Figure 3-1: The Initial Configuration Tasks screen.


What’s ingenious about the wizard is that it is little more than a skin for all the other configuration
screens used throughout the system. When you click the link to Set Time Zone, the Initial
Configuration Tasks screen merely opens the time zone control panel rather than any special screen of
its own. By doing the initial configuration in this way, you use the screens you’re familiar with.

Computer Information
Virtually no systems configuration is done at the completion of a manual installation. So as some of the
first initial tasks, you’ll be requested to set the time zone, networking configuration, computer name, and
domain. As discussed in the last chapter, this speeds up the installation process and eliminates the need
to actually sit in front of the installation for the occasional mouse click responding to Are you Sure?


Figure 3-2: Server 2008 now gets up to three clocks.


One very interesting addition is the ability to configure the server for up to three different clocks as seen
in Figure 3-2. If your company spreads over multiple time zones or if you have a requirement to keep
servers at Coordinated Universal Time (a.k.a. Greenwich Mean Time or GMT), you can now configure
one clock to operate at UTC and another in your local time zone. Keeping servers at UTC is a really
good idea if your network spans global operations or the concerns about changing time zone schemas
keep you up at night. So, this addition will be a boon for administrators who want to have their time
and watch it too.
The second configuration involves networking. A change you’re not used to seeing natively in Server
2003 is the concurrence of IPv6 networking alongside our traditional IPv4. An example of this is seen
in Figure 3-3. Upon installation, Microsoft has configured Windows in both Vista and Server 2008 to
run IPv6 along with traditional IPv4. This is likely due to Microsoft’s desire to move networks to IPv6.
But, if you’re like me, your network is not there yet and you have no plans to get there in the near future.


Figure 3-3: IPv6 and Link Layer Topology Discovery protocols.


Like with Windows Vista, IPv6 can cause some conflict with routers that rely on symmetric Network
Address Translation. Because Microsoft has prioritized IPv6 traffic above IPv4 traffic, any time Server
2008 receives an IPv6 address from a DNS query it will choose that address over the IPv4 address. My
advice: If you’re not using IPv6, disable the protocol as part of your initial configuration. Then, as you
elevate your network to IPv6 at some point in the future, you can re-enable it.

IPv6 Go Away!
There is currently no pre-built Group Policy setting for disabling IPv6 in Server 2008.
However, Microsoft Knowledge Base article 929852 discusses the necessary registry configuration
if you’d like to build your own.

Also in Local Area Connection Properties, you may notice two new protocols called the Link Layer
Topology Discovery Mapper I/O Driver and Link Layer Topology Discovery Responder. Microsoft created
these two new protocols to aid in the troubleshooting of network connections. In both Vista and Server
2008, the Network and Sharing Center includes a graphical representation of that system’s connection to
the network and ultimately the Internet (Figure 3-4).


Figure 3-4: The Network and Sharing Center gets info from Link Layer Topology.
When problems occur between the system and any of its upstream connections, they will appear visually
in the graphic. These two Link Layer Topology Discovery protocols create and populate the troubleshooting
information in this graphic. Make sure not to disable these two protocols if you and your users
want to be able to use the Network and Sharing Center to help troubleshoot networking issues as they
occur.
For the last component of this section of Initial Configuration tasks, you’ll ensure that your computer
has the proper name and is entered into the correct Active Directory domain.

Update this Server


Once you’ve entered the computer information, you’ll then configure the local Windows Update Agent to
connect either to Microsoft or your local WSUS server for updates. If you have a Group Policy already
configured to populate the Windows Update configuration, the system will populate this information
for you once you connect to your Active Directory domain. Otherwise, the system will prompt you
to Enable Windows automatic updating and feedback. Selecting this option will opt-in for all automatic
update and feedback options. Or, you can select Manually configure settings to bring forward the wizard
as shown in Figure 3-5.


Figure 3-5: Configuring Windows Update, Windows Error Reporting, and CEIP.
What’s different here from before is the integration of Windows Error Reporting and the Windows
Customer Experience Improvement Program settings into the usual Windows Update settings wizard.
You’ve seen both of these settings before, but in slightly different places. Windows Error Reporting is the
Server 2008 version of Server 2003’s Error Reporting. Server 2008 uses this tool to forward Windows
crash dump and Dr. Watson information to Microsoft for analysis. When the problem occurs, the tool
queries Microsoft’s Online Crash Analysis database for information relating to the crash. If it finds a
match, it returns that information to the user. This information is particularly helpful for finding information
about application conflicts with Server 2008’s operating system.
Four options are available when enabling Windows Error Reporting:
• Yes, automatically send detailed reports
• Yes, automatically send summary reports
• Ask me about sending reports every time an error occurs
• I don’t want to participate and don’t ask me again
Each of these defines the level of opt-in you want.
In addition to error reporting, this screen also allows you to enable your participation in Windows’
Customer Experience Improvement Program. According to Microsoft, the CEIP records:
• Configuration. This reports items like the number of processors in your computer, how many
network connections you use, which version of Windows is running, and if you’ve turned on some
features such as Bluetooth wireless technology or high-speed USB connections.
• Performance and reliability. This records how quickly a program responds when you click a button,
how many problems you experience with a program or a device, and how quickly the network
sends or receives information.
• Program use. This reports on items like the features that you use the most often, how often you
use the Help and Support Center, and how many folders you typically create on your desktop.
The system encrypts and automatically submits information to Microsoft via CEIP when you close each
CEIP-enabled application. You configure CEIP-enabled applications individually by the application, so
your Office Experience Improvement Program settings will not affect the settings at this location. This
particular version of the CEIP handles submission of Windows usage characteristics.
When you’ve completed the wizard, the final step in this section is to Download and install updates. This
link connects you to the Windows Update Wizard which begins the process of downloading and installing
approved updates.

Customize this Server


Where the real fun begins is in the final section of Initial Configuration Tasks. Here, you’re given the
option to configure your server Roles and Features, Enable Remote Desktop, and Configure the Windows
Firewall. Like with the settings above, if you’ve linked Group Policies to this server’s Organizational
Unit, then the wizard may pre-populate some of this information as the server enters its domain. I’ll
talk about Roles & Features in the next section on Server Manager.
When configuring Remote Desktop, be aware of the three potential options available:
• Don’t allow connections to this computer
• Allow connections from computers running any version of Remote Desktop (less secure)
• Allow connections only from computers running Remote Desktop with Network Level
Authentication (more secure)
The configuration options shown here are similar to those in Remote Desktop on Windows Vista.
Remote Desktop with Network Level Authentication is a functionality available in the Remote Desktop
Client v6.0 (and greater). This version is available natively in Windows Vista and is a separate download
from the Microsoft Web site for Windows XP SP2.
I’ll talk in detail about the security features associated with Network Level Authentication in Chapter 7
on Terminal Services. But, for now, know that if you select the option requiring NLA, the system will
require you to use v6.0 or greater of the Remote Desktop Client on any clients that connect to your
server via Remote Desktop.
Lastly is the configuration of the Windows Firewall. Like with Vista and XP SP2, Server 2008
enables the Windows Firewall by default. Server 2008’s firewall, similar to Vista but unlike XP SP2,
includes the ability to block inbound and outbound connections as well as leverage Group Policy-based
Connection Security Rules. These new features enable the protection of traffic both inbound and outbound
from the server as well as the easy creation of Isolation Groups to protect Windows machines
from traffic initiating outside the Active Directory domain. Network Access Protection is another new
natively-available feature.
Server 2008’s firewall configuration using Group Policy has been improved significantly. So much so in
fact, that it is likely you will rarely configure the firewall for each individual system. In Chapter 8, I’ll
talk in great detail about the Windows Firewall with Advanced Security and how to use Group Policy
for its central configuration.

Server Manager
Once you’ve completed and closed the Initial Configuration Tasks wizard, you’re greeted with a new
MMC console similar to Figure 3-6 called Server Manager. Server Manager is Server 2008’s consolidation
of many of the previously-separated administrative consoles into a single location. This unified
console can manage all the Roles, Role Services, and Features configured for your server. Additionally,
many of the items previously found in the Manage context menu for My Computer are now found
within Server Manager. Heck, you even get to Server Manager by right-clicking on Computer and
choosing Manage.

Figure 3-6: Server Manager.


Other than Roles and Features, which I’ll discuss in a minute, you’ll also see here many of the common
tasks you typically perform on a Windows Server, now aligned into three categories:
• The Diagnostics category includes Event Viewer, Services, Reliability and Performance Monitor,
and Device Manager.
• The Configuration category includes Task Scheduler, local settings for the Windows Firewall with
Advanced Security, Services, WMI Control, and Local Users & Groups.
• The Storage category includes Windows Server Backup and Disk Management.
By clicking the top-level node in Server Manager, you can access many of the configurations done in the
Initial Configuration Tasks if you need to make later changes.


Locals Only
You cannot retarget Server Manager to another server. You use it in managing the local
server only. The same holds true with the command-line version of Server Manager,
which I’ll discuss in a moment.

Server Roles, Role Services, & Features


The most important of these new nodes are those for Server Roles and Features. In previous versions of
Windows Server, you typically installed server capabilities through Add/Remove Programs | Add/Remove
Windows Components. In Server 2008, this no longer exists. To add new components into the operating
system, they are added as a new Role, a Role Service, or a Feature.
So the next thing you’re probably asking is, “How do I know if something’s a Role, a Role Service, or a
Feature?” Good question, because the answer is not immediately obvious.
The help files in Server 2008 refer to Roles as those components that “describe the primary function,
purpose, or use of a computer.” Role Services are, “software programs that provide the functionality of a
role.” The collection of a set of Role Services is what makes up a Role.
So, for example, installing the File Services Role will automatically install the File Server Role Service.
You can optionally install nine additional Role Services that augment the File Services Role:
• Distributed File System
    o DFS Namespaces
    o DFS Replication
• File Server Resource Manager
• Services for Network File System
• Windows Search Service
• Windows Server 2003 File Services
    o File Replication Service
    o Indexing Service
Each of these optional Role Services provides additional functionality to what I think of as the File
Services Role. All these linkages between Roles and Role Services seem complex, but don’t fret. Server
2008 already knows the dependencies between each Role and Role Service and will not allow you to
install a component without also installing its requisite components. Easing the configuration even
more, when a Role or Role Service requires initial settings for its installation, Server Manager will
request that information prior to beginning the installation. So when you decide that you want to augment
your server with new functionality, you need only know your Role of interest. Server 2008 will ask
you all the necessary questions to get it set up properly.
Features are the third new piece in Server Manager’s componentization of the operating system.
Features may not necessarily require that you install a Role or Role Service nor may they directly impact
a Role or Role Service. Though, sometimes, they do.
For example, the BitLocker Drive Encryption Feature can stand alone to support encrypting of system
drives. There is no related Role or Role Service that it directly impacts. On the other hand, SMTP
Server requires eight different Roles, Role Services, and Features for you to install it. Like with Roles
and Role Services, if a Feature requires a prerequisite, the wizard will instruct you which ones it needs
and automatically include them as part of the installation.

Telling them Apart


But the big question still remains: How do you tell the difference between the three?
To be honest, it’s not immediately obvious. It will take you a while to remember where
Microsoft has relocated each element of interest.

I guess my personal explanation for telling them apart would be the following: If Roles
describe jobs to be done like “mowing the yard,” then Role Services are the items that you
use to get that job done, like “the lawn mower” and “the weed whacker.” Features, then,
must be “Other, Semi-Related Jobs” like “scooping the doggy doo from the yard”.

Adding New Roles & Role Services


Here is a really quick example of installing a Role and Role Service. To add the Print Services Role
to your server, right-click the Roles node in Server Manager. You’ll see a screen like the one in Figure
3-7. Select the Print Services Role and click Next. Click Next twice more and you’ll see a screen like the
one in Figure 3-8. There, you’ll be given the option to select the additional Role Features for the LPD
Service and Internet Printing. The system has already selected the Print Server Role Service as the Print
Server Role requires it. Click Next, and then click Install to complete the installation.
Some installations require a reboot with a post-reboot configuration. When required, the system will
prompt you for the reboot. Upon completing it, the Post-Reboot Configuration Wizard will immediately
restart and complete the installation.
Once the system completes the installation, under the Roles node in Server Manager, the Print Server
Role will be available. It is from this location where you’ll do any further administration of the Role.


Figure 3-7: Configuring a new Role for a server.


Be aware that sometimes when installing a new Role, Role Service, or Feature, the Server Manager GUI
may not immediately update itself with the full functionality of the new component. You may need to
restart Server Manager after adding a new component in order to see all of its new pieces.


Figure 3-8: Configuring that new Role’s associated Role Services.

Server Manager Command Line


If you’re more comfortable using the command line or would like to script the installation of any
of these elements, Server Manager has a command-line tool called servermanagercmd.exe. This tool
can install new components, remove them, and query for existing components. Because many Roles
have prerequisites and configuration settings needed for their installation, servermanagercmd.exe also
includes a -whatif switch to show the operations that it would perform if you actually did the operation
for real. This switch helps you understand the impact that installation or removal will have on the server
before you actually have to do it.
Let’s look at an example that will come in handy for managing Group Policy in your domain. Once
you’ve created a Windows Server 2008 Domain Controller, managing Group Policy requires the use of
the Group Policy Management Console. The system automatically installs that console by default onto
any Domain Controller, but you’ll need to add it separately to any other server where you want to manage
Group Policy. To do this from the command line using servermanagercmd.exe, enter the command:

C:\> servermanagercmd.exe -install gpmc

Conversely, if you want to remove a component, you can do so with the -remove switch. To remove the
Telnet client from your server, use:

C:\> servermanagercmd.exe -remove Telnet-Client


As you can see, using servermanagercmd.exe to install and remove components is relatively easy—if you
know the proper names of the components you want. You can figure out this information by using the
-query switch. This switch not only gives us the list of Roles & Role Services currently installed on the
server, but also provides a tree view of all possible components and their subcomponents. This tree view
goes far in helping you understand where all the new components reside.
Below is a sample of the output when running the -query switch. The list is actually much, much
longer, so I’ve truncated the list just to give you an idea of what it looks like. You’ll see on this server
that the system has already installed the Active Directory Domain Services Role as well as the Active
Directory Domain Controller Role Service:

C:\> servermanagercmd.exe -query

Starting discovery
.................
Discovery complete.

----- Roles -----

[ ] Active Directory Certificate Services [AD-Certificate]
    [ ] Certification Authority [ADCS-Cert-Authority]
    [ ] Certification Authority Web Enrollment
    [ ] Online Certificate Status Protocol [ADCS-Online-Cert]
    [ ] Microsoft Simple Certificate Enrollment Protocol
[X] Active Directory Domain Services
    [X] Active Directory Domain Controller [ADDS-Domain-Controller]
    [ ] Identity Management for UNIX [ADDS-Identity-Mgmt]
        [ ] Server for Network Information Services [ADDS-NIS]
        [ ] Password Synchronization [ADDS-Password-Sync]
[ ] Active Directory Federation Services
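
As an added example (not from the book or from Microsoft), the following Python script parses captured -query output into a tree and reports installed components that are missing from an approved baseline, one way to check a server for the feature bloat mentioned earlier. The sample output and the baseline list are constructed, and the four-space indentation per tree level is an assumption about the captured text.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample in the layout the page shows for `servermanagercmd.exe -query`.
# Assumption: each tree level is indented by four spaces in the captured output.
SAMPLE_QUERY_OUTPUT = """\
Starting discovery
.................
Discovery complete.

----- Roles -----

[ ] Active Directory Certificate Services  [AD-Certificate]
    [ ] Certification Authority  [ADCS-Cert-Authority]
[X] Active Directory Domain Services
    [X] Active Directory Domain Controller  [ADDS-Domain-Controller]
    [ ] Identity Management for UNIX  [ADDS-Identity-Mgmt]
        [ ] Server for Network Information Services  [ADDS-NIS]

----- Features -----

[X] Group Policy Management  [GPMC]
[X] Telnet Client  [Telnet-Client]
[ ] BitLocker Drive Encryption  [BitLocker]
"""

SECTION_RE = re.compile(r"^-{3,}\s*(?P<name>.+?)\s*-{3,}$")
ITEM_RE = re.compile(
    r"^(?P<indent>\s*)\[(?P<mark>[ Xx])\]\s+(?P<name>.*?)"
    r"(?:\s+\[(?P<id>[^\[\]\s]+)\])?\s*$"
)


@dataclass(frozen=True)
class Component:
    section: str            # "Roles" or "Features"
    path: Tuple[str, ...]   # display names from the top-level entry down to this one
    ident: Optional[str]    # bracketed identifier, when the output prints one
    installed: bool         # True for [X]


def parse_query_output(text, indent_width=4):
    """Turn the checkbox tree into Component records, keeping each entry's ancestry."""
    components = []
    section = None
    stack = []  # display names of the current ancestors; index equals depth
    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line.strip())
        if header:
            section, stack = header.group("name"), []
            continue
        item = ITEM_RE.match(line.expandtabs(indent_width))
        if not item or section is None:
            continue  # banner text, progress dots, blank lines
        # Clamp the depth so a badly indented line cannot skip a tree level.
        depth = min(len(item.group("indent")) // indent_width, len(stack))
        del stack[depth:]
        stack.append(item.group("name"))
        components.append(Component(section, tuple(stack), item.group("id"),
                                    item.group("mark").upper() == "X"))
    return components


def unapproved_installed(components, approved):
    """Installed entries whose identifier (or display name, if no id is shown) is not approved."""
    approved_keys = {a.lower() for a in approved}
    return [c for c in components
            if c.installed and (c.ident or c.path[-1]).lower() not in approved_keys]


if __name__ == "__main__":
    # Hypothetical approved baseline for a domain controller.
    baseline = {"Active Directory Domain Services", "ADDS-Domain-Controller", "GPMC"}
    for c in unapproved_installed(parse_query_output(SAMPLE_QUERY_OUTPUT), baseline):
        print(f"{c.section}: {' > '.join(c.path)} [{c.ident or 'no id shown'}] "
              "is installed but not in the baseline")
```
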

XML-based Answer Files


It is also possible to script the installation of multiple components. Doing this involves
the creation of XML-based answer files as input for the servermanagercmd.exe command.
To use these files, add the -inputPath switch to the command, followed by the name of
the answer file. For example: servermanagercmd.exe -inputPath answer.xml

Note that creating files in the XML format can be challenging. The XML format is both
case-sensitive and, in many ways, more complicated than we’re used to using with our old
.INI file friends.

Now that you’ve looked at how Roles, Role Services, and Features are administered within Server
Manager, here’s a look at a few of the other new features you’ll find located in Server Manager.

Event Viewer
The new Windows Event Viewer is another major feature upgrade from Server 2003. Potentially one
of the most used tools in troubleshooting Windows problems, it’s surprising how few capabilities it has
sported until recently. The new Event Viewer, which first saw the light of day in Windows Vista, now
sports some great new functionality.
• Preview Pane. No longer do you need to double-click events to read their specifics. The preview
pane gives you the ability to browse events in the list much faster.
• Custom sorting. Whereas with the old Event Viewer you were given only the option of sorting
the list by clicking the title bars at the top of each column, you now gain rich capabilities in sorting
data. Most exciting is the combination of the Date and Time columns into a single Date/Time
column for chronological sorting of events.
• Views. Taking the idea of sorting a step further is the ability to create permanent Views based
on predetermined characteristics. If you’ve always wanted to create a separate Event Log just for
viewing Spooler errors, you can do that by creating and saving it as a View.
• Log Segregation. Though the System, Application, and Security event logs are still around,
Server 2008 now stores events from many Windows subcomponents in their own event logs. One
excellent example of this segregation is Group Policy events, which Server 2008 now stores in a
separate Group Policy log.
• Copy to Clipboard. Ever hated having to retype event log information into a help desk ticket?
Event log now includes Copy Table and Copy Details as Text to copy that information in its entirety
to the Clipboard for you.
• Time-based Event Summary. By clicking the top-level node in Event Viewer, you’ll be greeted
with a list of event categories and a number showing how many of each type have occurred in the
last hour, last 24 hours, last 7 days, and total. This rollup view helps you get an easy understanding
if event traffic has spiked recently.
• Event tasking. A component of Task Scheduler, the new event log can automatically complete a
task when event conditions occur. This gives you the ability to proactively notify yourself or complete
a remedial action when an event occurs rather than having to actively review the logs.
• Event subscriptions. One of the best new features, event subscriptions allow for the aggregation
of event log data from multiple systems into a single log. Similar to UNIX’s Syslog, event
subscriptions and event forwarding allow you to align multiple systems’ event information for a
time-based analysis of those systems.

Event Log Tasks


Many of these features are self-explanatory, but I want to take a detailed look at the last two items in the
list above. First off is the attaching of tasks to an event log.
For example, when an Event ID 7 occurs with a Source of Disk, this usually indicates a bad block or
some other problem with the physical disk on the system. Event ID 7 errors, if left unchecked, can
eventually cause data corruption as the system tries to store data into that location. What I’d rather see
happen is an automatic chkdsk to kick off instead to catch the problem and mark the bad block.
If you wanted to attach a task to this Event ID that would automatically perform a corrective action,
you could right-click the log of interest and choose to Attach a Task to this Log. Give the Task a name
and description and optionally choose the log it should monitor. You have three options for actions
when the event occurs: Start a program, send an e-mail, or display a message. In this case, you want to
Start a Program. The program you’ll start will be a batch file you create with the following contents:

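rem C: is in use, so chkdsk asks to schedule the check for the next restart; answer Y
echo Y | ChkDsk C: /f /r
rem Restart after 300 seconds so the scheduled check runs
Shutdown /g /t 300 /d p:1:1 /c "A disk error was detected. Your computer needs to be restarted."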

Give your batch file a name and drop it into an accessible location. Then, enter that batch file’s name
when asked for the program or script to run.


Figure 3-9: Event log tasks can fire the launching of a program or script.

Event subscriptions
Though not intended to be an enterprise-ready solution for aggregation of event log data, event subscriptions
go far in assisting you when you’re troubleshooting a problem across multiple servers or
between servers and workstations. Event subscriptions require at least two systems to participate. The
forwarder computer is the source for event data and is the computer that forwards selected event log
information to another host. The collector computer is the target for that event data. The collector computer
ingests all the forwarded event log information into a preconfigured event log for later reading.
For those times when you’re trying to correlate a problem across multiple devices, this new capability is a
godsend for seeing how different devices interrelate.
Creating an event subscription isn’t hard, but it’s not all that trivial either. There are a number of steps
that you must configure to get a subscription to work:
• From the Collector computer, open the Event Viewer and click the Subscriptions node.
• When prompted, choose to start the Windows Event Collector service. This will also set the service
to start automatically.
• From a command prompt on both the Collector and Forwarder computers, enter the command:
winrm quickconfig. This will start the Windows Remote Management service, set its startup mode
to Automatic, punch a hole in the local firewall, and create a WinRM listener (I’ll talk more about
WinRM in a second).
• Add the computer account of the collector computer to the Administrators group on the forwarder
computer. You may need to reboot for the computer account to pick up the necessary token.
• Create the subscription on the collector computer. This process will involve multiple steps:
o Do this by right-clicking Subscriptions and choosing Create Subscription. In the resulting
wizard, shown in Figure 3-10, provide a Subscription Name and Description. Also
here you’ll determine the destination log for incoming data. This defaults to the
Forwarded Events log but you can select any log on the system for storage of remote
events.
o In the box titled Subscription type and source computers, you’ll be given the option to
select which computer will initiate the connection, either Collector initiated or Source
computer initiated. Select your subscription type and click the button next to that type
to enter the computers that will also participate in the subscription. It is possible for
multiple computers to forward events to a Collector computer, but be careful in sending
too many events to a Collector computer. Each connection will consume a level of
resources.
o Now you need to select the type of events you’re interested in collecting. Click the
Select Events button and create a Query Filter for the events to collect. This filter can be
as granular as you wish.
o Lastly, click the Advanced button to select the Event Delivery Optimization setting.
Also here, if you want to encrypt event data as it passes between machines, you can
switch the Protocol from HTTP to HTTPS.
Depending on how you plan on using the events in this subscription, there are four options that you
can select for event delivery. By clicking the Advanced button, you’ll see those four options under Event
Delivery Optimization. The Normal option configures the subscription to pull event information five
items at a time with a batch timeout of 15 minutes. The Minimize Bandwidth option increases the
heartbeat interval to 6 hours. You will want to use this option when sufficient bandwidth between
Collector and Forwarder computers is a concern. The Minimize Latency option changes the timeout to
30 seconds.
As you can see, if you’re interested in seeing near real-time data in the Collector’s event log, you’ll want
to choose to minimize the latency in sending events. This option will have an impact on bandwidth. If
you’re merely collecting events for later review, you can slow down the process—and thereby conserve
bandwidth—by minimizing the bandwidth. Your determination will depend on your need for timeliness
of seeing subscribed events.
Once you’ve completed the configuration of the subscription, the subscription will automatically start.
If the subscription is set up correctly between the two computers, you’ll see a green check box next to
the newly created subscription and you’ll begin seeing events arriving in the Collector’s configured event
log shortly.
At any point, you can right-click the subscription to delete it, check its status, disable it, or retry it if it
has experienced problems.


Subscription Problems
Because of the complicated setup between subscribed computers, there are a
number of places where subscription problems can occur. Ensure that both computers
are running the Windows Remote Management service and that firewalls are not blocking
traffic. Also, ensure that the Collector computer is running the Windows Event
Collector service.
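
The wizard settings described above are stored as a subscription definition that the built-in wecutil tool can print as XML (wecutil gs {subscription name} /f:xml). The following PowerShell is an added example, not from the book: it summarizes such a definition, flags a transport other than HTTPS, and checks the two services named in this sidebar. The sample XML, host names and function names are constructed for illustration, and Windows PowerShell 2.0 or later is assumed.

```powershell
# Constructed sample of `wecutil gs <name> /f:xml` output (not from a real system).
$sampleXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Example-Security-Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Path="Security"><Select>*[System[(Level=1 or Level=2)]]</Select></Query></QueryList>]]></Query>
  <TransportName>HTTP</TransportName>
  <LogFile>ForwardedEvents</LogFile>
  <EventSources>
    <EventSource Enabled="true"><Address>fwd01.example.test</Address></EventSource>
    <EventSource Enabled="false"><Address>fwd02.example.test</Address></EventSource>
  </EventSources>
</Subscription>
'@

# Hypothetical helper: turn a subscription definition into one summary object.
function Get-SubscriptionSummary {
    param([Parameter(Mandatory = $true)][string]$Xml)

    $sub      = ([xml]$Xml).Subscription
    $sources  = @($sub.EventSources.EventSource | Where-Object { $_ })
    $findings = @()

    if ($sub.Enabled -ne 'true') { $findings += 'Subscription is disabled.' }
    if ($sub.TransportName -ne 'HTTPS') {
        # The Advanced dialog's Protocol setting; HTTPS is the encrypted option.
        $findings += "Transport is '$($sub.TransportName)', not HTTPS (Advanced > Protocol)."
    }
    foreach ($s in $sources) {
        if ($s.Enabled -ne 'true') { $findings += "Source $($s.Address) is disabled." }
    }

    New-Object psobject -Property @{
        Name           = $sub.SubscriptionId
        Type           = $sub.SubscriptionType    # CollectorInitiated or SourceInitiated
        DeliveryMode   = $sub.ConfigurationMode   # Normal, MinBandwidth, MinLatency or Custom
        DestinationLog = $sub.LogFile
        Sources        = ($sources | ForEach-Object { $_.Address }) -join ', '
        Findings       = $findings
    } | Select-Object Name, Type, DeliveryMode, DestinationLog, Sources, Findings
}

# Hypothetical helper: report the state of the services a subscription depends on.
# Uses WMI, so it needs administrative rights and RPC access to each computer.
function Test-SubscriptionService {
    param(
        [string]$Collector = $env:COMPUTERNAME,
        [string[]]$Forwarder = @()
    )

    $checks = @(
        @{ Computer = $Collector; Service = 'Wecsvc' },   # Windows Event Collector
        @{ Computer = $Collector; Service = 'WinRM' }     # Windows Remote Management
    )
    foreach ($f in $Forwarder) { $checks += @{ Computer = $f; Service = 'WinRM' } }

    foreach ($c in $checks) {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $c.Computer `
                   -Filter "Name='$($c.Service)'" -ErrorAction SilentlyContinue
        $state = if ($svc) { $svc.State } else { 'not found or unreachable' }
        $start = if ($svc) { $svc.StartMode } else { '' }
        New-Object psobject -Property @{
            Computer  = $c.Computer
            Service   = $c.Service
            State     = $state
            StartMode = $start
        } | Select-Object Computer, Service, State, StartMode
    }
}

# Runs offline against the constructed sample.
Get-SubscriptionSummary -Xml $sampleXml | Format-List

# On a real Collector computer:
#   Get-SubscriptionSummary -Xml ((wecutil gs 'Example-Security-Events' /f:xml) -join "`n")
#   Test-SubscriptionService -Forwarder 'fwd01.example.test'
```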

Figure 3-10: Creating an Event Subscription.

Reliability & Performance Monitor


Server 2008 also benefits from the improvements to Task Manager first seen in Windows Vista. Now
called the Reliability and Performance Monitor, this tool provides more and better information than the
old Task Manager. If you click the top-level node for Reliability and Performance Monitor, you’ll see
how the system now breaks apart CPU, disk, network, and memory information into separate sections.
This is illustrated in Figure 3-11. Much of the information you used to get only through external tools
like the Sysinternals (now Microsoft) Process Explorer has been baked right into the native interface.


Figure 3-11: Resource Overview, a much more powerful Task Manager.


Next down in the tree is the Performance Monitor. To be honest, Performance Monitor arrives almost
completely unchanged from Server 2003. As with previous versions, Performance Monitor still reviews
real-time and historical logs and can save its display to a Web page. Performance
Monitor will remain a major tool in your quiver for troubleshooting performance issues that happen
over time. But, with Server 2008 you’ll also be using another tool to assist with identifying when “bad”
things happen on the system.


Figure 3-12: Windows Reliability Monitor.


This new and interesting tool is called the Reliability Monitor. Unlike Performance Monitor, which
focuses strictly on the performance of a system, this tool focuses on “bad” events that have happened to
the system over a period of time. The tool provides a System Stability Index of the system based on a
number of factors. Weighted from a 1 for least stable to a 10 for most stable, the index provides a view
of application uninstalls, application failures and crashes, hardware, Windows, and miscellaneous failures.
The monitor plots any of these events along a time-based graph.
The Reliability Monitor weights failures that occurred more recently more heavily than those that
occurred further in the past. As you can see in Figure 3-12 above, this allows the system to show
improvement over time. Though the index itself doesn’t assist directly with identifying problems, the
deconstruction of these events that drive the index number can help the troubleshooter understand what
might have caused the problem and when it occurred. If your users complain that “the system was slow
yesterday” or “my application crashed last week,” now you have the ability to see into the past to translate
their statements into actual problems.
Taking Performance Monitor even one step further is another new construct called Data Collector Sets.
This mechanism for collecting data, based on an old tool called the Server Performance Advisor, allows
you to combine multiple performance and configuration elements into a single “set”. These collections
of data can come from performance counters (most of you are used to these), event trace data (most
of you don’t use these), and system configuration information (which tell you when registry keys have
changed). Creating and starting a Data Collector Set allows you to monitor for performance and
configuration changes simultaneously within the system.
For example, right-clicking Data Collector Sets | User Defined | System | System Performance and choosing
Start will begin a collection interval using the configured collectors. You can set a collection interval
to run for a number of minutes or until the data size reaches a certain level. Once the collection has
completed, you can then review the report associated with this collector set within the Reports node.
Navigate to Data Collector Sets | Reports | System Performance and you will see a report named with
today’s date. Click that report to view it. The report, which looks similar to Figure 3-13, shows a
snapshot view of the server during the collection period. Scheduling these reports to occur on a regular basis
provides you with a comprehensive look at the utilization of your server.

Figure 3-13: A System Performance Report.


With all of these new capabilities for capturing and storing server performance data there’s got to be a
concern about that data filling up your hard drives. Thankfully, with Server 2008 another new tool is
available to assist with this problem.
Somewhat hidden within Reliability and Performance Monitor is a wizard called Data Manager. With
Data Manager, one can set the minimum amount of disk space that must be available on the disk before
any of these tools will even start to run. It can also enforce a maximum number of folders that the
system can create, as well as manage the total size of all configured counter data. You can set policies to
remove or relocate old log data as necessary.
To check out Data Manager, right-click any of the configured Data Collector Sets and choose Data
Manager. As is shown in Figure 3-14, you can set minimum free disk, maximum folders, and maximum
root path sizes for this Data Collector Set. Under the Actions tab, it is possible to create tasks to delete
data files or reports once they have reached a certain age. The Rules tab allows for the import of new
Rules XML files for collecting data. If you’ve ever been bit by a runaway performance counter eating up
disk space in previous operating systems, you’ll be happy to see this little addition to Server 2008.


Figure 3-14: Data Manager removes or relocates old log data as log size grows.

Task Scheduler
Task Scheduler also gets a major facelift for Server 2008, gaining some much-desired scheduling
capabilities as well as a bigger role to play in exposing system-level tasks to the administrator. Personally, I
really like the added exposure that you get with this improved Task Scheduler, specifically in being able
to see otherwise previously hidden system tasks.
For example, Server 2008 configures an automatic defragmentation operation at install
to occur at 1:00 a.m. every Wednesday. You can see this in Server Manager by navigating to Configuration
| Task Scheduler | Task Scheduler Library | Microsoft | Windows | Defrag. In previous versions of the O/S,
I’d have to dig into the defrag utility to locate this information. But, with Server 2008 you
schedule many system operations like this one from the same place. Scheduled Tasks becomes the central
clearinghouse for user-generated as well as system events. Even better, since Server 2008 exposes
system-level tasks like this one inside Task Scheduler, I can choose to change the time or day of the week
that task kicks off.
The ability to schedule tasks has improved markedly with the addition of multiple scheduling. With
previous O/S versions, you were only allowed to create a single schedule for starting a task. This was
problematic when you wanted that task to run, for example, for the first and last week of the month.
Doing this used to involve either some fancy scripting or the creation of multiple tasks with different
schedules. Both were painful.
You now create tasks with a set of Triggers. You can assign multiple triggers to a task’s Action. Even
better, triggers need not necessarily be time-based. You can schedule a task to run at log on, at startup,
on idle, on an Event Log event, as well as other activities or on a time-based schedule. So, now it is
possible as shown in Figure 3-15 to configure an event to occur at multiple times, such as if you want it to
run every day at noon, every third Friday, as well as every time a user logs onto the server.

Figure 3-15: Scheduling a new Task Trigger.


Determining the status of previously-run tasks has traditionally been a painful process. With Server
2003, the only information you could receive through the GUI interface was information about the last
time the task ran. With Server 2008, Microsoft has augmented task history to provide detailed
information about each time the task has run in the past as well as the success or failure of that task. For
those stubborn tasks that just won’t run late at night when you aren’t around to watch them, this will
help track down the problem much easier than with previous versions.
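
The task definitions that Task Scheduler now exposes, including hidden system tasks and tasks with several triggers, can also be listed through the Schedule.Service COM object. The following PowerShell is an added example, not from the book: it summarizes each task's run-as account, trigger types and actions so that unexpected tasks stand out in a review. The sample task XML, paths and function names are constructed for illustration, and Windows PowerShell 2.0 or later is assumed.

```powershell
# Constructed task definition in the Task Scheduler XML schema (not from a real system).
# It mirrors the text: one Action with a daily-at-noon, a logon and an event-log trigger.
$sampleTask = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2008-03-01T12:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <EventTrigger>
      <Subscription>&lt;QueryList&gt;&lt;Query Path="System"&gt;&lt;Select&gt;*[System[EventID=6008]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>SYSTEM</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Scripts\example-report.cmd</Command><Arguments>/daily</Arguments></Exec>
  </Actions>
</Task>
'@

# Hypothetical helper: summarize one task definition.
function Get-TaskSummary {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Xml
    )

    $task = ([xml]$Xml).Task

    # Each child element of <Triggers> is one trigger; its element name is the trigger type.
    $triggers = @($task.Triggers.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' } |
        ForEach-Object { $_.LocalName })

    # Only Exec actions are listed here; other action types are not shown.
    $actions = @($task.Actions.Exec |
        Where-Object { $_ } |
        ForEach-Object { ("$($_.Command) $($_.Arguments)").Trim() })

    $principal = @($task.Principals.Principal)[0]
    $runAs = if ($principal.UserId) { $principal.UserId } else { $principal.GroupId }

    New-Object psobject -Property @{
        Path         = $Path
        RunAs        = $runAs
        RunLevel     = $principal.RunLevel
        TriggerCount = $triggers.Count
        Triggers     = $triggers -join ', '
        Actions      = $actions -join '; '
    } | Select-Object Path, RunAs, RunLevel, TriggerCount, Triggers, Actions
}

# Hypothetical helper: walk every task folder on a computer, hidden tasks included.
function Get-AllScheduledTask {
    param([string]$Computer = $env:COMPUTERNAME)

    $service = New-Object -ComObject Schedule.Service
    $service.Connect($Computer)

    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($service.GetFolder('\'))

    while ($queue.Count -gt 0) {
        $folder = $queue.Dequeue()
        foreach ($t in $folder.GetTasks(1)) {          # 1 = TASK_ENUM_HIDDEN
            Get-TaskSummary -Path $t.Path -Xml $t.Xml
        }
        foreach ($sub in $folder.GetFolders(0)) {      # queue subfolders for the walk
            $queue.Enqueue($sub)
        }
    }
}

# Runs offline against the constructed sample.
Get-TaskSummary -Path '\Example\DailyReport' -Xml $sampleTask | Format-List

# On a live server:
#   Get-AllScheduledTask | Sort-Object Path | Format-Table Path, RunAs, Triggers -AutoSize
```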

Windows Server Backup


Though Windows Server Backup appears by default in Server Manager, you have to install its Feature
within Server Manager prior to being able to use it. To complete this install, right-click the Features
node. In the resulting screen, add the Feature titled Windows Server Backup Features. Once installed,
you’ll immediately notice its much-improved interface, found under the Storage node. Right-clicking
this node presents the ability to create a Backup Schedule, Backup Once, Recover, or Configure Performance
Settings.
Windows Server Backup expands upon the venerable NTBackup by adding in support for the Volume
Shadow Copy Service (VSS), as well as block-level backup abilities right into the native interface. VSS
support means that you can more reliably back up locked files, traditionally unreachable by backup
software. The block-level backup also means that you can back up a Windows server as a whole unit,
making bare-metal restore options a reality using just the native tools.
Windows Server Backup can store files on DVD or remote file shares and enhances disk space
conservation by managing disk space. Depending on how you schedule the backups, the backup process
will automatically remove older backups as the target disk runs out of space. You can configure disks
to be used on a rotating basis so that you can move them to off-site storage as part of a regular rotation
program.

Special Backup Disks


One interesting limitation of using Windows Server Backup is its need to store scheduled
backups onto an empty local disk. This is different from one-time backups which you can
optionally store onto remote disks. The disk used for backups cannot contain operating
system files or application data. Be aware of this when setting up the hard-drive
configuration of new servers.

Creating and scheduling a new backup is relatively self-explanatory, but the new restore features are
worth discussing. As discussed before, if you capture a Full Server backup for the server in question, the
system includes all of the necessary bits to perform a bare-metal recovery to a similar piece of hardware.
With earlier operating systems, attempting to restore a full server was often a hairy experience. You first
installed a new O/S, and then restored the backup files atop that basic instance. Now, with Server 2008,
the restore process is a single step.
To complete a bare-metal recovery, first boot the system from either a Server 2008 or Vista installation
DVD. Then, select Repair your computer when prompted and under Choose a recovery tool select Windows
Complete PC Restore. The system will prompt you for the location of the backup files, which can be
either locally stored or on another server. Navigate to the correct backup file. When asked to Choose
how to restore the backup, select the option to Format and repartition disks. The bare-metal restoration will
complete. Once complete, reboot the server to return it to the exact state where it was at the time of the
initial backup.
Windows Server Backup also has some excellent new features that support the backup and restore of
Active Directory. I’ll discuss those features in detail in Chapter 6.


Command-line Restore
You can also complete a bare-metal restoration via the command line. The native wbadmin
tool can do this from within the Windows Recovery Environment. To use wbadmin,
boot from the O/S media and select the Command Prompt option when asked for a
recovery tool. Then, use:

wbadmin start sysrecovery -version:{version identifier} -backuptarget:{target drive} -machine:{computer name to restore} -restoreAllVolumes

To identify the correct backup version for the command above, you can use:

wbadmin get versions -backupTarget:{target drive} -machine:{computer name to restore}

The wbadmin tool also works within a running operating system, but without the bare-metal
restoration option. It is possible within a running operating system to start backups
and view backup information as well as start a System State Recovery.

Disk Management
There’s not a lot new in Disk Management between Server 2003 and Server 2008. But the one new
feature that you’ll definitely appreciate is the ability to resize NTFS disks on the fly. This means that it
is now possible to both expand and shrink NTFS disks without requiring a restart and dismount of the
file system.

Figure 3-16: Shrinking a volume is now done within the Disk Management GUI.

Although expanding and shrinking the file system is rarely done in the physical world, this new feature
will definitely help in virtual server situations where the assignment of disk space is usually a little more
fluid. Since adding additional disk space to virtual systems within their management tools is relatively
easy, this new feature completes the cycle by making easy the ability for the operating system to extend
its volume onto that new disk space.
To shrink an existing disk, navigate to Storage | Disk Management in Server Manager. Right-click an
available disk and choose Shrink Volume. You’ll be presented with a screen similar to Figure 3-16.


The wizard will identify the amount of disk space that is currently unused and can therefore be shrunk.
Select the new size and click the Shrink button to start the process. Shrinking operations do not
remove the disk from use, so this process can occur while the server is operational.

Honey, I shrunk the disk (too far!)


Remember when shrinking disks that all disks require some level of free space for temp
files, swap space, and room to grow. The wizard for shrinking will allow you to remove
all unused space from the disk. So, make sure to leave some space needed by the existing
O/S.

In the old days you used the Resource Kit tool DISKPART to do much of this disk management, but
even DISKPART didn’t have the ability to shrink volumes. With Server 2008, DISKPART gets a few
new options for identifying disk parameters and performing actions:
• Attributes. Displays, sets, and clears attributes about a selected volume.
• Automount. Enables or disables a volume from automounting at system startup. Also can
remove stale mount point directories and registry settings.
• Filesystems. Displays information about the filesystem for the volume currently in focus.
• Format. Formats a volume. Includes typical items that you can configure at format time like
setting volume labels and enabling compression on the drive.
• GPT. Assigns GPT attributes to the GUID partition table. This is an advanced function.
• Setid. Sets the partition type field for the partition in focus. This is an advanced function.
• Shrink. This shrinks the size of the volume in focus.

Windows PowerShell
Server 2008 natively includes Windows PowerShell and continues Microsoft’s involvement with
making PowerShell its command shell of choice. It is, however, not installed by default. PowerShell arrives
as a Feature, and you must install it through Server Manager, like the other Features, before you can use it.
To read more about what PowerShell is and why it will soon be the command shell of choice for all
Windows administrators, here is a peek at a short section from Don Jones’ and Jeff Hicks’ recent book,
Windows PowerShell: TFM by SAPIEN Press:
Administrators of UNIX and Linux systems (collectively referred to as “*nix” throughout
this book) have always had the luxury of administrative scripting. In fact, most *nix
operating systems are built on a command-line interface (CLI). The graphical operating
environment of *nix systems—often the “X Windows” environment—is itself a type
of shell; the operating system is fully-functional without this graphical interface. This
presents a powerful combination: Because the operating system is typically built from
the command-line, there’s nothing you can’t do, from an administrative sense, from the
command-line. That’s why *nix administrators are so fond of scripting languages like
Python and Perl: They can accomplish real administration tasks with them.
Windows, however, has always been different. When a Microsoft product group sat down
to develop a new feature—say, the Windows DNS Server software—they had certain
tasks that were simply required. First and foremost, of course, was the actual product
functionality—such as the DNS Server service, the bit of the software that actually
performs as a DNS server. Some form of management interface was also required, and
the Windows Common Engineering Criteria specified that the minimum management
interface was a Microsoft Management Console (MMC) snap-in—that is, a graphical
administrative interface. If they had extra time, the product team might create a Windows
Management Instrumentation (WMI) provider, “connecting” their product to WMI, or
they might develop a few command-line utilities or Component Object Model (COM)
objects, allowing for some scriptable administrative capability. Rarely did the WMI or
COM interfaces fully duplicate all the functionality available in the graphical console; this
often meant that some administrative tasks could be accomplished via the command-
line or a language like VBScript, but you couldn’t do everything that way. You’d always be
back in the graphical console for something, at some point.
Not that graphical interfaces are bad, mind you. After all, they’re how Microsoft has
made billions from the Windows operating system. But clicking buttons and checkboxes
can only go so fast, and with commonly-performed tasks like creating new users,
manual button-clicking is not only tedious, it’s prone to mistakes and inconsistencies.
Administrators of *nix systems have spent the better part of a decade laughing at
Windows’ pitiable administrative automation, and third parties have done very well
creating tools like AutoIt or KiXtart to help “fill in the gaps” for Windows’ automation
capabilities.
That’s no longer the case, though. Windows PowerShell is now a part of the Windows
Common Engineering Criteria, and it occupies a similar position of importance with
product groups outside the Windows operating system. Now, administrative functionality
is built in Windows PowerShell first. Any other form of administration, including
graphical consoles, utilizes the Windows PowerShell-based functionality. Essentially,
graphical consoles are merely “script wizards” that run PowerShell commands in the
background to accomplish whatever they’re doing. Exchange Server 2007 is the first
example of this: The graphical console simply runs PowerShell commands to do whatever
corresponds to the buttons you click (the console even helpfully displays the commands
it’s running, so you can use those as examples to learn from). In fact, that graphical
console only exposes roughly 80% of the product’s total functionality: For everything
else, you have to use the PowerShell command-line. PowerShell is now the single source
for administrative functionality; as it is a command-line interface, that means every piece
of functionality can potentially be scripted or automated!
Of course, only new Microsoft products conform to this vision. Even Windows Server
2008 doesn’t, since its development—under the code-name “Longhorn”—began prior
to PowerShell’s availability. But the next version of Windows will have to be built on
PowerShell. It’s a huge step, and it’s a major change for the way administrators work with
Windows. A change, we might add, that we feel is definitely for the better.
When you open a new PowerShell window, you’re actually running a program called
PowerShell.exe. It’s a small application—just about 300 kilobytes, in fact. Its job is to
fire up the real PowerShell, what we call the “PowerShell engine,” an application written
in C# and housed in a DLL file. PowerShell.exe—called a hosting application—is what
provides you with the command-line interface to issue instructions to the PowerShell
engine, and provides you with a means of reviewing the results that the engine generates.
You operate PowerShell primarily by running cmdlets (pronounced “command-lets”).
These are special mini-applications written in a .NET language, such as C# or Visual
Basic. They’re designed to run exclusively within PowerShell, and they form the basis
of PowerShell’s functionality. For example, PowerShell comes with about 130 cmdlets
built-in, including ones that work with services, permissions, processes, WMI, and more.
More cmdlets can be “snapped in” to PowerShell. Exchange Server 2007, for example,
snaps in about 300 or so additional cmdlets which handle Exchange administration tasks.
Most cmdlets provide instant gratification: Open PowerShell, type Get-Service, and press
Enter, and you’ll see a list of services installed on your computer. But that’s really just
scratching the surface: These cmdlets can, as you’ll learn, do much more.
If you haven’t taken the time yet to dig a little into PowerShell, you probably should before the advent
of Server 2008. As Don and Jeff say, most recently with the release of Exchange 2007, PowerShell is
quickly becoming the command line of choice for Microsoft and its products.

Memory Diagnostics Tool


If you’ve ever experienced wildly strange and inconsistent behavior on a system that doesn’t seem to
track to a particular activity, process, or service, sometimes the problem causing the error may be a
hardware problem with your physical system memory. The problem with physical memory problems in
the old days was the lack of native tools to check out the problem. That changes with Vista and Server
2008.
The Memory Diagnostics Tool verifies the stability of the RAM in your system by performing a series
of tests on the memory itself. These tests verify that information stored into memory is not later read
back to the server incorrectly, which is a good indication that there is a physical fault. To launch this
tool, navigate to Administrative Tools and select the Memory Diagnostics Tool. The tool will give you the
option to start the memory test immediately or after the next reboot. Select Restart now and check for
problems to reboot the system and begin the test. After the restart the tool will appear in text mode and
looks similar to Figure 3-17.


Figure 3-17: The Memory Diagnostics Tool tests for bad memory conditions.
You can configure three scopes of testing—Basic, Standard, and Extended—by hitting the F1 key once
the test begins. The system bases the differences between these three scopes on the number and types
of tests performed on the memory. Obviously, the more tests you run, the longer the testing will take to
complete but the more accurate the result. You can run tests multiple times if desired or set them to run
indefinitely. As shown in Figure 3-18, the system displays the results once the tests complete, the system has
rebooted, and the administrator logs back in.

Figure 3-18: Memory state information is presented after the reboot.


It is also possible to run the Memory Diagnostics Tool from the Server 2008 DVD by booting from the
media and selecting it from the advanced menu. This is a great feature for when you’re about to start
building a server where its memory may be suspect. Performing this action on a server with
questionable memory before installing an operating system will help prevent possible data corruption before it
happens.


Windows Remote Management & Windows Remote Shell


Earlier in this chapter I talked about how setting up Event Log Subscriptions requires the use of the
Windows Remote Management (WinRM) service. But, I haven’t yet talked about what this service
actually is. WinRM is a Web services-based mechanism for managing configuration data on a computer.
Native with Vista and Server 2008, WinRM leverages the SOAP and WS-Management protocols to
provide a structured, open-standards API for network-based systems management.
Now, what does that all mean? For you, the administrator, probably not all that much. For developers
who create management applications that push around WMI and other management database
information from machine to machine, the addition of WinRM to the native operating system eases the process
of moving that information. Because it is a SOAP-based protocol, one of WinRM’s capabilities is its
ability to move this information easily through firewalls and across the Internet. This information
transfer occurs essentially as an HTTP request across TCP port 80 by default. So, these transfers are very
DMZ- and Extranet-friendly.
As a Windows administrator, how will you leverage WinRM? Probably not directly, though it does have
a command-line tool, winrm, that reports information out of WMI to the command prompt.
As an example, from a command prompt you can use this command to enumerate local machine
information:
winrm get wmicimv2/Win32_OperatingSystem

This command will provide some useful inventory information about the local machine to the screen.
But what if you want to enumerate information from a remote computer? To get specifics of the
currently running processes on a remote computer use the command:
winrm enumerate wmicimv2/Win32_Process -r:{remote host}

Event log subscriptions make use of WinRM to pass event log data from Forwarder computer to
Collector computer. It is likely that you’ll begin seeing more uses of this tool as time progresses.
One tool that you can use today is Windows Remote Shell (WinRS), which enables you to run a script or
executable on a remote system. WinRS operates similar to how the Sysinternals tool PSExec works. It
runs the desired command locally on the remote system, enabling you to do things like request ipconfig
/all information from a remote computer. You’ll quickly find when I talk about Server Core in Chapter
5 that WinRS will become your friend for completing actions when not at the console of your Server
Core systems.
Another very useful use of WinRS is in the remote installation of MSI-packaged software. For many
software installations packaged as an MSI, you can use WinRS to install it to a remote computer using
the following command:
winrs -r:{remote host} msiexec.exe /i {msi file} /quiet

Though both of these tools likely will have limited use at present outside the world of management
software developers, it’s good to know that Microsoft recognizes the need for remote tools for systems
management. These two are good forays into fulfilling that need. Though, between you and me, I’ll still
use PSExec for the time being…

Summary
In this chapter I’ve taken the time to review some of the new and improved management tools you’ll
recognize right off the bat when you complete the installation of your first Server 2008 system. I’ve
talked about Server Manager and how it encapsulates many (though not all!) of the separate consoles of
old. I’ve also gone into detail on some other management toolsets that you’ll want to know to make the
job of managing your Windows Servers that much easier.
In the next chapter, I’ll take what you’ve learned here in terms of individual system management and
talk about the changes to centralized Windows management and Group Policy. In that chapter I’ll take
a look at how Group Policy has changed (completely for the better) and some of the new ways you can
control and lock down your systems using this powerful tool.
